Difference between revisions of "Stuxnet"

Summary

Stuxnet was the first cyber weapon to be developed and utilized in an act of strategic sabotage (attacking SCADA systems). Its origins are still unclear although there are theories about who might have been behind the attack. It is a very special piece of code targeting a very distinct setup. A total of seven vulnerabilities were found (four of them zero day attacks) for propagating, hiding, taking over and executing. Also, it used two different (stolen) signed certificates to make Windows believe its .dll files were legit. Unlike other worms or trojans it is quite huge and implements several programming languages. Interestingly it also has an “expiry date” where it would stop working. If not for coincidence it might never have been discovered.

Description

Targeted software and hardware setup

• Operating system: 32-bit Windows Operating System (2k, XP, 2003, Vista, Server 2008, 7, Server 2008 R2)
• PLC programming software: Siemens STEP7
• Hardware: S7-315-2/S7-417 programmable logic controllers with specific PROFIBUS VFD

Overview

• Over 500KBytes of code in several languages (mostly C and C++)
• Seven different ways to propagate, hide and replicate – four of them zero day exploits
• Two stolen certificates (RealTek Semiconductor and JMicron Technology) to appear legitimate
• Dropper / Worm (propagating by itself), Rootkit (by hiding itself and taking over the centrifuge controllers), Command&Control (by reporting to two servers outside and acquiring updates), SQL Injection, Man-in-the-Middle (by presenting “recorded” data to the monitors of the vaults while attacking), Process Injection
• Detailed knowledge about the targets was necessary to develop this malware
• Two different attack patterns – gas pressure and spin speed – which had very specific conditions and were not meant to destroy immediately but rather delay the uranium enrichment
• Development of Stuxnet (according to various sources) required a team of five to ten programmers working full-time for at least six months

Four Zero-Day Attacks

Zero Day Attacks target vulnerabilities that have not yet been found and therefore also not been patched giving attackers huge advantages. Finding these vulnerabilities and developing working exploits costs a lot of time, money and human resources.

Replication

• Shortcut "LNK" Files Automatic File Execution vulnerability (CVE-2010-2568): Bypassing disabled auto-run allowing auto-execution

• Print Spooler Service Impersonation vulnerability (CVE-2010-2729): Installing .exe to %System% Folder that loads .dll file

Escalation

• Task Scheduler Escalation of Privilege vulnerability (CVE-2010-3888): Starting the .dll as a new process with administrator rights (Windows Vista / Windows 7 / Windows Server R2)

• Local Privilege Escalation vulnerability (CVE-2010-2743): Starting the .dll as a new process within csrss.exe (Windows XP / Windows 2000)

Story of Stuxnet

Historical background

In April 2006 Iran announced they have successfully enriched uranium refusing to give in to international demands to close its nuclear program. From February to November 2007 about 3000 new centrifuges were installed in Natanz, a uranium enrichment plant. In the same year the US Congress released $400 million for covert operations against Iran´s nuclear program as Israel and other Arab Countries have continuously asked for help against Iran. In 2008 they again approached the US hoping for help with an airstrike on Natanz but the US leaders feared this would lead to a wide-range war and also, as Natanz was situated mostly underground, they pointed out that an airstrike would probably not be very effective.

Throughout 2009 the number of centrifuges at Natanz was increased to 8700 and on at least one occasion President Ahmadinejad proudly led a tour through the plant providing the world with videos and images of the control rooms and centrifuges.

Early 2010 the IAEA (International Atomic Energy Agency) inspectors that periodically visited Natanz, noticed a huge number of centrifuges being replaced. Later that year Stuxnet was discovered and with it the cause for all the failing centrifuges.

Discovery

The first person to encounter what was later known as Stuxnet was Sergey Ulason at VirusBlokAda, Belarus. One of their customers in Iran contacted them because their computer kept crashing.

Ulason and his colleagues discovered several interesting factors about the malware they were presented with including the replication methods, the ability to hide in other processes and the usage of stolen certificates to legitimize to antivirus programs and Windows security.

They contacted Microsoft and RealTek to inform them about their discovery. As neither of the companies reacted, they finally posted their findings online but it took a blog article by Brian Krebs on KrebsOnSecurity.com to gain attention.

Symantec started their own research on Stuxnet as it was be then named. Also Ralph Langner, a German cybersecurity specialist and expert on industrial control systems, turned his attention on Stuxnet and finds clues that it targets a very special environment and only two Siemens PLC models.

In September 2010 Langner revealed most of the insights he had discovered in two online postings and commented them with the words: "Welcome to cyberwar".

Origins

Both evidence and motive indicate that the US and the Israeli were involved in the attack, as they both have the means financially and in terms of human resources. Additionally both countries maintain research facilities that could have been used to test the malware on the same setup as found in Natanz. Other sources mention China and Russia but no one has ever admitted anything. Even Iran denies that the closure of Natanz happened as a consequence of a cyber attack.

Propagation

Stuxnet can spread in a variety of ways, as shown in the below figure. Stuxnet spreads by infecting removable drives and copying itself over the network using a variety of means, including two Zero-Day exploits. Stuxnet also spreads by copying itself into Step 7 projects using a technique that causes Stuxnet to run automatically when the project is opened. This section introduces the distribution routines via the network, removable drive and the Step-7 projects.

File:Picture.jpg

Propagation via removable media

LNK vulnerbility (CVE-2010-2568)

Autorun.inf

Propagation via network

Zero-Day-Exploit (MS10-061) in print-spooler

SMB vulnerbility MS08-067

Propagation via Step7-Projects

References

• Kim Zetter. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Broadway Books, 2015
• Ben Buchanan. The Hacker and the State. Harvard University Press, 2020
• Nicolas Falliere, Liam O Murchu, and Eric Chien. W32. Stuxnet dossier. White paper, Symantec Corp., Security Response, 5(6):29, 2011
• D.E. Sanger. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. Crown, 2012
• T. M. Chen and S. Abu-Nimeh. Lessons from stuxnet. Computer, 44(4):91-93, 2011