sinu
Thread author
- Stuxnet is the first digital weapon and, of all malware built on zero-day vulnerabilities, the one that has caused the most physical damage to equipment in the real world.
- It was first discovered in June 2010 and reportedly destroyed about a fifth of the centrifuges at the Iranian nuclear enrichment facility.
- It is also capable of updating itself: when a newer version reaches an infected system, it replaces the older version installed there. It communicates covertly with its command and control servers to report how far it has spread and which machines are affected, and to check for updates; in addition, infected machines exchange versions with each other through a built-in P2P mechanism, so the newest copy always wins. This updating is why several versions with different spreading mechanisms exist: the recent versions of Stuxnet spread through the "LNK vulnerability", whereas the older version used "Autorun.inf".
LNK Vulnerability:
On an infected Windows computer, Stuxnet copies its payload and the shortcut files onto every USB drive that is inserted. An interesting detail is that the copy on a drive will infect at most three machines before it stops spreading. If the drive is already infected by an older version, the drive's copy is updated to the newer version of Stuxnet for further infection. The LNK exploit package (MS10-046, CVE-2010-2568) consists of four files with the .lnk extension in addition to the Stuxnet DLL; the different shortcut files are needed to trigger the payload on different versions of Windows, and they fire as soon as Windows Explorer renders the drive's icons, so no click is required.
Autorun.inf :
An autorun.inf file instructs Windows to run a command automatically whenever the drive is inserted in a Windows machine (as long as AutoRun is enabled). Stuxnet's autorun.inf contains both the infection code and the commands that launch it: the executable data comes first and the [autorun] commands follow it at the end of the file. Because the Windows parser of autorun.inf skips lines it cannot interpret, the OS ignores the Stuxnet data portion of the file and still executes the commands that follow it.
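The two removable-media artefacts described above can be checked for directly. The following script is an added example (not Stuxnet code and not code from any vendor): it mimics the tolerant autorun.inf parsing just described, so that a file which is mostly executable bytes still yields an [autorun] section, flags such a file, and correlates a cluster of .lnk files in the drive root with a DLL/.tmp payload candidate. The sample drive layout, the file names used in it, the thresholds and the "rundll32" command are all constructed for the demonstration.

```python
"""Triage of a removable drive root for the two Stuxnet spreading artefacts
described above: an autorun.inf that carries executable data ahead of its
commands, and several .lnk shortcut files lying next to a DLL/.tmp payload.

Added example, not Stuxnet or vendor code. The sample layout, file names and
thresholds are assumptions made for the demonstration.
"""
import os
import re
import tempfile

LNK_CLUSTER_MIN = 2             # assumed: drive roots rarely hold several bare shortcuts
PAYLOAD_EXT = {".dll", ".tmp"}  # assumed extensions worth correlating with the shortcuts


def parse_autorun_like_windows(data: bytes) -> dict:
    """Mimic a tolerant INI reader: decode each line as best-effort text, keep
    only 'key=value' lines under a [section] header and silently skip the rest.
    That skipping is what lets a file that is mostly executable bytes still
    yield an [autorun] section with commands at its end."""
    section = None
    result = {}
    for raw in data.splitlines():
        line = raw.decode("latin-1").strip()
        m = re.fullmatch(r"\[([A-Za-z]+)\]", line)
        if m:
            section = m.group(1).lower()
            result.setdefault(section, {})
            continue
        if section and re.fullmatch(r"[A-Za-z]+=.*", line):
            key, _, value = line.partition("=")
            result[section][key.lower()] = value
    return result


def autorun_findings(path: str) -> list:
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    # A legitimate autorun.inf is short plain text; executable content shows
    # up as NUL bytes, an MZ header or sheer size.
    if b"\x00" in data or data[:2] == b"MZ" or len(data) > 4096:
        findings.append("autorun.inf contains binary data ahead of its commands")
    cmds = parse_autorun_like_windows(data).get("autorun", {})
    for key in ("open", "shellexecute"):
        if key in cmds:
            findings.append(f"autorun.inf {key}={cmds[key]}")
    return findings


def lnk_findings(root: str) -> list:
    names = os.listdir(root)
    lnks = [n for n in names if n.lower().endswith(".lnk")]
    payloads = [n for n in names if os.path.splitext(n)[1].lower() in PAYLOAD_EXT]
    if len(lnks) >= LNK_CLUSTER_MIN and payloads:
        return [f"{len(lnks)} shortcut files next to payload candidates {payloads}"]
    return []


def triage_drive(root: str) -> list:
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings += autorun_findings(autorun)
    findings += lnk_findings(root)
    return findings


def build_sample_drive(root: str) -> None:
    """Constructed sample layout (not real Stuxnet files): a fake executable
    blob followed by the commands a tolerant parser still honours, plus two
    shortcut stubs and a payload stand-in."""
    blob = b"MZ" + bytes(range(256)) * 8            # stand-in for executable bytes
    commands = b"\r\n[autorun]\r\nopen=rundll32.exe ~WTR4132.tmp,#1\r\n"
    with open(os.path.join(root, "autorun.inf"), "wb") as f:
        f.write(blob + commands)
    for name in ("Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"L\x00\x00\x00")               # truncated shortcut header
    with open(os.path.join(root, "~WTR4132.tmp"), "wb") as f:
        f.write(b"MZ")


def demo() -> list:
    """Build the constructed drive in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return triage_drive(root)


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

Pointing triage_drive() at the root of a mounted drive gives the same three kinds of finding on real media; the parser deliberately accepts any byte sequence, since the point of the Stuxnet trick is that a strict parser would have rejected the file while Windows did not.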
Network Shares:
Stuxnet can also use Windows shared folders to propagate itself across a LAN. It copies a dropper file to the remote computer and creates a scheduled task there to execute it.
Print Spooler Vulnerability:
Through the print spooler zero-day (MS10-061, CVE-2010-2729), Stuxnet copies itself to remote computers that share a printer and then executes the copy to infect them. In general the copy is written into the Windows system directory, and if the current user lacks sufficient rights a zero-day privilege escalation is used to complete the infection of the computer.
The Attack Phase:
Stuxnet consists of two modules: a user-mode module and a kernel-mode module.
User Module: This module contains several functions that carry out the following operations. First, Stuxnet injects its code into an already running process, so that the malware executes inside that process's address space. It then checks that it is running on a suitable platform and whether the machine is already infected; if the process does not have the administrative rights it needs, zero-day privilege-escalation vulnerabilities are used to obtain them. Finally it installs two kernel drivers, one that relaunches Stuxnet after a reboot and one that hides its files.
Kernel Module: The kernel module consists of two dropped driver files, Mrxcls.sys and Mrxnet.sys. Mrxcls.sys is the load-point driver: it reads its configuration from the registry, which tells it into which processes the Stuxnet code is to be injected, and performs that injection at boot. Mrxnet.sys is the rootkit driver that hides the Stuxnet files: it creates a device object and attaches it to the file system driver stack so that it can filter every directory listing result and strip the Stuxnet files from it.
How Stuxnet worked in the Iranian nuclear programme:
1) Infection: Stuxnet enters a system via a USB stick and proceeds to infect all machines running Microsoft Windows. By carrying a valid digital signature, made with code-signing certificates stolen from two legitimate hardware vendors, that makes its drivers appear to come from a trusted company, the worm evades automated detection systems.
2) Search: Stuxnet then checks whether a given machine is part of the targeted industrial control system made by Siemens (the Step 7 / WinCC software). Such systems were deployed in Iran to run the high-speed centrifuges that enrich nuclear fuel.
3) Update: If the system isn't a target, Stuxnet does nothing. If it is, the worm attempts to access the internet and download a more recent version of itself.
4) Compromise: The worm then compromises the target system's programmable logic controllers (PLCs), exploiting zero-day vulnerabilities: software weaknesses that have not yet been identified by security experts and therefore have no patch.
5) Control: At first Stuxnet only spies on the operation of the targeted system and records what normal readings look like; then it uses that information to take control of the centrifuges, making them spin themselves to failure.
6) Deceive and destroy: Meanwhile it feeds the recorded normal readings back to the outside controllers as false feedback, ensuring that the operators won't know what is going wrong until it is too late to do anything about it.
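Steps 5 and 6 are easiest to understand as one loop: spy first, then command something unsafe while replaying the recording to whoever is watching. The simulation below is an added example, not Stuxnet code and not a model of any real PLC program: the rotor model, the frequency values, the recording length and the "hooked controller" are assumptions chosen to show the mechanism, and the detection heuristic at the end (noisy sensor data never repeats exactly) is the kind of check an operator could add against this class of deception.

```python
"""Simulation of the spy -> control -> deceive phases described above.

Added example, not Stuxnet code. The rotor model, the sample values and the
'record then replay' controller are assumptions chosen to show the mechanism.
"""
import random

NOMINAL_HZ = 1064.0        # assumed normal rotor frequency
FAILURE_HZ = 1400.0        # assumed mechanical limit of the rotor
RECORD_SAMPLES = 20        # assumed length of the spying phase (cycles)


class Centrifuge:
    """Toy rotor: the speed moves halfway toward the commanded frequency each
    cycle, and the rotor is marked failed once it passes the limit."""

    def __init__(self, rng):
        self.rng = rng
        self.hz = NOMINAL_HZ
        self.failed = False

    def step(self, setpoint_hz):
        self.hz += 0.5 * (setpoint_hz - self.hz)
        if self.hz > FAILURE_HZ:
            self.failed = True
        # the sensor reports the real speed with a little noise
        return self.hz + self.rng.uniform(-0.5, 0.5)


class HonestPlc:
    """Normal controller: commands NOMINAL_HZ and reports the real sensor value."""

    def __init__(self, rotor):
        self.rotor = rotor

    def cycle(self):
        return self.rotor.step(NOMINAL_HZ)       # value shown on the operator's HMI


class HookedPlc:
    """Controller whose I/O is wrapped by the attacker.

    Phase 1 (spy): pass the normal command through and record what legitimate
    sensor data looks like.
    Phase 2 (control + deceive): drive the rotor past its limit but return the
    recorded normal readings, in a loop, to the HMI.
    """

    def __init__(self, rotor):
        self.rotor = rotor
        self.recorded = []
        self.replay_index = 0

    def cycle(self):
        if len(self.recorded) < RECORD_SAMPLES:
            reading = self.rotor.step(NOMINAL_HZ)
            self.recorded.append(reading)
            return reading
        self.rotor.step(FAILURE_HZ * 1.2)        # real command: spin past the limit
        fake = self.recorded[self.replay_index % RECORD_SAMPLES]
        self.replay_index += 1
        return fake                               # the HMI only ever sees the recording


def run(plc_class, cycles, seed=1):
    """Run one controller against a fresh rotor; return the rotor and the
    sequence of readings the HMI received."""
    rng = random.Random(seed)
    rotor = Centrifuge(rng)
    plc = plc_class(rotor)
    hmi = [plc.cycle() for _ in range(cycles)]
    return rotor, hmi


def looks_replayed(hmi_readings, period):
    """Detection heuristic: real noisy sensor data never repeats bit-for-bit.
    True if the last `period` readings equal the `period` readings before them."""
    if len(hmi_readings) < 2 * period:
        return False
    return hmi_readings[-period:] == hmi_readings[-2 * period:-period]


if __name__ == "__main__":
    rotor, hmi = run(HookedPlc, cycles=80)
    print("rotor failed:", rotor.failed)
    print("HMI max reading:", max(hmi))
    print("replay detected:", looks_replayed(hmi, RECORD_SAMPLES))
```

With the hooked controller the rotor fails within two attack cycles while every value the HMI receives stays within a hertz of nominal; the honest controller never fails and never trips the replay check. The heuristic assumes the attacker loops a fixed recording, which is the simplest form of the deception; a smarter replay with added noise would need a statistical comparison of the reported and the independently measured behaviour instead.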