CS346 - Stuxnet Computer Virus

Bodi 1
Kathleen R. Bodi
Computer Forensics CS 346
05/25/2014
Stuxnet
“If the radiance of a thousand suns were to burst at once into the sky, that would be like the splendor of the Mighty One…
I am become Death (Shiva), the shatterer of Worlds.” - Bhagavad-Gita, cited by J. Robert Oppenheimer on the Trinity Project [1]
STUXNET SUMMARY:
In June 2010, a new computer virus appeared quietly on the world stage. By the time this CBS 60
Minutes video [2] aired on March 4, 2012, the Trojan known as Stuxnet had been carefully analyzed by
global independent and leading industrial security experts. Correspondent Steve Kroft opens this report
by informing the American public that, “The Nation’s top military, intelligence, and law enforcement
officials have been warning Congress and the country about a coming cyber-attack against critical
infrastructure in the United States.” He then explains that our energy and financial industries could be
targeted, which would have a devastating impact on our daily lives, and that cyber-warfare has already
begun with the chain of events set into motion by the introduction of the Stuxnet virus.
[1] http://en.wikipedia.org/wiki/Robert_Oppenheimer#Trinity
[2] http://www.cbsnews.com/videos/stuxnet-computer-worm-opens-new-era-of-warfare/
After such foreshadowing, viewers might well be wondering how a computer virus most of us have
never encountered could possibly equate to cyber-warfare against the United States. Stuxnet was
actually the first targeted attack by at least one sophisticated actor against a nation-state using malware
to damage their critical infrastructure. The target in this attack has been identified by researchers
Falliere, O Murchu and Chien (2011) to be a nuclear facility in Natanz, Iran. Like many others
around the world, this manufacturing plant is maintained by a computer-controlled system known as an
ICS. An ICS is an industrial control system that uses supervisory control and data acquisition (SCADA) [3]
technology. SCADA technology combines automated-monitoring processes with human interfaces to
supervise programmable logic controllers [4]. In turn, these programmable logic controllers manage the
speed of motorized devices such as a large constellation of centrifuges. According to Albright and Shire
(2009) at the Institute for Science and International Security, the centrifuges at the Natanz Fuel
Enrichment Plant were believed to be used, or were being readied for use, for the increased production
of low-enriched uranium.
Stuxnet primarily infected computer systems by self-extraction. This occurred when infected thumb
drives were loaded into USB ports on computers belonging to both wide-area and peer-to-peer
networks. The virus spread across networks when it identified other computers as having two files used
only by the Siemens S7-300 industrial control system. It also forwarded information about computers it
had infected to two websites. The data it sent to the websites included the date of infection, the type of
operating system on the computer, its place on the network including level of privileges, IP addresses
infected, country of location, and whether or not it possessed the two files in question. The only data
received back from the website instructed the virus to initiate a checklist sequence. If the sequence
correctly executed, a payload would be activated that would overwrite data on the host computer. The
overwritten data would then produce two separate actions. It would change the speed at which the
centrifuges operated, thereby sabotaging them. At the same time, it would instruct the human-interface
controls to continue to display normal settings so that no control alarms would be raised.
[3] http://www.automation.siemens.com/mcms/human-machine-interface/en/visualizationsoftware/scada/Pages/Default.aspx
[4] http://www.automation.siemens.com/mcms/industrial-automation-systems-simatic/en/plc-controlsystem/Pages/Default.aspx
PANDORA’S BOX:
It is difficult to know with certainty whether the creators of Stuxnet anticipated the virus being
discovered. It seems unlikely to me that they had not calculated a substantial risk of detection at some
point after the attack was launched. Further research by McDonald, O Murchu, Doherty and
Chien (2013) reveals Stuxnet was crafted with the following attributes:
• The employment of two valid digital security certificates.
• A stealth rootkit injection technique designed to avoid detection by anti-virus scanning.
• A complicated checklist-style guidance system.
• A set of encrypted files to help shield its primary payload, which was capable of updating itself.
• A zero-day exploit to allow it to escalate privileges whenever necessary.
• Two-way communication capability with web servers in Malaysia and Denmark.
• Five methods for spreading across networks, including P2P, network shares, zero-day exploits
  and SQL injection on WinCC machines.
• Primary means of infection via USB ports.
• Several waves of attack that contain code modifications [5].
• The integration of assembly code and data blocks into the malware.
[5] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
The discovery of such a robust virus necessarily prompts concerns from security analysts, forensic
experts, hackers, industry leaders, and intelligence communities all around the globe. Now that the
knowledge of how to leverage such capabilities into a single cyber-weapon has been widely
disseminated, we must assume that all parties now have or can easily acquire a similar weapon.
According to the National Cybersecurity and Communications Integration Center’s most recent ICS-CERT
Report (2014), an unnamed public utility in the United States was breached when a sophisticated actor
gained access without authorization to its control system network. ICS-CERT investigated the incident
and found that the control systems were accessible via internet hosts, were remote access enabled, and
were inadequately protected with a standard password technique that could be brute-force attacked.
Further analysis of network logs revealed that this system had been breached prior to this incident.
While a great deal of attention has been focused on widely publicized financial and retail sector security
breaches, much less attention has been directed toward industrial control systems. SCADA systems are
used extensively in manufacturing plants, power generation facilities, oil and gas pipelines, and electrical
power plants [6]. Because of reduced federal, state and local government funding, many public utilities
including nuclear power plants are relying on aging “legacy” control systems. Stuxnet has revealed how
vulnerable high-value infrastructure targets are to sabotage by determined attackers. Since these public
utilities are also susceptible to threats from natural disasters, predicted by the Intergovernmental Panel
on Climate Change (2014) to increase in frequency and severity going forward, strengthening our
security protections for industrial control systems should be deemed a very high priority.
[6] http://en.wikipedia.org/wiki/SCADA
COUNTER MEASURES:
The ICS-CERT recommendations for securing industrial control systems included in this latest report
emphasize an immediate need to strengthen security for ICSs. They strongly recommend
implementation of defense-in-depth strategies. These strategies were initially authorized by the
Department of Homeland Security as recommended practice for improving ICS Cybersecurity in October
2009 [7]. The successful adoption of these strategies for industrial control system environments requires a
thorough evaluation of existing architecture and vulnerabilities as well as an understanding of problem
zones. According to their report, “Security problems arise because of:
• Increasing dependency of automation and industrial control systems.
• Insecure connectivity to external networks.
• Usages of technologies with known vulnerabilities, creating previously unseen cyber risk in the
  control domain.
• Lack of a qualified cybersecurity business case for industrial control system environments.
• Some control system technologies have limited security and are often only enabled if the
  administrator is aware of the capability (if the security does not impede the process).
• Many popular control system communications protocols are absent of basic security
  functionality (i.e., authentication, authorization).
• Considerable amount of open source information that is available regarding industrial control
  systems, their operations, and security vulnerabilities.”
[7] http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
Another significant challenge arises because of the inversion of security objectives between those of
modern information networks and those required by industrial control system environments. A typical
IT hierarchy assigns highest importance to Confidentiality, then high importance to Integrity and a lower
importance to Availability. However, the ICS typically requires a very high importance to Availability, a
medium importance to Integrity and low importance to Confidentiality.
Furthermore, Homeland Security identifies the most critical weaknesses that need to be remedied
when found as:
• “Backdoors and ‘holes’ (either intentional or not) in the network perimeter.
• Devices with little or no security features (modems, legacy control devices, etc.)
• Vulnerabilities in common protocols.
• Attacks on field devices.
• Database attacks.
• Communications hijacking and Man-in-the-Middle (MitM) attacks.
• Improper or nonexistent patching of software and firmware.
• Improper coding techniques.
• Improper cybersecurity procedures for internal and external personnel.
• Lack of control systems specific mitigation technologies.”
Further ICS-CERT updated recommendations for defensive measures include:
• Minimizing network exposure for all ICS devices. Control system networks and devices should
  be situated behind firewalls and away from enterprise networks.
• When remote access is required, extra security measures, including the employment of Virtual
  Private Networks, taking into account their known vulnerabilities.
• Removal, disabling or renaming of default system accounts.
• Account lockout policies as a counter-measure to brute-force attacks.
• Strong password policies. These should be routinely enforced.
• Monitoring routinely for escalation of privileges, especially the creation of Administrator accounts
  by third parties.
• Applying all patches in ICS environments.
Not addressed in either of these reports, but strongly recommended by security experts, is the ramping
up of security training for both current and new employees. Encouraging and incentivizing IT
staff to acquire additional security training/certification would be a long-term security measure well
worth the investment in time, money and staffing.
POST SCRIPT:
Computer forensic experts and security analysts were instrumental in identifying and dissecting Stuxnet.
A number of great videos have been posted online. Chester Wisniewski, Senior Security Advisor for
Sophos, appears in “Stuxnet/Windows shortcut zero-day explained [Anatomy of an Attack online]” [8][9].
He explains how the Windows shortcut links were exploited by the malware and shows us exactly how
it appears to the user both in a hex-editor environment and in a Windows environment.
[Figure: Code specific to a USB stick for infecting other devices. It cannot now be copied to another USB stick.]
[8] http://www.youtube.com/watch?v=eFLNG5zHaVA
[9] http://www.youtube.com/watch?v=1UxN7WJFTVg
[Figure: View in Windows in the first seconds after clicking “Open” files on the removable device.]
[Figure: View in Windows seconds later after the virus self-extracts. The computer is now infected.]
Symantec produced another very informative video, “Stuxnet: How It Infects PLCs” [10]. In it, we are given
an overview of how the virus was brought into the target environment and how it spread across the
network looking for computers running the Step 7 software processes. Additionally, Liam O Murchu
provides a wonderful live demonstration of the actual performance of motorized devices under normal PLC
conditions and Stuxnet-altered conditions. We also see how the human-interface control display
appears unaltered.
[Figure: Stuxnet introduction and network propagation.]
[Figure: Two-way communication between infected PLC computer and attacker’s webserver.]
[Figure: PLC screen before infection.]
[Figure: PLC screen after infection.]
[10] http://www.youtube.com/watch?v=cf0jlzVCyOI
On June 17, 2010, an anti-virus company in Belarus, VirusBlokAda, was the first to detect and report the
discovery of a new Trojan that used USB storage devices as a vector of transmission [11]. This report was
picked up on by Brian Krebs on July 10, 2010 [12]. A Krebs on Security blog update on July 16, 2010 adds
that Frank Boldewin [13], an independent security expert, had dissected samples of Stuxnet to discover that
it was targeting Siemens WinCC SCADA systems.
I learned a tremendous amount from reading Symantec’s “W32.Stuxnet Dossier” and “Stuxnet 0.5:
The Missing Link.” For instance, the version of Stuxnet most widely analyzed did not seem to need to
do reconnaissance. By 2010, the only reporting that an infected computer needed to do was as follows
(extracted from “W32.Stuxnet Dossier”):
The following is an example of the computer description block:
5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, [COMPUTER NAME]
[DOMAIN NAME] [c:\a\1.zip:\proj.s7p]
The following describes each field:
5.1 - Major OS Version and Minor OS Version
1/1/0 – Flags used by Stuxnet
2 – Flag specifying if the computer is part of a workgroup or domain
2010/09/22-15:15:47 – The time of infection.
127.0.0.1 – Up to IP addresses of the compromised computer (not in the June 2009 version). Third wave….
[11] http://www.anti-virus.by/en/tempo.shtml
[12] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
[13] http://www.reconstructer.org/
[COMPUTER NAME] – The computer name.
[DOMAIN NAME] – The domain or workgroup name.
[c:\a\1.zip:\proj.s7p] – The file name of infected project file.
It also notifies attackers if either of the two targeted Siemens files (Step7 or WinCC) is found (see pg. 21 of the dossier).
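Because the description block has a fixed, positional layout, an analyst can decode captured copies of it mechanically. The parser below is an added example, not code from this paper or from Symantec; it assumes the single-line form of the block shown above and a constructed sample whose host, domain and path values are hypothetical, and it treats the IP field as zero or more dotted-quad addresses, since the dossier notes the June 2009 version carried none.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the block quoted above; values are hypothetical.
SAMPLE_BLOCK = (
    "5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, "
    "[COMPUTER NAME] [DOMAIN NAME] [c:\\a\\1.zip:\\proj.s7p]"
)

@dataclass
class InfectionReport:
    os_version: str          # "major.minor" of the Windows version
    flags: List[int]         # the "1/1/0" triple; meanings not given above
    domain_flag: int         # workgroup-or-domain flag
    infected_at: str         # time of infection, as sent
    ip_addresses: List[str]  # empty for the June 2009 version
    computer_name: str
    domain_name: str
    project_file: str        # the infected Step 7 project file

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_BLOCK_RE = re.compile(
    r"^(?P<osver>\d+\.\d+) - "
    r"(?P<flags>\d+/\d+/\d+) - "
    r"(?P<domflag>\d+) - "
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) "
    r"(?P<ips>(?:" + _IP + r",? ?)*)"  # zero or more comma-separated addresses
    r"\[(?P<host>[^\]]*)\] \[(?P<domain>[^\]]*)\] \[(?P<proj>[^\]]*)\]$"
)

def parse_report(block: str) -> Optional[InfectionReport]:
    """Decode one description block; return None if the layout does not match."""
    m = _BLOCK_RE.match(block.strip())
    if not m:
        return None
    return InfectionReport(
        os_version=m["osver"],
        flags=[int(x) for x in m["flags"].split("/")],
        domain_flag=int(m["domflag"]),
        infected_at=m["ts"],
        ip_addresses=re.findall(_IP, m["ips"]),
        computer_name=m["host"],
        domain_name=m["domain"],
        project_file=m["proj"],
    )

def has_step7_project(r: InfectionReport) -> bool:
    """True when the reported file is a Step 7 project (.s7p extension)."""
    return r.project_file.lower().endswith(".s7p")
```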
However, “Stuxnet 0.5: The Missing Link” reports that the oldest known version of Stuxnet has been
identified, dating back to an in-the-wild debut of approximately November 2007, and was only spread
via Step 7 project files. It also contained additional code that targeted closing valves in Natanz, Iran, and
could potentially have crippled Iran’s uranium enrichment system much more extensively than the later
version targeting only the centrifuges.
Works Cited
Albright, D., & Shire, J. (2009). ISIS Report: IAEA Report on Iran. Centrifuge and LEU increases;
access to Arak reactor denied; no progress on outstanding issues. Retrieved from
http://www.isisnucleariran.org/assets/pdf/Iran_IAEA_Report_Analysis_5June2009.pdf
Falliere, N., O Murchu, L., & Chien, E. (2011). Symantec Security Response. W32.Stuxnet
Dossier. (Version 1.4). Retrieved from
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Intergovernmental Panel on Climate Change (2014). Climate Change 2014: Impacts, Adaptation,
and Vulnerability. (IPCC WGII AR5, Chapter 26). Retrieved from http://ipccwg2.gov/AR5/images/uploads/WGIIAR5-Chap26_FGDall.pdf
McDonald, G., O Murchu, L., Doherty, S., & Chien, E. (2013). Symantec Security Response.
Stuxnet 0.5: The Missing Link. (Version 1.0). Retrieved from
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
U.S. Department of Homeland Security (2014). ICS-CERT Monitor: Incident Response Activity.
(January–April, 2014). Retrieved from http://ics-cert.uscert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan-April2014.pdf