Learn about the Rootkit.Win32.Stuxnet.a sample

Classified as a rootkit, it is designed to conceal the main objects and activities of the Windows system, such as files, folders and processes held in the memory of the infected computer. All of these are well hidden, and ordinary users cannot detect their presence. It is also equipped with sophisticated payload techniques to avoid detection by the current popular security programs and to extend its operating time while it continues to spread to other machines.

The first Rootkit.Win32.Stuxnet.a activity was detected on July 12, 2010 at 07:57 GMT; the sample was analyzed on July 12, 2010, and the official description was published on September 20, 2010. It is a Windows NT kernel-mode driver about 26616 bytes in size.

When executed on a victim's computer, it copies itself to the following file:

%System%\drivers\mrxcls.sys

To be loaded at system startup, it then creates the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description" = "MRXCLS"
"DisplayName" = "MRXCLS"
"ErrorControl" = dword:00000000
"Group" = "Network"
"ImagePath" = "\??\%System%\Drivers\mrxcls.sys"
"Start" = dword:00000001
"Type" = dword:00000001

It also drops the file %System%\drivers\mrxnet.sys, 17400 bytes in size (detected as Rootkit.Win32.Stuxnet.b), and creates the matching service key in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description" = "MRXCLS"
"DisplayName" = "MRXNET"
"ErrorControl" = dword:00000000
"Group" = "Network"
"ImagePath" = "\??\%System%\Drivers\mrxnet.sys"
"Start" = dword:00000001
"Type" = dword:00000001

and the following files, which store the rootkit's command line and its main encrypted data:

%WinDir%\inf\mdmcpq3.pnf - 4633 bytes
%WinDir%\inf\mdmeric3.pnf - 90 bytes
%WinDir%\inf\oem6c.pnf - 323848 bytes
%WinDir%\inf\oem7a.pnf - 498176 bytes

This rootkit primarily infiltrates and spreads via USB storage devices using the zero-day vulnerability CVE-2010-2568. At startup, code injected into services.exe monitors USB device connections on the system. Whenever a USB device is detected, it creates the following files on that device:

~wtr4132.tmp - 513536 bytes (detected as Trojan-Dropper.Win32.Stuxnet.a)

~wtr4141.tmp - 25720 bytes (detected as Trojan-Dropper.Win32.Stuxnet.b)

These DLLs are loaded onto the next computer automatically when the vulnerability is triggered there and install the rootkit on that system. In addition, shortcuts that trigger the vulnerability above are created on all partitions:

"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"

All of these files are 4171 bytes in size and are detected as Trojan.WinLnk.Agent.i. The vulnerability in the operating system is exploited as soon as the user opens and views the contents of the USB device, which starts another cycle of rootkit spreading.

Payload method:

The main purpose of this rootkit is to inject malicious code into processes and applications that the user starts. It then loads its DLL files and 'embeds' them into the following services:

svchost.exe
services.exe
lsass.exe

When this is complete, the DLLs appear in the module list under the names:

kernel32.dll.aslr.<rnd>
shell32.dll.aslr.<rnd>

where the parameter <rnd> is a decimal number. The injected code is stored, encrypted, in the file %WinDir%\inf\oem7A.PNF.

The injected code has the following main functions:

- A self-spreading mechanism via USB storage devices.

- Control of the Siemens Step7 system. To spread and quickly gain control of the system, it replaces the s7otbxsx.dll library that the s7tgtopx.exe process normally loads with its own copy, which intercepts the following API functions in order to simulate the different stages of the system:

s7_event
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_link_in
s7ag_read_szl
s7ag_test
s7blk_delete
s7blk_findfirst
s7blk_findnext
s7blk_read
s7blk_write
s7db_close
s7db_open
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg

This makes it easy to collect the necessary information about the system.

- Execution of SQL queries. The rootkit obtains a list of computers in the local network and checks whether Microsoft SQL Server, as used by the Siemens WinCC visualization system, is installed on them. If it finds such a server, the accompanying malware tries to connect and log in to the database with the account name WinCCConnect and the password 2WSXcder, and then requests data from the following tables:

MCPTPROJECT
MCPTVARIABLEDESC
MCPVREADVARPERCON

It also collects information from files with the following extensions:

*.S7P
*.MCP
*.LDF

These tables are used by Siemens Step7. The rootkit then continues to spread to other computers in the network in the same way.

- It then sends the stolen information to an address prepared by the attackers, in several types of encrypted packets.

- The rootkit drivers carry a digital signature issued to Realtek Semiconductor Corp.
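The WinCC database access described above uses a fixed account name, which gives defenders a simple detection handle: any login as that account from a host that is not a known WinCC or Step7 workstation deserves an alert. The following is an added example, not code from the original description or from Kaspersky, that parses SQL Server ERRORLOG login lines (the "Login succeeded/failed for user ... [CLIENT: ...]" format SQL Server writes) and reports logins by the watched account from clients outside an allowlist. The log lines, IP addresses and the allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# SQL Server ERRORLOG login lines, e.g.:
#   2010-07-15 10:22:01.15 Logon  Login succeeded for user 'X'. Connection made
#   using SQL Server authentication. [CLIENT: 10.0.0.5]
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<result>succeeded|failed) for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Account name hard-coded in the malware, as stated in the description above.
WATCHED_ACCOUNT = "WinCCConnect"


def parse_login_events(log_text):
    """Extract login events (timestamp, result, user, client) from ERRORLOG text."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(log_text, allowed_clients, account=WATCHED_ACCOUNT):
    """Logins (successful or failed) as the watched account from hosts that are
    not on the allowlist. Failed attempts are kept too: a wrong password from an
    unexpected host is an early sign of the probing described above."""
    return [
        e for e in parse_login_events(log_text)
        if e["user"].lower() == account.lower() and e["client"] not in allowed_clients
    ]


def summarize_by_client(events):
    """Count succeeded/failed attempts per client address for triage."""
    counts = defaultdict(lambda: {"succeeded": 0, "failed": 0})
    for e in events:
        counts[e["client"]][e["result"]] += 1
    return dict(counts)


# Constructed sample ERRORLOG excerpt (hosts and times are made up).
SAMPLE_LOG = """\
2010-07-15 10:22:01.15 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.20]
2010-07-15 10:22:05.40 Logon       Login failed for user 'WinCCConnect'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.77]
2010-07-15 10:22:06.02 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.77]
2010-07-15 10:23:11.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-07-15 10:24:00.00 spid12s     Starting up database 'CC_Project'.
"""

# Constructed allowlist: the WinCC server itself and its one engineering station.
ALLOWED_WINCC_CLIENTS = {"10.10.1.20", "<local machine>"}

if __name__ == "__main__":
    hits = find_suspicious_logins(SAMPLE_LOG, ALLOWED_WINCC_CLIENTS)
    for h in hits:
        print(f"{h['ts']}  {h['result']:9}  {h['user']}  from {h['client']}")
    print(summarize_by_client(hits))
```

SQL Server logs only failed logins by default; for the successful-login lines to appear in the ERRORLOG, login auditing must be set to record both failed and successful logins in the server's security properties. The same allowlist approach applies to query auditing for the MCPTPROJECT, MCPTVARIABLEDESC and MCPVREADVARPERCON tables.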

Removal instructions:

If your computer has been infected with this rootkit and your security program is not able to remove it, use the following method to remove the malicious programs completely:

Find and delete the rootkit files (listed below) on all partitions and USB devices.
Delete the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]

Continue to delete the following system files:

%System%\drivers\mrxnet.sys
%System%\drivers\mrxcls.sys
%WinDir%\inf\mdmcpq3.pnf
%WinDir%\inf\mdmeric3.pnf
%WinDir%\inf\oem6c.pnf
%WinDir%\inf\oem7a.pnf

Restart the computer and disable the display of shortcut icons in the file manager (Windows Explorer) to prevent further spread.

Delete the following files on the USB device:

"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
~wtr4132.tmp
~wtr4141.tmp

- Use a reputable security program such as Kaspersky Internet Security, BitDefender Security, Avira AntiVir Premium or Norton Internet Security.
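The persistence artifacts (driver files, service keys and .pnf files), the USB artifacts (the four shortcuts and the two ~wtr*.tmp droppers), the injected module names and the removal checklist above all reduce to one indicator set. The following is an added example, not code from the original description or from Kaspersky, that matches such a set against a snapshot of a host: a mapping of file paths to sizes (as a disk walk would produce), the list of installed service names, a listing of a removable drive, and the module names loaded in the injection targets. It works offline on the constructed snapshot embedded below; the %System% and %WinDir% values and the PIDs are assumptions for that sample, and a real run would feed in data collected from the machine being checked.

```python
import re

# Indicators transcribed from the description above; sizes are in bytes.
# Paths are compared case-insensitively after expanding %System% / %WinDir%.
HOST_FILES = {
    r"%system%\drivers\mrxcls.sys": 26616,
    r"%system%\drivers\mrxnet.sys": 17400,
    r"%windir%\inf\mdmcpq3.pnf": 4633,
    r"%windir%\inf\mdmeric3.pnf": 90,
    r"%windir%\inf\oem6c.pnf": 323848,
    r"%windir%\inf\oem7a.pnf": 498176,
}
SERVICE_NAMES = {"mrxcls", "mrxnet"}
REMOVABLE_FILES = {
    "copy of shortcut to.lnk": 4171,
    "copy of copy of shortcut to.lnk": 4171,
    "copy of copy of copy of shortcut to.lnk": 4171,
    "copy of copy of copy of copy of shortcut to.lnk": 4171,
    "~wtr4132.tmp": 513536,
    "~wtr4141.tmp": 25720,
}
# Injected DLLs are listed as kernel32.dll.aslr.<rnd> / shell32.dll.aslr.<rnd>;
# the description says <rnd> is decimal, hex digits are accepted to be safe.
INJECTED_MODULE = re.compile(r"^(kernel32|shell32)\.dll\.aslr\.[0-9a-f]+$", re.I)


def expand(path, env):
    """Expand %System%/%WinDir% from a caller-supplied mapping and lowercase."""
    out = path.lower()
    for name, value in env.items():
        out = out.replace("%" + name.lower() + "%", value.lower())
    return out


def check_host_files(file_index, env):
    """file_index maps full path -> size. One finding per indicator path that is
    present; a size mismatch is still reported, since variants differ in size."""
    index = {expand(p, env): s for p, s in file_index.items()}
    findings = []
    for ioc_path, ioc_size in HOST_FILES.items():
        full = expand(ioc_path, env)
        if full in index:
            findings.append({"path": full, "size": index[full],
                             "size_match": index[full] == ioc_size})
    return findings


def check_services(service_names):
    """Installed service names that match the rootkit's service keys."""
    return sorted(s for s in service_names if s.lower() in SERVICE_NAMES)


def check_removable(file_index):
    """Match by file name only: the shortcuts are dropped in the root of every
    partition, so the directory part carries no signal."""
    findings = []
    for path, size in file_index.items():
        name = path.replace("\\", "/").split("/")[-1].lower()
        if name in REMOVABLE_FILES:
            findings.append({"path": path, "size": size,
                             "size_match": size == REMOVABLE_FILES[name]})
    return findings


def check_modules(modules_by_pid):
    """modules_by_pid maps pid -> module names of svchost/services/lsass."""
    return [(pid, m) for pid, mods in modules_by_pid.items()
            for m in mods if INJECTED_MODULE.match(m)]


def scan(snapshot, env):
    return {
        "host_files": check_host_files(snapshot["files"], env),
        "services": check_services(snapshot["services"]),
        "removable": check_removable(snapshot["removable"]),
        "modules": check_modules(snapshot["modules"]),
    }


# Constructed snapshot standing in for a disk walk, service list, drive listing
# and module enumeration; sizes, PIDs and drive letters are made up.
SAMPLE_ENV = {"System": r"C:\Windows\System32", "WinDir": r"C:\Windows"}
SAMPLE_SNAPSHOT = {
    "files": {
        r"C:\Windows\System32\drivers\MRxCls.sys": 26616,
        r"C:\Windows\inf\oem7A.PNF": 498176,
        r"C:\Windows\inf\oem6C.PNF": 300000,   # present, but size differs
        r"C:\Windows\System32\drivers\tcpip.sys": 1000000,
    },
    "services": ["Tcpip", "MRxCls", "MRxNet"],
    "removable": {r"E:\Copy of Shortcut to.lnk": 4171,
                  r"E:\~WTR4132.tmp": 513536,
                  r"E:\report.docx": 20000},
    "modules": {"1044": ["ntdll.dll", "KERNEL32.DLL.ASLR.1234"],
                "600": ["ntdll.dll"]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_SNAPSHOT, SAMPLE_ENV), indent=2))
```

Because the driver hides its own files and services from a live system, the file and service inputs are most reliable when collected from offline media or from a boot environment rather than from the infected Windows session; the module check is the one input that a live snapshot of the three target processes can supply.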
