Main Stuxnet DLL: Installing Stuxnet into the Infected Machine

stuxnet_tweets_per-week2

When the main DLL begins the execution. It unupx itself (as the DLL is upxed) and then checks the configuration data of this stuxnet sample and checks the environment to choose if it will continue or exit from the beginning.

It checks if the configuration data is correct and recent and then it checks the admin rights. If it’s not running on administrator level, it uses one of two zero-day vulnerabilities to escalate the privileges and run in the administrator level.

CVE-2010-2743(MS-10-073) – Win32K.sys Keyboard Layout Vulnerability CVE-xxxx-xxxx(MS-xx-xxx) – Windows Task Scheduler Vulnerability

These two vulnerabilities allow the worm to escalate the privileges and run in a new process (“csrss.exe” in case of Win32K.sys) or as a new task in the Task Scheduler case.

It makes also some other checks like checking on 64bits or 32bits and so on.

After everything goes right and the environment is prepared to be infected by stuxnet, it injects itself into another process to install itself from that process. The injection begins by searching for an Antivirus application installed in the machine.

Depending on the antivirus application (AVP or McAfee or what?), stuxnet chooses the process to inject itself into. If there’s no antivirus program it chooses “lsass.exe”….

The Function #16 begins by checking the configuration data and be sure that everything is ready to begin the installation. And also, it checks if the there’s a value in the registry with this name “NTVDM TRACE” in

SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

And then, it checks if this value equal to “19790509”. This special number seems a date “May 9, 1979” and this date has a historical meaning “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community”….

Stuxnet_Malware_Analysis_Paper

Advertisements

One thought on “Main Stuxnet DLL: Installing Stuxnet into the Infected Machine

  1. […] Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s