Nytro

Stuxnet - User/Kernel-Mode analysis


Today I'll be taking a look at Stuxnet, mostly at the kernel level (as usual) rather than at its impact in user mode. I'll still be going over a few user-mode things, since they tie in with the kernel-level discussion. I also won't go in depth on the ways Stuxnet uses its four-slot toolbelt of zero-day flaws, or on many of its other attack methods (network propagation, etc.); ESET, Symantec and others have done a fantastic job in that regard.

What is Stuxnet?

First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's really easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:

Confirmed: US and Israel created Stuxnet, lost control of it.

The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.

Obama Order Sped Up Wave of Cyberattacks Against Iran.

Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

US unleashed Stuxnet cyber war on Iran to appease Israel – report.

The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by Obama administration.

Snowden confirms NSA created Stuxnet with Israeli aid.

“The NSA and Israel wrote Stuxnet together,” Snowden told Applebaum in the interview that was carried out in May.

The big TLDR is here - Operation Olympic Games.

My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on. All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than it is to 'no'. The reason for this is due to the fact that Stuxnet as I discussed above used four zero-day flaws within Windows. It's a pretty big deal when malware exploits one zero-day flaw within the OS, but four is extremely high.

It's also pretty laughable to think that Stuxnet was created by amateurs not invested in any sort of organization regarding cyber warfare, etc of some sort, or amateurs in general. A lot of amateurs make malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some may lean towards no, and it's largely due to the fact that most cannot imagine the US and Israel working closely together to create something like Stuxnet.

I digress, and in any case I'm not here to discuss politics or debate the true creator(s), so let's get to what Stuxnet was primarily created for. Stuxnet is a worm developed to reach Siemens Step 7/WinCC engineering systems and, through them, the Siemens S7 PLCs that drive the frequency converters spinning the enrichment centrifuges; the PLC payload alters the drive frequencies while feeding normal-looking readings back to the operators, which is what ultimately led the centrifuges to destroy themselves. The malware obviously couldn't be sent to the air-gapped facilities directly, so this is where its USB attack vector comes into play, aimed at the contractors who serviced the plant: in other words, a supply chain attack:

So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That’s probably how Stuxnet infected the system.

In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges. In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.

User-Mode

Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.

Preexisting Process Inject

1. Allocates a memory buffer in the calling process into which the module to be loaded is copied.

2. Patches ntdll.dll in that process, hooking several of its exports, including:

  • ZwQueryAttributesFile.

  • ZwQuerySection.

Here's what a clean (unpatched) ntdll MZ header looks like:

[image: ntdll after, HEX and ASCII, 8 bytes]

The next dump shows a different kind of hook. This is the kernel's system service descriptor table (nt!KiServiceTable), so these are kernel-mode SSDT hooks that redirect a system call for every process on the box, as opposed to the per-process inline patches of ntdll described in step 2. Note that the listing gives the hook addresses but not the module that owns them:

ServiceDescriptor n°0

---------------------

ServiceTable : nt!KiServiceTable (804e26a8)

ParamTableBase : nt!KiArgumentTable (80510088)

NumberOfServices : 0000011c

Index Args Check System call

----- ---- ----- -----------

0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)

0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)

0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)

0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)

003F 0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)

0041 0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)

0044 0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)

0062 0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)

007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)

0080 0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)

00B1 0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)

00C1 0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)

00C8 0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)

00CC 0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)

00D5 0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)

00ED 0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)

00F7 0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)

00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)

0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)

[image: ntdll function hooks]

If we disassemble the hook address for nt!NtClose, we see it immediately jumps on to yet another address:

lkd> u 0xFFFFFFFFF8C5761C L1

f8c5761c e92d8b23fe jmp f6e9014e
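Since the dump above names the hook addresses but not their owners, here is an added example (my own code, not from the original post) that parses that SSDT listing, decodes the 5-byte `jmp rel32` exactly as WinDbg's `u` shows it, and resolves every address against a module map. The module ranges are constructed placeholders standing in for what `lm` would print on the infected VM; the driver entry is hypothetical and is not MRxCls' or MRxNet's real load address.

```python
import re
from collections import namedtuple

# Constructed module map. On a real target these ranges come from the
# WinDbg "lm" command; the driver entry is a placeholder, not the real
# load address of any Stuxnet component.
MODULES = [
    ("nt", 0x804D7000, 0x806E7000),               # assumed XP ntoskrnl range
    ("hal", 0x806E7000, 0x80707000),              # assumed
    ("example_hook.sys", 0xF8C50000, 0xF8C60000),  # hypothetical hooking driver
]

# One line of the listing, e.g.
# "0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)"
HOOK_RE = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{4})\s+(?P<args>[0-9A-Fa-f]{4})\s+HOOK->\s+"
    r"(?P<hook>[0-9A-Fa-f]{8})\s+#+\s+Original\s+->\s+"
    r"(?P<sym>\S+)\s+\((?P<orig>[0-9A-Fa-f]{8})\)"
)

Hook = namedtuple("Hook", "index symbol original target module")


def owner(addr, modules=MODULES):
    """Return the name of the module whose range contains addr, or None."""
    for name, start, end in modules:
        if start <= addr < end:
            return name
    return None


def decode_jmp_rel32(insn_addr, hex_bytes):
    """Decode an E9 rel32 jump (bytes as 'u' prints them) and return its target."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 5 or raw[0] != 0xE9:
        raise ValueError("not a 5-byte jmp rel32")
    rel = int.from_bytes(raw[1:], "little", signed=True)
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def parse_ssdt_hooks(text, modules=MODULES):
    """Turn the listing into Hook records, attributing each hook target to a module."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            target = int(m["hook"], 16)
            hooks.append(Hook(int(m["idx"], 16), m["sym"], int(m["orig"], 16),
                              target, owner(target, modules)))
    return hooks


def unattributed(hooks):
    """Hooks whose target lies outside every known module: look at these first."""
    return [h for h in hooks if h.module is None]


# A subset of the listing from the post.
SAMPLE = """\
0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)
"""

if __name__ == "__main__":
    for h in parse_ssdt_hooks(SAMPLE):
        print(f"{h.index:04X} {h.symbol:<28} -> {h.target:08x} [{h.module or '??'}]")
    # The stub at f8c5761c jumps on to f6e9014e (bytes e9 2d 8b 23 fe).
    final = decode_jmp_rel32(0xF8C5761C, "e92d8b23fe")
    print(f"trampoline target {final:08x} owned by {owner(final) or 'no known module'}")
```

With the constructed map, every hook stub resolves to the hypothetical driver, while the second-stage target f6e9014e resolves to nothing, which is the prompt to go and run `lm` against it on the real target.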

So nt!NtClose is redirected through a trampoline into another module: classic rootkit behaviour. What the listing doesn't tell us is which module owns f8c5761c and f6e9014e; on a live target, `lm` (or `!address`) against those addresses attributes the hook to a driver, and that's the first thing to check before blaming Stuxnet, because antivirus and HIPS drivers hook this same set of services. Let's go further and dump the IAT by loading notepad.exe into OllyDbg and viewing executable modules:

Address Section Type ( Name Comment

0100102C .text Import ( GDI32.AbortDoc

0100131C .text Import msvcrt._acmdln

0100132C .text Import msvcrt._adjust_fdiv

01001300 .text Import ( msvcrt._cexit

01001204 .text Import ( USER32.CharLowerW

01001244 .text Import ( USER32.CharNextW

010011C0 .text Import ( USER32.CharUpperW

01001248 .text Import ( USER32.CheckMenuItem

01001230 .text Import ( USER32.ChildWindowFromPoint

010012D0 .text Import ( comdlg32.ChooseFontW

0100124C .text Import ( USER32.CloseClipboard

010010F8 .text Import ( KERNEL32.CloseHandle

010012B8 .text Import WINSPOOL.ClosePrinter

010012E0 .text Import ( comdlg32.CommDlgExtendedError

010010EC .text Import ( KERNEL32.CompareStringW

0100133C .text Import ( msvcrt._controlfp

01001040 .text Import ( GDI32.CreateDCW

01001214 .text Import ( USER32.CreateDialogParamW

010010B4 .text Import ( KERNEL32.CreateFileMappingW

01001104 .text Import ( KERNEL32.CreateFileW

01001064 .text Import ( GDI32.CreateFontIndirectW

01001020 .text Import ( COMCTL32.CreateStatusWindowW

010011E0 .text Import ( USER32.CreateWindowExW

010012F4 .text Import ( msvcrt._c_exit

010011A4 .text Import ( USER32.DefWindowProcW

01001034 .text Import ( GDI32.DeleteDC

01001158 .text Import ( KERNEL32.DeleteFileW

01001068 .text Import ( GDI32.DeleteObject

010011A8 .text Import ( USER32.DestroyWindow

01001198 .text Import ( USER32.DialogBoxParamW

01001294 .text Import ( USER32.DispatchMessageW

0100117C .text Import ( SHELL32.DragAcceptFiles

01001174 .text Import ( SHELL32.DragFinish

01001178 .text Import ( SHELL32.DragQueryFileW

01001210 .text Import ( USER32.DrawTextExW

0100125C .text Import ( USER32.EnableMenuItem

0100120C .text Import ( USER32.EnableWindow

01001288 .text Import ( USER32.EndDialog

01001030 .text Import ( GDI32.EndDoc

01001028 .text Import ( GDI32.EndPage

01001054 .text Import ( GDI32.EnumFontsW

01001308 .text Import ( msvcrt._except_handler3

010012F0 .text Import ( msvcrt._exit

01001318 .text Import ( msvcrt.exit

0100111C .text Import ( KERNEL32.FindClose

01001120 .text Import ( KERNEL32.FindFirstFileW

010012C8 .text Import ( comdlg32.FindTextW

010010F4 .text Import KERNEL32.FoldStringW

0100114C .text Import ( KERNEL32.FormatMessageW

0100115C .text Import ( KERNEL32.GetACP

01001188 .text Import ( USER32.GetClientRect

01001114 .text Import ( KERNEL32.GetCommandLineW

010010C0 .text Import ( KERNEL32.GetCurrentProcess

0100110C .text Import ( KERNEL32.GetCurrentProcessId

0100108C .text Import ( KERNEL32.GetCurrentThreadId

01001238 .text Import ( USER32.GetCursorPos

010010A0 .text Import ( KERNEL32.GetDateFormatW

01001194 .text Import ( USER32.GetDC

010011E4 .text Import ( USER32.GetDesktopWindow

01001060 .text Import ( GDI32.GetDeviceCaps

0100122C .text Import ( USER32.GetDlgCtrlID

01001274 .text Import ( USER32.GetDlgItem

01001284 .text Import ( USER32.GetDlgItemTextW

01001124 .text Import ( KERNEL32.GetFileAttributesW

010010B0 .text Import ( KERNEL32.GetFileInformationByHandle

010012D4 .text Import ( comdlg32.GetFileTitleW

010011E8 .text Import ( USER32.GetFocus

010011B4 .text Import ( USER32.GetForegroundWindow

010011A0 .text Import ( USER32.GetKeyboardLayout

01001138 .text Import ( KERNEL32.GetLastError

010010D8 .text Import ( KERNEL32.GetLocaleInfoW

01001098 .text Import ( KERNEL32.GetLocalTime

01001320 .text Import msvcrt.__getmainargs

01001264 .text Import ( USER32.GetMenu

01001258 .text Import ( USER32.GetMenuState

010012A8 .text Import ( USER32.GetMessageW

010010CC .text Import ( KERNEL32.GetModuleHandleA

0100105C .text Import ( GDI32.GetObjectW

010012D8 .text Import ( comdlg32.GetOpenFileNameW

0100128C .text Import ( USER32.GetParent

010012B4 .text Import WINSPOOL.GetPrinterDriverW

01001110 .text Import ( KERNEL32.GetProcAddress

010012E4 .text Import ( comdlg32.GetSaveFileNameW

010010D0 .text Import ( KERNEL32.GetStartupInfoA

01001058 .text Import ( GDI32.GetStockObject

01001260 .text Import ( USER32.GetSubMenu

010011CC .text Import ( USER32.GetSystemMenu

0100121C .text Import ( USER32.GetSystemMetrics

010010B8 .text Import ( KERNEL32.GetSystemTimeAsFileTime

0100103C .text Import ( GDI32.GetTextExtentPoint32W

01001048 .text Import ( GDI32.GetTextFaceW

0100106C .text Import ( GDI32.GetTextMetricsW

01001090 .text Import ( KERNEL32.GetTickCount

010010A4 .text Import KERNEL32.GetTimeFormatW

0100109C .text Import ( KERNEL32.GetUserDefaultLCID

01001150 .text Import KERNEL32.GetUserDefaultUILanguage

01001270 .text Import ( USER32.GetWindowLongW

010011BC .text Import ( USER32.GetWindowPlacement

01001218 .text Import ( USER32.GetWindowTextW

010010D4 .text Import ( KERNEL32.GlobalFree

010010A8 .text Import ( KERNEL32.GlobalLock

010010AC .text Import ( KERNEL32.GlobalUnlock

01001324 .text Import msvcrt._initterm

01001224 .text Import ( USER32.InvalidateRect

01001250 .text Import ( USER32.IsClipboardFormatAvailable

010012A0 .text Import ( USER32.IsDialogMessageW

010011B8 .text Import ( USER32.IsIconic

0100100C .text Import ADVAPI32.IsTextUnicode

01001304 .text Import ( msvcrt.iswctype

010011C8 .text Import ( USER32.LoadAcceleratorsW

010011D8 .text Import ( USER32.LoadCursorW

010011EC .text Import ( USER32.LoadIconW

010011D4 .text Import ( USER32.LoadImageW

010010C8 .text Import ( KERNEL32.LoadLibraryA

010011C4 .text Import ( USER32.LoadStringW

010010E0 .text Import ( KERNEL32.LocalAlloc

010010DC .text Import ( KERNEL32.LocalFree

010010F0 .text Import ( KERNEL32.LocalLock

01001148 .text Import ( KERNEL32.LocalReAlloc

01001134 .text Import ( KERNEL32.LocalSize

010012FC .text Import ( msvcrt.localtime

010010E8 .text Import ( KERNEL32.LocalUnlock

01001074 .text Import ( GDI32.LPtoDP

01001118 .text Import ( KERNEL32.lstrcatW

01001108 .text Import ( KERNEL32.lstrcmpiW

01001128 .text Import ( KERNEL32.lstrcmpW

01001130 .text Import ( KERNEL32.lstrcpynW

010010FC .text Import ( KERNEL32.lstrcpyW

010010E4 .text Import ( KERNEL32.lstrlenW

01001168 .text Import ( KERNEL32.MapViewOfFile

010011AC .text Import ( USER32.MessageBeep

01001268 .text Import ( USER32.MessageBoxW

0100739D .text Export <ModuleEntryPoint>

01001220 .text Import ( USER32.MoveWindow

0100112C .text Import ( KERNEL32.MulDiv

01001164 .text Import ( KERNEL32.MultiByteToWideChar

01001254 .text Import ( USER32.OpenClipboard

010012BC .text Import WINSPOOL.OpenPrinterW

010012C4 .text Import comdlg32.PageSetupDlgW

01001208 .text Import ( USER32.PeekMessageW

010012A4 .text Import ( USER32.PostMessageW

010011F4 .text Import ( USER32.PostQuitMessage

010012CC .text Import comdlg32.PrintDlgExW

01001330 .text Import msvcrt.__p__commode

01001334 .text Import msvcrt.__p__fmode

01001094 .text Import ( KERNEL32.QueryPerformanceCounter

01001100 .text Import ( KERNEL32.ReadFile

01001004 .text Import ( ADVAPI32.RegCloseKey

01001008 .text Import ( ADVAPI32.RegCreateKeyW

010011D0 .text Import ( USER32.RegisterClassExW

010011F8 .text Import ( USER32.RegisterWindowMessageW

01001014 .text Import ( ADVAPI32.RegOpenKeyExA

01001010 .text Import ( ADVAPI32.RegQueryValueExA

01001000 .text Import ( ADVAPI32.RegQueryValueExW

01001018 .text Import ( ADVAPI32.RegSetValueExW

01001190 .text Import ( USER32.ReleaseDC

010012DC .text Import ( comdlg32.ReplaceTextW

01001234 .text Import ( USER32.ScreenToClient

01001084 .text Import ( GDI32.SelectObject

0100123C .text Import ( USER32.SendDlgItemMessageW

01001240 .text Import ( USER32.SendMessageW

01001044 .text Import ( GDI32.SetAbortProc

0100119C .text Import ( USER32.SetActiveWindow

01001070 .text Import ( GDI32.SetBkMode

0100118C .text Import ( USER32.SetCursor

0100127C .text Import ( USER32.SetDlgItemTextW

01001154 .text Import ( KERNEL32.SetEndOfFile

01001278 .text Import ( USER32.SetFocus

01001140 .text Import ( KERNEL32.SetLastError

01001080 .text Import ( GDI32.SetMapMode

01001200 .text Import ( USER32.SetScrollPos

010010C4 .text Import ( KERNEL32.SetUnhandledExceptionFilter

01001328 .text Import msvcrt.__setusermatherr

0100107C .text Import ( GDI32.SetViewportExtEx

01001078 .text Import ( GDI32.SetWindowExtEx

0100126C .text Import ( USER32.SetWindowLongW

010011DC .text Import ( USER32.SetWindowPlacement

010011F0 .text Import ( USER32.SetWindowTextW

010012AC .text Import ( USER32.SetWinEventHook

01001338 .text Import msvcrt.__set_app_type

01001180 .text Import ( SHELL32.ShellAboutW

010011B0 .text Import ( USER32.ShowWindow

01001314 .text Import ( msvcrt._snwprintf

01001050 .text Import ( GDI32.StartDocW

01001038 .text Import ( GDI32.StartPage

010010BC .text Import ( KERNEL32.TerminateProcess

0100104C .text Import ( GDI32.TextOutW

010012F8 .text Import ( msvcrt.time

0100129C .text Import ( USER32.TranslateAcceleratorW

01001298 .text Import ( USER32.TranslateMessage

0100116C .text Import ( KERNEL32.UnhandledExceptionFilter

01001290 .text Import ( USER32.UnhookWinEvent

01001160 .text Import ( KERNEL32.UnmapViewOfFile

010011FC .text Import ( USER32.UpdateWindow

01001310 .text Import ( msvcrt.wcsncmp

01001340 .text Import ( msvcrt.wcsncpy

01001144 .text Import ( KERNEL32.WideCharToMultiByte

01001228 .text Import ( USER32.WinHelpW

0100113C .text Import ( KERNEL32.WriteFile

01001280 .text Import ( USER32.wsprintfW

0100130C .text Import ( msvcrt._wtol

010012EC .text Import msvcrt._XcptFilter

The Import Address Table (IAT) is a table of function pointers, one per imported API, that the loader fills in with the real addresses when the module is mapped. Compiled code cannot know where the DLLs it depends on will end up, so every API call goes through the IAT indirectly, either as `call [iat_entry]` or via a small `jmp [iat_entry]` thunk; that indirection is also why IAT entries are such a popular hooking point.

In the listing above we can see notepad's import of USER32.GetKeyboardLayout. That's an ordinary import (it wraps the NtUserGetKeyboardLayout win32k syscall) and has nothing to do with the infection. The entry point relevant to Stuxnet's keyboard-layout privilege escalation (CVE-2010-2743, MS10-073) is win32k!NtUserLoadKeyboardLayoutEx, reached through LoadKeyboardLayout, which notepad doesn't import. That flaw was one of Stuxnet's two local privilege-escalation zero-days (the other being the Task Scheduler bug, CVE-2010-3338); the remaining two zero-days, the .LNK shortcut flaw (CVE-2010-2568) and the Print Spooler flaw (CVE-2010-2729), were used for propagation rather than for reaching ring 0.

I would have loved to set a breakpoint on win32k!NtUserLoadKeyboardLayoutEx and trace the malware as it's extremely interesting, but setting breakpoints is not possible on an LKD session. I would have needed to break in to another physical machine (which I don't have), or set up a host > virtual COM port, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.

3. Calls LoadLibraryW (exported from kernel32.dll) with a specially crafted file name such as KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. No such file exists on disk: the ntdll hooks from step 2 recognise the name, report that the file is present, and hand the loader a section backed by the buffer from step 1, so the module is mapped from memory without ever touching the disk. Below we can see an example of a KERNEL32 variant:

[image: KERNEL32.DLL.ASLR]

4. Calls the desired exported function.

5. Calls FreeLibrary to unload the module.

New Process Inject

The second method of injection creates a new host process and replaces its image, as such:

1. Creates host process.

2. Replaces the process image with the Stuxnet module to execute, plus a small loader stub that will load the module and call a specified export with the given parameters.

There are a few different image names that can be chosen as the host process for the module. Note that almost all of them belong to security products, so the Stuxnet module ends up masquerading as the very software that would be looking for it:

  • lsass.exe - MSFT system process in charge of enforcing the security policy.

  • avp.exe - Kaspersky.

  • mcshield.exe - McAfee VirusScan.

  • avguard.exe - Avira Personal Edition.

  • bdagent.exe - Bitdefender Switch Agent.

  • UmxCfg.exe - eTrust Configuration Engine (HIPS).

  • fsdfwd.exe - F-Secure.

  • rtvscan.exe - Symantec Real time Virus Scan Service.

  • ccSvchst.exe - Symantec Service Framework.

  • ekrn.exe - ESET Service Process.

  • tmproxy.exe - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).

Malware Execution and Infection

First of all, to even get the sample to run you need to set your system time to before June 24th, 2012. Stuxnet carries a hard-coded cut-off date (its "poison pill") after which it stops infecting new removable drives; it doesn't actually delete itself, the pill is just a date check, which is why the sample needs an earlier clock. This was most likely done with the original idea in mind that Stuxnet wouldn't escape the nuclear facilities, and would stop spreading before there was time for it to be reversed and ultimately defeated.

This piece of malware wanted to stay inside nuclear facilities, target Siemens systems, cause large actual damage, spread to cause more damage, and then go ghost. Fortunately, it did happen to escape its intended environment (some even speculate deliberately) and was inevitably reversed and defeated long before its hard-coded deletion date.

First of all, let's take a pre-infection look at the system with Autoruns + Process Explorer:

[image: autoruns before]

(Ignore the file not found messages)

Note the checked filter options > Verify code signatures + Hide Microsoft entries.

[image: process explorer before]

Everything looks to be pretty normal, and nothing really out of the ordinary. We can see we have one instance of lsass.exe.

Now let's turn things up a bit by executing the malware, and then comparing our results from pre-infection:

[image: autoruns after]

We can see now within Autoruns we have two new services, MRxCls and MRxNet. These are Stuxnet's two kernel-mode drivers, and they split the rootkit work between them: MRxCls is the loader, which at boot injects the main Stuxnet DLL into the target processes named in its (encrypted) registry configuration, while MRxNet is a file-system filter driver that hides Stuxnet's files (the .lnk exploit files and the ~WTR4132.tmp/~WTR4141.tmp droppers) on removable drives.

One big thing about malware that surfaces in the public media (for whatever reason; we'll assume popularity/intention) is that journalists love to spin it and attach awkward buzzwords: Undefeatable, The Most Sophisticated Malware, etc. Was Stuxnet an elaborate piece of code? Yes, absolutely. Not only was knowledge of your typical rootkit/Windows development needed, but heavy reverse-engineering knowledge of the Siemens software was necessary as well.

However, one of Stuxnet's biggest weak points was its near-total lack of anti-debugging and anti-reversing techniques. There's no code virtualisation or other obfuscation, the drivers aren't packed, and you can literally use the default regedit to find the locations of both MRxCls and MRxNet. For example:

[image: MRxCls regedit]

[image: MRxNet regedit]

This led Stuxnet to be something of a joke among some reverse engineers and analysts, even more so if you believe it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths at all to hide its malware, but then again you never really know, right? : ) I'll continue the discussion of its kernel-mode functionality a little later, as I'd like to swing back to user mode real quick.

I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress; I used VMMap instead:

[image: vmmap, 3 lsass.exe, after]

We can see there are now three instances of lsass.exe, two of which are fake (newly created host processes). So first off, which is our legitimate lsass.exe? Two of the three have PIDs in the 1xxx range, i.e. they were created long after the boot-time system processes, so let's start from the assumption that the one with the low PID is the real one. (A more reliable check is the parent: on XP the real lsass.exe is a child of winlogon.exe, on Vista and later of wininit.exe, and there is exactly one of it.)

[image: lsass.exe legit (pid 648) after]

If we sort by the Protection column, we can see the executable regions are Execute/Read, which doesn't raise any red flags. Let's assume for the moment this is legitimate and take a look at another one:

[image: lsass.exe fake #1 (pid 1812) after]

Uh oh: this instance has two shareable regions with Write permission in addition to Execute and Read. Memory that is writable and executable at the same time is a strong indicator of injected or self-modifying code, because compilers don't produce it and a process like lsass.exe has no legitimate need for it. Note also that Size, Committed and Total Working Set are all equal for these regions: the whole block was written and touched in one go, which is what a module copied into memory looks like, as opposed to a demand-paged image. We can now determine that PID 648 is legitimate and PID 1812 is fake, and we can assume PID 1840 is fake as well:

[image: lsass.exe fake #2 (pid 1840) after]

Yep! In this case we have five shareable regions with R/W/E permissions, and ntdll itself mapped with R/W/E as well. Note again that Size, Committed and Total Working Set are equal. At this point we can fully determine that 1812 and 1840 are our fake lsass.exe instances, and the writable ntdll in 1840 is the patching of ntdll from step 2 of the injection sequence showing up directly.
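The host-process list earlier, together with the "which lsass.exe is real" question just answered by hand, suggests a triage routine: a singleton system process that has more than one instance, the wrong parent, or the wrong image path is the fake. This is an added example (my code, not the post's) run over a constructed process list modelled on the VM above; the PIDs other than 648/1812/1840, the parents and the paths are made up for the example. On a live system the rows would come from Process Explorer, `tasklist`/WMI, or Volatility's pslist on a memory image.

```python
from collections import Counter

# Image names Stuxnet may pick as a host process (the list from the post).
STUXNET_HOST_IMAGES = {
    "lsass.exe", "avp.exe", "mcshield.exe", "avguard.exe", "bdagent.exe",
    "umxcfg.exe", "fsdfwd.exe", "rtvscan.exe", "ccsvchst.exe", "ekrn.exe",
    "tmproxy.exe",
}

# Singleton system processes and the only parents that legitimately start them
# (winlogon.exe on XP, wininit.exe on Vista and later).
EXPECTED_PARENT = {"lsass.exe": {"winlogon.exe", "wininit.exe"}}
EXPECTED_PATH = {"lsass.exe": r"c:\windows\system32\lsass.exe"}


def triage(processes):
    """Return ({pid: [reasons]}, {name: count}): suspicious processes, duplicated singletons."""
    by_pid = {p["pid"]: p for p in processes}
    counts = Counter(p["name"].lower() for p in processes)
    suspicious = {}
    for p in processes:
        name = p["name"].lower()
        reasons = []
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p["ppid"])
            pname = parent["name"].lower() if parent else None
            if pname not in EXPECTED_PARENT[name]:
                reasons.append(f"parent is {pname or 'unknown (exited?)'}, "
                               f"expected one of {sorted(EXPECTED_PARENT[name])}")
        if name in EXPECTED_PATH and p["path"].lower() != EXPECTED_PATH[name]:
            reasons.append(f"image path {p['path']} is not {EXPECTED_PATH[name]}")
        if reasons:
            suspicious[p["pid"]] = reasons
    duplicates = {n: c for n, c in counts.items() if n in EXPECTED_PARENT and c > 1}
    return suspicious, duplicates


def host_candidates(processes):
    """PIDs whose image name is on Stuxnet's host list: examine these first."""
    return sorted(p["pid"] for p in processes if p["name"].lower() in STUXNET_HOST_IMAGES)


# Constructed snapshot of the infected VM (only 648/1812/1840 come from the post).
SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 376,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\WINDOWS\system32\smss.exe"},
    {"pid": 600,  "ppid": 376,  "name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 636,  "ppid": 600,  "name": "services.exe", "path": r"C:\WINDOWS\system32\services.exe"},
    {"pid": 648,  "ppid": 600,  "name": "lsass.exe",    "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1540, "ppid": 1500, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1812, "ppid": 1540, "name": "lsass.exe",    "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1840, "ppid": 1812, "name": "lsass.exe",    "path": r"C:\WINDOWS\system32\lsass.exe"},
]

if __name__ == "__main__":
    suspicious, duplicates = triage(SNAPSHOT)
    print("host-list candidates:", host_candidates(SNAPSHOT))
    print("duplicated singletons:", duplicates)
    for pid, reasons in suspicious.items():
        print(pid, "->", "; ".join(reasons))
```

The path check matters because the fake instances here reuse the real path; the parent check is what separates them, and it still works when the fakes are spawned with a PID lower than the real one.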

Let's further compare the three images based on their strings:

[image: strings, lsass.exe legit (pid 648) after]

(PID 648 - legit)

[image: strings, lsass.exe fake #1 (pid 1812) after, top]

(PID 1812 - fake #1)

Note we have quite a few changes here, the most important being "This program cannot be run in DOS mode." That is the DOS stub message every PE executable carries right after its MZ header (the MZ signature is the bytes 4D 5A). Seeing it in the process's memory outside any legitimately mapped module means a complete PE image, headers included, has been written into the process, which is exactly what a DLL mapped from memory looks like. Let's take a look at the bottom of the string list:

[image: strings, lsass.exe fake #1 (pid 1812) after, bottom]

(PID 1812 - fake #1)

We can see a number of functions, such as InternetOpen, that you would not expect LSASS to be using. We can at this point determine the DLL was successfully injected into this image of lsass.exe.

We can of course expect similar results with PID 1840:

[image: strings, lsass.exe fake #2 (pid 1840) after, top]

(PID 1840 - fake #2)

We can also see abnormal termination of the NT Kernel, as well as a jmp:

[image: ntoskrnl abnormal termination]

Another big red flag of a malformed image.
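Putting the two VMMap observations into one check: writable-and-executable regions, and a PE header (with its DOS stub string) inside a region that isn't a mapped image. This added example, mine rather than the post's, walks a list of memory regions of the kind VirtualQueryEx returns and flags both conditions; Volatility's malfind plugin does the same job against a memory dump. The regions and their contents are constructed for the example, and the PE header is a minimal hand-built one with placeholder values.

```python
# Win32 protection and region-type constants (MEMORY_BASIC_INFORMATION).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

WX_PROTECTIONS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def parse_pe_header(buf):
    """Minimal PE sniff: MZ, e_lfanew, PE signature, then Machine and NumberOfSections."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return {
        "e_lfanew": e_lfanew,
        "machine": int.from_bytes(buf[e_lfanew + 4:e_lfanew + 6], "little"),
        "sections": int.from_bytes(buf[e_lfanew + 6:e_lfanew + 8], "little"),
        "dos_stub": DOS_STUB_MSG in buf[:e_lfanew],
    }


def scan_regions(regions):
    """Return [(base, [reasons])] for regions that look injected or tampered with."""
    findings = []
    for r in regions:
        reasons = []
        if r["protect"] in WX_PROTECTIONS:
            kind = "image section" if r["type"] == MEM_IMAGE else "non-image region"
            reasons.append(f"writable and executable {kind}")
        pe = parse_pe_header(r["data"])
        if pe and r["type"] != MEM_IMAGE:
            reasons.append(f"PE header (machine {pe['machine']:#x}, "
                           f"{pe['sections']} sections) outside any mapped image")
        if reasons:
            findings.append((r["base"], reasons))
    return findings


def build_pe_header(sections=3, size=0x400):
    """Hand-built header: DOS header, stub message, PE signature, start of COFF header."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew
    buf[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x84:0x86] = (0x14C).to_bytes(2, "little")         # IMAGE_FILE_MACHINE_I386
    buf[0x86:0x88] = sections.to_bytes(2, "little")
    return bytes(buf)


# Constructed regions for one lsass.exe instance (addresses are placeholders).
REGIONS = [
    # ntdll mapped normally: image, execute/read, headers intact
    {"base": 0x7C900000, "size": 0x1000, "type": MEM_IMAGE,
     "protect": PAGE_EXECUTE_READ, "data": build_pe_header()},
    # a code page of ntdll that has been made writable and patched
    {"base": 0x7C901000, "size": 0x1000, "type": MEM_IMAGE,
     "protect": PAGE_EXECUTE_READWRITE, "data": bytes(0x400)},
    # the process heap: private, read/write, no PE header
    {"base": 0x00090000, "size": 0x10000, "type": MEM_PRIVATE,
     "protect": PAGE_READWRITE, "data": bytes(0x400)},
    # a manually mapped DLL: private, RWX, full PE header present
    {"base": 0x00360000, "size": 0x3A000, "type": MEM_PRIVATE,
     "protect": PAGE_EXECUTE_READWRITE, "data": build_pe_header(sections=5)},
]

if __name__ == "__main__":
    for base, reasons in scan_regions(REGIONS):
        print(f"{base:08x}: " + "; ".join(reasons))
```

The normally mapped ntdll and the heap produce nothing, the patched ntdll page is reported for its protection alone, and the manually mapped module is reported twice over, which is the pattern the two fake lsass.exe instances showed above.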

Let's head back to our kernel-mode drivers, MRxCls and MRxNet. As noted above, neither driver is packed or wrapped in a protector, so inspecting them in depth is painless.

First off, both drivers were digitally signed, and the signature was not a forgery: it was made with a genuine code-signing certificate stolen from Realtek Semiconductor (issued by VeriSign), and later samples carried a certificate stolen from JMicron. Because the chain was valid, the signature checked out, which is precisely what let the drivers load on 64-bit Windows, where unsigned kernel code is refused. For example:

[image: mrxcls digital signature]

We can see MRxCls carries a VeriSign-issued signature in Realtek's name. Realtek is obviously a legitimate company that ships lots of software and drivers for its products (audio, network), so this would reassure a user who ever questioned the legitimacy of the apparent MRxCls/MRxNet drivers. VeriSign revoked the Realtek certificate in July 2010, after the samples had been analysed.

Using SwishDbgExt, let's dump the root of the object manager namespace:

lkd> !ms_object

Object: \ (Directory)

|------|----------------------|--------------------|---------------------------------------------------------------------------|

| Hdle | Object Type | Addr | Name |

|------|----------------------|--------------------|---------------------------------------------------------------------------|

| 0000 | Directory | 0xFFFFFFFFE100D748 | ArcName |

| 0000 | Device | 0xFFFFFFFF821C75C0 | Ntfs |

| 0000 | Port | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort |

| 0000 | Key | 0xFFFFFFFFE1010478 | \REGISTRY |

| 0000 | Port | 0xFFFFFFFFE186B9E8 | ThemeApiPort |

| 0000 | Port | 0xFFFFFFFFE1B05230 | XactSrvLpcPort |

| 0000 | Directory | 0xFFFFFFFFE15AA4B8 | NLS |

| 0000 | SymbolicLink | 0xFFFFFFFFE1008748 | DosDevices |

| 0000 | Port | 0xFFFFFFFFE13D4B68 | SeRmCommandPort |

| 0000 | Port | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort |

| 0000 | Device | 0xFFFFFFFF82063A90 | Dfs |

| 0000 | Event | 0xFFFFFFFF821EF5C0 | |

| 0000 | Directory | 0xFFFFFFFFE100E838 | Driver

\Driver is the object-manager directory that holds every loaded driver's driver object, so it's where both Stuxnet drivers should show up. Let's take a look:

lkd> !ms_object 0xFFFFFFFFE100E838

Object: Driver (Directory)

|------|----------------------|--------------------|---------------------------------------------------------------------------|

| Hdle | Object Type | Addr | Name |

|------|----------------------|--------------------|---------------------------------------------------------------------------|

| 0000 | Driver | 0xFFFFFFFF8231ECC0 | \Driver\Beep |

| 0000 | Driver | 0xFFFFFFFF821C72C0 | \Driver\NDIS |

| 0000 | Driver | 0xFFFFFFFF821D39C0 | \Driver\KSecDD |

| 0000 | Driver | 0xFFFFFFFF82198F38 | \Driver\Mouclass |

| 0000 | Driver | 0xFFFFFFFF82245410 | \Driver\Raspti |

| 0000 | Driver | 0xFFFFFFFF81F18768 | \Driver\es1371 |

... |

| 0000 | Driver | 0xFFFFFFFF81EA2880 | \Driver\MRxCls |

| 0000 | Driver | 0xFFFFFFFF821DE4A0 | \Driver\PCnet |

| 0000 | Driver | 0xFFFFFFFF81F0FAE8 | \Driver\MRxNet

Let's dump the driver object information for MRxNet:

lkd> !drvobj 81f0fae8

Driver object (81f0fae8) is for:

\Driver\MRxNet

Driver Extension List: (id , addr)

Device Object list:

820ee288 81f10020 81ebac80 82136298

82302298 82339be0 821bb500 821996c0

821bc238 8224a9d0

We can see MRxNet owns a whole list of device objects (ten here), one for each file-system device it has attached to, so let's check one:

lkd> !devobj 81ebac80

Device object (81ebac80) is for:

\Driver\MRxNet DriverObject 81f0fae8

Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080

DevExt 81ebad38 DevObjExt 81ebad40

ExtensionFlags (0000000000)

AttachedTo (Lower) 821d4450 \FileSystem\Cdfs

MRxNet is a file-system filter driver. For each file-system device it wants to watch it creates a device object of its own and attaches it on top of the target's device stack; here it has attached to cdfs.sys, the CD-ROM file system. It does the same for ntfs.sys and fastfat.sys, i.e. every file system a removable drive or CD might use. Once attached, every IRP headed for the lower file system passes through MRxNet's dispatch routines first, which is what lets it intercept directory enumeration requests (IRP_MJ_DIRECTORY_CONTROL) and filter Stuxnet's own .lnk and ~WTR*.tmp files out of the results, hiding them from Explorer and from on-disk scanners.

Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the !dreg command, which displays formatted registry key information. Before we do this however, we need to load ntsdexts.dll, or we'll get the following:

lkd> !dreg System\CurrentControlSet\Services

No export dreg found

This is because ntsdexts.dll isn't in the extension DLL chain:

lkd> .chain

Extension DLL search Path:

C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

Extension DLL chain:

dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]

ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]

exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]

kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]

kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]

After loading it however with .load ntsdexts, we can then see it's in the list:

lkd> .chain

Extension DLL search Path:

C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

Extension DLL chain:

ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]

dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]

ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]

exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]

kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]

kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010

[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]

Let's now run !dreg again with our path to MRxCls:

lkd> !dreg System\CurrentControlSet\Services\MRxCls

Subkey: Enum

There it is, and we can see its subkey is Enum. We can confirm that looking back at the screenshot of its registry location above from earlier.

Here are the overall changes in the registry between the pre-infection and post-infection snapshots. One caveat on reading the report: the snapshots were compared in the wrong order (post-infection first), so everything labelled "deleted" below was in fact created by the infection. Also note that the ShellNoRoam\BagMRU entries at the bottom are just Explorer remembering folder view settings from the analysis session, not Stuxnet:

----------------------------------

Keys deleted: 23

----------------------------------

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control

HKLM\SYSTEM\ControlSet001\Services\MRxCls

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum

HKLM\SYSTEM\ControlSet001\Services\MRxNet

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell

----------------------------------

Values deleted: 110

----------------------------------

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data: (binary value; hex dump omitted)

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"

HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"

HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"

HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001

HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data: (binary value; hex dump omitted)

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ShowCmd: 0x00000001

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FFlags: 0x00000001

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\HotKey: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Buttons: 0xFFFFFFFF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Links: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Address: 0x00000000

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\MW\Lots of Stuxnet\snmw\malware.exe: "malware"

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\WinRAR\Interface\ShowPassword: 0x00000000

----------------------------------

Values modified: 17

----------------------------------

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5B 70 29 6B 9F F8 6B 2E 27 BB 05 43 02 B3 42 43 88 7C 39 EA 7C 8F C3 C1 DA 61 6A 7A 3D A9 27 BB 06 12 F2 A2 B5 89 09 83 C9 CE 03 F8 7F 6C 1E 79 D9 10 7D F0 29 05 03 B9 29 88 8C EC E2 3C CB 04 12 E3 E3 EC 8F E6 27 0A 15 A9 09 6C 29 34 89 55

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 53 06 23 D9 FE 36 71 5D D7 02 23 98 92 D3 0C AA 52 45 17 A4 D9 2B 2E E6 C7 C1 12 FE D2 A0 E1 8A 5F CF 23 E0 9B 16 74 7E DC 38 BF 7E D6 F0 9F 97 9A 5B C8 12 7C C2 9E CE EF 95 DE D1 60 56 23 7A 21 96 9C 23 E4 CF D9 77 67 97 F4 EA F1 0D 25 18

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: E3 F3 7F 0E 04 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 79 00 00 00 E0 8D E6 42 90 93 CA 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 77 00 00 00 A0 EC DC 76 81 FE CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 04 00 00 00 0B 00 00 00 00 54 07 85 81 FE CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 01 00 00 00 0B 00 00 00 60 F6 98 73 27 F4 CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4C 00 00 00 F0 8C 4C 41 90 93 CA 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4A 00 00 00 90 73 55 73 81 FE CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 08 00 00 00 E0 8D E6 42 90 93 CA 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 07 00 00 00 50 F6 45 98 7E FE CF 01

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): (binary value; hex dump omitted)

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): (binary value; hex dump omitted)

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 07 00 00 00 06 00 00 00 08 00 00 00 02 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 08 00 00 00 06 00 00 00 02 00 00 00 07 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: 00 00 00 00 FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 00 00 00 00 01 00 00 00 FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 23 70 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 23 70 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 E9 6C 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 E9 6C 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x00000049

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x0000002C

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x00000057

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x0000003A

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x00000369

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x0000034C

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x000002AF

HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x00000292

HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000002

HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000001

----------------------------------

Total changes: 150

----------------------------------

23 deleted keys, 110 values deleted, 17 values modified. Total = 150 changes.
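As an added example (not part of the original post), here is a small Python triage script for a Regshot-style report like the one above: it rebuilds each service's registration from the scattered `Services\<name>\<value>` lines, lists the kernel-driver services it finds with their start type and image path, and ROT13-decodes the XP UserAssist entries with their run count and FILETIME. The sample report is constructed from the MRxCls/MRxNet and UserAssist lines shown above plus a made-up Spooler entry as a benign user-mode control; Regshot labels its sections by the order the two snapshots were compared in, so the parser reads every section alike.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta

# Constructed sample in the Regshot text format used above. The MRxCls/MRxNet
# and UserAssist lines mirror the real report; the Spooler lines are made up
# as a benign, non-driver control entry.
SAMPLE_DIFF = r"""
----------------------------------
Values deleted: 11
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath: "%SystemRoot%\system32\spoolsv.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Type: 0x00000010
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
"""

SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\]+)\\(?P<val>[^\\]+)$", re.IGNORECASE)
USERASSIST_RE = re.compile(
    r"\\UserAssist\\\{[0-9A-F-]+\}\\Count\\(?P<name>.+)$", re.IGNORECASE)

# Win32 service Start and Type constants.
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
SERVICE_KERNEL_DRIVER = 0x1


def parse_entries(diff_text):
    """Yield (path, value) pairs from 'path: value' lines; skip headers and key-only lines."""
    for line in diff_text.splitlines():
        line = line.strip()
        if not line.startswith("HK"):
            continue
        path, sep, value = line.rpartition(": ")
        if sep:
            yield path, value


def parse_value(raw):
    """Turn Regshot's textual value into int (DWORD), str (SZ) or bytes (BINARY)."""
    raw = raw.strip()
    if raw.startswith("0x"):
        return int(raw, 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes(int(b, 16) for b in raw.split())
    except ValueError:
        return raw


def services_from_diff(diff_text):
    """Rebuild each service's registration from its scattered value lines."""
    services = {}
    for path, value in parse_entries(diff_text):
        m = SERVICE_RE.match(path)
        if m:
            services.setdefault(m.group("svc"), {})[m.group("val")] = parse_value(value)
    return services


def kernel_drivers(diff_text):
    """Triage records for every kernel-driver service present in the diff."""
    found = []
    for name, vals in services_from_diff(diff_text).items():
        if vals.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        image = str(vals.get("ImagePath", ""))
        found.append({
            "service": name,
            "image_path": image,
            "start": START_TYPES.get(vals.get("Start"), "UNKNOWN"),
            # Built-in drivers are usually registered with a %SystemRoot%-relative
            # path; an absolute \??\ NT path is worth a second look by the analyst.
            "absolute_nt_path": image.startswith("\\??\\"),
        })
    return sorted(found, key=lambda r: r["service"])


def userassist_entries(diff_text):
    """Decode XP UserAssist names (ROT13) and the 16-byte session/count/FILETIME value."""
    out = []
    for path, value in parse_entries(diff_text):
        m = USERASSIST_RE.search(path)
        if not m:
            continue
        rec = {"name": codecs.decode(m.group("name"), "rot_13")}
        blob = parse_value(value)
        if isinstance(blob, bytes) and len(blob) == 16:
            session, count, filetime = struct.unpack("<IIQ", blob)
            rec.update(session=session, raw_count=count,
                       last_run_utc=datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10))
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in kernel_drivers(SAMPLE_DIFF) + userassist_entries(SAMPLE_DIFF):
        print(rec)
```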

Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, the network changes and attack methods, the other zero-day flaws, etc., but even so you can see that this is a pretty sophisticated piece of malware. However, as we have now seen, its biggest downfall was its complete lack of protection against reverse engineering.

The only personal explanation I have for this is that the creator(s) were either rushed to finish it by some deadline, so they focused on the main code more than on obfuscation, or they simply assumed it would never escape its originally intended environment, so reverse engineering would never be a concern.

References

Stuxnet Under the Microscope.

Analyzing a Stuxnet Infection with the Sysinternals Tools.

Posted by Patrick Barker at 2:58 PM

Source: Debugging and reverse engineering: Stuxnet - User/Kernel-Mode analysis

Posted (edited)

Oh, a 20-out-of-10 article that deserves to be read.

It took me about 3 hours, but it was worth it.

I should mention that on top of those 3 hours it took me another hour to understand everything, plus I read it twice.

Edited by Aerosol
