Looking at Rootkits

Presenter Notes

Six-step investigation (SANS)

  1. Identify rogue processes
  2. Analyze process DLLs and handles
  3. Review network artifacts
  4. Look for code injection
  5. Check for rootkits
  6. Dump suspicious processes and drivers

Presenter Notes

Stuxnet
Link attached

Presenter Notes

Step 0 Imageinfo

[root&windows]#volatility -f stuxnet.vmem  imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/amf/windows/stuxnet.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80545ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-06-03 04:31:36 UTC+0000
     Image local date and time : 2011-06-03 00:31:36 -0400


imageinfo lists SP2 first, but "Image Type (Service Pack) : 3" says SP3, so pin the SP3 profile for every later command:

[root&windows]#export profile=WinXPSP3x86

Presenter Notes

Step 1 Rogue Processes

[root&windows]#volatility -f stuxnet.vmem --profile=$profile pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0         
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x823315d8 vmacthlp.exe            844    668      1       25      0      0 2010-10-29 17:08:55 UTC+0000
0x81db8da0 svchost.exe             856    668     17      193      0      0 2010-10-29 17:08:55 UTC+0000
0x81e61da0 svchost.exe             940    668     13      312      0      0 2010-10-29 17:08:55 UTC+0000
0x822843e8 svchost.exe            1032    668     61     1169      0      0 2010-10-29 17:08:55 UTC+0000
0x81e18b28 svchost.exe            1080    668      5       80      0      0 2010-10-29 17:08:55 UTC+0000
0x81ff7020 svchost.exe            1200    668     14      197      0      0 2010-10-29 17:08:55 UTC+0000
0x81fee8b0 spoolsv.exe            1412    668     10      118      0      0 2010-10-29 17:08:56 UTC+0000
0x81e0eda0 jqs.exe                1580    668      5      148      0      0 2010-10-29 17:09:05 UTC+0000
0x81fe52d0 vmtoolsd.exe           1664    668      5      284      0      0 2010-10-29 17:09:05 UTC+0000
0x821a0568 VMUpgradeHelper        1816    668      3       96      0      0 2010-10-29 17:09:08 UTC+0000
0x8205ada0 alg.exe                 188    668      6      107      0      0 2010-10-29 17:09:09 UTC+0000
0x820ec7e8 explorer.exe           1196   1728     16      582      0      0 2010-10-29 17:11:49 UTC+0000
0x820ecc10 wscntfy.exe            2040   1032      1       28      0      0 2010-10-29 17:11:49 UTC+0000
0x81e86978 TSVNCache.exe           324   1196      7       54      0      0 2010-10-29 17:11:49 UTC+0000
0x81fc5da0 VMwareTray.exe         1912   1196      1       50      0      0 2010-10-29 17:11:50 UTC+0000
0x81e6b660 VMwareUser.exe         1356   1196      9      251      0      0 2010-10-29 17:11:50 UTC+0000
0x8210d478 jusched.exe            1712   1196      1       26      0      0 2010-10-29 17:11:50 UTC+0000
0x82279998 imapi.exe               756    668      4      116      0      0 2010-10-29 17:11:54 UTC+0000
0x822b9a10 wuauclt.exe             976   1032      3      133      0      0 2010-10-29 17:12:03 UTC+0000
0x81c543a0 Procmon.exe             660   1196     13      189      0      0 2011-06-03 04:25:56 UTC+0000
0x81fa5390 wmiprvse.exe           1872    856      5      134      0      0 2011-06-03 04:25:58 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x81c0cda0 cmd.exe                 968   1664      0 --------      0      0 2011-06-03 04:31:35 UTC+0000   2011-06-03 04:31:36 UTC+0000
0x81f14938 ipconfig.exe            304    968      0 --------      0      0 2011-06-03 04:31:35 UTC+0000   2011-06-03 04:31:36 UTC+0000

Presenter Notes

More than one lsass!

[root&windows]#volatility -f stuxnet.vmem --profile=$profile pslist | grep lsass
Volatility Foundation Volatility Framework 2.4
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000

Presenter Notes

Who spawned them?

On XP, lsass.exe is started by winlogon.exe (on Vista and later it is wininit.exe), so check the parents:

[root&windows]#volatility -f stuxnet.vmem --profile=$profile psscan | grep 624
0x0000000001fa5650 winlogon.exe        624    376 0x0a940060 2010-10-29 17:08:54 UTC+0000
0x0000000002070020 lsass.exe           680    624 0x0a9400a0 2010-10-29 17:08:54 UTC+0000

Winlogon spawned lsass with PID 680... which is legitimate.

[root&windows]#volatility -f stuxnet.vmem --profile=$profile psscan | grep 668
0x0000000001e47c00 lsass.exe          1928    668 0x0a9403c0 2011-06-03 04:26:55 UTC+0000
0x0000000001e498c8 lsass.exe           868    668 0x0a940360 2011-06-03 04:26:55 UTC+0000
0x0000000002273020 services.exe        668    624 0x0a940080 2010-10-29 17:08:54 UTC+0000

And services.exe (PID 668) spawned the two new lsass.exe processes, 868 and 1928, in the same second on 2011-06-03, months after the system's own processes started.
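The parent/child and singleton checks above can be automated over the pslist text rather than eyeballed. The script below is an added example, not part of the original slides: it parses Volatility 2 pslist output and applies a Windows XP process-tree baseline (the expected parents and the images that must occur exactly once are assumptions encoded in two small tables; adjust them for other Windows versions). The sample listing is a subset of the pslist rows shown above.

```python
"""Triage a Volatility 2 ``pslist`` listing for rogue processes.

Added example: parses pslist text and applies the Windows XP process-tree
baseline (smss -> csrss/winlogon, winlogon -> services/lsass,
services -> svchost).  The sample below is a subset of the pslist rows
shown on this page.
"""
import re
from collections import Counter

# Constructed sample: a subset of the pslist rows from this page.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x81db8da0 svchost.exe             856    668     17      193      0      0 2010-10-29 17:08:55 UTC+0000
0x820ec7e8 explorer.exe           1196   1728     16      582      0      0 2010-10-29 17:11:49 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
"""

# Assumed XP baseline: expected parent image, and images that must be unique.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe", "winlogon.exe"}

# Offset, Name, PID, PPID, Thds, Hnds; the remaining columns are not needed.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_pslist(text):
    """Return a list of dicts {name, pid, ppid, threads, handles} from pslist text."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or separator line
        _, name, pid, ppid, thds, hnds = m.groups()
        procs.append({
            "name": name, "pid": int(pid), "ppid": int(ppid),
            "threads": int(thds),
            # exited processes print "--------" for the handle count
            "handles": None if hnds.startswith("-") else int(hnds),
        })
    return procs


def find_anomalies(procs):
    """Return [(pid, reason)] for processes that violate the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    names = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name = p["name"].lower()
        want = EXPECTED_PARENT.get(name)
        if want is not None:
            parent = by_pid.get(p["ppid"])
            got = parent["name"] if parent else "<missing PID %d>" % p["ppid"]
            if got.lower() != want.lower():
                findings.append((p["pid"], "%s spawned by %s, expected %s" % (p["name"], got, want)))
        if name in SINGLETONS and names[name] > 1:
            findings.append((p["pid"], "%d instances of %s, expected 1" % (names[name], p["name"])))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_pslist(PSLIST_SAMPLE)):
        print("PID %5d: %s" % (pid, reason))
```

Run against the sample it flags all three lsass.exe instances for the duplicate count and the two children of services.exe for the wrong parent; the legitimate PID 680 is flagged only because two impostors share its name, which is itself the point.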

Presenter Notes

Step 2 Analyze process DLLs and handles

[root&windows]#volatility -f stuxnet.vmem --profile=$profile dlllist -p 1928,868,668
Volatility Foundation Volatility Framework 2.4
************************************************************************
services.exe pid:    668
Command line : C:\WINDOWS\system32\services.exe
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x1c000     0xffff C:\WINDOWS\system32\services.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll
0x5f770000     0xc000     0xffff C:\WINDOWS\system32\NCObjAPI.DLL
0x76080000    0x65000     0xffff C:\WINDOWS\system32\MSVCP60.dll
0x7dbd0000    0x51000     0xffff C:\WINDOWS\system32\SCESRV.dll
0x776c0000    0x12000     0xffff C:\WINDOWS\system32\AUTHZ.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x769c0000    0xb4000     0xffff C:\WINDOWS\system32\USERENV.dll
0x7dba0000    0x21000     0xffff C:\WINDOWS\system32\umpnpmgr.dll
0x76360000    0x10000     0xffff C:\WINDOWS\system32\WINSTA.dll
0x5b860000    0x55000     0xffff C:\WINDOWS\system32\NETAPI32.dll
0x5cb70000    0x26000        0x1 C:\WINDOWS\system32\ShimEng.dll
0x47260000     0xf000        0x1 C:\WINDOWS\AppPatch\AcAdProc.dll
0x77b40000    0x22000        0x2 C:\WINDOWS\system32\Apphelp.dll
0x77c00000     0x8000        0x4 C:\WINDOWS\system32\VERSION.dll
0x77b70000    0x11000        0x1 C:\WINDOWS\system32\eventlog.dll
0x76bf0000     0xb000        0x3 C:\WINDOWS\system32\PSAPI.DLL
0x71ab0000    0x17000        0xb C:\WINDOWS\system32\WS2_32.dll
0x71aa0000     0x8000        0x9 C:\WINDOWS\system32\WS2HELP.dll
0x76f50000     0x8000        0x1 C:\WINDOWS\system32\wtsapi32.dll
0x76c30000    0x2e000        0x1 C:\WINDOWS\system32\WINTRUST.dll
0x77a80000    0x95000        0x4 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000    0x12000        0x5 C:\WINDOWS\system32\MSASN1.dll
0x76c90000    0x28000        0x2 C:\WINDOWS\system32\IMAGEHLP.dll
0x01020000   0x2c5000        0x1 C:\WINDOWS\system32\xpsp2res.dll
0x68000000    0x36000        0x1 C:\WINDOWS\system32\rsaenh.dll
0x5ad70000    0x38000        0x2 C:\WINDOWS\system32\uxtheme.dll
0x75150000    0x13000        0x1 C:\WINDOWS\system32\Cabinet.dll
0x774e0000   0x13d000        0x6 C:\WINDOWS\system32\ole32.dll
0x013f0000   0x138000        0x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360c5e2
0x76f20000    0x27000        0x2 C:\WINDOWS\system32\DNSAPI.dll
0x76d60000    0x19000        0x2 C:\WINDOWS\system32\IPHLPAPI.DLL
0x77120000    0x8b000        0x4 C:\WINDOWS\system32\OLEAUT32.dll
0x7c9c0000   0x817000        0x2 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000        0x8 C:\WINDOWS\system32\SHLWAPI.dll
0x771b0000    0xaa000        0x2 C:\WINDOWS\system32\WININET.dll
0x71ad0000     0x9000        0x2 C:\WINDOWS\system32\WSOCK32.dll
0x773d0000   0x103000        0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000    0x9a000        0x1 C:\WINDOWS\system32\comctl32.dll
************************************************************************

Presenter Notes

lsass.exe pid:    868
Command line : "C:\WINDOWS\\system32\\lsass.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
************************************************************************
lsass.exe pid:   1928
Command line : "C:\WINDOWS\\system32\\lsass.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x00870000   0x138000        0x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
0x76f20000    0x27000        0x2 C:\WINDOWS\system32\DNSAPI.dll
0x77c10000    0x58000       0x27 C:\WINDOWS\system32\msvcrt.dll
0x71ab0000    0x17000        0xa C:\WINDOWS\system32\WS2_32.dll
0x71aa0000     0x8000        0x8 C:\WINDOWS\system32\WS2HELP.dll
0x76d60000    0x19000        0x2 C:\WINDOWS\system32\IPHLPAPI.DLL
0x5b860000    0x55000        0x2 C:\WINDOWS\system32\NETAPI32.dll
0x774e0000   0x13d000        0x5 C:\WINDOWS\system32\ole32.dll
0x77120000    0x8b000        0x4 C:\WINDOWS\system32\OLEAUT32.dll
0x76bf0000     0xb000        0x2 C:\WINDOWS\system32\PSAPI.DLL
0x7c9c0000   0x817000        0x2 C:\WINDOWS\system32\SHELL32.dll
0x77f60000    0x76000        0x8 C:\WINDOWS\system32\SHLWAPI.dll
0x769c0000    0xb4000        0x2 C:\WINDOWS\system32\USERENV.dll
0x77c00000     0x8000        0x2 C:\WINDOWS\system32\VERSION.dll
0x771b0000    0xaa000        0x2 C:\WINDOWS\system32\WININET.dll
0x77a80000    0x95000        0x2 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000    0x12000        0x2 C:\WINDOWS\system32\MSASN1.dll
0x71ad0000     0x9000        0x2 C:\WINDOWS\system32\WSOCK32.dll
0x773d0000   0x103000        0x2 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x5d090000    0x9a000        0x1 C:\WINDOWS\system32\comctl32.dll

Presenter Notes

The rogue processes load far fewer DLLs than a normal lsass.exe: PID 868 carries only the loader's minimum set, while PID 1928 adds networking libraries (WS2_32, WININET, DNSAPI) plus a module at 0x00870000 named KERNEL32.DLL.ASLR.0360b7ab, which Windows does not ship. services.exe (PID 668) carries a same-pattern module, KERNEL32.DLL.ASLR.0360c5e2. Note also the quoted command lines with doubled backslashes on both rogue processes. Keep the ASLR module name in mind for step 4.

Presenter Notes

What about handles?

The rogue processes also hold far fewer handles than the legitimate lsass (PID 680). A quick count (wc -l also counts the banner and the two header lines):

[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles  -p 680 | wc -l
344

[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles  -p 1928 | wc -l
67

[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles  -p 868 | wc -l
25

Presenter Notes

Specific handles?

[root&windows]#volatility -f stuxnet.vmem --profile=$profile handles  -p 868
Volatility Foundation Volatility Framework 2.4
Offset(V)     Pid     Handle     Access Type                       Details
---------- ------ ---------- ---------- -------------------------- -------
0x8225b710    868        0xc   0x100020 File                       \Device\HarddiskVolume1\WINDOWS\system32
0x81eddc18    868      0x7a4   0x1f03ff Thread                     TID 592 PID 940
0x82083a60    868      0x7ac   0x1f0003 IoCompletion
0x81c427a8    868      0x7b0   0x1f0003 IoCompletion
0x82083a60    868      0x7b4   0x1f0003 IoCompletion
0x822bbda8    868      0x7b8   0x1f03ff Thread                     TID 1884 PID 868
0x81f9eae8    868      0x7bc   0x1f0003 Event
0x81c36ef8    868      0x7c0   0x1f0003 Event
0x81c8ee00    868      0x7c4   0x1f0003 Event
0x81f6cff0    868      0x7c8   0x1f0003 Event
0x81e61da0    868      0x7cc   0x1f0fff Process                    svchost.exe(940)
0x822bbda8    868      0x7d0   0x1f03ff Thread                     TID 1884 PID 868
0x81d9c670    868      0x7d4    0xf016e WindowStation              Service-0x0-3e7$
0x822563f0    868      0x7d8    0xf00cf Desktop                    Default
0x81d9c670    868      0x7dc    0xf016e WindowStation              Service-0x0-3e7$
0x821a4678    868      0x7e0  0x21f0003 Event
0xe2a6e830    868      0x7e4  0x20f003f Key                        MACHINE
0x81c68458    868      0x7e8   0x100003 Semaphore
0xe2b19ae0    868      0x7ec  0x21f0001 Port
0xe1613978    868      0x7f0    0xf000f Directory                  Windows
0x81fb0a88    868      0x7f4   0x100003 Semaphore
0xe16008f8    868      0x7f8        0x3 Directory                  KnownDlls
0xe10096e0    868      0x7fc    0xf0003 KeyedEvent                 CritSecOutOfMemoryEvent

Presenter Notes

Threads

Caveat on the HookedSSDT tags below: every hooked service table entry points into PROCMON20.SYS, the driver of Sysinternals Process Monitor, which is running on the box (Procmon.exe, PID 660 in pslist). Those hooks are the analyst's own tooling, not the rootkit, and should not be counted as a finding.

[root&windows]#volatility -f stuxnet.vmem --profile=$profile threads -p 868
Volatility Foundation Volatility Framework 2.4
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
------
ETHREAD: 0x822bbda8 Pid: 868 Tid: 1884
Tags: HookedSSDT
Created: 2011-06-03 04:26:55 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: lsass.exe
Attached Process: lsass.exe
State: Waiting:UserRequest
BasePriority: 0x8
Priority: 0x9
TEB: 0x7ffdc000
StartAddress: 0x7c8106e9 kernel32.dll
ServiceTable: 0x80552fa0
  [0] 0x80501b8c
      [0x19] NtClose 0xb240f80e PROCMON20.SYS
      [0x29] NtCreateKey 0xb240f604 PROCMON20.SYS
      [0x3f] NtDeleteKey 0xb240f4ac PROCMON20.SYS
      [0x41] NtDeleteValueKey 0xb240f4f2 PROCMON20.SYS
      [0x47] NtEnumerateKey 0xb240f3f2 PROCMON20.SYS
      [0x49] NtEnumerateValueKey 0xb240f34e PROCMON20.SYS
      [0x4f] NtFlushKey 0xb240f446 PROCMON20.SYS
      [0x62] NtLoadKey 0xb240f972 PROCMON20.SYS
      [0x77] NtOpenKey 0xb240f7d0 PROCMON20.SYS
      [0xa0] NtQueryKey 0xb240f03e PROCMON20.SYS
      [0xb1] NtQueryValueKey 0xb240f166 PROCMON20.SYS
      [0xf7] NtSetValueKey 0xb240f28a PROCMON20.SYS
      [0x107] NtUnloadKey 0xb240fac2 PROCMON20.SYS
  [1] 0x00000000
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags:
Eip: 0x7c90e4f4
  eax=0x0066feb8 ebx=0x00000000 ecx=0x000004a5 edx=0x7c90e4f4 esi=0x000007a4 edi=0x00000000
  eip=0x7c90e4f4 esp=0x0066ff1c ebp=0x0066ff80 err=0x00000000
  cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 fs=0x3b efl=0x00000246
  dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
0x7c8106e9 33ed             XOR EBP, EBP
0x7c8106eb 53               PUSH EBX
0x7c8106ec 50               PUSH EAX
0x7c8106ed 6a00             PUSH 0x0
0x7c8106ef e9e8afffff       JMP 0x7c80b6dc
0x7c8106f4 90               NOP
0x7c8106f5 33ed             XOR EBP, EBP
0x7c8106f7 50               PUSH EAX
0x7c8106f8 6a00             PUSH 0x0
0x7c8106fa e945690000       JMP 0x7c817044
0x7c8106ff 90               NOP
0x7c810700 8b               DB 0x8b
------
ETHREAD: 0x81f2ec48 Pid: 868 Tid: 112
Tags: HookedSSDT
Created: 2011-06-03 04:26:55 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: lsass.exe
Attached Process: lsass.exe
State: Waiting:UserRequest
BasePriority: 0x8
Priority: 0x8
TEB: 0x7ffdd000
StartAddress: 0x7c8106f5 kernel32.dll
ServiceTable: 0x80552f60
  [0] 0x80501b8c
      [0x19] NtClose 0xb240f80e PROCMON20.SYS
      [0x29] NtCreateKey 0xb240f604 PROCMON20.SYS
      [0x3f] NtDeleteKey 0xb240f4ac PROCMON20.SYS
      [0x41] NtDeleteValueKey 0xb240f4f2 PROCMON20.SYS
      [0x47] NtEnumerateKey 0xb240f3f2 PROCMON20.SYS
      [0x49] NtEnumerateValueKey 0xb240f34e PROCMON20.SYS
      [0x4f] NtFlushKey 0xb240f446 PROCMON20.SYS
      [0x62] NtLoadKey 0xb240f972 PROCMON20.SYS
      [0x77] NtOpenKey 0xb240f7d0 PROCMON20.SYS
      [0xa0] NtQueryKey 0xb240f03e PROCMON20.SYS
      [0xb1] NtQueryValueKey 0xb240f166 PROCMON20.SYS
      [0xf7] NtSetValueKey 0xb240f28a PROCMON20.SYS
      [0x107] NtUnloadKey 0xb240fac2 PROCMON20.SYS
  [1] 0xbf999b80
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0xe28044a0
CrossThreadFlags:
Eip: 0x7c90e4f4
  eax=0x0006fda0 ebx=0x7ffde000 ecx=0x0006ff98 edx=0x7c90e4f4 esi=0x000007d0 edi=0x00000000
  eip=0x7c90e4f4 esp=0x0006ff38 ebp=0x0006ff9c err=0x00000000
  cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 fs=0x3b efl=0x00000246
  dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
0x7c8106f5 33ed             XOR EBP, EBP
0x7c8106f7 50               PUSH EAX
0x7c8106f8 6a00             PUSH 0x0
0x7c8106fa e945690000       JMP 0x7c817044
0x7c8106ff 90               NOP
0x7c810700 8bff             MOV EDI, EDI
0x7c810702 648b1518000000   MOV EDX, [FS:0x18]
0x7c810709 8b4210           MOV EAX, [EDX+0x10]
0x7c81070c 8b               DB 0x8b

Presenter Notes

Step 3 Network Artifacts

XP images let us use connscan and sockscan (on Vista and later use netscan instead). Nothing here ties a socket to the rogue PIDs 868 or 1928; the PID 680 entries on UDP 500 and 4500 are the legitimate lsass doing IKE/IPsec.

[root&windows]#volatility -f stuxnet.vmem --profile=$profile connscan
Volatility Foundation Volatility Framework 2.4
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
[root&windows]#volatility -f stuxnet.vmem --profile=$profile sockscan
Volatility Foundation Volatility Framework 2.4
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01e20898     1200   1900     17 UDP             127.0.0.1       2011-06-03 04:25:47 UTC+0000
0x01e79778     1080   1142     17 UDP             0.0.0.0         2010-10-31 16:36:16 UTC+0000
0x01eb3d70     1080   1141     17 UDP             0.0.0.0         2010-10-31 16:36:16 UTC+0000
0x01eb9e98     1580   5152      6 TCP             127.0.0.1       2010-10-29 17:09:05 UTC+0000
0x01fa4d18      680      0    255 Reserved        0.0.0.0         2010-10-29 17:09:05 UTC+0000
0x01fa54b0        4    445     17 UDP             0.0.0.0         2010-10-29 17:08:53 UTC+0000
0x01fc2008      680    500     17 UDP             0.0.0.0         2010-10-29 17:09:05 UTC+0000
0x021dbe98     1032    123     17 UDP             127.0.0.1       2011-06-03 04:25:47 UTC+0000
0x02260008      680   4500     17 UDP             0.0.0.0         2010-10-29 17:09:05 UTC+0000
0x02261c08        4    445      6 TCP             0.0.0.0         2010-10-29 17:08:53 UTC+0000
0x023a5008      188   1025      6 TCP             127.0.0.1       2010-10-29 17:09:09 UTC+0000
0x02494aa8      940    135      6 TCP             0.0.0.0         2010-10-29 17:08:55 UTC+0000

Presenter Notes

Step 4 Code Injection

malfind found a few locations in lsass with PAGE_EXECUTE_READWRITE memory and signs of code injection...

Several of the hits start with "MZ" headers, i.e. whole PE images sitting in private RWX memory!

csrss, services, svchost, explorer and both rogue lsass processes showed signs of injection: PIDs 600, 668, 940, 1196, 868 and 1928.

Presenter Notes

More

Process: lsass.exe Pid: 1928 Address: 0x870000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

Process: lsass.exe Pid: 1928 Address: 0x1000000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, Protection: 6

vadinfo shows that neither region has a FileObject behind its ControlArea, so these MZ headers are not backed by a file on disk (a third hit at 0x80000 is snipped for brevity):
[root&windows]#volatility -f stuxnet.vmem --profile=$profile vadinfo -p 1928 -a 0x870000
************************************************************************
Pid:   1928
VAD node @ 0x82232950 Start 0x00870000 End 0x009a7fff Tag Vad
Flags: Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @822bbd38 Segment e107e600
NumberOfSectionReferences:          0 NumberOfPfnReferences:           0
NumberOfMappedViews:                1 NumberOfUserReferences:          1
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e107e640 Last contiguous PTE: e107eff8
Flags2: Inherit: 1

[root&windows]#volatility -f stuxnet.vmem --profile=$profile vadinfo -p 1928 -a 0x1000000
************************************************************************
Pid:   1928
VAD node @ 0x82086d40 Start 0x01000000 End 0x01005fff Tag Vad
Flags: CommitCharge: 2, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @81ff33e0 Segment e2343888
NumberOfSectionReferences:          1 NumberOfPfnReferences:           0
NumberOfMappedViews:                1 NumberOfUserReferences:          2
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e23438c8 Last contiguous PTE: e23438f0
Flags2: Inherit: 1

Presenter Notes

No FileObject behind an MZ header means the PE was written into memory rather than mapped from a file on disk: code injection. (A legitimately loaded image always has a FileObject on its ControlArea.)

Hidden DLLs?

Addresses of interest: 0x00080000, 0x00870000 and 0x01000000. ldrmodules cross-checks each mapped PE in the VAD against the PEB's three module lists:

[root&windows]#volatility -f stuxnet.vmem --profile=$profile ldrmodules -p 1928
Volatility Foundation Volatility Framework 2.4
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928 lsass.exe            0x00080000 False  False  False
1928 lsass.exe            0x01000000 True   False  True
1928 lsass.exe            0x00870000 True   True   True

Presenter Notes

Verbose output?

[root&windows]#volatility -f stuxnet.vmem --profile=$profile ldrmodules -p 1928
Volatility Foundation Volatility Framework 2.4
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928 lsass.exe            0x00080000 False  False  False
1928 lsass.exe            0x00870000 True   True   True
Load Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Init Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Mem Path:  C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
1928 lsass.exe            0x01000000 True   False  True
Load Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
Mem Path:  C:\WINDOWS\system32\lsass.exe : lsass.exe

0x01000000 is the ImageBase the PEB reports for lsass.exe, but its MappedPath is blank: the loader believes the executable lives there while the VAD has no file object for it. That is the hallmark of a hollowed process. 0x00080000 is in none of the three lists and has no path at all (injected and never linked), and 0x00870000, the KERNEL32.DLL.ASLR module, is in all three lists yet also has no backing file: a loaded module with a forged path.
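The reasoning above on the three lsass.exe rows generalises to a small classifier over ldrmodules output. The script below is an added example, not part of the original slides: it parses the non-verbose ldrmodules rows and labels each mapped PE as injected (in no PEB list, no file), hollowed (the PEB says the process image is here but nothing backs it), forged (listed by the loader but not file-backed), unlinked (file-backed but removed from the PEB lists) or ok. The sample is the PID 1928 rows from this page plus one ordinary ntdll.dll row made up for contrast; the assumption that a row in InLoad and InMem but not InInit is the process image reflects how Windows never places the main executable in the initialization-order list, and is stated as a heuristic in the code.

```python
"""Classify Volatility 2 ``ldrmodules`` rows as injected, hollowed, forged or ok.

Added example, not part of the original slides.  ldrmodules lists every
memory-mapped PE the VAD knows about and whether the PEB's three module
lists (InLoadOrder, InInitializationOrder, InMemoryOrder) know about it.
A blank MappedPath means the VAD has no file object behind the mapping.
"""
import re

# Constructed sample: the three lsass.exe (PID 1928) rows from this page, plus
# one ordinary file-backed DLL row (ntdll base taken from dlllist) for contrast.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1928 lsass.exe            0x00080000 False  False  False
1928 lsass.exe            0x01000000 True   False  True
1928 lsass.exe            0x00870000 True   True   True
1928 lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
"""

ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(True|False)\s+(True|False)\s+(True|False)\s*(.*)$"
)


def parse_ldrmodules(text):
    """Return a list of dicts, one per ldrmodules row, with a parsed base address."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or separator
        pid, proc, base, inload, ininit, inmem, path = m.groups()
        rows.append({
            "pid": int(pid), "process": proc, "base": int(base, 16),
            "inload": inload == "True", "ininit": ininit == "True",
            "inmem": inmem == "True", "mapped_path": path.strip(),
        })
    return rows


def classify(row):
    """Return (verdict, reason) for one ldrmodules row."""
    lists = (row["inload"], row["ininit"], row["inmem"])
    in_any = any(lists)
    # Heuristic: the main executable is never on the InInit list, so
    # InLoad+InMem without InInit is the normal signature of the process image.
    looks_like_exe = row["inload"] and row["inmem"] and not row["ininit"]
    if row["mapped_path"]:
        if all(lists) or looks_like_exe:
            return "ok", "file-backed mapping known to the loader"
        if not in_any:
            return "unlinked", "file-backed PE removed from every PEB list (hidden DLL)"
        return "unlinked", "file-backed PE missing from some PEB lists"
    if not in_any:
        return "injected", "PE in memory, in no PEB list, no file object"
    if looks_like_exe:
        return "hollowed", "PEB says the process image is here, VAD has no file object"
    return "forged", "loader lists a module here but the VAD has no file object"


def triage(text):
    """Return {base_address: verdict} for every row in ldrmodules *text*."""
    return {row["base"]: classify(row)[0] for row in parse_ldrmodules(text)}


if __name__ == "__main__":
    for row in parse_ldrmodules(LDRMODULES_SAMPLE):
        verdict, reason = classify(row)
        print("%s(%d) 0x%08x %-8s %s" % (row["process"], row["pid"], row["base"], verdict, reason))
```

On the sample this yields injected for 0x00080000, hollowed for 0x01000000, forged for 0x00870000 and ok for the ntdll row. Confirm a "hollowed" verdict with vadinfo (no FileObject on the ControlArea) before calling it, since a blank MappedPath alone is a heuristic.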

Presenter Notes

Skipping to step 6... because excitement
Dump suspicious processes and drivers


Presenter Notes

Hollow Process Injection

Create a legitimate process suspended, unmap (hollow out) its original image, write the malicious PE in its place, point the entry to the new code and resume the thread. Process name, path and parent all look normal; only the memory gives it away.

[root&windows]#volatility -f stuxnet.vmem --profile=$profile procdump -p 680,868,1928 -D stuxnetDump/
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e70020 0x01000000 lsass.exe            OK: executable.680.exe
0x81c498c8 0x01000000 lsass.exe            OK: executable.868.exe
0x81c47c00 0x01000000 lsass.exe            OK: executable.1928.exe


[root&windows]#ssdeep -d stuxnetDump/executable.680.exe stuxnetDump/executable.1928.exe -a
/root/amf/windows/stuxnetDump/executable.1928.exe matches /root/amf/windows/stuxnetDump/executable.680.exe (0)
[root&windows]#ssdeep -d stuxnetDump/*
/root/amf/windows/stuxnetDump/executable.868.exe matches /root/amf/windows/stuxnetDump/executable.1928.exe (100)

Presenter Notes

More artifacts

[root&windows]#strings stuxnetDump/executable.868.exe
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
TerminateProcess
GetCurrentProcess
CloseHandle
WaitForSingleObject
OpenProcess
ExitProcess
CreateThread
SetUnhandledExceptionFilter
SetErrorMode
KERNEL32.dll
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ADVAPI32.dll
VirtualProtect
GetModuleHandleW
GetCurrentThreadId
GetTickCount
lstrcpyW
lstrlenW
GetProcAddress
wsprintfW
USER32.dll

ZwCreateSection and ZwMapViewOfSection are the calls that map the replacement image into the hollowed process (removing the original image goes through ZwUnmapViewOfSection, which this strings list does not show). Together with ZwQuerySection, OpenProcess, CreateThread and the AdjustTokenPrivileges/LookupPrivilegeValueW pair, this import set reads like a loader, not like lsass.

Presenter Notes

VirusTotal?

[root&stuxnetDump]#../virus.py
['executable.868.exe', 'executable.1928.exe', 'executable.680.exe']
executable.868.exe
Report
- Resource's UID: 6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760-1428734311
- Scan's UID: 6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760-1428734311
- Permalink: https://www.virustotal.com/file/6f293f095e960461d897b688bf582a0c9a3890935a7d443a929ef587ed911760/analysis/1428734311/
- Resource's MD5: 7b62da1a65ffc31c55da778b276ad1e2
- Resource's status: Scan finished, information embedded
- Antivirus' total: 57
- Antivirus's positives: 35

executable.1928.exe
Report
- Resource's UID: 20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d-1426221873
- Scan's UID: 20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d-1426221873
- Permalink: https://www.virustotal.com/file/20a3c5f02b6b79bcac9adaef7ee138763054bbedc298fb2710b5adaf9b74a47d/analysis/1426221873/
- Resource's MD5: e1e00c2d5815e4129d8ac503f6fac095
- Resource's status: Scan finished, information embedded
- Antivirus' total: 57
- Antivirus's positives: 38


executable.680.exe
Report
- Resource's UID: 45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92-1423774745
- Scan's UID: 45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92-1423774745
- Permalink: https://www.virustotal.com/file/45f3b06cfb72ff8fc49fbb7076561b4ebf67a0953b1472ebeaec9d48c8c9dc92/analysis/1423774745/
- Resource's MD5: f9e5dd3014390b8ead50deab4907dafe
- Resource's status: Scan finished, information embedded
- Antivirus' total: 56
- Antivirus's positives: 1

Presenter Notes

Step 5 Check for Rootkits

[lots of snip]
[root&windows]#volatility -f stuxnet.vmem --profile=$profile callbacks
Volatility Foundation Volatility Framework 2.4
Type                                 Callback   Module               Details
------------------------------------ ---------- -------------------- -------
IoRegisterShutdownNotification       0xf86aa73a MountMgr.sys         \Driver\MountMgr
IoRegisterShutdownNotification       0xf8bb05be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf8bb05be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf8bb05be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf853c2be ftdisk.sys           \Driver\Ftdisk
IoRegisterShutdownNotification       0x805cdef4 ntoskrnl.exe         \FileSystem\RAW
IoRegisterShutdownNotification       0xf83d98f1 Mup.sys              \FileSystem\Mup
IoRegisterShutdownNotification       0x805f5d66 ntoskrnl.exe         \Driver\WMIxWDM
IoRegisterFsRegistrationChange       0xf84be876 sr.sys               -
GenericKernelCallback                0xf87ad194 vmci.sys             -
IoRegisterFsRegistrationChange       0xb21d89ec mrxnet.sys           -
GenericKernelCallback                0xb240ce4c PROCMON20.SYS        -
GenericKernelCallback                0x805f81a6 ntoskrnl.exe         -
GenericKernelCallback                0xb240cc9a PROCMON20.SYS        -
GenericKernelCallback                0xf895ad06 mrxcls.sys           -
PsSetLoadImageNotifyRoutine          0xb240ce4c PROCMON20.SYS        -
PsSetLoadImageNotifyRoutine          0x805f81a6 ntoskrnl.exe         -
PsSetLoadImageNotifyRoutine          0xf895ad06 mrxcls.sys           -
PsSetCreateThreadNotifyRoutine       0xb240cc9a PROCMON20.SYS        -
PsSetCreateProcessNotifyRoutine      0xf87ad194 vmci.sys             -

Presenter Notes

Suspicious?

PsSetLoadImageNotifyRoutine callbacks fire every time an image is loaded into any process, which makes them a favourite rootkit foothold for injecting code. Procmon and ntoskrnl are expected there; mrxcls.sys is not a driver Windows ships, so check it:

[root&windows]#volatility -f stuxnet.vmem --profile=$profile callbacks | grep mrxcls
Volatility Foundation Volatility Framework 2.4
GenericKernelCallback                0xf895ad06 mrxcls.sys           -
PsSetLoadImageNotifyRoutine          0xf895ad06 mrxcls.sys           -


[root&windows]#volatility -f stuxnet.vmem --profile=$profile modules | grep mrxcls
Volatility Foundation Volatility Framework 2.4
0x81f8cb60 mrxcls.sys           0xf895a000     0x5000 \??\C:\WINDOWS\system32\Drivers\mrxcls.sys

Presenter Notes

Devices and IRPs?

[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxcls
DRV 0x02126870 \Driver\MRxCls
---| DEV 0x81bdbeb0 MRxClsDvX FILE_DEVICE_UNKNOWN
[root&windows]#

Presenter Notes

Anything else?

Another callback, this time a file-system registration-change notification from a second unfamiliar driver:

IoRegisterFsRegistrationChange       0xb21d89ec mrxnet.sys           -

Presenter Notes

Devices and IRPs?

[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxnet
Volatility Foundation Volatility Framework 2.4
---------| ATT 0x821354b8  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81fb9680  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x81f0ab90  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x8226ef10  - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x821354b8  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81f0fc58  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81c0a910  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x81fb9680  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81f0ab90  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81c0a910  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x022e54f8 \Driver\MRxNet
---------| ATT 0x81f0fc58  - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x8226ef10  - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81c8b500  - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81dc49c0  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x82125f10  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x81fd59c0  - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
------------| ATT 0x81fb9680  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM
------------| ATT 0x81f0ab90  - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM

Presenter Notes

Attached to which device stacks?

[root&windows]#volatility -f stuxnet.vmem --profile=$profile devicetree | grep -i mrxnet -B 10 | grep Driver
Volatility Foundation Volatility Framework 2.4
DRV 0x0205e5a8 \FileSystem\vmhgfs
---| DEV 0x820f0030 hgfsInternal UNKNOWN
---| DEV 0x821a1030 HGFS FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81f5d020 (?) - \FileSystem\FltMgr FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x821354b8 (?) - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x023ae880 \FileSystem\MRxSmb
---| DEV 0x81da95d0 LanmanDatagramReceiver FILE_DEVICE_NETWORK_BROWSER
---| DEV 0x81ee5030 LanmanRedirector FILE_DEVICE_NETWORK_FILE_SYSTEM
------| ATT 0x81bf1020 (?) - \FileSystem\FltMgr FILE_DEVICE_NETWORK_FILE_SYSTEM
---------| ATT 0x81f0fc58 (?) - \Driver\MRxNet FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x02476da0 \FileSystem\Cdfs
---| DEV 0x81e636c8 Cdfs FILE_DEVICE_CD_ROM_FILE_SYSTEM
------| ATT 0x81fac548 (?) - \FileSystem\FltMgr FILE_DEVICE_CD_ROM_FILE_SYSTEM
---------| ATT 0x8226ef10 (?) - \Driver\MRxNet FILE_DEVICE_CD_ROM_FILE_SYSTEM
DRV 0x0253d180 \FileSystem\Ntfs
---| DEV 0x82166020 FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x8228c6b0 (?) - \FileSystem\sr FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81f47020 (?) - \FileSystem\FltMgr FILE_DEVICE_DISK_FILE_SYSTEM
------------| ATT 0x81fb9680 (?) - \Driver\MRxNet FILE_DEVICE_DISK_FILE_SYSTEM

Presenter Notes

MRxNet has attached itself to every file-system device stack on the box: NTFS, CDFS, the SMB redirector (LanmanRedirector) and the VMware hgfs share, sitting above FltMgr in each. That is a file-system filter driver. What does it intercept? Check its IRP dispatch table:

[root&windows]#volatility -f stuxnet.vmem --profile=$profile driverirp -r mrxnet -v
--------------------------------------------------
DriverName: MRxNet
DriverStart: 0xb21d8000
DriverSize: 0x2980
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                        0xb21d8486 mrxnet.sys
   1 IRP_MJ_CREATE_NAMED_PIPE             0xb21d8486 mrxnet.sys
   2 IRP_MJ_CLOSE                         0xb21d8486 mrxnet.sys
   3 IRP_MJ_READ                          0xb21d8486 mrxnet.sys
   4 IRP_MJ_WRITE                         0xb21d8486 mrxnet.sys
   5 IRP_MJ_QUERY_INFORMATION             0xb21d8486 mrxnet.sys
   6 IRP_MJ_SET_INFORMATION               0xb21d8486 mrxnet.sys
   7 IRP_MJ_QUERY_EA                      0xb21d8486 mrxnet.sys
   8 IRP_MJ_SET_EA                        0xb21d8486 mrxnet.sys
   9 IRP_MJ_FLUSH_BUFFERS                 0xb21d8486 mrxnet.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION      0xb21d8486 mrxnet.sys
  11 IRP_MJ_SET_VOLUME_INFORMATION        0xb21d8486 mrxnet.sys
  12 IRP_MJ_DIRECTORY_CONTROL             0xb21d84ec mrxnet.sys
  13 IRP_MJ_FILE_SYSTEM_CONTROL           0xb21d8496 mrxnet.sys
  14 IRP_MJ_DEVICE_CONTROL                0xb21d8486 mrxnet.sys
  15 IRP_MJ_INTERNAL_DEVICE_CONTROL       0xb21d8486 mrxnet.sys
  16 IRP_MJ_SHUTDOWN                      0xb21d8486 mrxnet.sys
  17 IRP_MJ_LOCK_CONTROL                  0xb21d8486 mrxnet.sys
  18 IRP_MJ_CLEANUP                       0xb21d8486 mrxnet.sys
  19 IRP_MJ_CREATE_MAILSLOT               0xb21d8486 mrxnet.sys
  20 IRP_MJ_QUERY_SECURITY                0xb21d8486 mrxnet.sys
  21 IRP_MJ_SET_SECURITY                  0xb21d8486 mrxnet.sys
  22 IRP_MJ_POWER                         0xb21d8486 mrxnet.sys
  23 IRP_MJ_SYSTEM_CONTROL                0xb21d8486 mrxnet.sys
  24 IRP_MJ_DEVICE_CHANGE                 0xb21d8486 mrxnet.sys
  25 IRP_MJ_QUERY_QUOTA                   0xb21d8486 mrxnet.sys
  26 IRP_MJ_SET_QUOTA                     0xb21d8486 mrxnet.sys
  27 IRP_MJ_PNP                           0xb21d8486 mrxnet.sys
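Two things are worth reading off a dispatch table like this: whether every handler actually lives inside the driver's own image (a handler outside DriverStart..DriverStart+DriverSize, or attributed to another module, means the table was hooked), and which IRP_MJ_* functions get a handler of their own instead of the shared pass-through stub, because those are the operations the driver cares about. Here 26 of 28 entries go to one stub at 0xb21d8486; only IRP_MJ_DIRECTORY_CONTROL and IRP_MJ_FILE_SYSTEM_CONTROL are handled separately, and directory control is exactly where a file-system filter tampers with directory listings to hide files. The script below is an added example, not part of the original slides: it parses driverirp -v text and performs both checks. The sample is the MRxNet table shown above, copied as constructed input.

```python
"""Triage a Volatility 2 ``driverirp -v`` dump for a driver's real behaviour.

Added example, not from the original slides.  Checks (1) that every IRP
handler lies inside the driver's own image and is attributed to the driver's
module, and (2) which IRP_MJ_* functions bypass the shared stub handler.
"""
import re
from collections import Counter

# Constructed sample: the mrxnet.sys driverirp -v output shown on this page.
DRIVERIRP_SAMPLE = """\
--------------------------------------------------
DriverName: MRxNet
DriverStart: 0xb21d8000
DriverSize: 0x2980
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                        0xb21d8486 mrxnet.sys
   1 IRP_MJ_CREATE_NAMED_PIPE             0xb21d8486 mrxnet.sys
   2 IRP_MJ_CLOSE                         0xb21d8486 mrxnet.sys
   3 IRP_MJ_READ                          0xb21d8486 mrxnet.sys
   4 IRP_MJ_WRITE                         0xb21d8486 mrxnet.sys
   5 IRP_MJ_QUERY_INFORMATION             0xb21d8486 mrxnet.sys
   6 IRP_MJ_SET_INFORMATION               0xb21d8486 mrxnet.sys
   7 IRP_MJ_QUERY_EA                      0xb21d8486 mrxnet.sys
   8 IRP_MJ_SET_EA                        0xb21d8486 mrxnet.sys
   9 IRP_MJ_FLUSH_BUFFERS                 0xb21d8486 mrxnet.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION      0xb21d8486 mrxnet.sys
  11 IRP_MJ_SET_VOLUME_INFORMATION        0xb21d8486 mrxnet.sys
  12 IRP_MJ_DIRECTORY_CONTROL             0xb21d84ec mrxnet.sys
  13 IRP_MJ_FILE_SYSTEM_CONTROL           0xb21d8496 mrxnet.sys
  14 IRP_MJ_DEVICE_CONTROL                0xb21d8486 mrxnet.sys
  15 IRP_MJ_INTERNAL_DEVICE_CONTROL       0xb21d8486 mrxnet.sys
  16 IRP_MJ_SHUTDOWN                      0xb21d8486 mrxnet.sys
  17 IRP_MJ_LOCK_CONTROL                  0xb21d8486 mrxnet.sys
  18 IRP_MJ_CLEANUP                       0xb21d8486 mrxnet.sys
  19 IRP_MJ_CREATE_MAILSLOT               0xb21d8486 mrxnet.sys
  20 IRP_MJ_QUERY_SECURITY                0xb21d8486 mrxnet.sys
  21 IRP_MJ_SET_SECURITY                  0xb21d8486 mrxnet.sys
  22 IRP_MJ_POWER                         0xb21d8486 mrxnet.sys
  23 IRP_MJ_SYSTEM_CONTROL                0xb21d8486 mrxnet.sys
  24 IRP_MJ_DEVICE_CHANGE                 0xb21d8486 mrxnet.sys
  25 IRP_MJ_QUERY_QUOTA                   0xb21d8486 mrxnet.sys
  26 IRP_MJ_SET_QUOTA                     0xb21d8486 mrxnet.sys
  27 IRP_MJ_PNP                           0xb21d8486 mrxnet.sys
"""

HEADER = re.compile(r"^(DriverName|DriverStart|DriverSize|DriverStartIo):\s+(\S+)")
IRP_ROW = re.compile(r"^\s*(\d+)\s+(IRP_MJ_\w+)\s+(0x[0-9a-fA-F]+)\s*(\S*)")


def parse_driverirp(text):
    """Return {DriverName, DriverStart, DriverSize, DriverStartIo, irps}
    where irps is a list of (index, major_function, handler, module)."""
    info = {"irps": []}
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            key, val = h.groups()
            info[key] = int(val, 16) if val.startswith("0x") else val
            continue
        r = IRP_ROW.match(line)
        if r:
            idx, major, handler, module = r.groups()
            info["irps"].append((int(idx), major, int(handler, 16), module))
    return info


def analyze(info):
    """Return (suspicious, dedicated, stub): handlers outside the driver image or
    attributed to a foreign module, IRPs not routed to the most common stub, and
    the stub address itself."""
    start, end = info["DriverStart"], info["DriverStart"] + info["DriverSize"]
    own = info["DriverName"].lower()
    stub = Counter(h for _, _, h, _ in info["irps"]).most_common(1)[0][0]
    suspicious = [
        (m, h, mod) for _, m, h, mod in info["irps"]
        if not (start <= h < end) or (mod and mod.lower().rsplit(".", 1)[0] != own)
    ]
    dedicated = {m: h for _, m, h, _ in info["irps"] if h != stub}
    return suspicious, dedicated, stub


if __name__ == "__main__":
    info = parse_driverirp(DRIVERIRP_SAMPLE)
    suspicious, dedicated, stub = analyze(info)
    print("%s: stub 0x%x handles %d of %d IRPs" % (
        info["DriverName"], stub, len(info["irps"]) - len(dedicated), len(info["irps"])))
    for major, h in sorted(dedicated.items()):
        print("  dedicated handler %-32s 0x%x" % (major, h))
    for major, h, mod in suspicious:
        print("  HOOK? %s -> 0x%x (%s) is not inside the driver image" % (major, h, mod))
```

For MRxNet both handlers fall inside 0xb21d8000..0xb21da980 and are attributed to mrxnet.sys, so the table is the driver's own; the interesting output is the two dedicated handlers. Run the same script over `driverirp -v` for a driver you trust to see what a normal filter looks like before judging an unknown one.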

Presenter Notes

EOF
Lots more to Stuxnet... have fun!

Presenter Notes