Threat Description

Trojan-Dropper:W32/Stuxnet

Details

Aliases: Trojan-Dropper:W32/Stuxnet, Rootkit:W32/Stuxnet, Exploit:W32/WormLink, Trojan-Dropper.Win32.Stuxnet.a, Trojan.Agent.AQCK
Category: Malware
Type: Trojan-Dropper,Rootkit
Platform: W32

Summary

A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

Removal

Manual Removal Using IS2010

  • Right-click My Computer > Properties > Hardware > Device Manager:
    - Go to View > Show Hidden Devices
    - Go to Non-Plug and Play Drivers
  • Disable both MRXNET and MRXCLS.
  • Once done, the system will request a restart.
  • After the restart, open F-Secure Internet Security 2010 and run a Full System Scan.
  • All the drivers, installers and LNK files should be removed at this point.

Manual Removal Instructions

  • Delete the following registry keys:
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
  • Delete the following files:
    1. %windir%\inf\mdmcpq3.PNF
    2. %windir%\inf\mdmeric3.PNF
    3. %windir%\inf\oem6C.PNF
    4. %windir%\inf\oem7A.PNF
    5. %windir%\system32\drivers\mrxcls.sys
    6. %windir%\system32\drivers\mrxnet.sys
  • Turn off AutoPlay on all drives (for more details, see http://support.microsoft.com/kb/967715).
  • Reboot the system.
  • Clean the malware components from the infected USB thumb drive:
    1. Open Command Prompt
    2. Change to the USB drive
    3. Run command "del *.lnk"
    4. Run command "del *.tmp"


Technical Details

Trojan-Dropper:W32/Stuxnet automatically executes itself and drops files onto the system by exploiting a vulnerability in various Windows versions (CVE-2010-2568) that allows malicious code to run when a specially crafted shortcut icon is displayed. This malware appears to be targeted at businesses using Siemens SIMATIC WinCC database applications, as its payload involves data theft from these resources. This malware is further discussed in the following Labs weblog posts:

For more information, please also refer to Microsoft Security Advisory 2286198.

Exploit

Stuxnet shares similarities with an Autorun worm, as it usually arrives via an infected USB thumb drive or other removable media, and once on an infected computer, will save copies of itself on other removable media for propagation to new victim machines. However, instead of exploiting a vulnerability to forcibly execute an autorun.inf file, Stuxnet takes advantage of a vulnerability in parsing shortcut (.LNK) files in order to execute a malicious Control Panel module. An attacker can subvert this operation with a specially crafted .LNK file, which points to a specially crafted Control Panel module (in reality, the malware). When the system attempts to resolve the shortcut file's icon, the vulnerability is triggered and the Control Panel module is automatically executed. The user does not need to click on the icon in order for the malware to be executed. In order to work with this exploit, the malicious shortcut file has to be formatted as a valid Control Panel shortcut, while the trojan-dropper component itself must be formatted as a valid Control Panel module. The exploit may also be embedded in document files that support embedded shortcuts (see LNK Vulnerability: Embedded Shortcuts in Documents). We detect the exploit as Exploit:W32/WormLink.

Infection

On execution, the malware drops the following files onto the system:

  • mrxcls.sys and mrxnet.sys - Dropped into the C:\Windows\System32\Drivers folder
  • C:\Windows\inf\oem7a.PNF - An encrypted DLL file, the trojan-dropper's main component
  • C:\Windows\inf\mdmcpq3.PNF - An encrypted data file
  • C:\Windows\inf\mdmeric3.PNF
  • C:\Windows\inf\oem6c.PNF

An alert user may recognize the presence of a Stuxnet infection if the following items are present (which is helpful if the infected machine has no antivirus product installed):

  • The 2 dropped files, mrxcls.sys and mrxnet.sys, are found in the C:\Windows\System32\Drivers folder
  • The registry keys associated with the 2 dropped drivers are visible:
    - HKLM\System\CurrentControlSet\Services\MRxNet
    - HKLM\System\CurrentControlSet\Services\MRxCls

Execution

The encrypted DLL file contained in the dropped oem7a.PNF file is injected into a process, using the following name structure:

  • [normaldll].ASLR.[random] - e.g., Kernel32.dll.aslr.21af34

The injection is performed by the mrxcls.sys file, which is responsible for attaching and copying the DLL into the target process. The rest of the injection routine is carried out by 2 additional components embedded in the mrxcls.sys file, which are also loaded into the same process space.

Mrxcls.sys also injects code into these processes:

  • services.exe
  • svchost.exe
  • lsass.exe

Payload

The file mrxnet.sys checks for files on the system with the following extensions:

  • .TMP
  • ~WTR
  • .LNK

If a match is found, the files are hidden by modifying the FileInfo structure. Meanwhile, the DLL attempts to connect to any available Siemens SIMATIC WinCC applications using hard-coded administrative username/password credentials. If successfully connected, it attempts to locate the file \GraCS\cc_tlg7.sav in all databases whose names start with CC. If the file is found, the DLL then extracts it as cc_tlg7.savx.

The DLL also connects to domains which are listed in the encrypted mdmcpq3.PNF file. If the targeted files are not found on the infected system, Stuxnet will save copies of itself as TMP files onto an available removable drive, using the following filenames:

  • ~WTR4132.tmp - Main installer from the USB drive
  • ~WTR4141.tmp - First driver loader in the USB drive

The following files are also dropped to the removable drive:

  • Copy of Shortcut to.lnk
  • Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Copy of Shortcut to.lnk

These shortcuts are responsible for loading the ~WTR4141.tmp file whenever the infected removable drive is plugged into a new system; the ~WTR4141.tmp file in turn loads the ~WTR4132.tmp file.
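A defender-side check that covers the host indicators listed under Infection (the two drivers, the PNF files and their service keys) together with the removable-drive artifacts above (the ~WTR*.tmp loaders and the "Copy of ... Shortcut to.lnk" chain). This is an added example, not F-Secure's tooling; the listings it scans are constructed here, and a real run would feed it a directory walk of the host and USB drive plus the subkeys of HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Indicator check for the Stuxnet artifacts this description names.
Added example, not F-Secure's code; sample listings below are constructed."""
import re

# Dropped files named under "Infection" (compared case-insensitively).
HOST_FILES = {
    r"c:\windows\system32\drivers\mrxcls.sys",
    r"c:\windows\system32\drivers\mrxnet.sys",
    r"c:\windows\inf\oem7a.pnf", r"c:\windows\inf\mdmcpq3.pnf",
    r"c:\windows\inf\mdmeric3.pnf", r"c:\windows\inf\oem6c.pnf",
}
HOST_SERVICES = {"mrxcls", "mrxnet"}          # service keys for the two drivers
USB_TMP = re.compile(r"^~wtr\d+\.tmp$", re.I)  # ~WTR4132.tmp / ~WTR4141.tmp
USB_LNK = re.compile(r"^(copy of )+shortcut to\.lnk$", re.I)

def scan_host(paths, services):
    """Return (matching dropped files, matching service names), both sorted."""
    files = sorted(p for p in paths if p.lower() in HOST_FILES)
    svcs = sorted(s for s in services if s.lower() in HOST_SERVICES)
    return files, svcs

def scan_removable(names):
    """Return the names on a removable drive that match the USB artifacts."""
    return sorted(n for n in names if USB_TMP.match(n) or USB_LNK.match(n))

def verdict(paths, services, usb_names=()):
    """'strong' when both drivers or both service keys are present, 'weak' for
    any lone artifact (worth a manual look), 'clean' otherwise."""
    files, svcs = scan_host(paths, services)
    usb = scan_removable(usb_names)
    drivers = [f for f in files if f.lower().endswith(".sys")]
    if len(drivers) == 2 or len(svcs) == 2:
        return "strong", files, svcs, usb
    if files or svcs or usb:
        return "weak", files, svcs, usb
    return "clean", files, svcs, usb

# Constructed sample input: an infected host plus a seeded USB stick.
SAMPLE_HOST = [r"C:\Windows\System32\Drivers\mrxcls.sys",
               r"C:\Windows\System32\Drivers\mrxnet.sys",
               r"C:\Windows\System32\Drivers\ntfs.sys",
               r"C:\Windows\inf\oem7A.PNF"]
SAMPLE_SERVICES = ["MRxCls", "MRxNet", "Dhcp"]
SAMPLE_USB = ["~WTR4132.tmp", "~WTR4141.tmp", "Copy of Shortcut to.lnk",
              "Copy of Copy of Shortcut to.lnk", "report.docx"]

if __name__ == "__main__":
    level, files, svcs, usb = verdict(SAMPLE_HOST, SAMPLE_SERVICES, SAMPLE_USB)
    print(level, files, svcs, usb)
```

Because mrxnet.sys hides exactly the .TMP, ~WTR and .LNK names on a live infected host, run the removable-drive check from a clean machine rather than on the suspect one.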

Stealth

The file ~WTR4141.tmp hooks the following APIs to hide the malware files in the removable drive:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile
