Detected Jul 12 2010 07:57 GMT
Released Jul 12 2010 16:22 GMT
Published Sep 20 2010 10:31 GMT
This is a rootkit designed to load and run malicious code on the user's system. It is implemented as an NT kernel-mode driver and is 26616 bytes in size.
The rootkit copies its executable file as:
In order to ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key (Type 1 is a kernel-mode driver, Start 1 means it is loaded by the kernel at system start):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001
It creates the file:
– 17400 bytes, detected as Rootkit.Win32.Stuxnet.b
To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001
It also creates the following files:
%windir%\inf\mdmcpq3.pnf - 4633 bytes
%windir%\inf\mdmeric3.pnf - 90 bytes
%windir%\inf\oem6c.pnf - 323848 bytes
%windir%\inf\oem7a.pnf - 498176 bytes
These hold the rootkit's code and its encrypted data; the .pnf extension and the %windir%\inf location make them look like ordinary precompiled INF files.
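The persistence indicators above are easy to check from a registry export. The following is an added example, not code from the Securelist description: it parses the same .reg-style listing printed on this page (a [key] header followed by "name"=value lines) and flags a service either because its name or ImagePath matches the two driver services named above, or, as a looser heuristic, because it is a kernel driver (Type 1) loaded at system start (Start 1) from an absolute \??\ path. The sample export embedded below is constructed; the Tcpip entry is there only as a benign control.

```python
"""Flag the Stuxnet driver services in a text export of the Services registry hive.

Added example; the sample export is constructed to match the format shown on the page."""
import re
from typing import Dict, List

# Constructed sample: the two keys shown on the page plus a benign driver service.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"ImagePath"="system32\drivers\tcpip.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

KNOWN_SERVICE_NAMES = {"mrxcls", "mrxnet"}       # service key names from the page
KNOWN_DRIVER_FILES = {"mrxcls.sys", "mrxnet.sys"}  # driver file names from the page
SERVICE_KERNEL_DRIVER = 1   # "Type"=dword:00000001
SERVICE_SYSTEM_START = 1    # "Start"=dword:00000001

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_services(export: str) -> Dict[str, Dict[str, object]]:
    """Return {service name: {value name: str | int}} for every key in the export."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in export.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).rsplit("\\", 1)[-1]   # last path component is the service name
            services[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            services[current][name] = int(dword, 16) if dword is not None else text
    return services


def image_basename(image_path: str) -> str:
    """Last component of an ImagePath, with the .reg doubled-backslash escaping undone."""
    unescaped = image_path.replace("\\\\", "\\").rstrip("\\")
    return unescaped.rsplit("\\", 1)[-1].lower()


def suspicious_services(export: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, values in parse_services(export).items():
        reasons: List[str] = []
        image = str(values.get("ImagePath", ""))
        if name.lower() in KNOWN_SERVICE_NAMES:
            reasons.append("service name matches a Stuxnet driver service")
        if image_basename(image) in KNOWN_DRIVER_FILES:
            reasons.append("ImagePath points at a Stuxnet driver file")
        # Heuristic (assumption, not from the page): a system-start kernel driver
        # registered with an absolute \??\ path instead of the usual relative one.
        if (values.get("Type") == SERVICE_KERNEL_DRIVER
                and values.get("Start") == SERVICE_SYSTEM_START
                and image.replace("\\\\", "\\").startswith("\\??\\")):
            reasons.append("system-start kernel driver with absolute \\??\\ ImagePath (heuristic)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in suspicious_services(SAMPLE_EXPORT).items():
        print(svc, "->", "; ".join(why))
```

Run it against a real export produced with reg export HKLM\SYSTEM\CurrentControlSet\Services on the suspect host, or against the hive file offline. The name match is the indicator; the \??\ heuristic only narrows the list of drivers to inspect and will also surface some legitimate ones.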
The rootkit spreads via removable USB devices by exploiting the zero-day vulnerability CVE-2010-2568 in the handling of LNK (shortcut) files.
For this purpose, the malicious code running inside the services.exe process monitors for newly connected USB storage devices; when one is detected, it creates the following files in the root folder of the device:
– 513536 bytes, detected as Trojan-Dropper.Win32.Stuxnet.a
– 25720 bytes, detected as Trojan-Dropper.Win32.Stuxnet.b
These DLLs are loaded when the vulnerability is triggered and install the rootkit on the system. Alongside them, the shortcut files that trigger the vulnerability are placed in the root of the infected disk:
"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
The shortcut files are 4171 bytes in size and are detected as Trojan.WinLnk.Agent.i. The vulnerability is triggered as soon as the user views the root directory of the removable media in a file manager that renders file icons: the shell loads the DLL referenced by the shortcut while rendering its icon, so no click on the shortcut is needed. Once the vulnerability is exploited the rootkit is activated, and it immediately hides the malicious files.
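Because the rootkit hides these files once it is running, the removable media is best checked from a clean host. The following is an added example, not code from the Securelist description: it scans only the root of a mounted drive (the worm drops nothing deeper), matches the four shortcut names and the ~wtr*.tmp droppers, compares sizes with those given on this page, and additionally verifies that each suspect shortcut starts with a real ShellLink header (header size 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046), which goes beyond the page's name-based description. Pairing the two dropper sizes with the ~wtr*.tmp names listed under the removal steps is an assumption. The sample drive root is constructed in a temporary directory so the script runs offline.

```python
"""Triage the root of a removable drive for the Stuxnet propagation artifacts.

Added example; the sample drive root built by build_constructed_sample() is constructed."""
import fnmatch
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# ShellLink header: HeaderSize 0x0000004C (LE) then CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

EXPLOIT_LNK_NAMES = (
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
)
_EXPLOIT_LNK_LOWER = {n.lower() for n in EXPLOIT_LNK_NAMES}
EXPLOIT_LNK_SIZE = 4171            # shortcut size given on the page
DROPPER_GLOB = "~wtr*.tmp"         # dropper names given under the removal steps
DROPPER_SIZES = {513536, 25720}    # dropper sizes given on the page (pairing with names assumed)


def is_shell_link(head: bytes) -> bool:
    """True if the first 20 bytes carry the ShellLink header size and CLSID."""
    return head[:20] == LNK_MAGIC


def scan_drive_root(root: Path) -> Dict[str, List[Tuple]]:
    """Classify the files in the drive root; nothing below the root is examined."""
    hits: Dict[str, List[Tuple]] = {"exploit_lnk": [], "dropper": [], "other_lnk": []}
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        lower = p.name.lower()
        size = p.stat().st_size
        if lower in _EXPLOIT_LNK_LOWER:
            with p.open("rb") as fh:
                head = fh.read(20)
            # (name, size, size matches page, has valid ShellLink header)
            hits["exploit_lnk"].append((p.name, size, size == EXPLOIT_LNK_SIZE, is_shell_link(head)))
        elif lower.endswith(".lnk"):
            hits["other_lnk"].append((p.name, size))   # any other root-level shortcut deserves a look
        elif fnmatch.fnmatch(lower, DROPPER_GLOB):
            hits["dropper"].append((p.name, size, size in DROPPER_SIZES))
    return hits


def looks_infected(hits: Dict[str, List[Tuple]]) -> bool:
    """Shortcut plus dropper in the same root is the worm's footprint; either alone is only a lead."""
    return bool(hits["exploit_lnk"]) and bool(hits["dropper"])


def build_constructed_sample(root: Path) -> None:
    """Write a constructed drive root: four shortcuts with a valid header, two droppers, one benign file."""
    lnk_body = LNK_MAGIC + b"\0" * (EXPLOIT_LNK_SIZE - len(LNK_MAGIC))
    for name in EXPLOIT_LNK_NAMES:
        (root / name).write_bytes(lnk_body)
    (root / "~wtr4132.tmp").write_bytes(b"\0" * 513536)
    (root / "~wtr4141.tmp").write_bytes(b"\0" * 25720)
    (root / "report.doc").write_bytes(b"benign content")


def demo() -> Tuple[Dict[str, List[Tuple]], bool]:
    """Build the constructed sample in a temp dir, scan it and return (hits, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        hits = scan_drive_root(root)
        return hits, looks_infected(hits)


if __name__ == "__main__":
    found, verdict = demo()
    for category, entries in found.items():
        for entry in entries:
            print(category, entry)
    print("infected:", verdict)
```

To use it on real media, mount the drive read-only on a machine that is not itself infected and call scan_drive_root(Path("/mnt/usb")) or scan_drive_root(Path("E:\\")); do not open the root in Windows Explorer on an unpatched host, since that alone triggers the exploit.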
The rootkit is designed to inject malicious code into user-mode processes. The driver injects a DLL into the following system processes:
svchost.exe
services.exe
lsass.exe
After injection, the DLLs appear in those processes' module lists under the following names:
where rnd stands for a random hexadecimal number. The injected code is contained in the file:
It is stored encrypted.
The injected code contains the main functionality of this malicious program. This includes:
- Propagation via removable media.
- Monitoring of the Siemens Step7 system. For this purpose the rootkit driver loads its own intermediary library into the s7tgtopx.exe process in place of the original s7otbxsx.dll; the substitute reimplements the following exported functions:
s7_event
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_link_in
s7ag_read_szl
s7ag_test
s7blk_delete
s7blk_findfirst
s7blk_findnext
s7blk_read
s7blk_write
s7db_close
s7db_open
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg
and, sitting between Step7 and the controller, collects information about the operation of the system.
- Performing SQL queries. The rootkit obtains a list of computers on the local network and checks whether any of them runs the Microsoft SQL Server instance that backs the Siemens WinCC process visualization system. If such a server is found, the malware attempts to log into the database with the hard-coded WinCC credentials (user name WinCCConnect, password 2WSXcder) and then tries to read data from the following tables:
MCPTPROJECT
MCPTVARIABLEDESC
MCPVREADVARPERCON
It also collects information from files with the extensions:
*.S7P
*.MCP
*.LDF
which are created by Siemens Step7. The entire hard drive is searched for such files.
- It sends the collected data, in encrypted form, over the Internet to the attackers' servers.
If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to remove the malicious program:
- Delete the original rootkit file (its location depends on how the program originally reached the victim machine).
- Delete the two service registry keys listed above (Services\MRxCls and Services\MRxNet).
- Delete the following files:
%System%\drivers\mrxnet.sys
%System%\drivers\mrxcls.sys
%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf
- Reboot the computer
- Disable the display of icons in the file manager to avoid repeated infection, and install the Microsoft security update for CVE-2010-2568 (MS10-046), which removes the root cause.
- Delete the following files from removable media, if present:
"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
~wtr4132.tmp
~wtr4141.tmp
- Update your antivirus databases and perform a full scan of the computer
(Quoted from http://www.securelist.com/en/descriptions/15071647/Rootkit.Win32.Stuxnet.a without translation)