Symantec Stuxnet Deep Diving


“I think that computer viruses should count as life. I think that it says something about human nature. The only form of life we have created so far is purely destructive. We’ve created life in our own image,” said Stephen Hawking.

The Stuxnet Windows worm (W32.Stuxnet), widely commented on in the press and in blogs, introduces the third generation of computer attacks, the one that every information security engineer has been talking about for so long. The first generation of attacks, the era of Melissa, Code Red and Slammer (1999 to 2003), was driven by kids trying to make the headlines. The second generation, which started to appear in the mid-2000s, was driven by organized groups trying to make a profit from a specific target, e.g. “I give you back access to your computer if you send me a check.” The present generation of worms, of which Stuxnet is the prime example, attacks the computer systems that are key to an industrial process or to a country’s infrastructure. Unfortunately, nothing to be proud of! I leave it to you to read the New York Times, the Economist, or your favorite paper or blog, which have analyzed in depth the geopolitical landscape of cyberwar introduced by Stuxnet, the “why” of Stuxnet and the “who” behind it.

But as an engineer, I could not resist reading the findings of the three Symantec researchers, Nicolas Falliere, Liam O Murchu and Eric Chien, who have provided in-depth technical analysis of Stuxnet over the last two months. What follows is a summary of their final findings in something close to plain English. All background information is referenced below.

Stuxnet Target System – Siemens WinCC Systems

Stuxnet targets Siemens’ SIMATIC WinCC/Step 7 SCADA software and, through it, the Siemens PLCs that software programs. SCADA stands for Supervisory Control and Data Acquisition and generally refers to a computer system that monitors and controls an industrial process such as a manufacturing plant, an infrastructure such as a water or power generation or distribution system, or a facility such as a building or an airport.

The Siemens WinCC system is a TCP/IP-based client-server system made up of operator and server stations. The operator station is a standard PC running Windows XP, Windows Vista or Windows Server 2003. The server station runs Windows Server 2003 SP2 or Windows Server 2003 R2 SP2.

From the operator station, an engineer uses the SIMATIC Step 7 software to write the control program that is then downloaded to a Programmable Logic Controller (PLC): the ruggedized industrial computer that actually monitors and controls the process through its inputs and outputs. A simple example of a PLC program would be one that regulates the flow of cooling water in a production process. Around the PLC, the WinCC environment bundles a number of integrated software components: APIs, graphics and visualization tools, notification/event systems, process data reporting and archiving, etc.

Stuxnet Anatomy and Infection

Stuxnet’s goal is to reprogram Siemens SCADA systems by modifying the code running on the PLCs, and to hide those changes from the operator of the equipment. To achieve this goal, Stuxnet leverages and compounds the effects of many subtle components to increase its chance of success.

According to Symantec, this includes, in a nutshell:
“zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.”

or in more technical detail:
• “Self-replicates through removable drives exploiting a vulnerability allowing auto-execution (Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)).
• Spreads in a LAN through a vulnerability in the Windows Print Spooler (Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)).
• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Siemens SIMATIC Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities used for self-replication, and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
• Contains a Windows rootkit that hides its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for PLCs.”

Stuxnet History and Geographic Distribution

Stuxnet was first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus.

According to Symantec:
“As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts. We (Symantec) have observed over 40,000 unique external IP addresses, from over 155 countries. Looking at the percentage of infected hosts, by country, shows that approximately 60% of infected hosts are in Iran. The concentration of infections in Iran likely indicates that this was the initial target for infections and was where infections were initially seeded. While Stuxnet is a targeted threat, its use of a variety of propagation techniques has meant that Stuxnet has spread beyond the initial target. These additional infections are likely to be “collateral damage”—unintentional side-effects of the promiscuous initial propagation methodology utilized by Stuxnet.”


Stuxnet Removal

Siemens has released a detection and removal tool for Stuxnet, but the worm’s ability to reprogram external PLCs may complicate the removal procedure. Symantec has warned that cleaning the Windows systems may not completely remove the infection; a thorough audit of the PLCs themselves, from a machine that is known to be clean, might be wise.
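The PLC rootkit in the anatomy list above (“hides modified code on PLCs”) and the audit advice here fit together, and a small model shows why the audit has to be done out of band. The following is an added example written for this summary, not Symantec’s or Siemens’ code: the PLC object, the two “driver” classes standing in for the engineering station’s PLC communication library, the block names (OB1, FC1, FC_EVIL) and the program text are all constructed for illustration. The hooked driver patches the PLC on install, answers every read with the pre-infection code, and drops writes that would undo its payload; a hash audit run through it reports a clean controller, while the same audit run through a clean driver against the same PLC shows the added and modified blocks.

```python
"""Toy model of a PLC-level rootkit and of an audit that sees through it.

Added example, not Symantec's or Siemens' code. The PLC, the driver classes,
the block names (OB1, FC1, FC_EVIL) and the program text are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Plc:
    """Controller memory: named code blocks (Step 7-style OB/FC names) as bytes."""
    blocks: dict = field(default_factory=dict)

    def download(self, name, code):
        self.blocks[name] = code

    def upload(self, name):
        return self.blocks[name]

    def block_names(self):
        return sorted(self.blocks)


class CleanDriver:
    """The engineering station's PLC communication library, unmodified."""
    def __init__(self, plc):
        self.plc = plc

    def block_names(self):
        return self.plc.block_names()

    def upload(self, name):
        return self.plc.upload(name)

    def download(self, name, code):
        self.plc.download(name, code)


class RootkittedDriver(CleanDriver):
    """Hooked library: on install it patches existing blocks and adds new ones;
    afterwards it shows callers the pre-infection code, hides the added blocks,
    and silently drops writes that would overwrite the payload."""
    def __init__(self, plc, patched, injected):
        super().__init__(plc)
        self.shadow = {n: plc.upload(n) for n in patched}   # clean copies shown to the operator
        self.injected = set(injected)
        for name, code in {**patched, **injected}.items():
            plc.download(name, code)

    def block_names(self):
        return [n for n in self.plc.block_names() if n not in self.injected]

    def upload(self, name):
        return self.shadow[name] if name in self.shadow else self.plc.upload(name)

    def download(self, name, code):
        if name not in self.shadow and name not in self.injected:
            self.plc.download(name, code)


def audit(reader, baseline):
    """Hash every block `reader` reports and diff it against {name: sha256} from a trusted copy."""
    seen = {n: hashlib.sha256(reader.upload(n)).hexdigest() for n in reader.block_names()}
    return {
        "added": sorted(set(seen) - set(baseline)),
        "missing": sorted(set(baseline) - set(seen)),
        "modified": sorted(n for n in set(seen) & set(baseline) if seen[n] != baseline[n]),
    }


PROJECT = {                                    # constructed two-block cooling-water program
    "OB1": b"CALL FC1\n",                      # cyclic main block
    "FC1": b"L FLOW_SET; L FLOW_ACT; <I; = PUMP_ON\n",
}
BASELINE = {n: hashlib.sha256(c).hexdigest() for n, c in PROJECT.items()}  # from a clean backup


def build_scenario():
    """PLC loaded from PROJECT, then infected via the engineering station's driver."""
    plc = Plc()
    for name, code in PROJECT.items():
        plc.download(name, code)
    patched = {"OB1": b"CALL FC_EVIL\nCALL FC1\n"}                 # hook the cyclic block
    injected = {"FC_EVIL": b"; periodically force PUMP_ON := 0\n"}  # sabotage payload (constructed)
    return plc, RootkittedDriver(plc, patched, injected)


def audit_through_infected_station():
    """Audit from the compromised station: the rootkit reports a clean PLC."""
    plc, dirty = build_scenario()
    return audit(dirty, BASELINE)


def audit_out_of_band():
    """Same PLC read through a clean driver on a clean machine: payload is visible."""
    plc, dirty = build_scenario()
    return audit(CleanDriver(plc), BASELINE)


def repair_through_infected_station():
    """Restoring OB1 from the project via the infected station changes nothing on the PLC."""
    plc, dirty = build_scenario()
    dirty.download("OB1", PROJECT["OB1"])
    return audit(CleanDriver(plc), BASELINE)


if __name__ == "__main__":
    print("infected station sees:   ", audit_through_infected_station())
    print("out-of-band audit sees:  ", audit_out_of_band())
    print("after repair via station:", repair_through_infected_station())
```

Two points carry over to a real audit. The baseline hashes must come from a trusted copy of the project (a backup or version-controlled source), not from the project files on the engineering station, since the list above notes that Stuxnet also copies itself into Step 7 projects. And the comparison must read the controller through a path the malware never touched, a clean machine with a freshly installed driver, because anything read through the infected station is filtered before the audit tool sees it.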

“Stuxnet Introduces the First Known Rootkit for Industrial Control Systems”, Symantec, Nicolas Falliere
“Stuxnet Using Three Additional Zero-Day Vulnerabilities”, Symantec, Liam O Murchu
“Exploring Stuxnet’s PLC Infection Process”, Symantec, Nicolas Falliere
“Stuxnet P2P component”, Symantec, Liam O Murchu
“W32.Stuxnet Dossier”, Symantec, Nicolas Falliere, Liam O Murchu and Eric Chien (the essential reading to really understand Stuxnet!)

Copyright © 2005-2010 by Serge-Paul Carrasco. All rights reserved.