Stuxnet Under the Microscope

Aleksandr Matrosov, Senior Virus Researcher
Eugene Rodionov, Rootkit Analyst
David Harley, Senior Research Fellow
Juraj Malcho, Head of Virus Laboratory

www.eset.com

Contents

CONTENTS
PREFACE
1 INTRODUCTION
    1.1 TARGETED ATTACKS
    1.2 STUXNET VERSUS AURORA
    1.3 STUXNET REVEALED
    1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM
2 MICROSOFT, MALWARE AND THE MEDIA
    2.1 SCADA, SIEMENS AND STUXNET
    2.2 STUXNET TIMELINE
3 DISTRIBUTION
    3.1 THE LNK EXPLOIT
        3.1.1 Propagation via External Storage Devices
        3.1.2 Metasploit and WebDAV Exploit
        3.1.3 What Do DLL Hijacking flaws and the LNK Exploit have in Common?
    3.2 LNK VULNERABILITY IN STUXNET
    3.3 THE MS10-061 ATTACK VECTOR
    3.4 NETWORK SHARED FOLDERS AND RPC VULNERABILITY (MS08-067)
    3.5 EXPLOITING UNPATCHED 0-DAY IN WIN32K.SYS
4 STUXNET IMPLEMENTATION
    4.1 USER-MODE FUNCTIONALITY
        4.1.1 Overview of the main module
        4.1.2 Injecting code
        4.1.3 Injecting into a current process
        4.1.4 Injecting into a new process
        4.1.5 Installation
        4.1.6 Exported functions
        4.1.7 RPC Server
        4.1.8 Resources
    4.2 KERNEL-MODE FUNCTIONALITY
        4.2.1 MRXCLS.sys
        4.2.2 MRXNET.sys
