Stuxnet Worm Detection with ECAT
“Give ECAT 10,000 systems and within hours, it will identify the few systems infected by malware that bypassed your corporate security”
What can ECAT do for Stuxnet-like attacks?
ECAT is signature-less enterprise assessment software designed to be deployed on hundreds or thousands of computers and is aimed at large organizations. It uses live memory analysis and advanced correlation techniques to quickly identify emerging threats on Windows computers without having to wait for signature deployment. It gives analysts the tools to quickly detect Advanced Persistent Threats (APTs) like the Stuxnet worm and its variants.
Finding Stuxnet with ECAT
The ECAT agent is deployed across the workstations and servers of the organization. The agent has a minimal impact on system performance and is invisible to the end users.
It can be deployed before or after the infection occurred. Once deployed, it connects to the ECAT Server and is accessible through the ECAT Console. Detection occurs through system scans that can be done either manually or scheduled at selected intervals.
Before the infection
The suspect level of the system was set to 0 meaning no significant abnormal behavior was found.
After the scan
We can see the suspect level of the system is now set to 33, a huge jump indicating a potential compromise. Systems with a suspect level higher than 10 are most likely compromised. Digging down shows us the reasons why this system is likely compromised. First, the DLLs’ category is highlighted, indicating that 8 items of this category have a suspect behavior.
The DLLs’ table shows that a floating DLL has been found within lsass.exe, services.exe and svchost.exe, all known to be critical Windows processes. Floating DLLs are pretty uncommon and are a very good indicator that malware is trying to use a legitimate process as a host to perform other operations. It does this by injecting a DLL into the target process with a technique known as “reflective loading” that doesn’t require an actual DLL file on disk to work. This technique is very effective as it bypasses most antivirus and personal firewall protections.
At this stage, it is already clear that this system is compromised by an unknown malware and that actions will have to be taken to remove it from the system. Let’s continue the analysis.
An expert eye will notice that there are two lsass.exe processes injected with a floating DLL. This process is normally loaded only once in the system. Looking at the process list we can see that 3 instances of lsass.exe are in fact running.
Looking at the Suspicious Threads
This category confirms that not only are injected DLLs present in the system, but threads are actually running within the injected code. Also, other blocks of independent floating code, not linked to any floating DLLs, have been found in the processes’ memory.
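The three memory findings above (executable memory with no file behind it, threads started inside that memory, and more lsass.exe instances than a healthy system runs) are the kind of checks a memory scanner applies. The following is an added illustration written for this page, not ECAT’s code: it runs those checks over a constructed region and thread inventory. The record layout, field names, addresses and the expected-instance table are assumptions made for the example.

```python
"""Flag floating (non file-backed) executable memory, the threads running
inside it and duplicated critical processes from a constructed memory-scan
inventory.

Added example, not ECAT code. The record layout, field names, addresses and
the expected-instance table are assumptions made for illustration."""

# Constructed sample: one record per committed memory region, as a live
# memory scan might report it. 'backed_by' is the image file mapped into
# the region, or None for private (anonymous) memory.
REGIONS = [
    {"pid": 500,  "process": "lsass.exe",    "base": 0x7FFE0000, "size": 0x20000, "protect": "RX",  "backed_by": r"C:\Windows\System32\lsasrv.dll"},
    {"pid": 500,  "process": "lsass.exe",    "base": 0x00A10000, "size": 0x10000, "protect": "RWX", "backed_by": None},
    {"pid": 1604, "process": "lsass.exe",    "base": 0x00B20000, "size": 0x10000, "protect": "RX",  "backed_by": None},
    {"pid": 2288, "process": "lsass.exe",    "base": 0x00C30000, "size": 0x10000, "protect": "RW",  "backed_by": None},  # heap, not executable
    {"pid": 620,  "process": "services.exe", "base": 0x00D40000, "size": 0x10000, "protect": "RX",  "backed_by": None},
    {"pid": 1040, "process": "svchost.exe",  "base": 0x77000000, "size": 0x30000, "protect": "RX",  "backed_by": r"C:\Windows\System32\ntdll.dll"},
    {"pid": 1040, "process": "svchost.exe",  "base": 0x01E50000, "size": 0x10000, "protect": "RX",  "backed_by": None},
]

# Constructed: thread start addresses reported by the same scan.
THREADS = [
    {"pid": 500,  "tid": 1234, "start": 0x00A10100},  # inside the floating RWX region
    {"pid": 1040, "tid": 2345, "start": 0x77011000},  # inside ntdll.dll, normal
    {"pid": 620,  "tid": 3456, "start": 0x00D40020},  # inside the floating region
]

# Assumption: instance counts a healthy Windows system runs for the processes
# the page calls critical (lsass.exe is normally loaded once).
EXPECTED_INSTANCES = {"lsass.exe": 1, "services.exe": 1}


def floating_code(regions):
    """Executable regions with no image file behind them. A reflectively
    loaded DLL or injected shellcode looks exactly like this."""
    return [r for r in regions if "X" in r["protect"] and r["backed_by"] is None]


def threads_in_floating_code(regions, threads):
    """Threads whose start address lies inside a floating region: evidence
    that the injected code is not merely present but actually running."""
    floating = floating_code(regions)
    hits = []
    for t in threads:
        for r in floating:
            if t["pid"] == r["pid"] and r["base"] <= t["start"] < r["base"] + r["size"]:
                hits.append({"pid": t["pid"], "tid": t["tid"], "region": r["base"]})
                break
    return hits


def duplicate_processes(regions, expected=EXPECTED_INSTANCES):
    """Process names with more distinct PIDs than expected, with the count."""
    pids = {}
    for r in regions:
        pids.setdefault(r["process"], set()).add(r["pid"])
    return {name: len(p) for name, p in pids.items() if len(p) > expected.get(name, len(p))}


def report(regions=REGIONS, threads=THREADS):
    """One finding per line, in the order an analyst would read them."""
    lines = [f"floating code in {r['process']} (pid {r['pid']}) at {r['base']:#010x}"
             for r in floating_code(regions)]
    lines += [f"thread {h['tid']} of pid {h['pid']} runs inside floating region {h['region']:#010x}"
              for h in threads_in_floating_code(regions, threads)]
    lines += [f"{n} running {c} times, expected {EXPECTED_INSTANCES[n]}"
              for n, c in duplicate_processes(regions).items()]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The protection check treats any executable private region as floating, whether RX or RWX; the RW region in the third lsass.exe is ordinary heap and is ignored, while the thread check is what turns “injected code present” into “injected code executing”.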
Looking at more details in the Drivers category, we can see that there are two new files on the system.
Both are unknown to the whitelists (Bit9 and NSRL) but both files are signed by Realtek Semiconductors. The signatures are valid but the company name associated with the files is Microsoft???
Sorting the driver list by file name also reveals an unusual pattern.
The new file names have the same “mrx” prefix as Microsoft signed files as if they were named to hide in plain sight. Online searches of these hashes will not yield any results. Also, ECAT shows that the files are only present once in the entire environment which is rather unusual, especially in a controlled and mostly standardized environment.
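The driver findings combine four independent signals: a hash no whitelist knows, a signer that does not match the embedded company name, a file name sharing a prefix with legitimate Microsoft drivers, and a file seen on only one host in the whole environment. The example below, added for this page and not ECAT’s code, correlates a constructed fleet-wide driver inventory on exactly those signals. All hashes, host names, driver names and the signer-to-company heuristic are constructed or assumed; real whitelists such as NSRL and Bit9 are keyed by file hash in the same way.

```python
"""Correlate a fleet-wide driver inventory to surface unknown, oddly signed,
look-alike and rarely seen kernel drivers.

Added example, not ECAT code. Every record, hash, host name and driver name
below is constructed for illustration."""
from collections import defaultdict

# Constructed whitelist: sha1 -> canonical file name of a known-good driver.
WHITELIST = {
    "1111111111111111111111111111111111111111": "mrxsmb.sys",
    "2222222222222222222222222222222222222222": "mrxdav.sys",
}
KNOWN_GOOD_NAMES = set(WHITELIST.values())

# Constructed inventory: one record per (host, driver file) from a fleet scan.
_MS = {"signer": "Microsoft Windows", "company": "Microsoft Corporation"}
_RT = {"signer": "Realtek Semiconductor Corp", "company": "Realtek Semiconductor Corp"}
INVENTORY = [
    {"host": "ws01", "file": "mrxsmb.sys", "sha1": "1" * 40, **_MS},
    {"host": "ws02", "file": "mrxsmb.sys", "sha1": "1" * 40, **_MS},
    {"host": "ws03", "file": "mrxsmb.sys", "sha1": "1" * 40, **_MS},
    {"host": "ws01", "file": "rtlnic.sys", "sha1": "3" * 40, **_RT},  # unknown but everywhere
    {"host": "ws02", "file": "rtlnic.sys", "sha1": "3" * 40, **_RT},
    {"host": "ws03", "file": "rtlnic.sys", "sha1": "3" * 40, **_RT},
    # Constructed suspect: Realtek signature, Microsoft company name, mrx prefix, one host.
    {"host": "ws03", "file": "mrxabc.sys", "sha1": "4" * 40,
     "signer": "Realtek Semiconductor Corp", "company": "Microsoft Corporation"},
]


def host_count(inventory):
    """Number of distinct hosts that contributed to the inventory."""
    return len({r["host"] for r in inventory})


def prevalence(inventory):
    """sha1 -> number of distinct hosts on which that exact file was seen."""
    hosts = defaultdict(set)
    for r in inventory:
        hosts[r["sha1"]].add(r["host"])
    return {h: len(s) for h, s in hosts.items()}


def signer_matches_company(signer, company):
    """Crude heuristic (an assumption for this example): the first word of
    the signing organisation should appear in the embedded company name."""
    return signer.split()[0].lower() in company.lower()


def mimicked_names(file, known_names, prefix_len=3):
    """Known-good drivers whose name starts with the same prefix as an
    unknown file; a name chosen to hide in plain sight collides here."""
    if file in known_names:
        return []
    prefix = file[:prefix_len].lower()
    return sorted(k for k in known_names if k[:prefix_len].lower() == prefix)


def triage(inventory, whitelist=WHITELIST, known_names=KNOWN_GOOD_NAMES):
    """file name -> list of reasons it deserves a look (empty if none)."""
    seen_on = prevalence(inventory)
    total = host_count(inventory)
    unique = {(r["file"], r["sha1"], r["signer"], r["company"]) for r in inventory}
    reasons = {}
    for file, sha1, signer, company in sorted(unique):
        why = []
        if sha1 not in whitelist:
            why.append("hash unknown to whitelist")
        if not signer_matches_company(signer, company):
            why.append(f"signed by {signer} but company name is {company}")
        twins = mimicked_names(file, known_names)
        if twins:
            why.append(f"name prefix '{file[:3]}' matches known drivers {', '.join(twins)}")
        if total > 1 and seen_on[sha1] == 1:
            why.append(f"seen on 1 of {total} hosts")
        reasons[file] = why
    return reasons


if __name__ == "__main__":
    for file, why in triage(INVENTORY).items():
        print(file, "->", why or "nothing unusual")
```

No single signal is decisive on its own: the constructed rtlnic.sys is also unknown to the whitelist, but it is consistently signed and present on every host, so it collects one reason while the look-alike driver collects all four. That stacking of independent signals is the correlation the page describes.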
Finding malware like Stuxnet is quick and easy with ECAT and does not require a degree in reverse engineering. By performing a deep memory analysis and presenting the information in an easy to understand format, ECAT allows the rapid discovery of any hidden threats.
You can view our approach and our software for more details about finding malware, suspicious threads, etc. with our product. For more information or a live demo, contact us at info@siliciumsecurity or call us toll free at +1-888-819-0829