What is the background of Stuxnet virus?

New viruses appear every day around the world. Most are pranks by teenagers, and a few are tools criminals use to steal personal information. Stuxnet (the "earthquake net" virus) may be just one of them, so what is its background? Here is a detailed introduction to the background of Stuxnet. I hope it helps you!

Introduction to the background of Stuxnet:

First, it exploits four Windows zero-day vulnerabilities. A zero-day vulnerability is a flaw in software that has only just been discovered and has not yet been disclosed or patched. A zero-day greatly raises the success rate of a computer intrusion and has great economic value: on the black market a single zero-day can usually sell for hundreds of thousands of dollars. Even the professional hackers of criminal groups would not be so extravagant as to use four zero-day vulnerabilities in one virus at the same time. From this alone we can see that the developer of this virus was no ordinary hacker and had strong financial backing. Moreover, the developers were determined to hit their target, so they used multiple zero-day vulnerabilities at once to make sure the attack succeeded.

Secondly, it has an unusually strong ability to spread over USB. Traditional viruses spread mainly through the Internet, whereas Stuxnet's ability to spread through the USB interface is greatly enhanced: it automatically infects any connected USB flash drive. In the eyes of the virus's developers, the intended propagation environment was evidently not the open Internet but an environment where Internet connectivity is restricted, so they had to rely on the USB port to extend the propagation path.

Strangest of all, the virus contains two attacks on vulnerabilities in Siemens industrial control software, which was unique among viruses at the time. From the Internet's point of view, industrial control is dinosaur-era technology: its archaic communication modes, isolated network connections, huge system scale and slow pace of technical change all make industrial control systems look completely different from the Internet. Nobody had imagined that viruses rampant on the Internet could also be turned against industrial systems.

In-depth analysis

Chapter I Event Background

On 10 June 2010, many domestic and foreign media reported the attack of the Stuxnet worm on Siemens' SIMATIC WinCC data acquisition and monitoring system, calling it a "super virus" and "super factory virus" and describing it as a "special weapon" and a "Pandora's box".

The Stuxnet worm (commonly known as "Shenzhen" and "Gemini") began to break out in July 2003. It exploits at least four vulnerabilities in Microsoft operating systems, including three new zero-day vulnerabilities; forges the digital signature of its driver; breaks through the physical isolation of industrial private networks through a set of intrusion and communication procedures; and uses two vulnerabilities in the WinCC system to launch a destructive attack on it. It is the first malicious code to directly destroy industrial infrastructure in the real world. According to Symantec's statistics, as of September 2010 about 45,000 networks around the world had been infected by this worm, and 60% of the victims were located in Iran. Iran has confirmed that its Bushehr nuclear power plant was attacked by the Stuxnet worm.

An Tian Laboratory captured the first Stuxnet worm variant in July, analyzed it immediately, released an analysis report and preventive measures, and has tracked it continuously since. As of the publication of this report, An Tian has captured 13 variants and more than 600 sample entities with different hash values.

Chapter II Analysis of Typical Behavior of Samples

2.1 Execution environment

Stuxnet worms can be executed in the following operating systems:

Windows 2000, Windows Server 2000

Windows XP, Windows Server 2003

Windows Vista

Windows 7, Windows Server 2008

When it finds itself running on a non-Windows NT operating system, it exits immediately.

The attacked software system includes:

SIMATIC WinCC 7.0

SIMATIC WinCC 6.2

However, it cannot be ruled out that other versions are affected as well.

2.2 Local behavior

After the sample runs, its typical execution flow is shown in Figure 1.

The sample first determines the type of the current operating system; if it is Windows 9X/ME, it exits directly.

Next it loads a main DLL module, and all subsequent actions are carried out inside this DLL. To evade antivirus detection, the sample does not write the DLL module to disk and then load it from there; instead it copies the module directly into memory and simulates the DLL loading process itself.

Specifically, the sample first allocates enough memory and then hooks six system functions exported by ntdll.dll:

ZwMapViewOfSection

ZwCreateSection

ZwOpenFile

ZwClose

ZwQueryAttributesFile

ZwQuerySection

To install the hooks, the sample first changes the protection attribute of the PE header in the in-memory image of ntdll.dll, then overwrites the unused data at offset 0x40 of that header with jump code.

With the hooks in place, the sample creates a new PE section in its memory space with ZwCreateSection, copies the DLL module to be loaded into it, and finally calls LoadLibraryW to obtain the module handle.
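As an added illustration (not code from the An Tian report or from the sample), the check a defender would run against this kind of hook: scan the first instruction of each Zw* export in a module image and flag jumps, classifying where they land. A jump whose target sits in the PE header space (below the first section) is the tell-tale sign of the trick described above; a plain "target outside the module" test would miss it. The module layout, RVAs and prologue bytes here are constructed for the example.

```python
import struct

# Constructed stand-in for the in-memory image of ntdll.dll (not real ntdll data).
IMAGE_BASE = 0x77D00000
IMAGE_SIZE = 0x3000
FIRST_SECTION_RVA = 0x1000   # bytes below this RVA are DOS/PE header space

# The six exports the sample hooks, plus one untouched export as a control (constructed RVAs).
EXPORTS = {
    "ZwMapViewOfSection": 0x1000, "ZwCreateSection": 0x1040, "ZwOpenFile": 0x1080,
    "ZwClose": 0x10C0, "ZwQueryAttributesFile": 0x1100, "ZwQuerySection": 0x1140,
    "ZwYieldExecution": 0x1180,
}
CLEAN_PROLOGUE = bytes.fromhex("b8a1000000")   # mov eax, imm32: normal start of a 32-bit Zw* stub


def build_clean_image():
    """Zero-filled image with a clean syscall prologue at every export."""
    img = bytearray(IMAGE_SIZE)
    for rva in EXPORTS.values():
        img[rva:rva + len(CLEAN_PROLOGUE)] = CLEAN_PROLOGUE
    return img


def plant_jmp_hook(img, rva, target_rva):
    """Overwrite a function entry with 'jmp rel32' to target_rva (simulates the hook being tested for)."""
    rel = (target_rva - (rva + 5)) & 0xFFFFFFFF
    img[rva:rva + 5] = b"\xe9" + struct.pack("<I", rel)


def find_inline_hooks(img, exports, base=IMAGE_BASE, first_section_rva=FIRST_SECTION_RVA):
    """Return {export_name: (target_rva, verdict)} for exports whose first instruction is a jump."""
    findings = {}
    for name, rva in exports.items():
        op = img[rva]
        if op == 0xE9:                                 # jmp rel32
            target = rva + 5 + struct.unpack("<i", img[rva + 1:rva + 5])[0]
        elif op == 0x68 and img[rva + 5] == 0xC3:      # push imm32 ; ret
            target = struct.unpack("<I", img[rva + 1:rva + 5])[0] - base
        else:
            continue                                   # mov eax, ... or anything else: not a jump
        if target < 0 or target >= len(img):
            verdict = "jump leaves the module"
        elif target < first_section_rva:
            verdict = "jump into PE header space"      # the offset-0x40 trampoline case
        else:
            verdict = "jump within module code"
        findings[name] = (target, verdict)
    return findings


def demo():
    """Hook the six Zw* exports to a trampoline at header offset 0x40, then scan."""
    img = build_clean_image()
    for name in list(EXPORTS)[:6]:
        plant_jmp_hook(img, EXPORTS[name], 0x40)
    return find_inline_hooks(img, EXPORTS)
```

On a live system the same scan would read the module image from the target process and compare against the on-disk ntdll.dll; the verdict logic is unchanged.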

The sample then jumps into the loaded DLL for execution and drops the following files:

%System32%\drivers\mrxcls.sys

%System32%\drivers\mrxnet.sys

%Windir%\inf\oem7A.PNF

%Windir%\inf\mdmeric3.PNF

%Windir%\inf\mdmcpq3.PNF

%Windir%\inf\oem6C.PNF

Two of these are drivers: MRXCLS.sys and MRXNET.sys are registered as the system services MRXCLS and MRXNET respectively, so that they start automatically at boot. Both drivers use rootkit techniques and carry digital signatures.

Mrxcls.sys is responsible for finding the WinCC system installed on the host and carrying out the attack. Specifically, it monitors image loading by system programs and injects a module stored in %Windir%\inf\oem7A.PNF into services.exe, s7tgtopx.exe and CCProjectMgr.exe, the programs that run when the WinCC system executes.

Mrxnet.sys hides the .lnk files and DLL files copied to USB flash drives by modifying certain kernel calls.