Analysis: Stuxnet dissected
SC Magazine Australia/NZ, http://www.securecomputing.net.au/News/249061,analysis-stuxnet-dissec...

By Brett Winterford
Feb 23, 2011 11:02 PM

Tags: stuxnet | symantec | security | response | Iran | nuclear | program | Siemens | SCADA | supervisory | control | and | data | acquisition | centrifuge | LNK | vulnerability | zero-day | exploit | Autorun | vulnerability | S7-315 | S7-417

How one of the world's most complex cyber attacks crippled Iran's nuclear programme.

So how did Stuxnet do the damage?

Hogan believes the team has a fairly accurate idea of how Stuxnet succeeded.
1. Getting inside

Even the most sophisticated virus in the world would have trouble infecting machines that aren't connected to the internet.

The computers connected to the enrichment program's industrial control systems are air-gapped - that is, not connected to the internet or other insecure networks.
Hogan can only guess that a degree of social engineering would have been required to convince an operator or engineer who worked at the plant to introduce data from external media (such as a USB key) that was infected with the virus.
"In our experience in cases like this, the target organisation is usually being attacked through an intermediary like an outsourced partner," Hogan said.

These intermediaries might have offered skilled labour, technology outsourcing, and any number of services to the program.

Engineers often used ruggedised laptops, he said, that are taken off-site for new instruction sets to be programmed, then brought into the facility to upload these new commands to the system.

Hogan suspected that the worker who infected the machines made a genuine mistake rather than a deliberate attempt at spying.

The attacker may have deliberately left memory sticks lying around at the offices of the outsourced provider. As long as one machine was infected, any network it connected to was at risk - and the worm was programmed to use these connections to seek out the devices that could do the damage.

2. Creating a backdoor program

Once a USB stick or other external media is plugged in, the worm used the LNK automatic file execution vulnerability to infect the machine. The code would be executed simply by the user looking at the contents of that USB stick in Windows Explorer - they would not have to click on anything, because Explorer loads the shortcut's target just to render its icon.

The Stuxnet worm then used code-signing certificates stolen from two Taiwanese device manufacturers - JMicron and Realtek - to sign its kernel-mode drivers, so that Windows would load them and Stuxnet could run more deeply inside the target computer.

"Someone got access to private keys of those two organisations - which curiously are based within a few kilometres of each other," Hogan said.

Stuxnet would then check for an internet connection and contact two command-and-control servers to download instructions.
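The shortcut trick described above, as an added example that is not code from the article or from Symantec: a small Python scanner that parses a .lnk file's header and shell item list (the layout follows Microsoft's MS-SHLLINK specification) and flags the shape Stuxnet's shortcuts used, a Control Panel item followed by a path to something that is not a .cpl applet in the Windows system directory. The sample shortcuts, their item-type bytes and the device path are constructed for illustration; the shell folder CLSIDs are the real Windows values and ~WTR4141.tmp is the file name Stuxnet's shortcuts pointed at.

```python
"""Heuristic scanner for Stuxnet-style malicious shortcut (.lnk) files.

Added example for this article, not Symantec's or the article's own code.
Layout per MS-SHLLINK: a 76-byte ShellLinkHeader, then (if the
HasLinkTargetIDList flag is set) a LinkTargetIDList that Explorer walks to
decide which icon to draw.  Stuxnet's shortcuts placed a Control Panel item in
that list followed by a path on the USB volume, so Explorer loaded that file
as a Control Panel DLL just to render the icon.  Sample data below is
constructed; item-type bytes are a simplified approximation of real items.
"""
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1
# Real Windows shell folder CLSIDs, stored little-endian inside shell items.
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le

# A drive-letter or UNC/device path made of printable ASCII.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[\x20-\x7e]+")


def parse_id_list(blob, offset):
    """Walk ItemID entries (uint16 size including itself, then payload) up to the terminator."""
    (list_size,) = struct.unpack_from("<H", blob, offset)
    pos, end, items = offset + 2, offset + 2 + list_size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", blob, pos)
        if item_size == 0:  # TerminalID
            break
        items.append(blob[pos + 2:pos + item_size])
        pos += item_size
    return items


def embedded_paths(payload):
    """Extract UTF-16LE paths; try both byte alignments since strings may start at odd offsets."""
    found = []
    for start in (0, 1):
        text = payload[start:].decode("utf-16-le", errors="ignore")
        for p in PATH_RE.findall(text):
            if p not in found:
                found.append(p)
    return found


def scan_lnk(blob):
    """Return a verdict dict for one .lnk blob."""
    rec = {"valid": False, "control_panel": False, "paths": [], "suspicious": False}
    if len(blob) < HEADER_SIZE:
        return rec
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        return rec
    rec["valid"] = True
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return rec
    for item in parse_id_list(blob, HEADER_SIZE):
        if CLSID_CONTROL_PANEL in item:
            rec["control_panel"] = True
        rec["paths"].extend(embedded_paths(item))
    if rec["control_panel"]:
        for p in rec["paths"]:
            low = p.lower()
            # A legitimate Control Panel shortcut names a .cpl applet in System32; a device
            # path on a USB volume, a .tmp file or a UNC share is the exploit shape.
            if not (low.endswith(".cpl") and "\\windows\\system32\\" in low):
                rec["suspicious"] = True
    return rec


def build_lnk(items):
    """Assemble a minimal .lnk: header plus LinkTargetIDList (constructed test data)."""
    flags = HAS_LINK_TARGET_ID_LIST if items else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


def path_item(path):
    """Simplified file item: a type byte pair, then the path as UTF-16LE, NUL-terminated."""
    return b"\x32\x00" + path.encode("utf-16-le") + b"\x00\x00"


ROOT_ITEM = b"\x1f\x50" + CLSID_MY_COMPUTER
CONTROL_PANEL_ITEM = b"\x1f\x00" + CLSID_CONTROL_PANEL

# Constructed samples; the device path is illustrative, not a captured Stuxnet artefact.
MALICIOUS_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM,
                           path_item("\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_USB#1234#\\~WTR4141.tmp")])
BENIGN_CPL_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM,
                            path_item("C:\\Windows\\System32\\timedate.cpl")])
BENIGN_DOC_LNK = build_lnk([ROOT_ITEM, path_item("C:\\Users\\eng\\report.docx")])

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_LNK), ("benign cpl", BENIGN_CPL_LNK),
                       ("benign doc", BENIGN_DOC_LNK)]:
        print(name, scan_lnk(blob))
```

To run it against real shortcuts from removable media, read each file's bytes and pass them to scan_lnk(); the ID list is where this particular exploit lives, which is why the scanner ignores the other flag-dependent structures a full parser would handle.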
3. Looking around the network

The worm also used a vulnerability in Microsoft's Windows print spooler to spread to other devices connected to the local area network, and it copied itself to accessible network shares and executed from there.

Stuxnet then created a peer-to-peer network between infected machines so that a newer version downloaded from the command-and-control servers by one machine could be passed on to infected peers that had no internet access of their own.

The virus also performs a check to see whether the Siemens Step 7 SCADA software is running on any devices connected to the infected machine.

If any computers with this software are found on the network, Stuxnet copies itself and executes on these machines, too.

4. Doing the damage

Once the virus finds machines running the Siemens software, it infects the Step 7 project files as another way to spread around the target installation.

Ultimately, Stuxnet attempts to upload its own code to the Siemens programmable logic controllers (PLCs) that act as the hardware-software interface. In the case of the Iranian nuclear enrichment facility, the controllers were connected to frequency converters that ran the high-speed motors spinning the centrifuges used for enrichment.

So Stuxnet was able to download a fresh set of commands to the controllers that would override their instruction sets.

This code instructed the frequency converters how fast the 164 centrifuge motors should spin and for how long.

Stuxnet was programmed to first watch the frequency converters for about 13 days, recording normal operation, before inserting the instructions that would cause the most physical damage. Symantec believes Stuxnet would then have spun the frequency converters up to 1410Hz for 15 minutes, well above the usual operating frequency of 1064Hz.

"We assume it was spinning it up quickly to malfunction," Hogan said. "It was an attempt to create sympathetic vibrations that would cause problems," he said, potentially even breaking the rotors or the centrifuges themselves.

Next, Stuxnet's instruction set aimed to set the frequency converters back to nominal speed for at least 27 days, then set the speed down to 2Hz for some 50 minutes, before spinning back to normal speed, screaming back up to 1410Hz, and so on.

5. Masking its tracks

In order to inflict maximum damage, Stuxnet would intercept any attempt by operators to read or upload code on the controllers. As new instructions were uploaded, Stuxnet would shunt the code aside and keep its own instructions running, while presenting a picture back to the operators that suggested all was running as it should be.

"If you went in and looked at the .DLL file, you would see your original code," Hogan remarked. "Stuxnet is hiding what it is doing."
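Steps 4 and 5 together make one defensive point: the controller, and the HMI fed by it, cannot be trusted to report what the drives are really doing. The following is an added example, not code from the article, Symantec or the plant: a check that compares the PLC-reported converter frequency with an independently measured one (a tachometer or vibration feed that never passes through the PLC) and alerts on sustained deviation, either outside the process envelope or disagreeing with the PLC. The envelope, tolerance, sustain window, field names and the sample feed are assumptions constructed here; only the 1064Hz, 1410Hz and 2Hz figures come from the article.

```python
"""Out-of-band sanity check for centrifuge drive telemetry.

Added example for this article, not Symantec's or the plant's code.  The PLC
was made to lie, so the check compares what the PLC reports with a reading
that does not pass through the PLC.  All thresholds and samples are assumed.
"""
from dataclasses import dataclass

NOMINAL_HZ = 1064.0
ENVELOPE_HZ = (NOMINAL_HZ * 0.9, NOMINAL_HZ * 1.1)  # assumed acceptable band
DIVERGENCE_HZ = 20.0   # assumed max gap between PLC-reported and measured speed
SUSTAIN_SAMPLES = 3    # assumed: alert only after this many consecutive bad samples


@dataclass(frozen=True)
class Sample:
    t: int               # seconds since start
    reported_hz: float   # what the PLC / HMI says the converter is doing
    measured_hz: float   # independent sensor that does not go through the PLC


def check_telemetry(samples):
    """Return [(run_start_t, reason), ...], one alert per sustained anomalous run."""
    alerts = []
    bad_run = 0
    run_start = None
    lo, hi = ENVELOPE_HZ
    for s in samples:
        if not lo <= s.measured_hz <= hi:
            reason = "measured speed %.0f Hz outside envelope %.0f-%.0f Hz" % (s.measured_hz, lo, hi)
        elif abs(s.measured_hz - s.reported_hz) > DIVERGENCE_HZ:
            reason = "PLC reports %.0f Hz but sensor measures %.0f Hz" % (s.reported_hz, s.measured_hz)
        else:
            bad_run, run_start = 0, None  # a healthy sample ends any run
            continue
        if bad_run == 0:
            run_start = s.t
        bad_run += 1
        if bad_run == SUSTAIN_SAMPLES:    # fire once, when the run has persisted long enough
            alerts.append((run_start, reason))
    return alerts


def constructed_feed():
    """Constructed telemetry: normal running, one sensor glitch, then the article's attack speeds."""
    feed = []
    t = 0

    def add(n, reported, measured):
        nonlocal t
        for _ in range(n):
            feed.append(Sample(t, reported, measured))
            t += 1

    add(5, 1064, 1064)   # t=0..4   normal
    add(1, 1064, 1300)   # t=5      single glitchy sensor sample: must not alert on its own
    add(5, 1064, 1064)   # t=6..10  normal
    add(6, 1064, 1410)   # t=11..16 attack: PLC says nominal, rotor really at 1410 Hz
    add(5, 1064, 1064)   # t=17..21 normal
    add(4, 1064, 1100)   # t=22..25 in envelope, but PLC and sensor disagree
    add(5, 1064, 1064)   # t=26..30 normal
    add(6, 1064, 2)      # t=31..36 attack: slowed to 2 Hz, PLC still says nominal
    return feed


if __name__ == "__main__":
    for t, reason in check_telemetry(constructed_feed()):
        print("t=%d: %s" % (t, reason))
```

The sustain window is what keeps a single noisy sensor reading from paging anyone, while a 15-minute excursion to 1410Hz or a 50-minute crawl at 2Hz is caught within seconds regardless of what the HMI shows.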

Best in class, and hopefully the last.

After months of pulling Stuxnet apart and documenting its abilities, Hogan is convinced it is the "first publicly known malware to intend real-world damage".

He believes the development of such a sophisticated threat "required resources characteristic of a nation state".

Symantec has noted that the attacker would have required access to the design schematics of the plant, to the private keys of the two Taiwanese manufacturers, and a team of "five to 10 core developers" working for about six months to build it.

With the LNK vulnerability now known, and Stuxnet analysed in every corner, Hogan is confident it will be a relatively isolated attack.

"I don't believe there will be a Stuxnet II," he said.

"But the whole area of industrial control systems security is now open to a lot more eyes and brains than it was before - for both good and bad."

The writer attended Symantec's research labs in Japan as a guest of the anti-virus vendor.

Copyright © iTnews.com.au. All rights reserved.
