
I've noticed that when ~WTR4141.tmp is loaded, it doesn't set the hidden file attribute on .lnk files or on the other .tmp rootkit file of the Stuxnet bundle.

I've seen that these are all the possible file attributes on Windows:

Letter  Bit mask  Description and notes
------  --------  ------------------------------------------------------------
 R         0x1    Read-only
 H         0x2    Hidden
 S         0x4    System
(V)        0x8    Volume label (obsolete in NTFS and must not be set)
 D        0x10    Directory
 A        0x20    Archive
 X        0x40    Device (reserved by system and must not be set)
 N        0x80    Normal (i.e. no other attributes set)
 T       0x100    Temporary
 P       0x200    Sparse file
 L       0x400    Symbolic link / Junction / Mount point / has a reparse point
 C       0x800    Compressed (flag changeable with directories only)
 O      0x1000    Offline
 I      0x2000    Not content indexed (displayed as 'N' in Explorer in Windows Vista)
 E      0x4000    Encrypted
(V)     0x8000    Integrity (Windows 8 ReFS only; attribute not displayed in Explorer)
 -     0x10000    Virtual (reserved by system and must not be set)
(X)    0x20000    No scrub (Windows 8 ReFS only; attribute not displayed in Explorer)

(Taken from: https://superuser.com/questions/44812/windows-explorers-file-attribute-column-values)

So my question is simple: how does Stuxnet hide itself?

1 Answer


The answer is also simple: inject into Explorer and hook the following functions:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile

Symantec has a more in-depth explanation.

Jonathan Allon
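To make the answer concrete: once FindNextFileW and friends are hooked inside Explorer, the hidden attribute is irrelevant, because the directory entries never reach Explorer at all. The hook calls the real function, and whenever the returned entry is one it wants hidden it simply calls the real function again, so the caller sees the listing with those entries removed. The portable C below, written for this page and not taken from Stuxnet or from the answer, simulates that hook over a constructed directory listing and then does the usual cross-view check: compare an unhooked enumeration with the hooked one and report the difference. The sample file names and the filter rule (drop anything ending in ".lnk" and anything of the form ~WTR*.tmp) are assumptions chosen to match the files the question mentions, not the rootkit's actual matching logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample listing standing in for what the unhooked
 * FindNextFileW / NtQueryDirectoryFile would return for a drive root.
 * The names are made up for this example. */
static const char *const SAMPLE_DIR[] = {
    "Copy of Shortcut to.lnk",
    "~WTR4141.tmp",
    "~WTR4132.tmp",
    "report.docx",
    "autorun.inf",
};
#define SAMPLE_DIR_COUNT (sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0])

static bool ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Hypothetical filter in the spirit of the answer: hide *.lnk entries and
 * ~WTR*.tmp entries. Illustrative only; it is not the rootkit's exact rule. */
bool rootkit_filter_hides(const char *name)
{
    if (ends_with(name, ".lnk"))
        return true;
    return strncmp(name, "~WTR", 4) == 0 && ends_with(name, ".tmp");
}

/* A directory cursor, standing in for the HANDLE FindFirstFileW hands out. */
typedef struct {
    const char *const *entries;
    size_t count;
    size_t pos;
} dir_iter;

/* The original (unhooked) enumerator: one entry per call, NULL at the end. */
const char *raw_find_next(dir_iter *it)
{
    return it->pos < it->count ? it->entries[it->pos++] : NULL;
}

/* What an inline hook on FindNextFileW does: call the real function, and if
 * the entry is one it wants hidden, call it again so the caller never sees it. */
const char *hooked_find_next(dir_iter *it)
{
    const char *name;
    while ((name = raw_find_next(it)) != NULL) {
        if (!rootkit_filter_hides(name))
            return name;
        /* hidden entry: loop and fetch the next one instead */
    }
    return NULL;
}

typedef const char *(*find_next_fn)(dir_iter *);

/* Drain an enumerator into out[]; returns the number of names stored. */
size_t list_dir(find_next_fn next, const char *out[], size_t max)
{
    dir_iter it = { SAMPLE_DIR, SAMPLE_DIR_COUNT, 0 };
    size_t n = 0;
    const char *name;
    while (n < max && (name = next(&it)) != NULL)
        out[n++] = name;
    return n;
}

/* Cross-view detection: anything the raw view returns that the hooked
 * (Explorer-visible) view omits is being hidden. Returns the count. */
size_t cross_view_diff(const char *hidden[], size_t max)
{
    const char *raw[16], *seen[16];
    size_t nraw = list_dir(raw_find_next, raw, 16);
    size_t nseen = list_dir(hooked_find_next, seen, 16);
    size_t nhidden = 0;
    for (size_t i = 0; i < nraw && nhidden < max; i++) {
        bool found = false;
        for (size_t j = 0; j < nseen && !found; j++)
            found = strcmp(raw[i], seen[j]) == 0;
        if (!found)
            hidden[nhidden++] = raw[i];
    }
    return nhidden;
}

int main(void)
{
    const char *hidden[16];
    size_t n = cross_view_diff(hidden, 16);
    printf("%zu entries in the raw view are missing from the hooked view:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", hidden[i]);
    return 0;
}
```

The diff only works if the reference view really is unhooked. Since the answer lists NtQueryDirectoryFile and ZwQueryDirectoryFile among the hooked functions, calling them from inside the injected process gives the same filtered listing; the unhooked side has to come from a process the rootkit did not inject, or from reading the directory index off the volume directly.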