About TmpHider/Stuxnet #1

Some info on the new malware spreading these days under the name TmpHider/Stuxnet.

Let’s start with the propagation method, which is the only novel aspect of this malware. As already discussed and reported on several forums, this piece of malware exploits some as-yet-unidentified bug in the lnk file format to start itself automatically when a usb key is opened.

Once infected, you’ll find on the usb pen two lnk files and two tmp files; opening one of the lnk files, we can see inside it the UNC path to the tmp file, which is actually a DLL.

I haven’t completely analyzed these two DLLs yet, but I guess they contain the infection logic and are responsible for dropping and installing the two sys files.

So what I did was attach to explorer.exe and set a breakpoint on LoadLibrary, and that’s what I got:

As you can see, it’s trying to load the tmp file from the system32 directory, so something is not going as expected, right? My guess is that’s because the UNC path inside the lnk file is specific to the usb pen, so if you copy the link and tmp files to a different usb pen they won’t work.

Let’s start from the lnk file, since it’s clear that it is triggering the loading of the DLL in some way, and since there is no sign of shellcode it must be some kind of logic bug or “feature”. My starting point was the Microsoft lnk format reference, to see how that path is interpreted.
The path is expressed as a PIDL and is composed of three components (two of which are represented through their CLSIDs):

{20D04FE0-3AEA-1069-A2D8-08002B30309D} {21EC2020-3AEA-1069-A2DD-08002B30309D} \\.\STORAGE#Volume#_??_....\file.tmp

which corresponds to

{My computer} {Control Panel} \\.\STORAGE#Volume#_??_....\file.tmp
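To make the three-component PIDL above concrete, here is a small parser for a LNK target IDList that walks the ItemIDs, names the two CLSIDs, and flags the shape described in this post (My Computer, then Control Panel, then a target that is not a .cpl file). This is an added example, not code from the original post. The IDList framing (a uint16 size followed by the item data, terminated by a two-byte zero size) follows [MS-SHLLINK]; the inner item layout used here (a 0x1F type byte, a sort byte and a 16-byte little-endian GUID for CLSID items, a NUL-terminated ASCII string for path items) is a simplification chosen for the example and is an assumption, not the full shell item encoding. The volume id in the sample is a placeholder.

```python
"""Parse a LNK LinkTargetIDList (PIDL) and flag Control Panel -> non-.cpl targets.

Added example, not the post's own code. IDList framing per MS-SHLLINK;
item layouts are a simplification (assumption) for illustration.
"""
import struct
import uuid

# CLSIDs quoted in the post.
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
KNOWN_CLSIDS = {MY_COMPUTER: "My Computer", CONTROL_PANEL: "Control Panel"}


def split_idlist(data: bytes) -> list:
    """Split an IDList into ItemID payloads; stop at the 2-byte zero terminator."""
    items = []
    off = 0
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated IDList: missing terminator")
        (cb,) = struct.unpack_from("<H", data, off)
        if cb == 0:
            return items
        if cb < 2 or off + cb > len(data):
            raise ValueError(f"bad ItemID size {cb} at offset {off}")
        items.append(data[off + 2 : off + cb])
        off += cb


def decode_item(abid: bytes):
    """Return ('clsid', UUID) for a GUID item, ('path', str) otherwise (assumed layout)."""
    if len(abid) >= 18 and abid[0] == 0x1F:
        return ("clsid", uuid.UUID(bytes_le=abid[2:18]))
    return ("path", abid.split(b"\x00", 1)[0].decode("ascii", "replace"))


def describe(data: bytes) -> list:
    """Human-readable component list, e.g. ['My Computer', 'Control Panel', '...']."""
    out = []
    for kind, val in map(decode_item, split_idlist(data)):
        out.append(KNOWN_CLSIDS.get(val, str(val)) if kind == "clsid" else val)
    return out


def is_suspicious_control_panel_target(data: bytes) -> bool:
    """Flag IDLists that route through Control Panel to a file that is not a .cpl."""
    items = [decode_item(a) for a in split_idlist(data)]
    for i, (kind, val) in enumerate(items[:-1]):
        if kind == "clsid" and val == CONTROL_PANEL:
            nxt_kind, nxt_val = items[i + 1]
            if nxt_kind == "path" and not nxt_val.lower().endswith(".cpl"):
                return True
    return False


# --- builders for constructed sample input (same assumed layout as the parser) ---
def clsid_item(g: uuid.UUID) -> bytes:
    return bytes([0x1F, 0x50]) + g.bytes_le  # type byte, sort byte, GUID


def path_item(p: str) -> bytes:
    return p.encode("ascii") + b"\x00"


def build_idlist(*abids: bytes) -> bytes:
    return b"".join(struct.pack("<H", len(a) + 2) + a for a in abids) + b"\x00\x00"


# Constructed sample mirroring the post's three-component path (placeholder volume id).
SAMPLE_LNK_TARGET = build_idlist(
    clsid_item(MY_COMPUTER),
    clsid_item(CONTROL_PANEL),
    path_item(r"\\.\STORAGE#Volume#_??_PLACEHOLDER\file.tmp"),
)
# Constructed benign counterpart: a real control panel applet.
BENIGN_CPL_TARGET = build_idlist(
    clsid_item(MY_COMPUTER), clsid_item(CONTROL_PANEL), path_item("example.cpl")
)

if __name__ == "__main__":
    print(describe(SAMPLE_LNK_TARGET))
    print("suspicious:", is_suspicious_control_panel_target(SAMPLE_LNK_TARGET))
```

The check is deliberately narrow: it looks only for the Control Panel folder item being followed by something other than a .cpl, which is exactly the oddity visible in the post's PIDL, so it is a cheap triage filter for lnk files harvested from removable media rather than a general LNK scanner.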

I didn’t notice any other relevant differences between a normal lnk and this one except how the path is expressed; anyway, that’s all for now, more details coming over the weekend on how that path leads to execution.

edit: typo it’s Control Panel not Computer Panel, of course

edit: local LNK format spec here

posted in internals, malware, reversing by swirl

8 Comments to "About TmpHider/Stuxnet #1"

  1. Fotis wrote:

    Hey, nice info posted there. I would be glad if you could give me some links for a sample of this worm. I am especially interested in analyzing those lnk files that trigger the exploit.

    Thanks

  2. gb wrote:

    Hey, it’s good that you’re analyzing and posting info on it, I recommend you blur out the whole image and not just the ascii part.

  3. swirl wrote:

    Hi Fotis,

    I got it from a private feed, but you can ask for a copy from contagiodump

  4. swirl wrote:

    Hey gb,

    if I blurred the whole image there would be no point in publishing it, right? ;)
    and anyway there are already PoCs out there now, so no harm done

  5. rur wrote:

    Hi!
    Thank you for the interesting research! The bad thing is Microsoft removed the PDF with the documentation ([MS-SHLLINK].PDF) from their site :(
    Maybe someone saved it and can upload it to sendspace or rapidshare?
    Thanks

  6. swirl wrote:

    we will upload it here shortly :)

  7. cP wrote:

    You can download it from here:
    http://ivanlef0u.nibbles.fr/repo/windoz/MS-SHLLINK.pdf

    :)

  8. rur wrote:

    Thank you!

Copyright (c) 2010-2011 InREVERSE - All Right Reserved