Yong Wang¹, Dawu Gu², DaoGang Peng¹, Shuai Chen¹, and Heng Yang¹
¹ Department of Computer Science and Technology, Shanghai University of Electric Power, 2103 Pingliang Road, Shanghai, 200090/Yangpu District, China
² Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dongchuan Road, Shanghai, 200240/Minhang District, China
wy616@126.com
1 Introduction
* This work is supported by the State Key Laboratory of Information Security (Institute of Software, Chinese Academy of Sciences) (04-02-1), the Shanghai Education Commission Innovation Foundation (11YZ192), the Shanghai Science and Technology Commission Key Program (11511504400), the National Natural Science Foundation of China under Grant (60903188), and the Natural Science Foundation of Shanghai City (No. 12ZR1411900).
J. Lei et al. (Eds.): NCIS 2012, CCIS 345, pp. 640–646, 2012.
© Springer-Verlag Berlin Heidelberg 2012
Stuxnet Vulnerabilities Analysis of SCADA Systems
2 Stuxnet Files
The Stuxnet sample from tuts4you.com has 7 files (1,129,027 bytes) in the root directory and 2 subdirectories.
2010/09/14 16:52 26,616 A0055521.sys
2010/08/25 20:15 4,171 Copy of Shortcut to.lnk
2010/07/18 01:07 40,960 dll.dll
2010/09/27 17:46 513,536 malware.exe
2010/07/22 09:03 <DIR> signed drivers
2010/10/02 02:02 <DIR> stuxnet core
2010/07/18 00:37 392 suckme.lnk_
2010/08/25 20:15 517,632 ~WTR4132.tmp
2010/08/25 20:15 25,720 ~WTR4141.tmp
In addition to the files listed, the stuxnet core directory contains dropper.exe_ and maindll.decrypted.unpacked.dll_. The files in the signed drivers directory are
“0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198”,
“1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c”,
“63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802” and
“70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b”.
3 Stuxnet Analysis
3.1 Dll.dll
Dll.dll is a main module, 40,960 bytes in size. The section header of .text gives a virtual size of 00006354h, a virtual address of 10001000h, a raw data size of 0006400h, and a pointer to raw data of 0000400h.
The main program in dll.dll is _text_1000285C, located in .text with a length of 96h. It contains procedures such as _text_1000288E, _text_100028D4, _text_100028DF and _text_100028EE. The strings in dll.dll are shown in Table 1.
Virtual Address   String
10008838          'Microsoft Visual C++ Runtime Library',0
10008120          'SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!',0Ah,0
7783ADC1          'R6032',0Dh,0Ah,'- not enough space for locale information',0Dh,0Ah,0
1000830C          'DOMAIN error',0Dh,0Ah,0
100091D8          'GetProcessWindowStation',0
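The .text header fields quoted in Section 3.1 are what let an analyst map a virtual address such as _text_1000285C to a byte offset in dll.dll on disk. The Python below is an added example, not code from the paper: it decodes a 40-byte PE section header and performs that mapping, assuming an image base of 10000000h (so the header's RVA is 1000h) and a constructed characteristics value.

```python
import struct

# IMAGE_SECTION_HEADER layout (40 bytes): Name[8], VirtualSize,
# VirtualAddress (RVA), SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"

IMAGE_BASE = 0x10000000  # assumption: implied by the quoted VA 10001000h


def parse_section(raw):
    """Decode one 40-byte section header into a dict."""
    (name, vsize, rva, raw_size, raw_ptr,
     _reloc, _lines, _nreloc, _nlines, flags) = struct.unpack(SECTION_FMT, raw)
    return {
        "name": name.rstrip(b"\0").decode("ascii"),
        "virtual_size": vsize,
        "virtual_address": IMAGE_BASE + rva,
        "raw_size": raw_size,
        "raw_pointer": raw_ptr,
        "flags": flags,
    }


def va_to_file_offset(section, va):
    """Map a virtual address inside the section to its offset in the file."""
    delta = va - section["virtual_address"]
    if not 0 <= delta < section["virtual_size"]:
        raise ValueError(f"{va:08X}h is outside {section['name']}")
    if delta >= section["raw_size"]:
        raise ValueError(f"{va:08X}h has no bytes on disk (zero-filled)")
    return section["raw_pointer"] + delta


# Constructed header built from the .text values quoted in the text; the
# characteristics value (code | execute | read) is an assumption.
SAMPLE = struct.pack(SECTION_FMT, b".text", 0x6354, 0x1000, 0x6400, 0x400,
                     0, 0, 0, 0, 0x60000020)

if __name__ == "__main__":
    text = parse_section(SAMPLE)
    print(text)
    offset = va_to_file_offset(text, 0x1000285C)
    print(f"_text_1000285C -> file offset {offset:X}h")
```

Passing one of the Table 1 string addresses, such as 10008838h, raises ValueError because it lies beyond the 6354h bytes of .text; resolving it requires the header of the section that holds it.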