Symantec recently published its findings about the internals of the Stuxnet worm. The document describes the architecture and the internals of the worm. According to Symantec, Stuxnet is by far the most complex threat discovered to date. The experts at Symantec spent more than three months on an in-depth analysis of the threat. The outcome is really impressive.
Stuxnet uses a wrapper program, called a dropper, which contains all of the code to control the worm (contained in a large .dll file) and two encrypted configuration blocks, stored inside a section called "stub". A dropper is required because viruses are not executable programs by themselves; rather, they infect other executable program code. So for the initial release or infection step, they need a dropper component to perform it.
Executing the dropper extracts the .dll file, loads it into memory and calls different exports on it. Whenever an export is called, Stuxnet injects its entire DLL into other processes and calls further exports on it. Stuxnet is able to inject itself into arbitrary processes or into specific trusted processes. Depending on the security product installed on the PC, certain processes are chosen for injection. Stuxnet especially looks for the following security products:
- Kaspersky (avp.exe)
- McAfee (Mcshield.exe)
- AntiVir (avguard.exe)
- BitDefender (bdagent.exe)
- Etrust (UmxCfg.exe)
- F-Secure (fsdfwd.exe)
- Symantec (rtvscan.exe)
- Symantec Common Client (ccSvcHst.exe)
- Eset NOD32 (ekrn.exe)
- Trend Pc-Cillin (tmpproxy.exe)
The registry is also searched for specific security products to see if they are installed. Potential target processes for injection are as follows:
- The installed security product process
When called for the first time, while the dropper is executing, Stuxnet performs the following actions:
- Check if configuration is up-to-date
- Determine if it is running on a 64-bit machine or not. If it is 64-bit, it will exit.
- Check which operating system is running. Stuxnet will only run on the following operating systems: Win2K, WinXP, Windows 2003, Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2
- Check if it has Administrator rights on the computer. Stuxnet wants to run with the highest privilege possible. If this is not the case, it executes one of the zero-day escalation of privilege attacks: it exploits the currently undisclosed Task Scheduler Escalation of Privilege vulnerability (Vista, Windows 7, Windows Server 2008 R2) or the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) (WinXP, Win2k).
- Next it checks the date and version number of the compromised computer
- Decrypt, create and install the rootkit files and registry keys
- Inject itself into the services.exe process to infect removable drives
- Inject itself into the Step7 process to infect all Step7 projects
- Set up global mutexes to communicate between different components
- Connect to the RPC server
If it is not running on one of these operating systems, it exits.
Command and Control
After installing itself, Stuxnet contacts the command and control server on port 80 and sends some basic information about the compromised system to the attackers via HTTP. This tells the attackers whether the targeted software, the ICS programming software Siemens Step7 or WinCC, is running. It is by design that Stuxnet uses HTTP traffic on port 80: this is a common way for malware to bypass corporate firewall blocking rules. Stuxnet was also able to receive payload modules that gave it backdoor functionality, enabling the attackers to execute arbitrary code on the infected machine.
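Because port 80 is normally open outbound, the defender's handle on this kind of beacon is not the port but the source: an engineering workstation running Step7 or WinCC has no business talking HTTP to arbitrary external web servers. The following detection is an added example, not code from the post or from Symantec's dossier; it assumes a Squid-style proxy access log, and the host inventory, allowlist and log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed inventory: engineering workstations running Step7/WinCC.
ICS_HOSTS = {"10.20.0.15", "10.20.0.16"}
# Constructed allowlist of web destinations these hosts may legitimately reach.
ALLOWED_DESTS = {"updates.example.com"}
# Address space considered internal; any other IP, and any DNS name, is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Squid-style access log: timestamp elapsed client result/status bytes method URL ...
LOG_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+(?P<size>\d+)\s+"
                    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?")

def is_external(host):
    """True for any DNS name and for IPs outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def find_ics_beacons(lines):
    """(client, host, port, method, bytes) for each ICS-host request to a non-allowlisted external web server."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["client"] not in ICS_HOSTS:
            continue  # malformed line, or not an engineering workstation
        u = URL_HOST_RE.match(m["url"])
        if not u:
            continue
        host, port = u.group(1), int(u.group(2) or 80)
        if host in ALLOWED_DESTS or not is_external(host):
            continue
        alerts.append((m["client"], host, port, m["method"], int(m["size"])))
    return alerts

# Constructed sample log lines; 203.0.113.45 stands in for an external C&C web server.
SAMPLE_LOG = """\
1285934400.123    210 10.20.0.15 TCP_MISS/200 512 GET http://updates.example.com/catalog.xml - DIRECT/198.51.100.7 text/xml
1285934412.456     95 10.20.0.15 TCP_MISS/200 324 GET http://203.0.113.45/status - DIRECT/203.0.113.45 text/html
1285934420.789    120 10.20.0.99 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/203.0.113.99 text/html
1285934430.000    110 10.20.0.16 TCP_MISS/200 300 POST http://203.0.113.45:80/status - DIRECT/203.0.113.45 text/html
""".splitlines()

for alert in find_ics_beacons(SAMPLE_LOG):
    print("ALERT %s -> %s:%d %s (%d bytes)" % alert)
```

Only the two requests from inventoried ICS hosts to the non-allowlisted external address are reported; the update-server fetch and the office workstation's browsing are ignored.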
Windows Rootkit Functionality
Stuxnet has the ability to hide copies of its files copied to removable drives by using a rootkit. This prevents users from noticing that their removable drives (e.g. USB sticks) are infected before sharing the drive with another party, and it also prevents those users from realizing that a recently inserted removable drive was the source of infection.
Stuxnet does this by using a compromised Realtek digital certificate, which VeriSign revoked on July 16, 2010.
Stuxnet Propagation Methods
Stuxnet uses different approaches to propagate itself:
- Network propagation (network shares, MS10-061 Print Spooler Zero-Day Vulnerability, MS08-067 Windows Server Service Vulnerability, Peer-to-peer communication, through WinCC machines)
- Removable drive propagation (LNK vulnerability CVE-2010-2568)
- Step 7 Project File Infections
Stuxnet is the first threat to exploit four zero-day vulnerabilities, compromise two digital certificates, inject code into industrial control systems and hide that code from the operator. It is of such great complexity, requiring significant resources to develop, that few attackers will be able to produce a similar threat. But we must not forget that Stuxnet showed us that attacking such critical infrastructure is not just theory.
References
- Symantec W32.Stuxnet Dossier
- Windows Win32k.sys Local Privilege Escalation (MS10-073)
- Task Scheduler Escalation of Privilege vulnerability
- LNK vulnerability CVE-2010-2568
- MS08-067 Windows Server Service Vulnerability
- MS10-061 Print Spooler Zero-Day Vulnerability