March 29, 2011
There has been much attention placed on Stuxnet by the world media since it was widely reported in the summer of 2010. Over the years we have watched malware evolve from mere annoyance into a tool of organized crime; Stuxnet marks the first known targeted malware attack designed to damage physical property, capable of destroying buildings and machines and even, eventually, killing people. Recent events in Japan have shown that compromised infrastructure can pose serious problems to regional and national governments over a significant period of time, and that such infrastructure can be an effective target on this new front of warfare.
This complex threat uses multiple vulnerabilities and has been specially coded to avoid detection by behavioral antivirus defenses. The final payload is the injection of malicious code that alters the behavior of SCADA systems, ultimately leading to industrial malfunctions and the sabotage of Iran’s suspected nuclear program.
Recently, independent malware researcher Amr Thabet shared with us a document that takes a close look at MrxCls, the malicious driver dropped by Stuxnet. MrxCls is a very complex project, which Thabet believes was developed independently from the main Stuxnet dropper, given its scale and complexity and the fact that it was not modified in step with Stuxnet. MrxCls also appears to have benefited from the cooperation of industrial or politically motivated spies, since it was signed with a digital certificate belonging to a major hardware vendor.
From the reverse analysis in the paper, an exclusive from InfoSpyware, the reader will find that MrxCls is a multi-staged attack which, in the end, does not need to run initially with elevated privileges. Other interesting features include entry point obfuscation techniques, as well as specific methods for avoiding the behavioral detection used by most commercial antivirus products.
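The point about the vendor certificate deserves a practical check. A driver that carries a valid Authenticode signature is not automatically trustworthy: MrxCls was validly signed, just with a certificate that had no business signing it. The PowerShell script below is an added example for defenders, not code from the original post or from Thabet's paper. It enumerates the kernel drivers currently loaded on a Windows host, verifies each file's signature, and flags drivers whose signer is not on an operator-maintained allowlist. The allowlist `$TrustedSignerSubjects` and the vendor names in it are constructed placeholders; the cmdlets used (`Get-CimInstance`, `Get-AuthenticodeSignature`) are standard Windows PowerShell.

```powershell
# Added example (not from the original post or the MrxCls paper): audit loaded
# kernel drivers by Authenticode signature AND by signer identity, because a
# valid signature from the wrong certificate (the MrxCls case) must still be flagged.

# Constructed placeholder allowlist: replace with the signer subjects you expect
# on your own fleet (certificate Subject fields, matched by prefix).
$TrustedSignerSubjects = @(
    'CN=Microsoft Windows',            # placeholder: inbox drivers
    'CN=Example Hardware Vendor Inc'   # placeholder: your own hardware vendors
)

function Get-LoadedDriverSignatureReport {
    param(
        [string[]] $AllowedSubjects = $TrustedSignerSubjects
    )

    # Win32_SystemDriver lists kernel-mode drivers; State 'Running' means loaded now.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the two common kernel path prefixes so Get-Item can open the file.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot

            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose image cannot be found on disk is itself suspicious.
                return [pscustomobject]@{
                    Name       = $_.Name
                    Path       = $path
                    Status     = 'FileMissing'
                    Signer     = $null
                    Thumbprint = $null
                    Verdict    = 'INVESTIGATE: image not found on disk'
                }
            }

            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $subject = $sig.SignerCertificate.Subject   # $null when unsigned
            $trusted = $false
            foreach ($allowed in $AllowedSubjects) {
                if ($subject -and $subject.StartsWith($allowed)) { $trusted = $true }
            }

            # Two distinct failure modes: no valid signature at all, or a valid
            # signature from a signer we never expected to see on this host.
            $verdict = if ($sig.Status -ne 'Valid') { 'INVESTIGATE: unsigned or invalid signature' }
                       elseif (-not $trusted)      { 'INVESTIGATE: valid signature, unexpected signer' }
                       else                        { 'OK' }

            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = $subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Verdict    = $verdict
            }
        }
}

# Usage: run from an elevated PowerShell session and review every row not marked OK.
Get-LoadedDriverSignatureReport | Sort-Object Verdict | Format-Table -AutoSize
```

The useful output is the second verdict category. Drivers that are unsigned or carry a broken signature are the easy case; the MrxCls lesson is the row that reads "valid signature, unexpected signer", which no signature check alone would have raised. Keep the thumbprints from a known-good baseline so that a later run can diff against them rather than relying on subject names alone.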
This is the first salvo of politically motivated targeted malware attacks, but it will certainly not be the last. Indeed, retaliatory attacks and preparation for further attacks have already occurred and are bound to escalate the situation further. The malware phase of cyber warfare has begun in earnest, and we are likely to see Stuxnet evolve over time as well, inspiring similar attacks and an inevitable intensification of hostilities. What we can do, as people dedicated to fighting all forms of malware, is to know and understand the enemy, even when they are in our midst.
Download PDF: MrxCls – Stuxnet Loader Driver (English)