English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Myrtus and Guava, Episode 3

Aleks
Kaspersky Lab Expert
Posted July 15, 11:07  GMT
Tags: Malware Technologies, Rootkits, Stuxnet
0.3
 

The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.

Over the last four days, KSN has identified Trojan components (although the program should really be thought of as a worm, as it spreads via removable storage media) on more than 16,000 computers around the world. A map with infection statistics shows three countries (all starting with the letter I!) are at the centre of the epidemic - Iran, India and Indonesia.

KSN identified more than 5,000 incidents in each of the three countries – in comparison, there were around 150 cases of infection in Russia, and only 5 in China.

There’s no simple explanation for the distribution, but any explanation has to take into account the way Stuxnet spreads - via removable storage media. This isn’t the quickest way to spread malware, but on the other hand, it can ensure that the malware will have a longer life-cycle (one example of this is Sality, which also spread on USB devices). What is quite clear is that the epidemic hasn’t yet reached beyond Asia.

Could the geography help us work out how the rootkit component came to be digitally signed?

Of course, coming up with conspiracy theories isn’t the nicest thing to do, but paranoia is inherent in IT security professionals. So I’ll give myself the freedom to hypothesize:

Realtek is a “hardware” company; writing the software is a subsidiary process which can be optimized by using outsourcers. Which country is the world leader when it comes to outsourcing programming? You’re right – India.

Could an outsourcer creating software for a company have the means to sign programs with that company’s certificate? It’s certainly possible.

So one theory would be that the malware was created in India (just look at the map) and, possibly, without an “insider” amongst the Realtek application developers.

However, if we’re going with that theory, then I wouldn’t throw out the possibility that the driver files are actually legitimate drivers created by Realtek. Yes, they have rootkit functionality, and hide lnk and ~WTRxxxx.tmp files in the root of the storage device. But that doesn’t mean the driver files aren’t legitimate – remember the Sony rootkit incident? And the malware that used the rootkit technology?

Now that we're nearing the end of episode 3’s, I’ve just realized that I’ve forgotten one important point – the title of my last three posts.

“Myrtus (myrtle) is a genus of one or two species of flowering plants in the family Myrtaceae,” and “The Myrtaceae or Myrtle family are a family of dicotyledon plants, placed within the order Myrtales. Myrtle, clove, guava, feijoa, allspice, and eucalyptus belong here.”

Why the sudden foray into botany? Because the rootkit driver code contains the following string:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Project “Myrtus”. Module “Guava”.

To be continued?


5 comments

Newest first
Threaded view
 

David Kennedy

2010 Sep 23, 22:01
0
 

Cutesy Title

I was researching Stuxnet last night to answer a customer query and I ended up using Symantec and Langer as my primary sources because Stuxnet shows up in a subject search in my RSS reader. Today, I got to thinking and I remembered Kaspersky was one of the best early sources and I widened my search to include article bodies and these finally showed up.

I wonder how many hits your blog hasn't gotten because of the cutesy title?

Reply    

Farhood Sadeghi

2010 Jul 18, 09:49
0
 

Having Rootkit.Win32.Stuxnet

Hi everybody,

In a company (actually in 3 places: Office and 2 factories) I found this Trojan and now I finished reading this article. It's very amazing. But I saw another view from the infected computers, I don't know that it's about this Trojan or not.
All the infected computers using Windows XP Service Pack 3, but all folders are marked as Read Only in windows explorer, whereas these folders are not actually Read Only. It's not the real problem. The real problem is about a software.
They have an accounting software which cannot work with the Read Only folders. Also, Kaspersky Administration Kit cannot gets updates because of this problem too. I copied update files that I had and it had been copied (Update date: 2010/07/03).

Regards

Reply    

Arvind

2010 Jul 24, 10:03
0
 

Re: Having Rootkit.Win32.Stuxnet

Some of the miss concepts about the latest CVE-2010-2568 based attack by StuxNet:

Myth 1: Many articles are calling this as a zero day vulnerability in Windows Shell, some are calling it as a vulnerability in .LNK file format and so on so forth.
Fact: It is basically a design flaw by Microsoft in handling .LNK files. Can be called as designed to be a feature which got misused by a malware to get executed automatically. Just like Autorun feature which now is being widely used by malware authors to spread the malware. So its not at all a vulnerability in Windows Shell or .LNK file format and nor any kind of buffer overflow that is being happening.

Myth 2: Malware/Worm will not work on all pen drives. Needs OllyDbg debugger to start the code or modify the .LNK to make it work.
Fact: The worm does work on all pen drives and does not need any modification to .LNK file to work or a debugger to start it. Basically the worm drops a .LNK file on pen drive when infecting it which is unique to the pen drive being infected. So if researchers or user copies these files as it is to other pen drive of-course it is not going to get executed automatically on other pen drives. Important thing is the pen drive which is infected by the worm (.lnk and other files dropped by the worm on it) will infect other PCs successfully if we use the same pen drive as it is on the other PC and open the removable drive in explorer. That means attack vector successfully works without any modifications provided it is infected by the worm automatically and not by manually copying the malware files on the pen drive.

Myth 3: Attack vector works only on USB/Pen drives.
Fact: If the specially crafted .LNK file is dropped on network drive with all the relevant files in same location it will still work. The malware will automatically get executed if we happen to open that particular network drive or even any folder (local or shared) in the system. The flaw is about handling of .LNK files it can be from any location like removable drives (Pen/USB drives), local drives and folders, shared drives and folders.

Myth 4: Disabling autoplay or autorun feature of Windows will prevent execution of such malware from infected pen drive.
Fact: Disabling of autoplay or autorun feature of Windows will not prevent automatic execution of malware from pen drive. You may still get infected if you simply insert the infected pen drive to your system and open the drive in explorer. As it common practice that users most of the time open the pen drive in explorer to explore the contents and do operations like copy paste or view. So even if you have autoplay off simply opening the infected pen drive in explorer is going to infect your PC.

Ref: http://blogs.quickheal.com/

Reply    

Jagadeesh

2010 Jul 15, 23:27
-2
 

Baseless Allegation on Indian programmers.

I agree the fact that the malware originated in India but how can you make an allegation that it was digitally signed by an outsourced programmer in India?. Do you have any idea how offensive this is against all the indian community and all the indian kaspersky users. Should we buy an Antivirus from a company which hires a person who does allegations without any proof based on race and region.

Reply    

sludge3000

2010 Jul 16, 15:13
2
 

Re: Baseless Allegation on Indian programmers.

Aleks hasn't made any allegations here. He clearly states he is stating one theory on the origin.
He also states the following:
"However, if we’re going with that theory, then I wouldn’t throw out the possibility that the driver files are actually legitimate drivers created by Realtek."
He also didn't make any statement related to the nationality of the malware creator or their race.
Even if it is true that the malware originated from a company based in India you could always hypothesize that it was introduced by a Japanese executive who normally works at a branch office in Germany.
I would like to state that this is not a theory I am putting forward, it is merely a hypothetical example.

Edited by sludge3000, 2010 Jul 16, 15:42

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog