Thursday, May 19, 2011

What is Stuxnet?

Stuxnet made big news about a year ago in summer 2010 when it was discovered to be installed on many Windows systems that were controlling Siemens SCADA systems. Stuxnet made news because it was the most sophisticated malware seen to date. The intent of Stuxnet seems to have been industrial espionage, and due to the complexity of its code, it is thought to have been written by an organization with the resources to design and test such complex code. Some noteworthy aspects of Stuxnet:
  1. It exploited 4 different "0-day" Windows vulnerabilities. This is unheard of due to the difficulty of finding even 1 exploitable vulnerability in Windows. This suggests that the organization that sponsored Stuxnet development had a lot of resources.
  2. Stuxnet exploited Siemens software and centrifuges used for Uranium purification. As with any software development effort, resources must be allocated to testing. In this case, testing would involve using the code to run the centrifuges. This requires a lot of money.
  3. Pure code complexity-Stuxnet's code was relatively large compared to the codes of other malware that exists. Additionally, Stuxnet was a Windows rootkit (kernel mode malware). Unlike userland malware, kernel mode malware requires special skill to write, because kernel programming is usually more difficult than userland programming, as it is very easy to crash the system, and requires an intricate knowledge of Operating Systems internals (Windows kernel in this specific case).
A sample of Stuxnet comes as 3 files:

Stuxnet files

The shortcut file is interesting. When opened in a Hex editor, one can see the following text:
This implies that the exploit takes advantage of the specific device name that is registered with windows when it is mounted(Kingston Data Traveler). Due to its complexity and the estimated resources that its development required, it is hypothesized that a Nation's Government was behind the development of Stuxnet. Stuxnet is known as the turning point in the world of cyberwarfare as the one of the first malcodes of this complexity to attack another nation's infrastructure. According to multiple sources on the internet, it is supposed that Stuxnet has set Iran's nuclear program back by about 2 years, approximately as effective as a physical military attack.

Sunday, May 15, 2011

VirtualBox kernel debugging a Windows XP Guest

Below are the steps to debug the kernel of a Windows XP guest running through a VitualBox hypervisor.

Windbg configuration(File->Kernel Debug...)

VirtualBox VM settings

In order to get the guest kernel to listen for a debugger connecting to it, C:\boot.ini on the guest Windows XP VM has to be edited. The boot.ini file now looks like this:

[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /debugport=COM1 /baudrate=115200

In order to debug the guest, start windbg and select "File->Kernel Debug...", hit OK, and then start the VM in Virtual Box. The output in windbg shows that that there is a kernel attached.