Real world example: Stuxnet Worm

Overview
Primary target: industrial control systems Reprogram Industrial Control Systems (ICS) On Programmable Logic Controllers (PLCs) Specific Siemens Simatic (Step 7) PLC Code changes are hidden Vast array of components used: Zero-day exploits Windows rootkit PLC rootkit (first ever) Antivirus evasion Peer-to-Peer updates Signed driver with a valid certificate Command and control interface

History
2009 June: Earliest Stuxnet seen Does not use MS10-046 Does not have signed drivers 2010 Jan: Stuxnet driver signed With a valid certificate belonging to Realtek Semiconductors 2010 June: Virusblokada reports W32.Stuxnet Stuxnet use MS10-46 Verisign revokes Realtek certificate 2010 July: Eset identify new Stuxnet driver With a valid certificate belonging to JMicron Technology Corp 2010 July: Siemens report they are investigating malware SCADA systems Verisign revokes JMicron certificate

History (2)
2010 Aug: Microsoft issues MS10-046 Patches windows shell shortcut vulnerability 2010 Sept: Microsoft issues MS10-061 Patches Printer Spooler Vulnerability 2010 Sept: Iran nuclear plant hit by delay Warm weather blamed Measured temperatures were at historical averages 2010 Oct: Iran arrest spies Spies who attempted to sabotage the country's nuclear programme Russian nuclear nuclear experts flee Iran

Possible Attack Scenario (Conjecture)

Industrial control systems (ICS) are operated by a specialized assembly like code on programmable logic controllers (PLCs). The PLCs are programmed typically from Windows computers The ICS are not connected to the Internet ICS usually consider availability and ease of maintenance first and security last ICS usually consider the airgap as sufficient security

Scenario (2)
Reconnaissance As each PLC is configured in a unique manner Targeted ICSs schematics needed Possible methods: Design documents may have been stolen by an insider Retrieved by an early version of Stuxnet Stuxnet could only be developed with the goal of sabotaging a specific set of ICS.

Scenario (2)
Development Mirrored development Environment needed ICS Hardware PLC modules PLC development software Estimation 6+ man-years by an experienced and well funded development team

Scenario (3)
The malicious binaries need to be signed to avoid suspicion Two digital certificates were compromised High probability that the digital certificates/keys were physically stolen from the companies premises Realtek and JMicron are in close proximity

Scenario (4)
Initial Infection Stuxnet needed to be introduced to the targeted environment Insider Willing third party Unwilling third party such as a contractor Delivery method USB drive Windows Maintenance Laptop

Scenario (5)
Infection Spread Look for Windows computer that program the PLCs (Called Field PG) The Field PG are typically not network Spread the Infection on computers on the local LAN Zero-day vulnerabilities Two-year old vulnerability Spread to all available USB drives When a USB drive is connected to the Field PG, the Infection jumps to the Field PG The airgap is thus breached

Scenario (6)
Target Infection Look for Specific PLC Running Step 7 Operating System Change PLC code Sabotage system Hide modifications Command and Control may not be possible Due to the airgap Functionality already embedded

Infection Statistics
29 September 2010, From Symantic Infected Hosts

Infection Statistics 2
Infected Organizations (By WAN IP)

Infection Statistics 3
Geographic Distribution of Infections

Infection Statistics 4
Percentage of Stuxnet infected Hosts with Siemens Software installed

Stuxnet Architecture
Organization Stuxnet consists of a large .dll file 32 Exports (Function goals) 15 Resources (Function methods)

Export # 1 2 4 5 6 7 9 10 14 15 16 17 18 19 22 24 27 28 29 31 32

Function Infect connected removable drives, Starts remote procedure call (RPC) server Hooks APIs for Step 7 project file infections Calls the removal routine (export 18) Verifies if the threat is installed correctly Verifies version information Calls Export 6 Updates itself from infected Step 7 projects Updates itself from infected Step 7 projects Step 7 project file infection routine Initial entry point Main installation Replaces Step 7 DLL Uninstalls Stuxnet Infects removable drives Network propagation routines Check Internet connection RPC Server Command and control routine Command and control routine Updates itself from infected Step 7 projects Same as 1

Resource ID Function 201 MrxNet.sys load driver, signed by Realtek 202 DLL for Step 7 infections 203 CAB file for WinCC infections 205 Data file for Resource 201 207 Autorun version of Stuxnet 208 Step 7 replacement DLL 209 Data file (%windows%\help\winmic.fts) 210 Template PE file used for injection 221 Exploits MS08-067 to spread via SMB. 222 Exploits MS10-061 Print Spooler Vulnerability 231 Internet connection check 240 LNK template file used to build LNK exploit 241 USB Loader DLL ~WTR4141.tmp 242 MRxnet.sys rootkit driver 250 Exploits undisclosed win32k.sys vulnerability

Bypassing Intrusion Detection

Stuxnet calls LoadLibrary With a specially crafted file name that does not exist Which causes LoadLibrary to fail. However, W32.Stuxnet has hooked Ntdll.dll To monitor for requests to load specially crafted file names. These specially crafted filenames are mapped to another location instead A location specified by W32.Stuxnet. Where a .dll file has been decrypted and stored by the Stuxnet previously.

Code Injection
Stuxnet use trusted Windows processes or security products Lsass.exe Winlogin.exe Svchost.exe Kaspersky KAV (avp.exe) Mcafee (Mcshield.exe) AntiVir (avguard.exe) BitDefender (bdagent.exe) Etrust (UmxCfg.exe) F-Secure (fsdfwd.exe) Symantec (rtvscan.exe) Symantec Common Client (ccSvcHst.exe) Eset NOD32 (ekrn.exe) Trend Pc-Cillin (tmpproxy.exe) Stuxnet detects the version of the security product and based on the version number adapts its injection process

Configuration
Stuxnet collects and store the following information: Major OS Version and Minor OS Version Flags used by Stuxnet Flag specifying if the computer is part of a workgroup or domain Time of infection IP address of the compromised computer file name of infected project file

Installation: Control Flow

Installation: OS

Win 2K WinXP Windows 200 Vista Windows Server 2008 Windows 7 Windows Server 2008 R2

Installation: Infection routine flow

Command & Control

Stuxnet contacts the command and control server Test if can connect to: www.windowsupdate.com www.msn.com On port 80 Sends some basic information about the compromised computer to the attacker www.mypremierfutbol.com www.todaysfutbol.com The two URLs above previously pointed to servers in Malaysia and Denmark

Command & Control (2)

Command & Control payload

Part 2 Part 1 0x00 dword IP address of interface 1, if any 0x00 byte 1, fixed value 0x01 byte from Configuration Data 0x04 dword IP address of interface 2, if any 0x02 byte OS major version 0x08 dword IP address of interface 3, if any 0x03 byte OS minor version 0x0C dword from Configuration Data 0x10 byte unused 0x04 byte OS service pack major version 0x11 string copy of S7P string from C. Data (418h) 0x05 byte size of part 1 of payload 0x06 byte unused, 0 0x07 byte unused, 0 0x08 dword from C. Data 0x0C word unknown 0x0E word OS suite mask 0x10 byte unused, 0 0x11 byte flags 0x12 string computer name, null-terminated 0xXX string domain name, null-terminated

Windows Rootkit Functionality

Stuxnet has the ability to hide copies of its files copied to removable drives Stuxnet extracts Resource 201 as MrxNet.sys. The driver is registered as a service creating the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\I magePath = %System%\drivers\mrxnet.sys The driver file is a digitally signed with a legitimate Realtek digital certificate. The driver then filters(hides) files that : Files with a .LNK extension having a size of 4,171 bytes. Files named ~WTR[FOUR NUMBERS].TMP,

whose size is between 4Kb and 8Mb; the sum of the four numbers, modulo 10 is null. For example, 4+1+3+2=10=0 mod 10
Examples:

Copy of Copy of Copy of Copy of Shortcut to.lnk Copy of Shortcut to.lnk ~wtr4141.tmp

Propagation Methods: Network

Peer-to-peer communication and updates Infecting WinCC machines via a hardcoded database server password Propagating through network shares Propagating through the MS10-061 Print Spooler ZeroDay Vulnerability Propagating through the MS08-067 Windows Server Service Vulnerability

Propagation Methods: USB

LNK Vulnerability (CVE-2010-2568)

AutoRun.Inf

Modifying PLCs
The end goal of Stuxnet is to infect specific types of Simatic programmable logic controller (PLC) devices. PLC devices are loaded with blocks of code and data written in STL The compiled code is an assembly called MC7. These blocks are then run by the PLC, in order to execute, control, and monitor an industrial process. The original s7otbxdx.dll is responsible for handling PLC block exchange between the programming device and the PLC. By replacing this .dll file with its own, Stuxnet is able to perform the following actions:

Monitor PLC blocks being written to and read from the PLC. Infect a PLC by inserting its own blocks

Modifying PLCs

What was the target?

Bushehr Nuclear Plant in Iran 60% Infections in Iran No other commercial gain Stuxnet complexity Stuxnet self destruct date Siemens specific PLCs

Who did it?

Best guess Israel 19790509. A safe code that prevents infection Where is this code already in ICS coded? May 9,1979: Habib Elghanian was executed by a firing squad in Tehran He was the first Jew and one of the first civilians to be executed by the new Islamic government USA Russia UK China

Propaganda
Iran Iran blames Stuxnet worm on Western plot (Ministry of Foreign Affairs) "Western states are trying to stop Iran's (nuclear) activities by embarking on psychological warfare and aggrandizing, but Iran would by no means give up its rights by such measures, "Nothing would cause a delay in Iran's nuclear activities "enemy spy services" were responsible for Stuxnet (Minister of intelligence)

Propaganda (2)
Israel (DEBKA file) An alarmed Iran asks for outside help to stop rampaging Stuxnet malworm Not only have their own attempts to defeat the invading worm failed, but they made matters worse: The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack. One expert said: "The Iranians have been forced to realize that they would be better off not 'irritating' the invader because it hits back with a bigger punch. These statements were copied verbatim by mayor news services

Conclusion
Stuxnet represents the first of many milestones in malicious code history It is the first to exploit multiple 0-day vulnerabilities, Compromise two digital certificates, And inject code into industrial control systems and hide the code from the operator. Stuxnet is of such great complexity Requiring significant resources to develop That few attackers will be capable of producing a similar threat Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.