Trojan-Dropper:W32/Stuxnet executes and drops files onto the system by exploiting a shortcut-handling vulnerability present in multiple Windows versions (CVE-2010-2568), which allows malicious code to run as soon as a specially crafted shortcut's icon is displayed.
This malware appears to be targeted at businesses using Siemens SIMATIC WinCC database applications, as its payload steals data from these systems.
This malware is further discussed in the following Labs weblog posts:
For more information, please also refer to Microsoft Security Advisory 2286198.
Stuxnet shares similarities with an Autorun worm: it usually arrives on an infected USB thumb drive or other removable media, and once running on a computer it saves copies of itself to any other removable media it finds, so that it propagates to new victim machines.
However, rather than relying on autorun.inf and the AutoRun feature, Stuxnet exploits a flaw in how Windows parses shortcut (.LNK) files in order to execute a malicious Control Panel module.
An attacker abuses this with a specially crafted .LNK file that points to a specially crafted Control Panel module (in reality, the malware). When the system resolves the shortcut's icon, it loads the referenced module to obtain the icon and the module's entry point runs, so the Control Panel module is executed automatically. The user does not need to click on the icon; simply displaying the folder that contains the shortcut is enough.
For the exploit to work, the malicious shortcut file has to be formatted as a valid Control Panel shortcut, while the trojan-dropper component itself must be formatted as a valid Control Panel module.
The exploit may also be embedded in document files that support embedded shortcuts (see LNK Vulnerability: Embedded Shortcuts in Documents).
We detect the exploit as Exploit:W32/WormLink.
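The following is an added example, not code from the original description or from F-Secure: it parses the LinkTargetIDList of a .LNK file as laid out in the MS-SHLLINK header format, recognises a Control Panel shortcut by the Control Panel folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D} in its IDList, extracts any module paths the list names, and flags shortcuts whose module is not a .cpl under the system directory. The trusted-directory list, the simplified item layouts in the constructed sample, and the sample paths are assumptions made for this example; the detection is a heuristic, since legitimate Control Panel shortcuts also carry that CLSID.

```python
import re
import struct
import uuid

# Constants from the MS-SHLLINK shell link header.
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# CLSID of the Control Panel shell folder, carried in the IDList of a Control Panel shortcut.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")

# Assumption for this example: legitimate .cpl modules live under the system directory.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\",)

# Runs of at least four printable ASCII characters encoded as UTF-16LE (non-ASCII paths are not matched).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_link_target_id_list(data):
    """Validate the ShellLinkHeader and return the payload of each ItemID in the LinkTargetIDList."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = HEADER_SIZE
    id_list_size = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("malformed IDList: size exceeds file")
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed IDList: bad ItemIDSize")
        items.append(bytes(data[pos + 2:pos + item_size]))
        pos += item_size
    return items


def utf16_strings(blob):
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def is_trusted_module(path):
    p = path.lower()
    return p.endswith(".cpl") and p.startswith(TRUSTED_MODULE_DIRS)


def inspect_shortcut(data):
    """Report whether the link is a Control Panel shortcut and which module paths its IDList names."""
    items = parse_link_target_id_list(data)
    control_panel = any(CONTROL_PANEL_CLSID.bytes_le in item for item in items)
    module_paths = []
    if control_panel:
        for item in items:
            module_paths += [s for s in utf16_strings(item) if "\\" in s]
    suspicious = control_panel and any(not is_trusted_module(p) for p in module_paths)
    return {"control_panel": control_panel, "module_paths": module_paths, "suspicious": suspicious}


def build_sample_lnk(module_path):
    """Constructed test data: a minimal link whose IDList is My Computer -> Control Panel -> module item.
    The item layouts are simplified for this example and are not a byte-exact copy of any real sample."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    payloads = [
        b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,                     # root folder item
        b"\x2e\x00" + CONTROL_PANEL_CLSID.bytes_le,                   # Control Panel folder item
        b"\x00" * 8 + module_path.encode("utf-16-le") + b"\x00\x00",  # item naming the module to load
    ]
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for path in (r"C:\Windows\System32\timedate.cpl",
                 r"\\.\STORAGE#Volume#constructed-example\~WTR4141.tmp"):  # constructed paths
        print(path, "->", inspect_shortcut(build_sample_lnk(path)))
```

To triage a real shortcut, read the file in binary mode and pass the bytes to inspect_shortcut(); the benign sample resolves to a .cpl in System32 and is not flagged, while a module path on a removable volume is. The parser stops at the TerminalID and rejects ItemIDSize values that run past the declared list, so a truncated or deliberately malformed IDList raises ValueError instead of being misread.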
On execution, the malware drops the following files onto the system:
• mrxcls.sys and mrxnet.sys – two drivers, dropped in the C:\Windows\System32\Drivers folder
• C:\Windows\inf\oem7a.PNF – An encrypted DLL file, the trojan-dropper’s main component
• C:\Windows\inf\mdmcpq3.PNF – An encrypted data file
An alert user may recognize a Stuxnet infection if the following items are present (useful if the infected machine has no antivirus product installed):
• The two dropped drivers, mrxcls.sys and mrxnet.sys, are found in the C:\Windows\System32\Drivers folder
• The service registry keys for the two drivers, HKLM\SYSTEM\CurrentControlSet\Services\MRxCls and HKLM\SYSTEM\CurrentControlSet\Services\MRxNet, are present
The encrypted DLL contained in the dropped oem7a.PNF file is decrypted and injected into a target process, where it appears under a module name of the following form:
• [normaldll].ASLR.[random] – e.g., Kernel32.dll.aslr.21af34
The injection is performed by mrxcls.sys, which attaches to the target process and copies the DLL into it. The rest of the injection routine is carried out by two additional components embedded in mrxcls.sys, which are loaded into the same process space.
mrxcls.sys also injects code into the following processes:
The file mrxnet.sys checks for files on the system with the following extensions:
Matching files are hidden from directory listings: mrxnet.sys operates as a file-system filter driver and removes the matching entries from the FileInfo structures returned by directory queries.
Meanwhile, the DLL attempts to connect to any available Siemens SIMATIC WinCC application using hard-coded administrative username/password credentials. If the connection succeeds, it attempts to locate the file \GraCS\cc_tlg7.sav in every database whose name starts with CC. If the file is found, the DLL extracts it as cc_tlg7.savx.
The DLL also connects to domains which are listed in the encrypted mdmcpq3.PNF file.
If the targeted WinCC files are not found on the infected system, Stuxnet copies itself as .TMP files onto any available removable drive, using the following filenames:
• ~WTR4132.tmp – main installer, executed from the USB drive
• ~WTR4141.tmp – first-stage loader on the USB drive
The following files are also dropped to the removable drive:
• Copy of Shortcut to.lnk
• Copy of Copy of Shortcut to.lnk
• Copy of Copy of Copy of Shortcut to.lnk
• Copy of Copy of Copy of Copy of Shortcut to.lnk
These shortcuts cause ~WTR4141.tmp to be loaded whenever the infected removable drive is plugged into a new system and its contents are displayed; ~WTR4141.tmp in turn loads ~WTR4132.tmp.
The file ~WTR4141.tmp hooks the following APIs to hide the malware's files on the removable drive:
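As an added example (not part of the original description), the checks below look for the file indicators listed on this page: the two drivers and two .PNF files under the Windows directory, and the ~WTR*.tmp installers and "Copy of ... Shortcut to.lnk" shortcuts in the root of a removable volume. The shortcut check generalises the four listed names to any number of "Copy of" prefixes. The fixture directory and placeholder file contents are constructed for the example; nothing here is real malware.

```python
import re
import tempfile
from pathlib import Path

# Files the dropper writes under the Windows directory (paths relative to it, from the description).
HOST_INDICATORS = (
    Path("System32") / "Drivers" / "mrxcls.sys",
    Path("System32") / "Drivers" / "mrxnet.sys",
    Path("inf") / "oem7a.PNF",
    Path("inf") / "mdmcpq3.PNF",
)

# Names the malware writes to the root of a removable drive.
REMOVABLE_TMP_NAMES = {"~wtr4132.tmp", "~wtr4141.tmp"}
# Matches the whole "Copy of ... Shortcut to.lnk" family, however many "Copy of" prefixes it carries.
SHORTCUT_NAME = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)


def check_windows_dir(windir):
    """Return the indicator files that exist under windir, matching names case-insensitively as NTFS does."""
    windir = Path(windir)
    found = []
    for rel in HOST_INDICATORS:
        parent = windir / rel.parent
        if parent.is_dir():
            by_name = {p.name.lower(): p for p in parent.iterdir()}
            if rel.name.lower() in by_name:
                found.append(str(by_name[rel.name.lower()]))
    return sorted(found)


def check_removable_root(root):
    """Return the Stuxnet installer and shortcut names present in the root of a removable volume."""
    hits = {"installers": [], "shortcuts": []}
    for entry in Path(root).iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() in REMOVABLE_TMP_NAMES:
            hits["installers"].append(entry.name)
        elif SHORTCUT_NAME.match(entry.name):
            hits["shortcuts"].append(entry.name)
    hits["installers"].sort()
    hits["shortcuts"].sort()
    return hits


def run_demo():
    """Constructed fixture: lay out the described file names in a temporary tree and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "Windows"
        for rel in HOST_INDICATORS:
            (win / rel).parent.mkdir(parents=True, exist_ok=True)
            (win / rel).write_bytes(b"constructed placeholder, not malware")
        (win / "inf" / "oem1.PNF").write_bytes(b"benign neighbour")
        usb = Path(tmp) / "usb"
        usb.mkdir()
        for name in ("~WTR4132.tmp", "~WTR4141.tmp", "Copy of Shortcut to.lnk",
                     "Copy of Copy of Shortcut to.lnk", "holiday.jpg", "Shortcut to.lnk"):
            (usb / name).write_bytes(b"placeholder")
        return {"host": check_windows_dir(win), "usb": check_removable_root(usb)}


if __name__ == "__main__":
    print(run_demo())
```

Run the two check functions against the real Windows directory and the mount point of a suspect drive. Because mrxnet.sys and the API hooks in ~WTR4141.tmp hide these very files from directory listings on an infected host, a negative result from the infected machine itself proves little; examine the drive from a clean system or an offline image.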