(Volatility 2.2: Lesson 2)

{ Analyzing Stuxnet }

1. What is Stuxnet?
   • Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. [4]
   
   
2. Pre-Requisite
   • Volatility 2.2: Lesson 1: Installing Volatility 2.2 on BackTrack 5 R1
   
   
3. References
   1. Author: @PROFESX0R
   2. Michael Hale:  Stuxnet's Footprint in Memory with Volatility
   3. Mark Russinovich:  Analyzing a Stuxnet Infection with the Sysinternals Tools, Part I
   4. Michael Hale:  http://code.google.com/p/volatility/wiki/CommandReference
   5. Symantec's:   W32.Stuxnet Dossier
   
   
4. Lab Notes
   • In this lab we will do the following:
     1. Download a Stuxnet memory capture.
     2. Analyze a Stuxnet memory capture using the above references.
   
   
5. Legal Disclaimer
   • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
   • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
   • In addition, this is a teaching website that does not condone malicious behavior of any kind.
   • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
   • © 2013 No content replication of any kind is allowed without express written permission.

1. Start Up VMWare Player
   • Instructions:
     1. Click the Start Button
     2. Type Vmplayer in the search box
     3. Click on Vmplayer
   • 

    

2. Open a Virtual Machine
   • Instructions:
     1. Click on Open a Virtual Machine
   • 

    

3. Open the BackTrack5R1 VM
   • Instructions:
     1. Navigate to where the BackTrack5R1 VM is located
     2. Click on on the BackTrack5R1 VM
     3. Click on the Open Button
   • 

    

4. Edit the BackTrack5R1 VM
   • Instructions:
     1. Select BackTrack5R1 VM
     2. Click Edit virtual machine settings
   • 

    

5. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 

    

6. Play the BackTrack5R1 VM
   • Instructions:
     1. Click on the BackTrack5R1 VM
     2. Click on Play virtual machine
   • 

    

7. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 

    

8. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 

    

1. Start up a terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 

    

2. Obtain the IP Address
   • Instructions:
     1. ifconfig -a
   • Note(FYI):
     • My IP address 192.168.1.108.
     • In your case, it will probably be different.
   • 

    

1. Download a Stuxnet Image
   • Instructions
     1. cd /pentest/forensics/volatility-2.2
     2. mkdir -p images/stuxnet/output
     3. cd images/stuxnet/
     4. wget http://malwarecookbook.googlecode.com/svn/trunk/stuxnet.vmem.zip
     5. unzip stuxnet.vmem.zip
   • 

    

1. Determine Which Profile to Use
   • Instructions
   1. cd /pentest/forensics/volatility-2.2
   2. chmod 700 vol.py
      • Make vol.py executable.
   3. ./vol.py imageinfo -f images/stuxnet/stuxnet.vmem
   • Note(FYI):
   • For this image Volatility tells us to use the WinXPSP3x86 profile.
   • 

1. Basic Stuxnet Description
   • Note(FYI):
   1. A normal Windows XP installation has just one instance of lsass.exe that the Winlogon process creates when the system boots. (Wininit creates it on Windows Vista and higher).
   2. [The following] process tree [example] reveals that the two new lsass.exe instances were both created by services.exe [], the Service Control Manager, which implies that Stuxnet somehow got its' code into the Services.exe process. [1][2].
   3. Mrxnet.sys is the driver that ... implements the rootkit that hides files, and Mrxcls.sys is a second Stuxnet driver file that launches the malware when the system boots. [1]

    

2. What is lsass.exe
   • Note(FYI):
   • LSASS, or local security authority subsystem service, is a process that functions as part of the Microsoft Windows operating system.
   • LSASS is part of the process for maintaining and enforcing the security protocols on the operating system.
   • LSASS performs several important functions
     1. To ensure that the system remains free from unauthorized access
     2. LSASS oversees access to a computer or server.
     3. LSASS recognizes any restrictions on access to any information on the hard drive or the server.
     4. LSASS makes sure that only recognized access codes or other login credentials will allow persons to interact with password protected files, directories, etc.

    

3. Analyze Stuxnet Process Tree
   • Instructions
   1. ./vol.py pstree --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem | egrep '(services.exe|lsass.exe|winlogon.exe)' | tee images/stuxnet/output/pstree.txt
   2. ls -l images/stuxnet/output/pstree.txt
   • Note(FYI):
   • The normal Parent-Child relation
     • winlogon.exe (624) kicks off, DATE: 2010-10-29 17:08:54
       • services.exe (668), DATE: 2010-10-29 17:08:54
       • lsass.exe (680), 2010-10-29 17:08:54
   • The Stuxnet Parent-Child relation
     • services.exe(668) is NOT supposed to, but kicks off
       • lsass.exe (1928), DATE: 2011-06-03 04:26:55
       • lsass.exe (868), DATE: 2011-06-03 04:26:55
     • Notice these two lsass.exe processes were created 216 after winlogin.exe was started.
   • 

1. Analyze Sockets
   • Instructions
   1. ./vol.py sockets --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem | egrep '(Off|---|680|1928|868)' | tee images/stuxnet/output/sockets.txt
   2. ls -l images/stuxnet/output/sockets.txt
   • Note(FYI):
   • Another way that you can tell the good lsass.exe (680) processes from the bad (1928 & 868) lsass.exe process is that PID 680 are bound to Port 500 and 4500, while PIDs 1928 & 868 are not.
   • 

1. Analyze lsass dll's
   • Instructions
   1. ./vol.py dlllist -p 680 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem 2>/dev/null | wc -l
   2. ./vol.py dlllist -p 1928 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem 2>/dev/null | wc -l
   3. ./vol.py dlllist -p 868 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem 2>/dev/null | wc -l
   4. ./vol.py dlllist -p 680,1928,868 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem > images/stuxnet/output/dlllist.txt
   5. ls -l images/stuxnet/output/dlllist.txt
   • Note(FYI):
   • [A]nother suspicious characteristic of the two superfluous processes is the fact that they have very few DLLs loaded. [1][2].
   • DLLs are automatically added ... when a process call the  LoadLibrary. [3]
   • Notice that the good PID (680) has 64 DLLs attached to its' process.
   • Notice that the bad PID (1928) has 35 DLLs attached to its' process.
   • Notice that the bad PID (868) has 15 DLLs attached to its' process.
   • 

1. Analyze Process IDs with malfind
   • Instructions
   1. ./vol.py malfind -p 680 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem
   2. ./vol.py malfind -p 868 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem
   3. ./vol.py malfind -p 868,1928 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem > images/stuxnet/output/malfind.txt
   4. ls -l images/stuxnet/output/malfind.txt
   • Note(FYI):
   • The malfind command has several purposes. You can use it to find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions. [3]
   • Services.exe, Lsass.exe or Explorer.exe should not have write permission. 
   • Notice, that PID(680) did not return any results, while PID(868 & 1928) do.
   • 

1. What is Address space layout randomization (ASLR)
   • Note(FYI):
   • Address space layout randomization (ASLR) is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.
   
   
2. Bypassing Behavior Blocking When Loading DLLs
   • Note(FYI):
   • Whenever Stuxnet needs to load a DLL, including itself, it uses a special method designed to bypass behavior- blocking and host intrusion-protection based technologies that monitor LoadLibrary calls. Stuxnet calls Load - Library with a specially crafted file name that does not exist on disk and normally causes LoadLibrary to fail. However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load specially crafted file names. These specially crafted filenames are mapped to another location instead—a location specified by W32.Stuxnet. That location is generally an area in memory where a .dll file has been decrypted and stored by the threat previously. The filenames used have the pattern of KERNEL32.DLL.ASLR.[HEXADECIMAL] or SHELL32.DLL.ASLR. [HEXA - DECIMAL], where the variable [HEXADECIMAL]is a hexadecimal values. [4]

    

3. Hiding DLLs
   • Instructions
   1. ./vol.py dlllist --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem | grep ASLR
   2. ./vol.py dlllist --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem | grep ASLR > images/stuxnet/output/aslr.txt
   3. ls -l images/stuxnet/output/aslr.txt
   • Note(FYI):
   • Step 1 displays the Stuxnet specially crafted files designed to bypass the ASRL.
   • 

1. Using ldrmodules to find hidden DLLs
   • Note(FYI):
   • There are many ways to hide a DLL. One of the ways involves unlinking the DLL from one (or all) of the linked lists in the PEB (Process Enviroment Block). However, when this is done, there is still information contained within the VAD (Virtual Address Descriptor) which identifies the base address of the DLL and its full path on disk. To cross-reference this information (known as memory mapped files) with the 3 PEB lists, use the ldrmodules command. For each memory mapped Portable Executable (PE) file, the ldrmodules command prints a 0 or a 1 if the PE exists in the PEB lists. [3]
    
2. Using ldrmodules
   • Instructions
   1. ./vol.py ldrmodules -p 680 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem
      • This is normal.
   2. ./vol.py ldrmodules -p 868 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem
      • Notice the lines identified by the word "Problem".
   3. ./vol.py ldrmodules -p 1928 --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem | egrep '(Pid|-$)'
   • Note(FYI):
   • The lines identified as a problem are either suspicious because an entry is missing from one of the PEB (Process Enviroment Block) lists or because the path name is blank.
   • 

1. Using procexedump to dump process executables
   • Note(FYI):
   • To dump a process's executable (not including the slack space), use the procexedump command.

    

2. Using procexedump
   • Instructions
   1. ./vol.py procexedump -p 680,868,1928 -D images/stuxnet/output/ --profile=WinXPSP3x86 -f images/stuxnet/stuxnet.vmem
   2. ls -l images/stuxnet/output/*.exe
   • 

    

3. Looking at Malicious Hooks
   • Instructions
   1. strings images/stuxnet/output/executable.868.exe | more
   • Note(FYI):
   • The below example is the second type of code injection used by Stuxnet. The names of the APIs inside of the red rectangle are the ones hooked by the malware PID 868. [3].
   • Analyzing a Stuxnet Infection with the Sysinternals Tools, Part I, See Page 13.
   • 

1. Proof of Lab
   • Proof Of Lab Instructions:
     1. Do a PrtScn of the below commands
     2. Paste into a word document
     3. Upload to Moodle
   • Instructions
     1. cd /pentest/forensics/volatility-2.2/images/stuxnet/output
     2. ls -lrts
     3. date
     4. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
   •