Stuxnet: An Assessment of the Stuxnet Attack Operation - By nEINEI  Time: 2010-09-30

1) Exploits four Windows 0-day and 1-day vulnerabilities, plus one WinCC vulnerability, to attack the infrastructure of industrial equipment.
2) Its primary purpose is the sabotage of basic industrial infrastructure.

Symptoms

The worm copies itself to removable drives as the following files:
  %DriveLetter%\~WTR4132.tmp
  %DriveLetter%\~WTR4141.tmp

It also copies the following files to the above drives:
  %DriveLetter%\Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk

The following file(s) may be seen on the compromised computer:
  %System%\drivers\mrxcls.sys
  %System%\drivers\mrxnet.sys
  %DriveLetter%\~WTR4132.tmp
  %DriveLetter%\~WTR4141.tmp
  %DriveLetter%\Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
  %DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
  %Windir%\inf\oem6C.PNF
  %Windir%\inf\oem7A.PNF
  %Windir%\inf\mdmcpq3.PNF
  %Windir%\inf\mdmeric3.PNF

Once an infected removable drive is attached to a clean computer, the worm copies itself to the clean computer as the following files:
  %System%\drivers\mrxcls.sys
  %System%\drivers\mrxnet.sys

Next, the worm registers the file mrxcls.sys as a service with the following characteristics:
  Display Name: MRXCLS
  Startup Type: Automatic
  Image Path:   %System%\drivers\mrxcls.sys

The worm creates the following registry entry for the above service:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

It also registers the file mrxnet.sys as a service with the following characteristics:
  Display Name: MRXNET
  Startup Type: Automatic
  Image Path:   %System%\drivers\mrxnet.sys

The worm creates the following registry entry for the above service:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

It also creates the following files, which are encrypted copies of the worm:
  %Windir%\inf\oem6C.PNF
  %Windir%\inf\oem7A.PNF
  %Windir%\inf\mdmcpq3.PNF
  %Windir%\inf\mdmeric3.PNF

Targeting SCADA software

Stuxnet specifically targets systems with supervisory control and data acquisition (SCADA) software installed. The threat performs many database queries on the database used by the Siemens Step 7 software and interacts with the .dll files belonging to that product. It tries to extract specific data from the database. For example, it tries to access files with the following characteristics, created by the Step 7 software:
  GracS\cc_tag.sav
  GracS\cc_alg.sav
  GracS\db_log.sav
  GracS\cc_tlg7.sav
  *.S7P
  *.MCP
  *.LDF

Related sample information (SHA-256):
  8d57400b7a84a16ef6482f740259ce38920c15c730ecc34cf82610b533d25979
  181b1a08edd9851b65c81028052b4aefd4b2a22356dd704c9d70b949a1f4dd65
  d40663c8cce7eb053c6ea975049bda9664194321afe8e1a3fe3c28e46850d1d4
  cb3b9aa29d9b26f158f8b5f727314787a86ba2f8f025f12b2e57b825e23adfe4

Minimal closed attack sample: 1 LNK vulnerability + ~WTR4141.tmp + ~WTR4132.tmp
  lnk:          cb3b9aa29d9b26f158f8b5f727314787a86ba2f8f025f12b2e57b825e23adfe4, size = 4,171
  ~WTR4141.tmp: c66fce516da82eb67c7a7a5f788eae1f6654e8a1f35cc88b6e4d89c92b749efd, size = 25,720
  ~WTR4132.tmp: c66fce516da82eb67c7a7a5f788eae1f6654e8a1f35cc88b6e4d89c92b749efd, size = 517,632

Attack capability calculation:
  k = 3  (beyond the range of security awareness)
  a = 3  (no user interaction)
  s = 2  (USB drive + network share)
  m = 4  (code injection + rootkit + high-difficulty, complex technical implementation + targeted infection)
  p = 2  (attacks 2 platforms, Windows + WinCC)
  x = 30 (exclusive to the attacking organization, plus 1-day; of which CVE-2010-2743 = 5, CVE-2010-2568 = 4, CVE-2010-2729 = 4, CVE-2010-3338 = 5, CVE-2010-2772 = 6, CVE-2008-4250 = 2, stolen Realtek digital signature = 4)
  c = (4171 + 25720 + 517632) / 1024 = 534

  Attack capability AT = (a+s+m+p)^k * (1+x)^2 + c
  AT = (3+2+4+2)^3 * (1+30)^2 + 534 = 11^3 * 31^2 + 534 = 1279091 + 534 = 1279625

We define Stuxnet's attack strength as 1000T. For ease of calculation the value is multiplied by 1000, and one unit of attack strength (1T) is set to 1279625:
  1279625 * 1000 / 1279625 = 1000T

References:
1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
2. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
3. "On the Nature of Advanced Threats and Quantitative Research on Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
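The Symptoms section above is, in effect, a host indicator set: drive-root dropper and LNK names, two rootkit drivers, four PNF files and two service registrations. The following is an added example, not code from the original assessment or from Symantec, showing how a defender would match a host inventory (file paths with optional SHA-256, plus service name and image path pairs) against exactly those indicators. The indicator values are the ones listed on the page; the inventory records, the path-normalisation rules (lower-casing, requiring removable-media names to sit directly in a drive root, matching "\drivers" and "\inf" as the tails of %System%\drivers and %Windir%\inf) and the indicator class names are this example's own constructions.

```python
"""Match host-inventory records against the Stuxnet artifacts listed in the
Symptoms section.

Added example, not code from the original assessment or from Symantec. The
indicator values (file names, service names, SHA-256 hashes) are those given
on the page; the inventory records, path-normalisation rules and class names
are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Files the worm drops in the root of removable drives (%DriveLetter%\...).
REMOVABLE_FILE_NAMES = {
    "~wtr4132.tmp",
    "~wtr4141.tmp",
    "copy of shortcut to.lnk",
    "copy of copy of shortcut to.lnk",
    "copy of copy of copy of shortcut to.lnk",
    "copy of copy of copy of copy of shortcut to.lnk",
}
# Rootkit drivers copied to %System%\drivers\ on the host.
DRIVER_NAMES = {"mrxcls.sys", "mrxnet.sys"}
# Encrypted copies of the worm stored as %Windir%\inf\*.PNF.
PNF_NAMES = {"oem6c.pnf", "oem7a.pnf", "mdmcpq3.pnf", "mdmeric3.pnf"}
# Services the worm registers: service name -> expected image file name.
SERVICE_IMAGE: Dict[str, str] = {"mrxcls": "mrxcls.sys", "mrxnet": "mrxnet.sys"}
# SHA-256 values listed in the assessment (four samples plus the .tmp dropper).
SAMPLE_SHA256 = {
    "8d57400b7a84a16ef6482f740259ce38920c15c730ecc34cf82610b533d25979",
    "181b1a08edd9851b65c81028052b4aefd4b2a22356dd704c9d70b949a1f4dd65",
    "d40663c8cce7eb053c6ea975049bda9664194321afe8e1a3fe3c28e46850d1d4",
    "cb3b9aa29d9b26f158f8b5f727314787a86ba2f8f025f12b2e57b825e23adfe4",
    "c66fce516da82eb67c7a7a5f788eae1f6654e8a1f35cc88b6e4d89c92b749efd",
}


def _split(path: str) -> Tuple[str, str]:
    """Normalise to lower-case backslash form and split into (parent, name)."""
    p = path.replace("/", "\\").lower()
    if "\\" not in p:
        return "", p
    parent, name = p.rsplit("\\", 1)
    return parent, name


def classify_path(path: str) -> Optional[str]:
    """Return the indicator class a file path matches, or None."""
    parent, name = _split(path)
    # Removable-media artifacts are only meaningful directly in a drive root,
    # e.g. E:\~WTR4141.tmp; the same name deeper in a user profile is ignored.
    if re.fullmatch(r"[a-z]:", parent) and name in REMOVABLE_FILE_NAMES:
        return "removable_media_artifact"
    # Assumption: %System%\drivers ends in "\drivers" (C:\Windows\System32\drivers).
    if parent.endswith("\\drivers") and name in DRIVER_NAMES:
        return "rootkit_driver"
    # Assumption: %Windir%\inf ends in "\inf".
    if parent.endswith("\\inf") and name in PNF_NAMES:
        return "encrypted_worm_copy"
    return None


def classify_service(name: str, image_path: str) -> Optional[str]:
    """Flag a service whose name and image file match MRxCls / MRxNet."""
    expected = SERVICE_IMAGE.get(name.lower())
    if expected and _split(image_path)[1] == expected:
        return "worm_service"
    return None


def scan(files: Iterable[Tuple[str, str]],
         services: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """files: (path, sha256 or ""); services: (service name, image path)."""
    hits: List[Dict[str, str]] = []
    for path, digest in files:
        kind = classify_path(path)
        if kind:
            hits.append({"kind": kind, "value": path})
        if digest and digest.lower() in SAMPLE_SHA256:
            hits.append({"kind": "known_sample_hash", "value": path})
    for name, image_path in services:
        kind = classify_service(name, image_path)
        if kind:
            hits.append({"kind": kind, "value": name})
    return hits


# Constructed sample inventory: four true positives and three benign decoys.
SAMPLE_FILES = [
    (r"E:\~WTR4141.tmp", "c66fce516da82eb67c7a7a5f788eae1f6654e8a1f35cc88b6e4d89c92b749efd"),
    (r"E:\Copy of Copy of Shortcut to.lnk", "cb3b9aa29d9b26f158f8b5f727314787a86ba2f8f025f12b2e57b825e23adfe4"),
    (r"C:\Windows\System32\drivers\mrxnet.sys", ""),
    (r"C:\Windows\inf\oem7A.PNF", ""),
    (r"C:\Windows\inf\oem1.PNF", ""),                         # benign: ordinary driver PNF
    (r"C:\Users\ops\Documents\Copy of Shortcut to.lnk", ""),  # benign: not in a drive root
]
SAMPLE_SERVICES = [
    ("MRxNet", r"C:\Windows\System32\drivers\mrxnet.sys"),
    ("MRxSmb", r"C:\Windows\System32\drivers\mrxsmb.sys"),    # legitimate SMB redirector
]


def run_sample() -> List[Dict[str, str]]:
    return scan(SAMPLE_FILES, SAMPLE_SERVICES)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['kind']:26} {hit['value']}")
```

Two hits on the same path (a name match plus a hash match) are reported separately on purpose: the name rules catch an infected drive even when hashes are unavailable, while the hash rule still fires if the worm is found under a renamed file.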
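The attack-capability calculation above is a formula with seven inputs, and its shape matters more than the final number: x enters squared, so the exclusive vulnerabilities dominate the score. The following added example (not part of the original assessment or of reference 3) carries the page's formula AT = (a+s+m+p)^k * (1+x)^2 + c through with the page's own values, reproduces the 534, 30 and 1279625, applies the 1000T normalisation, and adds a marginal-contribution helper that shows how much raw AT each listed vulnerability or asset accounts for. The AttackProfile class and the helper are this example's own constructions.

```python
"""Worked computation of the attack-capability score AT defined in the
assessment, with the page's parameter values.

Added example, not part of the original text: the AttackProfile class and
marginal_contribution() are constructed here; the formula, weights and sizes
are the page's.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class AttackProfile:
    k: int                        # exponent: how far the attack exceeds defenders' awareness
    a: int                        # user interaction required (3 = none)
    s: int                        # spreading vectors (USB drive, network share)
    m: int                        # technical sophistication
    p: int                        # platforms attacked
    x_components: Dict[str, int]  # per-vulnerability / per-asset weights summed into x
    sample_sizes: List[int]       # byte sizes of the minimal closed attack sample

    @property
    def x(self) -> int:
        return sum(self.x_components.values())

    @property
    def c(self) -> int:
        # Payload size in KiB; integer division reproduces the page's 534.
        return sum(self.sample_sizes) // 1024

    def at(self) -> int:
        """AT = (a+s+m+p)^k * (1+x)^2 + c, as written on the page."""
        return (self.a + self.s + self.m + self.p) ** self.k * (1 + self.x) ** 2 + self.c


STUXNET = AttackProfile(
    k=3, a=3, s=2, m=4, p=2,
    x_components={
        "CVE-2010-2743": 5, "CVE-2010-2568": 4, "CVE-2010-2729": 4,
        "CVE-2010-3338": 5, "CVE-2010-2772": 6, "CVE-2008-4250": 2,
        "stolen Realtek digital signature": 4,
    },
    sample_sizes=[4171, 25720, 517632],  # lnk, ~WTR4141.tmp, ~WTR4132.tmp
)

# The page fixes Stuxnet's own score as the reference unit: AT(Stuxnet) == 1000T.
REFERENCE_AT = STUXNET.at()


def normalized_t(at_value: int) -> float:
    """Express a raw AT value in the page's T units (Stuxnet == 1000T)."""
    return at_value * 1000 / REFERENCE_AT


def marginal_contribution(profile: AttackProfile, component: str) -> int:
    """Raw AT lost when one x component (for example one 0-day) is removed.

    Because x enters the formula squared, each exclusive vulnerability is
    worth far more than its linear weight alone would suggest.
    """
    reduced = dict(profile.x_components)
    del reduced[component]
    return profile.at() - replace(profile, x_components=reduced).at()


if __name__ == "__main__":
    print(f"x = {STUXNET.x}, c = {STUXNET.c}, AT = {STUXNET.at()} "
          f"= {normalized_t(STUXNET.at()):.0f}T")
    for name in STUXNET.x_components:
        loss = marginal_contribution(STUXNET, name)
        print(f"  removing {name:34} costs {loss:>8} raw ({normalized_t(loss):.0f}T)")
```

Removing the single WinCC vulnerability (weight 6) takes x from 30 to 24 and AT from 1279625 to 832409, a drop of about a third of the total score, which is the quadratic weighting the formula places on exclusive vulnerabilities.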