Dutch
English
Dit artikel is alleen beschikbaar in het English
blue teaming
malware analysis

Malware Analysis example. Classic case: Stuxnet

Zhassulan Zhussupov
14 December, 2022

image.png

Almost every war has a starting point - a precedent, a provocation, or something else from which it is customary to count the beginning of the conflict. However, no one knows when the first war in human history occurred.From the conflict between two ape tribes at the very beginning of civilization? During the initial conflict between Cro-Magnons and Neanderthals?

However, unnoticed by the general public, the daily cyberwars of the twenty-first century have begun.

We will tell you the story about it - the story of the virus that started everything, the story of Stuxnet.

Stuxnet

The Stuxnet malware is a malicious computer worm that was first discovered in 2010. It was the first malware to specifically target industrial control systems, such as those used in factories, power plants, and other critical infrastructure. The Stuxnet worm was designed to cause physical destruction of equipment, and it was able to do this by taking control of the computers that control these systems.

The Stuxnet worm was created by a nation-state, and is believed to be the work of the United States and Israel. It was designed to sabotage the Iranian nuclear program, and it was successful in disabling centrifuges used to enrich uranium.

After all, most major industrial hacks begin with social engineering (attacks on employees), most often with the distribution of malicious emails. But it’s too difficult and time-consuming to find employees of a secret facility in a closed country and their home computers, and they may not have access to the holy of holies of the plant—the process control system—and you won’t know it in advance.

So you need to infect those who maintain and configure these process control systems, and as a rule, these are external organizations. That is why Stuxnet hit the first five companies in Iran that worked in the field of industrial systems development or the supply of related components.

Here are the top five:

  • Foolad Technic Engineering Co. - designed automated systems for Iranian manufacturing companies.
  • Behpajooh Co., Elec. & Comp. Engineering—similar to the previous one, it was with it that the global epidemic began, but more on that later.
  • Neda Industrial Group is an organization that has been on the US Department of Justice sanctions list since September 2008 and is accused of illegally exporting prohibited substances (obviously not drugs) to Iran, including for military purposes.
  • Control-Gostar Jahed Company is another Iranian company working in the field of industrial automation.
  • Kala Electric is considered the sweetest company to contaminate.

The virus successfully searched the infected machines for the following software from Siemens: PCS 7, WinCC, and STEP 7. If he found it, took control, checked what equipment was connected, and if understood that it was a centrifuge and not anything from another plant, then he rewrote part of the controller code, setting the incorrect rotation speed.

The Stuxnet worm was highly sophisticated, and it was able to spread itself through USB drives and other means. It was also able to disable security software, and it was able to evade detection for a long time.

The Stuxnet worm was a wakeup call to the world, as it demonstrated the potential damage that malicious software can cause. It showed that industrial control systems are vulnerable to attack, and that critical infrastructure can be disrupted by cyber-attacks. It also showed that nation-states are willing to use malware for political and military gain.

The Stuxnet worm serves as a reminder of the importance of cyber security. It is essential that organizations take steps to protect their critical systems from attack, and to ensure that their industrial control systems are secure.

Summary

We did a comprehensive technical investigation of the worm Win32/Stuxnet, which is arguably the most technologically advanced malware designed for a targeted assault to date.

It's not included significant information regarding injecting code into the SCADA system because this topic merits its own discussion.

This research was primarily meant as content for information security professionals, demonstrating how technology might be utilized in targeted assaults.

The samples of malware for investigation are downloaded from:

https://github.com/gr33ntii/malware-collection

https://github.com/micrictor/stuxnet (decompiled source code)

Intro

Stuxnet represents not simply a new virus or worm, but also a new age of malicious software. This virus altered the definition and purpose of malware.

Stuxnet is the first time you've heard of a virus that wrecks buildings, destroys machines, or kills people. Typically, you hear about viruses that irritate people or steal from banks or credit cards.

In the 2010 year, virus experts and the media have paid considerable attention to Stuxnet. It is designed to undermine Iran's nuclear program.

This sophisticated attack exploits up to four zero-day vulnerabilities in Windows OS and employs several techniques to prevent detection by behavior-blocking antivirus systems.

It harmed the Iranian nuclear reactor and its equipment by infecting the PLCs (Programmable Logic Controllers) that operate the equipment there. This causes the modification of the control software, which alters the machine's behavior.

This malware was designed primarily to disrupt the Iranian Nuclear Program. Once installed on a computer, Stuxnet used Siemens' default passwords to obtain access to the systems that run the WinCC and PCS 7 applications, which control and change the code of the PLCs (programmable logic controllers) that control the machines themselves.

Stuxnet functions in two stages following infection.

First, it transfers Siemens system setup information to a command-and-control server. Then, the attackers are able to select a target and modify its functionality. They select how they want the PLCs to function for them, and then transmit code to the infected devices that modifies how the PLCs function.

It was able to infect facilities associated with Iran's disputed nuclear program before altering control systems to speed up and slow down high-speed centrifuges.

Exploits known as 0-days were exploited in the Stuxnet attacks so that malicious programs could be installed on the system:

MS10-046 (0-day)

MS10-061 (0-day)

MS08-067 (patched)

0-day (unpatched)

2022-10-14_07-49.png

Stuxnet live cycle

This is the live cycle of stuxnet virus on windows OS:

1.png

We will describe every step in this cycle. Let's go to beginning by WTR4132.TMP file and that's the main dropper of stuxnet worm.

The Main dropper

~WTR4132.TMP - This File is a dynamic link library that explorer.exe loads (we will describe the loading of it in the booting mechanism). It starts the execution by looking for a .stub section:

2022-10-14_13-12.png

2022-10-14_14-16.png

And that's the MZ file inside .stub section:

2022-10-14_07-09.png

This .stub section also contains stuxnet's configuration data, which is vital to its propagation process, update mechanism, and many others.

In order to prevent detection by antivirus software, malware installs the following module:

Firstly, allocates a memory buffer within the calling process in preparation for the loading of the module

Then, system library ntdll.dll is patched as follows: In particular, it hooks into the functions listed below:

  • ZwMapViewOfSection
  • ZwCreateSection
  • ZwOpenFile
  • ZwClose
  • ZwQueryAttributesFile
  • ZwQuerySection

2022-10-15_07-08.png

To coerce these APIs into creating a.stub section similar to the file that you will need to open with ZwOpenFile and to read from this section as though it were a file stored on the hard disk.

Because of these modifications, the DLL file that is loaded by LoadLibraryA comes not from the hard disk, as is customary, but rather from a location within the RAM.

It loads the Main DLL File by calling LoadLibraryA with the DLL name being something like KERNEL32.DLL.ASLR.XXXX or SHELL32.DLL.ASLR.XXXX, where XXXX is a random hexadecimal number.

Privilege escalation

After determining whether or not the configuration data is up to date and accurate, it examines the administrative permissions. If it isn't currently operating at the administrator level, it will use either of two zero-day vulnerabilities to elevate its privileges so that it can begin operating at the administrator level:

CVE-2010-2743(MS-10-073)

These vulnerability allow the malware to escalate the privileges and run in a new process (csrss.exe):

2022-10-14_13-16.png

Injection

After ensuring that everything is in working order and that the environment is ready to be infected by stuxnet, it will then inject itself into another process in order to install itself using that process.

The injection starts by looking for an antivirus program that was previously installed on the machine.

The currently running processes are enumerated for the following:

  • Kaspersky KAV (avp.exe)
  • Mcafee (Mcshield.exe)
  • AntiVir (avguard.exe)
  • BitDefender (bdagent.exe)
  • Etrust (UmxCfg.exe)
  • F-Secure (fsdfwd.exe)
  • Symantec (rtvscan.exe)
  • Symantec Common Client (ccSvcHst.exe)
  • Eset NOD32 (ekrn.exe)
  • Trend Pc-Cillin (tmpproxy.exe)

So depending on which security products are installed stuxnet choose which process is used for injection.

The potential target processes for the injection are as follows:

  • Lsass.exe
  • Winlogon.exe
  • Svchost.exe

2.png

After extracting a template PE file from inside itself, a new section with the name .verif is generated.

Because of this section, the size of the PE-file is now the same as the size of the module that was unloaded before. In addition, stuxnet puts a jmp instruction to the entrypoint of this PE-file. This instruction is placed where the entrypoint of the unloaded module would normally be.

In the last stage, Stuxnet will copy the .stub section as well as the main DLL into the memory of the process that has been infected. It will then write the pointer to this memory buffer onto the .bin section.

At the end, main dll picks up where it left off with the main thread of this infected process.

Installation process

Stuxnet installs itself with writing 6 files in the Windows directory 4 encrypted files:

  • C:\WINDOWS\inf\oem7A.PNF
  • C:\WINDOWS\inf\oem6C.PNF
  • C:\WINDOWS\inf\mdmcpq3.PNF
  • C:\WINDOWS\inf\mdmeric3.PNF

and 2 device drivers:

C:\WINDOWS\system32\Drivers\mrxnet.sys C:\WINDOWS\system32\Drivers\mrxcls.sys

After that, it adds the device drivers to the registry for persistence.

Then, disable Windows Defender firewall via modify registry key:

SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows Defender", 0, KEY_ALL_ACCESS, &key);
if (res == ERROR_SUCCESS) {
  RegCreateKeyEx(key, "Real-Time Protection", 0, 0, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, 0, &new_key, 0);
  RegSetValueEx(new_key, "EnableUnknownPrompts", 0, REG_DWORD, (const BYTE*)&disable, sizeof(disable));
  RegSetValueEx(new_key, "EnableKnownGoodPrompts", 0, REG_DWORD, (const BYTE*)&disable, sizeof(disable));
  RegSetValueEx(new_key, "ServicesAndDriversAgent", 0, REG_DWORD, (const BYTE*)&disable, sizeof(disable));
  RegCloseKey(key);
  RegCloseKey(new_key);
}

Now the installation ends. Here we will stop and continue our research in the next post.

Conclusion

It is known that the first assembly and the subsequent launch of one of the versions of Stuxnet happened on June 23, 2009 at 4:40 GMT. This version has not yet used shortcuts (.lnk files) for distribution. The next versions were launched on June 28 and July 7. Mass launch of a new, more aggressive version of Stuxnet is was prepared for "Behpajooh Co. Elec & Comp. Engineering", and then moved from this company directly to the Internet! As a result of an avalanche spread through networks, the Stuxnet epidemic covered the whole world and could no longer go unnoticed.

References

ZwMapViewOfSection

ZwCreateSection

ZwOpenFile

ZwClose

CVE-2010-2568 (MS-10-046)

CVE-2008-4250(MS-08-067)

CVE-2010-2729(MS-10-061)

Symantec W32.Stuxnet Dossier

Stuxnet Under The Microscope

https://github.com/gr33ntii/malware-collection

https://github.com/micrictor/stuxnet (decompiled source code)

Authored By
Zhassulan Zhussupov

Cybersecurity enthusiast | Author | Speaker | CTF player | R&D Engineer | Jiu-Jitsu Practicioner

Deel met de wereld!

Beveiligingsbehoeften?

Bent u er echt zeker van dat uw organisatie veilig is?

Bij WebSec helpen we u deze vraag te beantwoorden door geavanceerde beveiligingsbeoordelingen uit te voeren.

Wil je meer weten? Plan een gesprek in met een van onze experts.

Afspraak Inplannen
Authored By
Zhassulan Zhussupov

Cybersecurity enthusiast | Author | Speaker | CTF player | R&D Engineer | Jiu-Jitsu Practicioner