Fake Stuxnet cleaner = very nasty

Discussion in 'malware problems & news' started by CloneRanger, Oct 10, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It doesn't come much worse than this.

    stuxnet-cleaner.exe

    sc.gif

    shell.gif

    Originally Posted by a_d_13

    Of course not many people are going change the extension from .exe to .bat and/or then run it :D But now the code is out there that means other idiots could make use of it, and release it as a .bat file. This could be delivered in the usual ways, and people tricked into running it, with possible devastating consequences :eek:

    I have .bat protection, so i'd get alerted and prompted ;) but i'm not sure how many others out there would be protected from running such a file, and then .....

    Would people be protected from this scenario ?

    If so how exactly ?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For me, the question isn't answerable w/o seeing an actual exploit and the way it attempts to trick the user into running it.

    ----
    rich
     
  3. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    The stuxnet cleaner executable creates the file Stuxnet Cleaner.bat in
    *\Local Settings\Temp\1.tmp\Stuxnet Cleaner.bat, then executes the batch file.
    Simple and skiddy as that.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried it without any security. System unbootable.
    GesWall- Passed
    CIS Default settings with AV turned off- It gave pop up and I opted to sandbox it. It deleted some start menu items, some jpg images from my desktop etc etc but system remained intact, rebooted fine( It will however succeed to delete some files from ur PC).

    1.jpg
    2.jpg
    3.jpg
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I went to that forum to check it out, and agree with the second poster that it is a script kiddie thingy.

    Surely, no respectable cybercriminal would write such a piece of code.

    ----
    rich
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree except with the word "respectable". :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I use that word in an ironic sense.

    My implication is that a respectable cybercriminal (respected in her/his profession; creditable; one committed to her/his work) wants to take over the computer for monetary gain, not to destroy it!


    ----
    rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    OK ;)

    Script kiddie thingy indeed, i don't see the sense in releasing stuff like this. Well i guess they don't have any !

    @ stackz

    Hi, i searched for ALL temp files and didn't see it in *\Local Settings\Temp\1.tmp\Stuxnet Cleaner.bat ? Only as shown below. Did you test it, if so how ?

    Yes nasty :eek:

    Nice to see GesWall Passed :thumb: With CIS you were still alive :thumb: but some issues :( Thanks for testing :)

    *

    Well i ran it after enabling ShadowDefender & allowing it via ProcessGuard.

    Stuxnet-Cleaner.exe appeared in running processes.

    An E.tmp folder was created in Temp

    e.gif

    Inside there was this

    scb.gif

    Found a locked file tmp.edb in C:\WINDOWS\system32\CatRoot2

    edb.gif

    Found some info on tmp.edb -

    http://technet.microsoft.com/en-us/library/bb124808(EXCHG.65).aspx - which didn't seem relevant !

    W32/Archiles.worm - http://vil.nai.com/vil/content/v_141963.htm - Coincidence ?

    Not sure what that is right now ? but as it was created over 3 hours before i ran the test, i don't see how it's connected !

    Didn't notice anything unusual with Autoruns/RkU/Gmer

    Killed Stuxnet-Cleaner.exe with RkU, cut & pasted E.tmp/Stuxnet Cleaner.bat to a new folder excluded from deletion by SD, and rebooted. SD returned my comp to as before

    Obviously this malware is designed to do it's nasty deeds on reboot, and i wasn't going to allow that, guess why :D But i wanted to see what i could find that it installed & ready to run on boot etc. I expect i maybe missed something/s ? as i don't see how that .bat could have autorun on boot from within that folder, without some other help !

    Edit

    virscan.org = Only BitDefender detected Stuxnet Cleaner.bat - BehavesLike:BAT.Delete (suspected)

     
    Last edited: Oct 11, 2010
  9. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    I had a chance to have a closer look at this piece of rubbish. The batch file is embedded in the the executable's resource file. It gets written to *\Local Settings\Temp\[Single Char].tmp\Stuxnet Cleaner.bat
    The batch file is deleted after execution.

    The batch file:
    Changes file association for .exe, .mp3, .jpg, .bmp and .gif.
    Deletes every file on C drive that it can.
    Kills explorer.exe, firefox.exe. iexplore.exe and avgnt.exe (avira)
    Reboots the computer - obviously if it gets this far, then the computer would be unbootable.

    The program appears to be of German origin.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the nice analysis.
     
  11. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks stackz for analysis :) It really seems work of script kiddy.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re - \Local Settings\Temp\[Single Char].tmp\Stuxnet Cleaner.bat

    So the [Single Char] folder it creates appears to be a random one, as mine was E.tmp not 1.tmp.

    After running Stuxnet-Cleaner.exe,

    I was able to create .gif file with no file association etc problems.

    It didn't delete ANY file on C drive.

    Didn't kill explorer.exe/firefox.exe/avgnt.exe and all were running.

    That's why i curious to find out how the batch file actually executes itself, after being created by running Stuxnet-Cleaner.exe. As it didn't happen on my comp, and Script Defender would have prompted me for permission to run a .bat file anyway, which it didn't.

    Also as i mentioned earlier, i'm wondering how many people out there would be protected, or not, from a .bat file auto running ? The person using W7 with big problems in the - www.trojaner-board.de - obviously had it run !

    @ stackz

    From post # 9, does that mean you ran it as i asked ?

    Or that you found the info elsewhere, if so where ?

    How does the batch file execute itself, and then do what it does ?

    TIA
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    364
    Location:
    italy
    DefenseWall is also able to contain the effects of this malware..
     
    Last edited: Oct 11, 2010
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Prevx stopped it.:thumb:
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The fake stuxnet cleaner contains a line to wipe C drive so dunno why it needs to do anything else as that does enough damage in itself?

    Kernelmode Topic
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    :thumb:

    Prevx didn't detect Anything when i did the test o_O and still does Not detect Stuxnet-Cleaner.exe or Stuxnet Cleaner.bat in my folder ?

    Which is very strange, considering your experience ?
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Franklin

    Hi, the thing is, as you can see from my test, it didn't cause ANY damage to my comp !
     
  18. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    I've run it, unpacked it, debugged it etc
    Batch file is launched using ShellExecuteExA, which will mean cmd.exe runs the batch file.
    The executable resource manifest shows requestedExecutionLevel level="highestAvailable", which means in admin account it runs as admin or prompts for admin where UAC is involved, in LUA it will run as limited user.

    If the stuxnet cleaner runs successfully, the first thing you'll notice is that its icon changes to wma icon and cmd.exe is using a lot of cpu cycles.
    Code:
    [FONT="Courier New"][SIZE="2"]@echo off
    assoc .exe=WMAFile // change file association
    assoc    <snip>
    assoc    <snip>
    assoc    <snip>
    assoc    <snip>
    del      <snip>  // recursive delete file command
    taskkill <snip>  // kill process
    taskkill <snip>
    taskkill <snip>
    taskkill <snip>
    shutdown -r -t 600 -c "Opfer" // reboots after 600 seconds, additional comment "Opfer" = victim [/SIZE][/FONT]
    
     
    Last edited: Oct 12, 2010
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    XP VM's - Sandboxie and Bufferzone both contain any changes to their secure zones.

    Returnil and Shadow Defender don't contain any changes realtime but things are back to normal after reboot.

    Line from Stuxnet-Cleaner.exe saved as "Delete System.bat" - 3/43 - Trojan.BAT.KillFiles.gc

    Stuxnet-Cleaner.exe - 19/42 - Trojan:Win32/Delfiles.Q

    BSA report via Sandboxie:

    [ General information ]
    * File name: c:\documents and settings\ven\desktop\stuxnet-cleaner.exe
    * File length: 75776 bytes
    * File signature: UPX [com] *
    * MD5 hash: 8fab1b7e5e11adaf4d57afeb652d7832
    * SHA1 hash: 16c8dd9b634248016930f81b3e7f66bfbef8e219
    * SHA256 hash: 872ea49751b04bf2ea1e07eeb96384f812b880bdb648bb1f4641b0cb0304723e

    Then proceeds to delete every file it can mainly those not in use.

    [ Changes to registry ]
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.bmp
    old value "Default=Paint.Picture"
    * Modifies value "Default=WMAFile" in key HKEY_LOCAL_MACHINE\software\Classes\.exe
    old value "Default=exefile"
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.gif
    old value "Default=giffile"
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.jpg
    old value "Default=jpegfile"
    * Modifies value "Default=VBSFile" in key HKEY_LOCAL_MACHINE\software\Classes\.mp3
    old value "Default=mp3file"
    * Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

    [ Process/window information ]
    * Opens a service named "LanmanWorkstation".
    * Creates a mutex "ZonesCounterMutex".
    * Creates a mutex "ZonesCacheCounterMutex".
    * Creates a mutex "ZonesLockedCacheCounterMutex".
    * Creates process "(null),"C:\Documents and Settings\Ven\Local Settings\Temp\2.tmp\Stuxnet Cleaner.bat" ,C:\Documents and Settings\USER\Desktop\".
    * Creates a mutex "SHIMLIB_LOG_MUTEX".
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ stackz

    @ Franklin

    Thanks for the extra info etc, wish you'ld posted it all earlier ;)

    Well they say, you mileage may vary, and it certainly did with me. Interesting how different malware affects people comps, or not, in different ways !
     
Loading...
Thread Status:
Not open for further replies.