Case Study: Stuxnet
By Amr Thabet

Stuxnet Overview
- Most sophisticated malware ever seen in public
- Uses up to 6 vulnerabilities (5 in Windows and 1 in Siemens software)
- Its code is ~1.5 MB (very large)
- Has 3 rootkits (user-mode, kernel-mode and PLC rootkit)
- Spreads via USB flash memory and network shares
- Updates itself via the Internet by connecting (HTTP) to two websites (encrypted connection)
- Infects SCADA systems
- The first malware that has a physical payload
Stuxnet Life Cycle
Stuxnet's Main Dropper
- The dropper is a program that contains the real malware and carries it from one PC to another (like a ship)
- It loads the main DLL in a special way
- It uses LoadLibraryA and hooks the file management APIs that LoadLibraryA relies on, so the file is read from memory rather than from a file on the disk

Process Injection
- Stuxnet injects itself into a process (usually lsass.exe)
- It copies itself into the memory of lsass and then forces lsass to execute it by modifying its code
- In Stuxnet's case it unloads (removes) the original process image (lsass) from memory while the process is suspended, then loads another PE file into that memory with the same entry point

Escalation of Privileges
- Escalation of privileges means doing something you are not allowed to do
- Stuxnet takes administrator privileges to install itself
- It uses 2 vulnerabilities in the Windows OS:
  - CVE-2010-2743 (MS-10-073) - Win32K.sys keyboard layout vulnerability
  - CVE-xxxx-xxxx (MS-xx-xxx) - Windows Task Scheduler vulnerability
- These vulnerabilities allow Stuxnet to execute as a system application (run like a system process)

Installation Mechanism
- It installs these files:
  %SystemRoot%\inf\oem7A.PNF
  %SystemRoot%\inf\mdmeric3.PNF
  %SystemRoot%\inf\mdmcpq3.PNF
  %SystemRoot%\inf\oem6C.PNF
  %SystemRoot%\Drivers\mrxnet.sys
  %SystemRoot%\Drivers\mrxcls.sys
- Then it adds MrxNet and MrxCls to the registry to make sure they are executed on every boot

Disabling Windows Defender
- It modifies some registry entries related to Windows Defender under SOFTWARE\Microsoft\Windows Defender\Real-Time Protection:
  EnableUnknownPrompts
  EnableKnownGoodPrompts
  ServicesAndDriversAgent
- These modifications allow Stuxnet to work normally without being blocked
Spreading Mechanism: USB Infection
- Stuxnet uses a vulnerability in the Windows OS: CVE-2010-2568 (MS-10-046) - Windows Shell LNK vulnerability
- This vulnerability is found in shortcuts to CPL files
- In these shortcuts, Explorer loads the icon dynamically
- This loading makes Explorer load the CPL file and call its entry point
- Stuxnet uses this trick to make Explorer call the entry point of its executable
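The icon-loading trick above, as an added example that is not from the slides or their author: a minimal parser for the Shell Link header and StringData that extracts the ICON_LOCATION string and flags shortcuts whose icon would be served by a loadable module outside System32. The functions parse_lnk, suspicious_icon and build_lnk, the heuristic and the sample shortcuts are my own constructions; the field inspected is a simplification of how the real exploit shortcuts carried their path, so treat it as a triage aid rather than a signature.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # Shell Link CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # fixed StringData order
SAFE_ICON_EXT = (".ico", ".exe")
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_lnk(data):
    """Return (link_flags, icon_index, string_data) from a Shell Link byte buffer."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = 76                                     # end of the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                       # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, key in STRING_FIELDS:
        if flags & bit:                          # count is in characters, not bytes
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return flags, icon_index, strings

def suspicious_icon(strings):
    """Heuristic (my own): Explorer would load a DLL/CPL-style module outside System32."""
    loc = strings.get("icon_location", "").lower()
    if not loc or loc.endswith(SAFE_ICON_EXT):
        return False
    return not loc.startswith(SYSTEM32)

def build_lnk(icon_location, icon_index=0, idlist=b""):
    """Construct a minimal Unicode .lnk (test data only) carrying an ICON_LOCATION string."""
    flags = HAS_ICON | IS_UNICODE | (HAS_IDLIST if idlist else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    return header + body + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")

if __name__ == "__main__":
    # Constructed samples: a benign Control Panel icon, and a shortcut whose icon "module"
    # is the file the slides name on the flash drive (drive letter made up).
    for label, path in (("benign", r"%SystemRoot%\System32\shell32.dll"),
                        ("stuxnet-style", r"E:\~WTR4141.tmp")):
        print(label, "suspicious" if suspicious_icon(parse_lnk(build_lnk(path))[2]) else "ok")
```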
Spreading Mechanism: Network
- Stuxnet spreads via the network by using 2 vulnerabilities:
  - CVE-2010-2729 (MS-10-061) - Windows Print Spooler Service vulnerability
  - CVE-2008-4250 (MS-08-067) - Windows Server Service NetPathCanonicalize() vulnerability
- The 1st vulnerability allows Stuxnet to infect PCs that share their printers
- The 2nd was used before by Conficker, and it allows Stuxnet to spread via network shares

Updating Mechanism
- Stuxnet updates itself via 2 websites:
  www.mypremierfutbol.com
  www.todaysfutbol.com
- On isolated machines, Stuxnet updates itself via a P2P connection
- The infected machines communicate over RPC
- This allows control of the ICS machines without a direct connection to the Internet

Rootkits
- A rootkit is a program (or tool) used by malware to hide its presence
- In Stuxnet, the rootkits hide the Stuxnet files on the infected USB flash memory
- Stuxnet has 2 Windows rootkits: a user-mode and a kernel-mode rootkit (the PLC rootkit is the third one listed in the overview)

User-Mode Rootkit
- Loaded by the LNK vulnerability
- Used only once, before infecting a machine
- It modifies the pointers to the file management APIs
- It changes the input or the output of these APIs
- It hides the Stuxnet files on the flash memory

Kernel-Mode Rootkit
- It's a device driver
- It's installed during the installation process of Stuxnet
- It's a simple file system filter
- It modifies the outputs and inputs of the file management functions inside the kernel

Loading Mechanism
There are two ways for Stuxnet to load:
1. WTR4141.TMP: loaded by the LNK vulnerability; it loads the main dropper of Stuxnet
2. MrxCls: a device driver; it injects Stuxnet into services.exe every time the system boots

Thank You
For any question, don't forget to mail me at: [email_address]
For more about me visit my website http://www.amrthabet.co.cc or my blog http://blog.amrthabet.co.cc