Search This Blog

Wednesday, October 20, 2010

Celebrating Passover

Probably, you didn't quite connect all the Biblical allusions in the whitepaper on Stuxnet or grasp why they are there. Maybe this will help.

The software project used to create the STUXNET was called guava. Guavas are plants in the myrtle (myrtus) family genus. The files it creates are called mrxcls.sys and mrxnet.sys. Myrtle branches were used to celebrate passover. First, we need some history.

Esther was originally named Hadassah. Hadassah means 'myrtle' in Hebrew." Esther learned of a plot to assassinate the king and "told the king of Haman's plan to massacre all Jews in the Persian Empire. Haman who set them up finally suffers for his crime of falsely implicating the jews by dying at the kings hands. The Jews went on to kill only their would-be executioners."

May 9, 1979 is the date the first Jew was executed by the Iranian government. It is also the day a Northwestern University graduate student was injured by a bomb made by the Unabomber. Earth is a dark and bloody planet.

When you type STUX in Hebrew you get דאוס (transcribed as Deus or DeOS). This happens to be the name of an Israeli children’s story playing on TV, where hackers develop a program named Deus which takes over the world.

Thus STUX is an allusion to God and 19790509 is an allusion to blood that you place on your door, i.e., in the registry of your computer, and the sacrifice that is required in order to avoid God’s wrath. Thus, we all must honor and celebrate Passover.

Actually, the current version of Stuxnet will only run on 32 bit versions of the following operating systems:
Win2K•
WinXP•
Windows 2003•
Vista•
Windows Server 2008•
Windows 7•
Windows Server 2008 R2•
If it is not running on one of these operating systems it will exit. So, I do not need to worry yet.


STUX is also known as Troj/Stuxnet-A [Sophos], W32/Stuxnet-B [Sophos], W32.Temphid [Symantec], WORM_STUXNET.A [Trend], Win32/Stuxnet.B [Computer Associates], Trojan-Dropper:W32/Stuxnet [F-Secure], Stuxnet [McAfee], W32/Stuxnet.A [Norman]

Decryption of the virus shows the following:

SOFTWARE\SIEMENS\WinCC\Setup
STEP7_Version
SOFTWARE\SIEMENS\STEP7
SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
NTVDM TRACE

The initial loader first checks that the configuration data is valid, after that it checks the value "NTVDM TRACE" in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a "do not infect" marker. If this is set correctly, infection will not occur.

Next, Stuxnet reads a date from the configuration data (offset 0x8c in the configuration data). If the current date is later than the date in the configuration file then infection will also not occur and the threat will exit. The date found in the current configuration file is June 24, 2012.

Alo, the registry is searched for indicators that the following anti-virus programs are installed:

KAV v6 to v9•
McAfee•
Trend PcCillin•

If one of the above security product processes are detected, version information of the main image is extracted. Based on the version number, the target process of injection will be determined or the injection process will fail if the virus considers the security product non-bypassable.

Discovered: July 13, 2010
Updated: September 17, 2010 8:53:13 AM
Also Known As: Troj/Stuxnet-A [Sophos], W32/Stuxnet-B [Sophos], W32.Temphid [Symantec], WORM_STUXNET.A [Trend], Win32/Stuxnet.B [Computer Associates], Trojan-Dropper:W32/Stuxnet [F-Secure], Stuxnet [McAfee], W32/Stuxnet.A [Norman]

Stuxnet was the first worm to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread; in fact when Stuxnet was first discovered, this vulnerability was an unknown, or zero-day, vulnerability and it wasn’t until Stuxnet was analyzed that this vulnerability was recognized as such. Normally, when one thinks of a vulnerability in software, one would think of a coding error that an attacker discovers and then exploits. However, while this does indeed fit the definition of a vulnerability, specifically it is a design flaw as Windows is doing exactly what it was designed to do.

The virus copies itself to removable drives as the following files:

%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp

Note: Both file names are hardcoded and they are actually .dll files.

It also copies the following files to the above drives:

%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk

When the drive is accessed by an application that can display icons, such as Windows Explorer, instead of displaying the icon for the .lnk files, it runs code that executes the file %DriveLetter%\~WTR4132.tmp. This file’s main purpose is to execute the other file that is copied to the removable drive, DriveLetter%\~WTR4141.tmp, which is then loaded into memory. Its worth noting that this file has a valid signature issued to and signed by well-known companies in Taiwan.

It also uses a remote procedure call (RPC) exploit to spread. This exploit is only effective against computers that have not applied the patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Furthermore, it exploits the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073) to copy itself from one compromised computer to another. The vulnerability allows for a file to be written to the %System% directory of a vulnerable computer. Stuxnet first uses this vulnerability to plant a copy of itself on a vulnerable machine and later it uses a feature of WBEM to achieve execution of that file on the remote computer.

Stuxnet also attempts to spread via network shares by copying itself to network shares as the following file:
%DriveLetter%\ “DEFRAG[RANDOM NUMBER].tmp

Note: This file is in fact a .dll file.

It then attempts to create a job to run the .dll file.

The following file(s) may be seen on the compromised computer.

%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys
%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp
%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
%Windir%\inf\oem6C.PNF
%Windir%\inf\oem7A.PNF
%Windir%\inf\mdmcpq3.PNF
%Windir%\inf\mdmeric3.PNF

The following registry entries are created:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

It uses two processes:

iexplorer.exe (injection)
lsass.exe (injection)

Once an infected removable drive is attached to a clean computer, the virus copies itself to the clean computer as the following files:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys

Next, the virus registers the file mrxcls.sys as a service with the following characteristics:
Display Name: MRXCLS
Startup Type: Automatic
Image Path: %System%\drivers\mrxcls.sys

The virus creates the following registry entry for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

It also registers the file mrxnet.sys as a service with the following characteristics:
Display Name: MRXNET
Startup Type: Automatic
Image Path: %System%\drivers\mrxnet.sys

The virus creates the following registry entry for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

It also creates the following files, which are encrypted copies of the virus:

%Windir%\inf\oem6C.PNF
%Windir%\inf\oem7A.PNF
%Windir%\inf\mdmcpq3.PNF
%Windir%\inf\mdmeric3.PNF

The file %System%\drivers\mrxcls.sys decrypts these files to reinfect the compromised computer if attempts are made to remove the worm.
Downloading
The worm is able to download a payload executable on to the compromised computer from the C&C server and execute it.

The virus sends an HTTP request to the server containing information about the compromised computer. This information is sent by making a request to the following URL:
http://[C&C SERVER ADDRESS]/index.php?data=[DATA]

Note: DATA represents the system information that has been gathered.

The virus contacts the following URLs through port 80, which are the virus's Command and Control servers, to test Internet connectivity:

www.mypremierfutbol.com
www.todaysfutbol.com

The two URLs above were registered in Arizona and previously pointed to servers in Malaysia and Denmark. Names like this are typically American. “We don’t play soccer, we play futbol.” is a 21st century American expression.

The data is not sent in plain text though; instead it is encrypted with XOR using a 31-byte key. The data section also contains several fields describing the data. The response received back from the C&C server is also encrypted using XOR but using a different 31-byte key. Both of these keys are contained in the malicious .dll file on the compromised computer and can be used to decipher network traffic to and from the C&C server.

The data sent from the compromised computer to the C&C server contains the following information:

The Windows version information,
The computer name,
The network group name,
Flag for whether SCADA software was installed or not, and
IP addresses of all network interfaces.

When the C&C receives this information it can reply with 2 types of responses. The first type of response instructs the threat to execute one of the procedures already existing within the threats code. In fact the data from this type of response is forwarded to various RPC routines within the main .dll file. The second type of response delivers an additional .dll file to the client in the response and instructs the client to load that .dll file and call an ordinal one from within the downloaded .dll file.

The first type of response acts as a wrapper for RPCs that will be forwarded to the local machine. The RPC calls implemented on the client side can perform the following actions:

Read a file
Write to a file
Delete a file
Create a process
Inject a .dll into lsass.exe
Load an additional .dll file and executed export 1
Extract resource 210 from the main .dll file (this resource is used to inject into other processes)
Update the configuration data for the threat

The parameters for these RPC calls are passed to the client via response type 1. For example, the .dll file to be injected into lsass.exe is passed to the client from the server inside response type 1.

Stuxnet is specifically targeting systems with supervisory control and data acquisition (SCADA) software installed. The threat performs many database queries on the database used by the Siemens Step 7 software and interacts with the .dll files belonging to that product. It tries to extract specific data from the database. For example, it tries to access files with the following characteristics, created by the Step 7 software:

GracS\cc_tag.sav
GracS\cc_alg.sav
GracS\db_log.sav
GracS\cc_tlg7.sav
*.S7P
*.MCP
*.LDF

By accessing these files, Stuxnet steals code and design projects.

Industrial control systems consist of Programmable Logic Controllers (PLCs) that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well. Thus Stuxnet introduces the first known rootkit for industrial control systems.

By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. To date, no industrial facility has been knowingly compromised. What any attacker hopes to achieve by compromising an industrial facility is not known, but one thing is for sure: nothing good can come from a facility being compromised.

In an attempt to avoid detection the file %DriveLetter%\~WTR4132.tmp hides threat related files by hooking the following APIs from kernel32.dll and Ntdll.dll:
From Kernel32.dll

FindFirstFileW
FindNextFileW
FindFirstFileExW

From Ntdll.dll

NtQueryDirectoryFile
ZwQueryDirectoryFile

It replaces the original code for these functions with code that checks for files with the following properties:

File names ending with ".lnk"
File names beginning with "~WTR" and ending in ".tmp" (which explains why the file names on the removable drive are hardcoded and cannot change significantly)

If a request is made to list a file with the above properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all files with those properties.

After the kernel32.dll APIs are hooked, the file %DriveLetter%\~WTR4132.tmp loads the other .dll file, %DriveLetter%\~WTR4141.tmp. However, to achieve this Stuxnet uses a different approach from what one would normally expect. Rather than calling the "LoadLibrary" API to load a .dll file into memory, which is what one would normally expect, Stuxnet hooks certain Ntdll.dll functions, then calls the “LoadLibrary” with a specially crafted file name. The file requested to be loaded does not exist on disk, therefore normally LoadLibrary would fail. However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load specially crafted file names. If a specially crafted file name is encountered, the hooked ntdll.dll functions know to load a .dll file from another location instead; a location specified by Stuxnet and that location is generally an area in memory where a .dll file has been decrypted and stored by the threat previously.

The functions hooked for this purpose in Ntdll.dll are:

ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwCloseFile
ZwQueryAttributesFile
ZwQuerySection

Once a .dll file has been loaded, GetProcAddress is used to find the address of a specific export from the .dll file and that export is called, handing control to that new .dll file.

Stuxnet lower security settings and can inject its code into iexplorer.exe in order to bypass firewalls.

It also stops the following security-related processes:

vp.exe
Mcshield.exe
avguard.exe
bdagent.exe
UmxCfg.exe
fsdfwd.exe,
rtvscan.exe
ccSvcHst.exe
ekrn.exe
tmpproxy.exe

The vulnerability exploited by Stuxnet to escalate access privileges still exists.

STUXNET U.S.A., Israel, Taiwan, Denmark, Malaysia, Germany, etc.
Put 19790509 in the registry and it will passover you.

Sept 5, 2007 Air Defense in Syria neutralized.

November 20, 2008 Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.

January, 2009 Compile date in virus.

June, 2009 Earliest Stuxnet sample seen.

July 5, 2009 Nuclear accident in Iran's Centrifuges

January 25, 2010 Stuxnet driver signed with a valid certificate belonging to Realtek Semiconductor Corps.

March, 2010 New Version exploits MS10-046, INSAT-4B???

June, 2010 Russian Disclosure

Stuxnet has even attacked Vanderlande's and Siemens' own systems.

September, 2010 "Iran has crossed the critical nuclear threshold taking it nearer to being able to arm ballistic missiles with nuclear warheads, weapons inspectors of the International Atomic Energy Agency reported last week.
October, 2010: The Fifth Fleet doubles combat power in the Persian Gulf. Forces mass near the border to attack Chad. Vengence is mine saith the LORD. Please save us from murdering ourselves.

What do the information assurance people say? They say people in information assurance are only allowed to talk to people in information assurance. They can hardly contain their laughter when someone foolishly tries to communicate with them.

In fact, Earth in the 21st Century is primary made up of cliques of people forbidden to have connections with each other. How odd? Maybe someone should check for aberrant methylation patterns in their cortex, liver and myometrium, if they have one. They do not seem human any more.

Who is there left to talk to? twitter, maybe, God surely.

No comments:

Post a Comment