Stuxnet - A weapon of the future

This article is all about "STUXNET", the first weapon built entirely out of code.
It gives a brief insight into what it is all about: a new world of computer programming where you can make deadly weapons with code. Read the complete article to know more about it.

For my presentation on this article visit : http://www.slideshare.net/hardeep4u/stuxnet-more-then-a-virus

Transcript of "Stuxnet - A weapon of the future"

STUXNET

Stuxnet is a computer worm. It targets Siemens industrial software and equipment running Microsoft Windows. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

Stuxnet is a large, complex piece of malware with many different components and functionalities. It was primarily written to target an industrial control system, or a set of similar systems, of the kind used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) so that they work in the manner the attacker intended, and to hide those changes from the operator of the equipment. To achieve this, its creators amassed a vast array of components to increase their chances of success: zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.

The worm initially spreads indiscriminately, but carries a highly specialized payload that is designed to act only on Siemens supervisory control and data acquisition (SCADA) systems configured to control and monitor specific industrial processes. Different variants of Stuxnet targeted five Iranian organizations, and the probable target is widely suspected to be uranium enrichment infrastructure. The ultimate goal is to sabotage that facility by reprogramming its PLCs to operate as the attackers intend, most likely outside their specified boundaries. The majority of infections were found in Iran.
Stuxnet contains many features:

  • Self-replicates through removable drives by exploiting a vulnerability that allows automatic execution: Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732).

Hardeep Singh Bhurji Page 1
  • Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
  • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067, BID 31874).
  • Copies and executes itself on remote computers through network shares.
  • Copies and executes itself on remote computers running a WinCC database server.
  • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
  • Updates itself through a peer-to-peer mechanism within a LAN.
  • Exploits a total of four Microsoft vulnerabilities that were unpatched when it was found: the two self-replication vulnerabilities above, and two privilege-escalation vulnerabilities that had not yet been disclosed at the time of the original analysis.
  • Contacts a command and control server that allows the attacker to download and execute code, including updated versions.
  • Contains a Windows rootkit that hides its binaries.
  • Attempts to bypass security products.
  • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
  • Hides the modified code on the PLCs, essentially a rootkit for PLCs.

History

The worm was first identified by the security company VirusBlokAda in mid-June 2010. Journalist Brian Krebs's 15 July 2010 blog posting was the first widely read report on the worm. Its name is derived from some keywords discovered in the software. Kaspersky Lab experts at first estimated that Stuxnet started spreading around March or April 2010, but the first variant of the worm appeared in June 2009. The second variant, with substantial improvements, appeared in March 2010, apparently because its authors believed that Stuxnet was not spreading fast enough; a third, with minor improvements, appeared in April 2010. The worm contains a component with a build time-stamp from 3 February 2010.

In the United Kingdom on 25 November 2010, Sky News reported that it had received information from an anonymous source at an unidentified IT security organization that Stuxnet, or a variant of the worm, had been traded on the black market.
W32.Stuxnet Timeline

Date                 Event
November 20, 2008    Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.
April 2009           Security magazine Hakin9 releases details of a remote code execution vulnerability in the Printer Spooler service. Later identified as MS10-061.
June 2009            Earliest Stuxnet sample seen. Does not exploit MS10-046. Does not have signed driver files.
January 25, 2010     Stuxnet driver signed with a valid certificate belonging to Realtek Semiconductor Corp.
March 2010           First Stuxnet variant to exploit MS10-046.
June 17, 2010        VirusBlokAda reports W32.Stuxnet (named RootkitTmphider). Reports that it is using a vulnerability in the processing of shortcuts/.lnk files in order to propagate (later identified as MS10-046).
July 13, 2010        Symantec adds detection as W32.Temphid (previously detected as Trojan Horse).
July 16, 2010        Microsoft issues Security Advisory "Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)", which covers the vulnerability in processing shortcuts/.lnk files. VeriSign revokes the Realtek Semiconductor Corp. certificate.
July 17, 2010        ESET identifies a new Stuxnet driver, this time signed with a certificate from JMicron Technology Corp.
July 19, 2010        Siemens reports that it is investigating reports of malware infecting Siemens WinCC SCADA systems. Symantec renames its detection to W32.Stuxnet.
July 20, 2010        Symantec monitors the Stuxnet command and control traffic.
July 22, 2010        VeriSign revokes the JMicron Technology Corp. certificate.
August 2, 2010       Microsoft issues MS10-046, which patches the Windows Shell shortcut vulnerability.
August 6, 2010       Symantec reports how Stuxnet can inject and hide code on a PLC affecting industrial control systems.
September 14, 2010   Microsoft releases MS10-061 to patch the Printer Spooler vulnerability identified by Symantec in August. Microsoft reports two other privilege escalation vulnerabilities identified by Symantec in August.
September 30, 2010   Symantec presents at Virus Bulletin and releases a comprehensive analysis of Stuxnet.
Infection Statistics

As of September 29, 2010, the data showed approximately 100,000 infected hosts. The following graph shows the number of unique infected hosts by country:

[Chart: Infected Hosts (by country)]

The following graph shows the number of infected organizations by country based on WAN IP addresses:

[Chart: Infected Organizations (By WAN IP)]

Looking at the percentage of infected hosts by country shows that approximately 60% of infected hosts are in Iran:

[Chart: Geographic Distribution of Infections]

Stuxnet aims to identify those hosts which have the Siemens Step 7 software installed. The following chart shows the percentage of infected hosts by country with the Siemens software installed:

[Chart: Percentage of Stuxnet infected Hosts with Siemens Software installed]
Stuxnet Architecture

The heart of Stuxnet consists of a large .dll file that contains many different exports and resources. In addition to the large .dll file, Stuxnet also contains two encrypted configuration blocks.

The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside itself in a section named "stub". This stub section is integral to the working of Stuxnet. When the threat is executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one of its exports. A pointer to the original stub section is passed to this export as a parameter. This export in turn extracts the .dll file from the stub section it was passed, maps it into memory and calls another export from inside the mapped .dll file, again passing the pointer to the original stub section as a parameter. This occurs continuously throughout the execution of the threat, so the original stub section is passed around between different processes and functions as a parameter to the main payload. In this way every layer of the threat always has access to the main .dll and the configuration blocks.

In addition to loading the .dll file into memory and calling an export directly, Stuxnet also uses another technique to call exports from the main .dll file: it reads an executable template from its own resources, populates the template with the appropriate data, such as which .dll file to load and which export to call, and then injects this newly populated executable into another process and executes it. The injected executable loads the original .dll file and calls whatever export the template was populated with.

Although the threat uses these two different techniques to call exports in the main .dll file, all of the functionality of the threat can be ascertained by analyzing the exports of the main .dll file.

Operation

Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; "The attackers took great care to make sure that only their designated targets were hit... It was a marksman's job." While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012. For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior. The worm consists of a layered attack against three different systems:
  1. the Windows operating system,
  2. the Siemens PCS 7, WinCC and STEP 7 industrial software applications that run on Windows, and
  3. one or more Siemens S7 PLCs.

Windows infection

Stuxnet attacked Windows systems using an unprecedented four zero-day vulnerabilities: the shortcut (LNK, also called CPLINK) vulnerability, the Print Spooler vulnerability, and two privilege-escalation vulnerabilities. It also used an older, already patched vulnerability in the Windows Server Service (MS08-067) that the Conficker worm had exploited. It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet. Stuxnet is unusually large at half a megabyte in size, and is written in several different programming languages (including C and C++), which is also irregular for malware. The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.

The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers were digitally signed with the private keys of two certificates stolen from separate companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan. The valid signatures let it install its kernel-mode rootkit drivers without tripping driver-signing checks, and therefore remain undetected for a relatively long period of time. Both compromised certificates have since been revoked by VeriSign.

Two websites in Denmark and Malaysia were configured as command and control servers for the malware, allowing it to be updated and allowing industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.

Step 7 software infection

Once installed on a Windows system, Stuxnet infects project files belonging to the Siemens WinCC/PCS 7 SCADA control software (Step 7), and subverts a key communication library of Step 7 called s7otbxdx.dll. Doing so intercepts communications between the Step 7 software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from the Step 7/WinCC software if the control software attempts to read an infected block of memory from the PLC. The malware furthermore exploited a then-undisclosed weakness in the WinCC/SCADA database software: a hard-coded database password.
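The s7otbxdx.dll hijack described above is easier to reason about as a small model. The following Python is an added example written for this page; it is not Stuxnet code and not a Siemens API. It contains a stand-in for the clean library, the hooked replacement that infects on write and lies on read and list, and an out-of-band comparison that exposes the hidden block. DB890 is the block named on this page; the payload bytes, the PLC block store, the "patch OB1 to call the payload" pattern and the s7blk_list helper (standing in for the findfirst/findnext enumeration pair) are assumptions made for illustration.

```python
"""
Toy model of a Step 7 <-> PLC man-in-the-middle in the s7otbxdx.dll style.
Constructed example, not Stuxnet code. Block names other than DB890, the
payload bytes and the out-of-band check are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

PAYLOAD = b"<stuxnet MC7 payload>"   # placeholder bytes, not real PLC code
PAYLOAD_BLOCK = "DB890"              # the block named on this page
ENTRY_BLOCK = "OB1"                  # assumption: the cyclic main block is patched to call the payload


class PLC:
    """Fake S7-300: nothing more than block name -> MC7 bytes."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}


class S7Library:
    """Stand-in for the clean s7otbxdx.dll: every call goes straight to the PLC."""

    def __init__(self, plc: PLC) -> None:
        self.plc = plc

    def s7blk_write(self, name: str, code: bytes) -> None:
        self.plc.blocks[name] = code

    def s7blk_read(self, name: str) -> Optional[bytes]:
        return self.plc.blocks.get(name)

    def s7blk_list(self) -> List[str]:
        # stands in for the s7blk_findfirst / s7blk_findnext enumeration pair
        return sorted(self.plc.blocks)


class HookedS7Library(S7Library):
    """What the replacement DLL does: infect on write, lie on read and on list."""

    def __init__(self, plc: PLC) -> None:
        super().__init__(plc)
        self.clean_copies: Dict[str, bytes] = {}   # what the engineer is shown instead

    def s7blk_write(self, name: str, code: bytes) -> None:
        if name == ENTRY_BLOCK:
            self.clean_copies[name] = code                          # keep the untouched block for replay
            code = b"CALL " + PAYLOAD_BLOCK.encode() + b"; " + code  # hook the entry block
            super().s7blk_write(PAYLOAD_BLOCK, PAYLOAD)             # and drop the payload next to it
        super().s7blk_write(name, code)

    def s7blk_read(self, name: str) -> Optional[bytes]:
        if name == PAYLOAD_BLOCK:
            return None                                             # the payload block "does not exist"
        return self.clean_copies.get(name, super().s7blk_read(name))

    def s7blk_list(self) -> List[str]:
        return [b for b in super().s7blk_list() if b != PAYLOAD_BLOCK]


def operator_view(lib: S7Library) -> Dict[str, bytes]:
    """What Step 7 shows an engineer who lists and then reads every block."""
    return {name: lib.s7blk_read(name) for name in lib.s7blk_list()}


def find_tampering(lib: S7Library, plc: PLC) -> Tuple[List[str], List[str]]:
    """Out-of-band check (assumption: a second, clean host or a capture of the
    PLC's real contents). Returns blocks the library hides and blocks whose
    reported code differs from what the PLC actually runs."""
    reported = operator_view(lib)
    actual = plc.blocks
    hidden = sorted(set(actual) - set(reported))
    tampered = sorted(n for n in reported if actual.get(n) != reported[n])
    return hidden, tampered


def demo() -> Tuple[List[str], List[str]]:
    """Engineer downloads two blocks through an already-hooked library."""
    plc = PLC()
    engineer = HookedS7Library(plc)
    engineer.s7blk_write("OB1", b"ORIGINAL OB1 CODE")
    engineer.s7blk_write("FC1", b"PUMP CONTROL")
    return find_tampering(engineer, plc)


if __name__ == "__main__":
    print(demo())   # (['DB890'], ['OB1'])
```

The point of the model is the last function: anything routed through the hooked library looks clean, so the only way to see the extra block and the patched OB1 is to compare against a source the hooked DLL does not sit in front of, such as a known-clean engineering workstation or the block contents captured on the wire.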
[Figure: Overview of normal communications between Step 7 and a Siemens PLC]

[Figure: Overview of Stuxnet hijacking communication between Step 7 software and a Siemens PLC]
PLC infection

[Figure: Siemens Simatic S7-300 PLC CPU with three I/O modules attached]

The entirety of the Stuxnet code has not yet been understood, but its payload targets only those SCADA configurations that meet criteria it is programmed to identify. Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks PLC systems with variable-frequency drives from two specific vendors: Vacon, based in Finland, and Fararo Paya, based in Iran. Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or gas centrifuges.

Stuxnet installs code into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system. When certain criteria are met, it periodically modifies the frequency to 1410 Hz, then to 2 Hz, and then back to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed. It also installs a rootkit, the first such documented case on this platform, that hides the malicious code on the PLC and masks the changes in rotational speed from monitoring systems.

Speculations about the target and origin

Experts believe that Stuxnet required the largest and costliest development effort in malware history. Its many capabilities would have required a team of people to program, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years. Symantec estimates that the group developing Stuxnet would have consisted of anywhere from five to thirty people, and would have taken six months to prepare. The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it. The self-destruct and other safeguards within the code imply that a Western government was responsible, with lawyers evaluating the worm's ramifications. It has been speculated that Israel and the United States may have been involved.

In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, "we're glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them", offering "winking acknowledgement" of US involvement in Stuxnet. According to the British Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defence Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.

Iran as target

Ralph Langner, the researcher who identified that Stuxnet infected PLCs, first speculated publicly in September 2010 that the malware was of Israeli origin, and that it targeted Iranian nuclear facilities. However, in a TED Talk recorded in February 2011, Langner stated that, "My opinion is that the Mossad is involved but that the leading force is not Israel. The leading force behind Stuxnet is the cyber superpower—there is only one; and that's the United States."
Kevin Hogan, Senior Director of Security Response at Symantec, reported that the majority of infected systems were in Iran (about 60%), which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran, including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Langner called the malware "a one-shot weapon" and said that the intended target was probably hit, although he admitted this was speculation. Another German researcher, Frank Rieger, was the first to speculate that Natanz was the target.

Natanz nuclear facilities

According to the Israeli newspaper Haaretz, experts on Iran and computer security specialists are increasingly convinced that Stuxnet was meant "to sabotage the uranium enrichment facility at Natanz – where the centrifuge operational capacity has dropped over the past year by 30 percent." On 23 November 2010 it was announced that uranium enrichment at Natanz had ceased several times because of a series of major technical problems. A "serious nuclear
accident" occurred at the site in the first half of 2009, which is speculated to have forced the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, to resign. Statistics published by the Federation of American Scientists (FAS) show that the number of operational enrichment centrifuges in Iran mysteriously declined from about 4,700 to about 3,900, beginning around the time the nuclear incident mentioned by WikiLeaks would have occurred. The Institute for Science and International Security (ISIS) suggests in a report published in December 2010 that Stuxnet is "a reasonable explanation for the apparent damage" at Natanz and may have destroyed up to 1,000 centrifuges (10 percent) sometime between November 2009 and late January 2010. The authors conclude:

"The attacks seem designed to force a change in the centrifuge's rotor speed, first raising the speed and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge. If its goal was to quickly destroy all the centrifuges in the FEP, Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran's progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily."

The ISIS report further notes that Iranian authorities have attempted to conceal the breakdown by installing new centrifuges on a large scale. The virus worked by first causing an infected Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutes before returning to its normal frequency. Twenty-seven days later, the virus went back into action, slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes. The stresses from the excessive, then slower, speeds caused the aluminum centrifuge tubes to expand, often forcing parts of the centrifuges into sufficient contact with each other to destroy the machine.
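The two-phase speed sequence just described, together with the target fingerprinting and the sensor-signal faking from the "PLC infection" and "Operation" sections above, can be put into one small simulation. The Python below is an added example for this page, not Stuxnet code and not the ISIS or Symantec model. It uses the figures the page gives (807-1210 Hz target window, 1064 Hz nominal speed, 15 minutes at 1410 Hz, a 27-day gap, 50 minutes at the low speed) and takes the 2 Hz value from the PLC infection section for the low phase, since the ISIS account above only says "a few hundred hertz". The recording window, the sensor jitter, the one-hour delay before the first phase, keying the vendor check on vendor names rather than Profibus identifiers, and the alarm threshold are all assumptions made for illustration.

```python
"""
Toy simulation of Stuxnet's PLC-side speed manipulation and the replay of
recorded "normal" sensor values that hid it from the operator's monitor.
Constructed example, not Stuxnet code. One simulation step is one minute.
"""
from typing import Dict

DAY = 24 * 60
NOMINAL_HZ = 1064                              # IR-1 normal speed quoted on the page
TARGET_LO, TARGET_HI = 807, 1210               # frequency window the payload looks for
TARGET_VENDORS = {"Vacon", "Fararo Paya"}      # assumption: real check keys on Profibus idents
ATTACK_START = 60                              # assumption: one quiet hour before phase one
SCHEDULE = [                                   # (start minute, duration, commanded Hz)
    (ATTACK_START, 15, 1410),                  # 15 minutes over-speed
    (ATTACK_START + 27 * DAY, 50, 2),          # 27 days later, 50 minutes at 2 Hz
]
RECORD_MINUTES = 30                            # assumption: how much normal data is captured for replay


def is_target(drive_vendor: str, observed_hz: int) -> bool:
    """Fingerprint: only the two named vendors, only inside the 807-1210 Hz window."""
    return drive_vendor in TARGET_VENDORS and TARGET_LO <= observed_hz <= TARGET_HI


def commanded_hz(t: int) -> int:
    """Speed the infected PLC commands at minute t."""
    for start, duration, hz in SCHEDULE:
        if start <= t < start + duration:
            return hz
    return NOMINAL_HZ


def sensor_hz(t: int) -> int:
    """Genuine sensor reading: commanded speed plus a little deterministic jitter (assumption)."""
    return commanded_hz(t) + (t * 7) % 5 - 2


def monitor_alarm(reading: int) -> bool:
    """Operator-side check (assumption): alarm if the reported speed leaves the window."""
    return not (TARGET_LO <= reading <= TARGET_HI)


def simulate(minutes: int, hooked: bool) -> Dict[str, int]:
    """Run `minutes` of operation.

    With hooked=True the payload records RECORD_MINUTES of genuine readings
    and feeds them to the monitor, in a loop, whenever the attack is active,
    so the monitor never sees the real speed. Returns the real speed range,
    the number of alarms the monitor raised, and how many minutes the value
    shown to the operator differed from the real sensor.
    """
    recorded = []
    alarms = masked = 0
    lo = hi = NOMINAL_HZ
    for t in range(minutes):
        real = sensor_hz(t)
        lo, hi = min(lo, real), max(hi, real)
        if len(recorded) < RECORD_MINUTES:
            recorded.append(real)
        attacking = commanded_hz(t) != NOMINAL_HZ
        shown = recorded[t % len(recorded)] if (hooked and attacking) else real
        if shown != real:
            masked += 1
        if monitor_alarm(shown):
            alarms += 1
    return {"min_hz": lo, "max_hz": hi, "alarms": alarms, "masked_minutes": masked}


if __name__ == "__main__":
    horizon = ATTACK_START + 27 * DAY + 60
    print(simulate(horizon, hooked=False))   # 65 alarms: the monitor sees both phases
    print(simulate(horizon, hooked=True))    # 0 alarms, although the real speed hit 1410 and 2 Hz
```

The "masked_minutes" figure is the practitioner's takeaway: the monitor is lied to for exactly the 65 minutes of the attack, so an alarm threshold on the PLC-reported speed is worthless once the PLC is the thing lying. Detection has to come from a measurement the compromised controller does not mediate, such as an independent vibration or power sensor, or from comparing what the PLC reports with what it is actually commanding on the drive bus.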
According to the Washington Post, International Atomic Energy Agency (IAEA) cameras installed in the Natanz facility recorded the sudden dismantling and removal of approximately 900–1000 centrifuges during the time the Stuxnet worm was reportedly active at the plant. Iranian technicians, however, were able to quickly replace the centrifuges, and the report concluded that uranium enrichment was likely only briefly disrupted.

Iranian reaction

The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran had met the previous week to discuss how Stuxnet could be removed from their systems.
The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet, and the state-run newspaper Iran Daily quoted Reza Taghipour, Iran's telecommunications minister, as saying that it had not caused "serious damage to government systems". The Director of the Information Technology Council at the Iranian Ministry of Industries and Mines, Mahmud Liaii, has said: "An electronic war has been launched against Iran... This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran."

On 29 November 2010, Iranian president Mahmoud Ahmadinejad stated for the first time that a computer virus had caused problems with the controller handling the centrifuges at its Natanz facilities. According to Reuters he told reporters at a news conference in Tehran, "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts."

Summary

Stuxnet represents the first of many milestones in malicious code history: it is the first to exploit four 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide that code from the operator. Whether Stuxnet will usher in a new generation of malicious code attacks towards real-world infrastructure, overshadowing the vast majority of current attacks affecting more virtual or individual assets, or whether it is a once-in-a-decade occurrence remains to be seen.

Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar sophistication to suddenly appear. However, Stuxnet has highlighted that direct attacks on critical infrastructure are possible, and not just theory or movie plotlines.

The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.
