Thursday, October 20, 2011

Does Anyone Want the Source Code to Stuxnet? Come and Get It!!! (update 1)

After reading report after report and blog after blog during the past 24 hours, I have decided that, rather than comment on each of these individually, I would offer some additional information which should help set the record straight on who the author is ... or maybe better ... who it is NOT ... of this new variant of our old friend Stuxnet.

It all began back in January when Egyptian student Amr Thabet first announced that he had decompiled and reverse engineered the MRxNet.sys file used by Stuxnet. As you may recall, this was one of the digitally signed files placed in the windows\system32\drivers directory and used as a rootkit to hide the presence of the Stuxnet malware on its victims.

If you have not yet taken a look at Amr's work, I suggest you visit his writeup on Stuxnet, as he provides some very good insight into the code and how it is used.

The list below is a summary of the key files used with the original Stuxnet codebase after infection:

     c:\windows\system32\drivers\mrxnet.sys (Windows rootkit)
     c:\windows\system32\drivers\mrxcls.sys (load point)
     c:\windows\inf\oem7A.PNF (main payload)
     c:\windows\inf\mdmeric3.PNF (90-byte data file)
     c:\windows\inf\mdmcpq3.PNF (configuration data)
     c:\windows\inf\oem6C.PNF (log file)
     c:\windows\help\winmic.fts (25-byte data file)
     c:\windows\system32\s7otbxdx.dll (PCS7 DOS driver)
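As an added defender-side example (my own code, not from the original post or from any of the analyses it cites), the check below looks for the artifact paths listed above under a given Windows directory, using the two file sizes the list gives (90 and 25 bytes) as a secondary sanity check; the sample directory it builds is constructed for the demonstration, and the function names are assumptions.

```python
import os
import tempfile

# Artifact paths from the post's list, relative to the Windows directory.
# Expected sizes are known only for the two small data files.
STUXNET_ARTIFACTS = {
    r"system32\drivers\mrxnet.sys": ("Windows rootkit", None),
    r"system32\drivers\mrxcls.sys": ("load point", None),
    r"inf\oem7A.PNF": ("main payload", None),
    r"inf\mdmeric3.PNF": ("90-byte data file", 90),
    r"inf\mdmcpq3.PNF": ("configuration data", None),
    r"inf\oem6C.PNF": ("log file", None),
    r"help\winmic.fts": ("25-byte data file", 25),
    r"system32\s7otbxdx.dll": ("PCS7 DOS driver", None),
}

def _to_native(rel):
    # The list uses Windows separators; join per-OS so a mounted image works too.
    return os.path.join(*rel.split("\\"))

def check_stuxnet_artifacts(windows_dir):
    """Return {relative_path: (role, note)} for each listed artifact present.
    note is 'size matches', 'size mismatch (N bytes)', or '' if no size is known;
    presence alone is the signal, so mismatches are still reported."""
    hits = {}
    for rel, (role, expected) in STUXNET_ARTIFACTS.items():
        path = os.path.join(windows_dir, _to_native(rel))
        if not os.path.isfile(path):
            continue
        note = ""
        if expected is not None:
            actual = os.path.getsize(path)
            note = "size matches" if actual == expected else f"size mismatch ({actual} bytes)"
        hits[rel] = (role, note)
    return hits

def build_sample_tree():
    """Constructed sample: a throwaway Windows-style dir holding three artifacts."""
    root = tempfile.mkdtemp(prefix="winroot-")
    for rel, content in [(r"system32\drivers\mrxnet.sys", b"X" * 100),
                         (r"inf\mdmeric3.PNF", b"\x00" * 90),
                         (r"help\winmic.fts", b"\x00" * 24)]:  # one byte short on purpose
        path = os.path.join(root, _to_native(rel))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, (role, note) in sorted(check_stuxnet_artifacts(build_sample_tree()).items()):
        print(f"{rel}: {role} {note}".rstrip())
```

Point it at a live %SystemRoot% or at the Windows directory of a mounted disk image; a hit on any of these paths warrants a closer look regardless of the size note.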

Shortly after, in February 2011, you may recall that the hacktivist group Anonymous successfully hacked into the computers at security company HBGary. Within the data they "stole" was a series of emails that contained a "decrypted translation" of the code that HBGary was working on. This was widely covered in the media (FoxNews, Homeland Security News Wire, and many others).

"There is the real potential that others will build on what is being released," said Michael Gregg, chief operating officer of cybersecurity firm Superior Solutions. Gregg was quick to clarify that the group hasn't released the Stuxnet worm itself, but rather a decrypted version of it HBGary had been studying -- which could act almost like a building block for cybercrooks.

On February 13, 2011, Anonymous published their work at this site. Though this code does not reflect true "source code", it does provide the malware in a high-level language which can be re-purposed and re-compiled for another purpose.

I reviewed much of the code, and though it did not contain 100% of the Stuxnet functionality, it did contain a large portion of the working malware. One piece that I noticed was missing was the initial dropper and infection algorithms. After reading many of the articles this week, this seems to be one of the pieces missing from this new codebase as well, which is why I believe that the authors of this attack were in fact using the Anonymous published code. If we use September as the date upon which this was initially launched, a new attacker would have had six (6) months to develop this new malware, which is a lot of time. The real point of interest is the fact that this may have surfaced as early as December 2010. If this was in fact the case, we may actually be dealing with more than one author, or a group of "copycats".

Today, I listened in on Symantec's webcast on Duqu, and Kevin Haley was pretty convinced these authors did in fact use the Stuxnet source code. He went on to say that this does not mean that the original authors were also the authors of Duqu, but that the code could have been "stolen" or "misplaced". Kevin also stated that Stuxnet source code was not available on the Internet. I have received comments about my position, and agree that even though the Anonymous files are not pure, original source code, they are high-level language translations of the original binaries that could be re-written for another purpose.

Comments, debates, arguments, or compliments always appreciated!

3 comments:

  1. that's just silly. have you looked much at the hex-rays dump? that's not really usable code. and where do you think the attackers got the "improved"/untraceable digital certificates?

    Nope, Thabet's stuff is much better. And the similarities between Duqu's main module and Stux are too close to be re-written from translations. That can be identified from the compiled code and the compiler flags implemented.

  2. I am anything but an expert on (de)compiling or re-use of code.

    But if your theory is true that someone is re-using this code, this adversary also copied the modus operandi of stealing a code signing certificate of a Taiwanese hardware manufacturer. That's not something you can download off the Internet.

  3. I understand your points, and am just throwing out a theory to spark some good dialogue. There is too much sloppy work in Duqu to make me think it is the same authors as the highly sophisticated Stuxnet. How they got the code is still a mystery, but maybe the same "subcontractor" who was asked to steal the first certs actually obtained an extra one! Thanks again for your input and please share any new findings with the community.