This is how Stuxnet malware works

Poll: Was your PC infected with Stuxnet malware?

  • LNK Vulnerability: 0 votes (0.0%)
  • Autorun.inf: 1 vote (25.0%)
  • Both: 3 votes (75.0%)
  • Total voters: 4

sinu

Thread author
  • The first digital weapon ranks no. 1 among zero-day vulnerabilities when it comes to causing collateral damage to computers in the real world.
  • It was first discovered in June 2010 and reportedly destroyed 1/5th of the centrifugal pumps of the Iranian nuclear facility.
  • It is also capable of downloading auto-updates, which update an older version installed on a system. It recursively communicates with the command and control server covertly to pass on information about its spread, the devices affected and possible ways of getting updated. Stuxnet auto-updates via a built-in P2P network. This kind of auto-updating leads to different versions and different attack vectors. The recent version of Stuxnet uses "LNK vulnerabilities", whereas the older version uses "Autorun.inf".

LNK Vulnerability:
Stuxnet registers its code on an infected Windows computer; whenever a USB drive is inserted, Stuxnet automatically copies the code to the drive. A very interesting fact is that the code will work to infect any of three machines. If the drive is already infected, a new version of Stuxnet is updated to the drive for further infection. An LNK vulnerability contains four files with the .lnk extension in addition to the Stuxnet DLL, which are used to execute the payload in different versions of Windows.

Autorun.inf:
This is an autorun file which automatically runs the code on USB drives whenever the drive is inserted in a Windows machine. Here the command and code for infection are inserted and configured in the autorun.inf file. Hence the Windows OS ignores the Stuxnet data portion of the autorun.inf file.

Network Shares:
Stuxnet can use Windows shared folders to propagate itself in a LAN. It drops a dropper file and schedules it to execute on remote computers.

Print Spooler Vulnerabilities:
Stuxnet copies and shares itself to remote computers using these vulnerabilities and then executes itself to infect the remote computers. In general, Stuxnet replicates into two, then copies itself into the C:\windows\system folder with zero-day privilege escalation and infects the computer.


The Attack Phase:

Stuxnet consists of 2 modules: the user module and the kernel module.

User Module: In this module there are several functions to do the following operations. First, Stuxnet injects malware code into an actually running process; this results in the execution of the malware code in the target address space. Then it checks for the appropriate platform to execute the code; if the machine is already infected, zero-day vulnerabilities are used for escalating privileges. Finally it installs two kernel drivers, one for execution of Stuxnet after reboot and the other to hide the files.

Kernel Module: The kernel module consists of two dropped driver files, namely Mrxnet.sys and Mrxcls.sys. The latter is a driver that takes responsibility for reading the registry and contains information for injecting Stuxnet code. Mrxnet.sys is used to hide the Stuxnet files; it creates a device object and attaches it to the system object to monitor all the results.


How Stuxnet worked in the Iranian nuclear programme:

1) Infection: Stuxnet enters a system via USB stick and proceeds to infect all machines running Microsoft Windows. By brandishing a digital certificate that seems to show that it comes from a reliable company, the worm is able to evade automated detection systems.

2) Search: Stuxnet then checks whether a given machine is part of the targeted industrial control system made by Siemens. Such systems are deployed in Iran to run high-speed centrifuges that help to enrich nuclear fuel.

3) Update: If the system isn't a target, Stuxnet does nothing; if it is, the worm attempts to access the internet and download a more recent version of itself.

4) Compromise: The worm then compromises the target system's logic controllers, exploiting zero-day vulnerabilities: software weaknesses that haven't been identified by security experts.

5) Control: In the beginning Stuxnet spies on the operations of the targeted systems; then it uses the information it has gathered to take control of the centrifuges, making them spin themselves to failure.

6) Deceive and destroy: Meanwhile it provides false feedback to outside controllers, ensuring that they won't know what's going wrong until it's too late to do anything about it.


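The post above lists two removable-media propagation paths (an autorun.inf that carries a launch command while Windows skips the data appended to it, and a set of .lnk files sitting beside the worm's DLL on the drive root) and names the two dropped drivers, Mrxnet.sys and Mrxcls.sys. The script below is an added triage example, not code from the thread or from any Stuxnet analysis: it parses an autorun.inf the way an INI parser would (counting what it skips), looks for a shortcut cluster next to a PE file on a drive root, and checks a drivers directory for the two names. The sample drive it builds (file names such as payload.tmp and Copy0.lnk) is constructed for the demo, and the thresholds are assumptions for illustration, not a Stuxnet signature.

```python
"""Removable-media triage for the USB propagation paths the post describes.
Added example; the sample files and thresholds are constructed assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Optional

LAUNCH_KEYS = {"open", "shellexecute"}            # autorun.inf directives that run code
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command also runs code
DRIVER_NAMES = ("mrxnet.sys", "mrxcls.sys")         # the two driver names given in the post


@dataclass
class AutorunReport:
    launch: dict = field(default_factory=dict)  # directive -> command line
    unparsed_bytes: int = 0                      # bytes an INI parser would skip over


def parse_autorun(data: bytes) -> AutorunReport:
    """Tolerant INI parse: keep launch directives under [autorun]; count every line
    that is not a header, comment or key=value as skipped data, which models the
    'Windows ignores the data portion' behaviour the post mentions."""
    rep, section = AutorunReport(), None
    for raw in data.split(b"\n"):
        line = raw.strip(b"\r\t ")
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:      # binary payload glued onto the file
            rep.unparsed_bytes += len(raw)
            continue
        if not text or text.startswith(";"):
            continue
        if text.startswith("[") and text.endswith("]"):
            section = text[1:-1].strip().lower()
            continue
        if "=" not in text:
            rep.unparsed_bytes += len(raw)
            continue
        key, _, value = text.partition("=")
        key = key.strip().lower()
        if section == "autorun" and (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
            rep.launch[key] = value.strip()
    return rep


@dataclass
class DriveFindings:
    lnk_files: list                  # shortcuts found at the drive root
    pe_files: list                   # root files with an MZ header, whatever the extension
    autorun: Optional[AutorunReport]  # None when there is no autorun.inf

    def suspicious(self) -> bool:
        # Assumed thresholds: two or more shortcuts beside a PE at the root, or any
        # autorun launch directive, is enough to pull the drive for analysis.
        lnk_cluster = len(self.lnk_files) >= 2 and bool(self.pe_files)
        autorun_launch = self.autorun is not None and bool(self.autorun.launch)
        return lnk_cluster or autorun_launch


def triage_drive(root: str) -> DriveFindings:
    """Classify the files at a drive root; only the root is checked, as the post
    describes the shortcuts and DLL being copied there."""
    lnk, pe, autorun = [], [], None
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if name.lower() == "autorun.inf":
            autorun = parse_autorun(data)
        elif name.lower().endswith(".lnk"):
            lnk.append(name)
        elif data[:2] == b"MZ":
            pe.append(name)
    return DriveFindings(lnk, pe, autorun)


def present_drivers(drivers_dir: str) -> list:
    """Subset of DRIVER_NAMES present in a drivers directory
    (normally %SystemRoot%\\System32\\drivers on a live host)."""
    found = {n.lower() for n in os.listdir(drivers_dir)} if os.path.isdir(drivers_dir) else set()
    return [n for n in DRIVER_NAMES if n in found]


def build_sample_drive(root: str) -> None:
    """Constructed infected-looking drive root for the demo (not real artifacts)."""
    junk = bytes(range(128, 256)) * 4                # 512 non-ASCII bytes an INI parser skips
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(b"[autorun]\r\nopen=payload.tmp\r\nicon=payload.tmp\r\n" + junk)
    for i in range(4):                               # four shortcuts, the count the post gives
        with open(os.path.join(root, f"Copy{i}.lnk"), "wb") as fh:
            fh.write(b"L\x00\x00\x00" + b"\x00" * 72)  # .lnk header size field
    with open(os.path.join(root, "payload.tmp"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)               # PE stub; a DLL starts the same way


def run_demo():
    """Build one infected-looking and one clean drive root and triage both."""
    infected, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    build_sample_drive(infected)
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return triage_drive(infected), triage_drive(clean)


if __name__ == "__main__":
    bad, good = run_demo()
    print("infected root:", bad, "->", bad.suspicious())
    print("clean root:", good, "->", good.suspicious())
    print("drivers present:", present_drivers(r"C:\Windows\System32\drivers"))
```

On a real drive, call triage_drive() on the mount point and present_drivers() on the host's drivers directory; a hit on either check is a reason to image the drive rather than to trust the file list, since the kernel driver the post describes exists precisely to hide those files from the logged-on user.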

jamescv7

You cannot easily be infected by Stuxnet considering the location of the virus deployment, unlike Conficker, for which everywhere is a breeding place, with a ghost signal to jump onto an inserted USB.

A movie entitled "Blackhat" also has the same story, in which nuclear facilities are infected and caused to fail with a piece of RAT malware.

Tony Cole

I never understood why Kaspersky went to Iran, a country which is actively developing nuclear weapons. Stuxnet was deployed via USB; then the question is, who inserted the USB? A CIA agent? America truly is everywhere. Stuxnet was the biggest revolution in malware; to target PLCs is unique and must have taken years to develop.
Cch123

Those people who answered the "Was your PC infected with Stuxnet malware?" poll: I am really curious as to who you are to get hit by a targeted attack. :D