Hacking Exposed

• Short-link
• Link
• Embed

How Stuxnet works… – ~WTR4132.tmp – DLL is a CPL applet containing ~12 encoded components in the last .stub section: • 298.000, 7A4E2D2638A454442EFB95F23DF391A1, s7otbxsx.dll. • 145.920, 335707EABBE7FF256E0650432ACCEC9B, svchost.dll • 102.400, F979C6A3E668C5073C4C6506461B034E, svchost.dll • 40.960, A3844A1B6BEA3F6FAF9C276858F40960, - • 26.616, F8153747BAE8B4AE48837EE17172151E, MRXCLS.SYS • 25.720, 37FC7C5D89F1E5A96F54318DF1A2B905, ~WTR4141.TMP • 17.400, ED68775A8E242933403F7791BBA2437A, MRXNET.SYS • 14.848, F9BAE53E77B31841235F698955AECE30, - • 10.240, C1CB4117D9998C79AE10C1B890C23A4D, Executable extracted from CAB • 9.728, 98FBEBD8883021FBE6464C37ACF17938, - • 5.237, D102BDAD06B27616BABE442E14461059, CAB file • 4.171, F58DBFCD6119C139E9E143D3660A1288, LNK template/skeleton

Bypassing Detection • Creates the following mutexes to ensure that only one instance of itself is running in memory: – @ssd[random number] (i.e. “@ssd094”, “@ssd083A1”) – Global\Spooler_Perf_Library_Lock_PID_01F – Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} – Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3} – Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA} – Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3} – Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC} – Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}