Stuxnet is a complex piece of malware with many different components and functionalities, all with one goal in mind: to reprogram programmable logic controllers (PLCs). These industrial control systems are used in everything from gas pipelines and power plants to water purification systems.
The Stuxnet virus is the next generation in computer viruses because it not only exploits zero-day vulnerabilities within Windows, but also uses two compromised digital certificates. Furthermore, it hides its code from the operator using techniques borrowed from rootkit development.
Its main capabilities are:
1. Self-replicates through removable drives.
2. Spreads in a LAN using the Windows Print Spooler vulnerability.
3. Spreads through SMB using the Microsoft RPC handling remote code execution vulnerability.
4. Copies and executes itself on remote systems.
5. Updates itself through a peer-to-peer mechanism within the LAN.
6. Contacts a command and control server that allows the attacker to download and execute code.
7. Contains a Windows rootkit that hides its binaries.
8. Attempts to bypass security products.
9. Hides modified code on PLCs, essentially a rootkit for programmable logic controllers.
Each PLC device is configured differently for each task, so the attacker would need to gain access to the industrial control system (ICS) schematics. These design documents lay out the computing environment for the facility. This brings up a major point in any risk management plan: just how important design documents are, not only to the engineers on staff, but to a hacker who is planning an attack on your company's network.
Once Stuxnet has infected a computer within an organization, it begins to spread out in search of field PGs, which are typical Windows computers used to program PLCs.
Since most of these devices are not networked, Stuxnet would first try to spread over the LAN, exploiting a two-year-old vulnerability, a zero-day bug in the shared printer peer-to-peer network in Windows.
Stuxnet embeds everything it needs to infect a system, since it could not rely on a system having an outside connection to the Internet.
Export 15/16
The Stuxnet Architecture consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks.
When the threat is executed, the wrapper extracts the .dll file from the stub section and maps it into memory.
Each export from this .dll file has a different purpose in controlling the threat as outlined in the table.
When a Stuxnet export is called, it typically injects the entire DLL into another process and then calls the particular export. The target processes are a set of Windows security products that Stuxnet literally takes over. I have seen only one other virus that goes after an anti-virus package, and that virus was targeted only at a Symantec application.
The Stuxnet virus goes after the top anti-virus programs on the market.
Examples of security products it injects itself into:
1. McAfee (Mcshield.exe)
2. AntiVir (avguard.exe)
3. eTrust (UmxCfg.exe)
4. F-Secure (fsdfwd.exe)
5. Symantec Common Client (ccSvcHst.exe)
6. Trend PC-cillin (tmpproxy.exe)
Stuxnet also searches the Windows registry for McAfee, Trend PC-cillin and other security product processes.
Export 15 is the first Stuxnet export called when the .dll file is loaded. It checks that the virus is running on a compatible version of Windows:
1. Win2K
2. WinXP
3. Windows 2003
4. Vista
5. Windows Server 2008
6. Windows 7
7. Windows Server 2008 R2
Stuxnet checks to see if it has administration rights, because it wants to run with the highest level of privileges it can get. If it does not have administration rights, it executes one of the two zero-day escalation of privilege attacks to see if it can acquire them.
It is not that unusual for a virus to take advantage of one previously unknown security hole (known in the trade as a "zero-day vulnerability"). But Stuxnet exploits four entirely different ones in order to worm its way into a system. This is highly unusual for a virus!
Normally, anyone who discovers a new zero-day exploit can sell it on the hacker networks for real money.
So whoever created the Stuxnet virus was willing to pay handsomely to the hacker or hackers who found the exploits. Furthermore, it would take a team of experts on different platforms and systems to take advantage of the bugs once they had acquired them. This leads a lot of experts to think it was an organized team backed with government money.
After Stuxnet gains the administration rights it needs, it calls Export 16.
Export 16 is the main installer for the virus. It decrypts, creates and installs the rootkit files and registry keys it needs to operate (I will explain what a rootkit is shortly).
It injects itself into the Step 7 process to infect all Step 7 projects, sets up the global mutexes that are used to communicate between different components, and connects to the RPC server.
Step 7 is a single software framework for all your automation tasks within the Siemens software package running WinCC applications. It's how you program a programmable logic controller (PLC). It provides the engineering software framework that makes it easier for you to configure devices and networks through straightforward workflows and an intuitive user interface. It lets you drag and drop objects onto the screen and link them together, building relationships between the objects and processes you want to run. It's like working with a very sophisticated version of Microsoft Visio with a very advanced design engine built around the C++ language platform.
Stuxnet communicates between different components via global mutexes. (Mutual exclusion, or mutex, algorithms are used in concurrent programming to avoid the simultaneous use of a common resource, such as a global variable, by pieces of code called critical sections.) Stuxnet tries to create such a global mutex, but first it uses the "SetSecurityDescriptorDacl" API on Windows XP computers, or the "SetSecurityDescriptorSacl" API on computers running Windows Vista, to reduce the integrity levels of the objects and thus ensure no write actions are denied.
There are a couple of other infection routines it performs by injecting the payload .dll file into the services.exe process and calling export 32, but the main ones are exports 15 and 16. The other zero-day vulnerability is in the win32k.sys file, which is where local privilege escalation happens. This has since been patched by Microsoft as of October 12, 2010.
The data sent back to the command and control servers from systems running the Siemens SIMATIC Step 7 industrial control software includes internal and external IP addresses.
The Stuxnet virus uses two stolen digital certificates to spoof its identity over the Internet. This is a grave risk for managers because everyone is starting to use them, from the banking industry to e-commerce transactions.
One of the digital certificates the Stuxnet virus used was from Realtek. It was finally revoked on July 16, 2010. Another compromised digital certificate belonged to JMicron and is in the process of being revoked.
The rootkit uses cloaking techniques whereby it attempts to hide its presence from spyware blockers, anti-virus and system management utilities. It gives Stuxnet the ability to hide copies of its files on removable drives. It also prevents the user of the removable drive from noticing it is infected. What is even more interesting is that it prevents those users from realizing the recently inserted removable drive was the source of the infection... very cool!
The Stuxnet virus sets up a rootkit on any removable drive or flash device it encounters.
Using Export 16, Stuxnet extracts itself as an MrxNet.sys file, and the driver is registered as a service, creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\
"ImagePath" = "%System%\drivers\mrxnet.sys"
The driver is digitally signed with the Realtek digital certificate, which was revoked by VeriSign as of July 16, 2010.
The driver scans the following file-system driver objects:
A new device object is created by Stuxnet and attached to the device chain for each device object managed by these driver objects. The MrxNet.sys driver manages these device objects by inserting itself into their processing flows. Stuxnet is thus able to intercept IRP requests (for example, writes and reads to NTFS, FAT or CD-ROM devices). Furthermore, once a system is infected, the rootkit helps hide these processes, making it extremely difficult to remove and often requiring a full disk reformat.
The rootkit needs administration rights in order to download and install. That is why one of the first things this virus does is invoke a zero-day exploit. In a lot of ways most users give Stuxnet a helping hand in this process, because of the way Windows is installed: its default setting is to give the user super-user privileges.
The virus knows of this default and takes full advantage of it. This is something a risk manager should plan for in any risk assessment.
Persistent rootkits: A persistent rootkit is malware that activates each time the system boots.
Memory-based rootkits: Memory-based rootkits are malware that have no persistent code and therefore do not survive a reboot of the system.
User-mode rootkits: This type attempts to evade detection by intercepting all calls to the Windows FindFirstFile/FindNextFile APIs, which programs like Windows Explorer use to find files. It intercepts and modifies the results returned to Explorer, removing the entries that would reveal a rootkit exists on your system.
Kernel-mode rootkits: Kernel-mode rootkits can be even more powerful, since not only can they intercept the native API in kernel mode, like the user-mode rootkit above, but they can also directly manipulate kernel-mode data structures. They can spoof the Task Manager and Explorer and are extremely hard to find. This is the most likely rootkit type used with the Stuxnet virus.
The McCumber Cube methodology requires the security practitioner to decompose the elements of the IT system into three primary information states: transmission, storage and processing. The Stuxnet virus clearly goes through each of these states in how it first transmits and exports its code into other systems, then sits in storage waiting for the Step 7 software or Windows processes to activate it and start to corrupt a given system.
You will notice in reading about the major security vendors like Cisco, Juniper or Symantec that they have NOT claimed their product is the Stuxnet killer. They know Stuxnet is a very complex worm with no single solution. This means that risk managers will have to attack this virus using a host of different methods in order to first find the virus, and then to delete it off the device or server it has infected.
Transmission: Stuxnet transmits or propagates using three completely different transmission mechanisms:
1. Via infected removable USB drives;
2. Via local area network communications; and
3. Via infected Siemens project files.
If one were to look at the information flow, as per the examples in the McCumber Cube, to determine the information state and location within a given system, you would have to look at each of these transmission methods and map out their vulnerabilities using the information already discussed, which would include the technical, procedural and human factors that help this bug get around.
1. It infects computers via removable USB flash drives (even when autorun is disabled) via a previously undiscovered shortcut (i.e. *.lnk file) vulnerability.
2. For versions of Stuxnet created prior to March 2010, it spread via removable USB flash drives using an autorun-based exploit rather than the *.lnk file exploit.
3. It spreads over local area networks to computers with network shares by enumerating all user accounts of the computer and the domain. It then tries all available network resources in order to copy itself to and execute on the remote share, thereby infecting the remote computer.
4. It spreads over local area networks to computers offering print sharing via a Windows Print Spooler zero-day vulnerability.
5. It spreads over local area networks via the Windows Server Service vulnerability.
6. It infects computers running Siemens WinCC software by using Siemens "internal" system passwords (i.e. passwords that cannot be changed) to log into the SQL server, transferring a version of the worm and then executing it locally.
7. It propagates by copying itself to any discovered Siemens STEP 7 projects (*.S7P, *.MCP and *.TMP files) and then auto-executing whenever the user opens the infected project.
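The share-based spread in item 3 above has a recognizable footprint in server logs: one source, under one account, writing to administrative shares on many hosts in a short time. The following is an added example of detection logic for that pattern, not code from the article or from any vendor it names. The log lines are a constructed key=value rendering loosely modeled on Windows security event 5145 (not real event text), and the 10-minute window, the three-host threshold and the set of administrative share names are assumptions a risk manager would tune for their own network.

```python
"""Flag one source that writes to administrative shares on several hosts within a
short window, the pattern behind the share-based spread described above.
Added example, not from the article; the log lines are a constructed key=value
rendering loosely modeled on Windows security event 5145, not real event text."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

ADMIN_SHARES = {"ADMIN$", "C$", "D$"}           # assumed set of administrative shares
WRITE_ACCESS = {"WriteData", "AppendData"}      # access names treated as a write

# Constructed sample: 10.0.0.5 fans out to three field PGs in nine seconds; the
# backup account touches two servers fifteen minutes apart; one read is unrelated.
SAMPLE_LOG = """\
2010-07-15T10:00:01 event=5145 src=10.0.0.5 account=ENG\\jdoe share=\\\\*\\ADMIN$ host=PG-01 access=WriteData
2010-07-15T10:00:03 event=5145 src=10.0.0.5 account=ENG\\jdoe share=\\\\*\\ADMIN$ host=PG-02 access=WriteData
2010-07-15T10:00:04 event=5145 src=10.0.0.9 account=ENG\\asmith share=\\\\*\\Projects host=FILE-01 access=ReadData
2010-07-15T10:00:07 event=5145 src=10.0.0.5 account=ENG\\jdoe share=\\\\*\\C$ host=PG-03 access=WriteData
2010-07-15T10:00:09 event=5145 src=10.0.0.5 account=ENG\\jdoe share=\\\\*\\ADMIN$ host=PG-01 access=WriteData
2010-07-15T10:30:00 event=5145 src=10.0.0.7 account=ENG\\backup share=\\\\*\\C$ host=SRV-01 access=WriteData
2010-07-15T10:45:00 event=5145 src=10.0.0.7 account=ENG\\backup share=\\\\*\\C$ host=SRV-02 access=WriteData
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP k=v k=v ...' into a record with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def share_name(share: str) -> str:
    """Last path component of a UNC share, upper-cased: '\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return share.rsplit("\\", 1)[-1].upper()


def detect_share_fanout(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                        min_hosts: int = 3) -> List[Tuple[str, str, List[str]]]:
    """Return (src, account, hosts) for every source/account pair that wrote to an
    administrative share on at least min_hosts distinct hosts within one window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    hits: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for rec in events:
        if share_name(str(rec["share"])) in ADMIN_SHARES and rec["access"] in WRITE_ACCESS:
            hits[(str(rec["src"]), str(rec["account"]))].append((rec["ts"], str(rec["host"])))
    alerts = []
    for (src, account), seq in hits.items():
        flagged = set()
        start = 0
        for end in range(len(seq)):              # sliding window over time-ordered hits
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            alerts.append((src, account, sorted(flagged)))
    return alerts


if __name__ == "__main__":
    for src, account, hosts in detect_share_fanout(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src} as {account} wrote to admin shares on {', '.join(hosts)}")
```

The rule keys on the source/account pair rather than the account alone, because the enumeration the article describes reuses whatever accounts it finds; a legitimate backup job that touches two servers fifteen minutes apart stays below both the window and the host threshold.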
Furthermore, it also takes advantage of two other Windows vulnerabilities that allow escalation of privileges (i.e. upgrading its account privileges to Administrator). It uses a special method of loading software designed to bypass behavior blocking and host intrusion protection-type technologies, thus hiding itself in storage until the right processes are activated. To top it off, it detects and subverts most major anti-virus programs, loading itself into the anti-virus process itself and then executing as part of the AV product.
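A practitioner auditing removable media for the shortcut (*.lnk) vector in item 1 of the list above would want to validate shortcut files structurally before anyone opens them. The following added example, which is not code from the article, parses the fixed ShellLinkHeader and walks the LinkTargetIDList of a .lnk file according to the public MS-SHLLINK layout and reports malformed structure. The sample bytes are constructed, not a real shortcut, and the choice to treat any structural problem as "not valid" is the example's own policy.

```python
"""Structural triage of Windows shortcut (.lnk) files, the removable-media vector
named in item 1 above. Added example, not from the article: it parses the fixed
ShellLinkHeader and walks the LinkTargetIDList per the public MS-SHLLINK layout and
reports malformed structure. The sample bytes are constructed, not a real shortcut."""
import struct
from dataclasses import dataclass, field
from typing import List

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Low byte of LinkFlags from the MS-SHLLINK specification
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}


@dataclass
class LnkSummary:
    valid: bool
    flags: List[str]
    id_list_size: int   # bytes in the IDList (includes the 2-byte TerminalID), 0 if absent
    item_count: int     # ItemIDs walked before the TerminalID
    problems: List[str] = field(default_factory=list)


def parse_lnk(data: bytes) -> LnkSummary:
    """Validate the header and, if present, walk the LinkTargetIDList item by item."""
    problems: List[str] = []
    if len(data) < HEADER_SIZE:
        return LnkSummary(False, [], 0, 0, ["shorter than the 76-byte ShellLinkHeader"])
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE:
        problems.append(f"HeaderSize is {header_size:#x}, expected 0x4c")
    if clsid != LINK_CLSID:
        problems.append("LinkCLSID is not the shell link CLSID")
    names = [name for bit, name in LINK_FLAGS.items() if flags & bit]
    id_list_size = item_count = 0
    if flags & 0x01:
        pos = HEADER_SIZE
        if len(data) < pos + 2:
            problems.append("HasLinkTargetIDList set but IDListSize is missing")
        else:
            (id_list_size,) = struct.unpack_from("<H", data, pos)
            pos += 2
            end = pos + id_list_size
            if end > len(data):
                problems.append("IDListSize runs past the end of the file")
            else:
                while True:  # each ItemID starts with a 2-byte size that counts itself
                    if pos + 2 > end:
                        problems.append("IDList has no zero-size TerminalID")
                        break
                    (item_size,) = struct.unpack_from("<H", data, pos)
                    if item_size == 0:
                        break
                    if item_size < 2 or pos + item_size > end:
                        problems.append(f"ItemID at offset {pos} has bad size {item_size}")
                        break
                    item_count += 1
                    pos += item_size
    return LnkSummary(not problems, names, id_list_size, item_count, problems)


def build_sample() -> bytes:
    """Constructed minimal shortcut: valid header, flags HasLinkTargetIDList|IsUnicode,
    two ItemIDs (4 and 3 bytes) and the TerminalID."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, 0x81) + bytes(HEADER_SIZE - 24)
    id_list = bytes([4, 0, 0xAA, 0xBB]) + bytes([3, 0, 0xCC]) + bytes([0, 0])
    return header + struct.pack("<H", len(id_list)) + id_list


SAMPLE_LNK = build_sample()

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
    print(parse_lnk(SAMPLE_LNK[:80]))  # truncated copy: IDListSize runs past the end
```

Run over every *.lnk found on a drive before it is mounted on an engineering workstation, a file that fails the walk (bad CLSID, a size that runs past the end of the file, a missing TerminalID) is quarantined for a closer look rather than opened; a clean structure is not a guarantee of safety, only a filter for the obviously malformed.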
Storage: When you go about determining the other information states and mapping their flows relating to storage, this virus is deadly, and if redesigned to go after other systems it would be a nightmare to system administrators and risk managers alike. This virus can hide itself in storage and intercept calls to and from anti-virus programs, waiting for the right process to activate in Windows. There are only a few products on the market that can detect rootkits, like RootkitRevealer or the Sysinternals suite, but there are no guarantees with this virus.
This virus takes full advantage of the more advanced rootkit cloaking technology, because it not only hides its existence, but also its trail of how it came to be on that system. Once it infects a system, the only way to really get it off is to reformat the hard drive and reinstall the software. If you don't reformat the drive, this virus can store itself in the file allocation system of Windows, waiting for the right process to start so it can re-infect the system.
Processing: One of the key attributes of computer systems is that they automatically process information. In the case of the Stuxnet virus, it uses the computer's own programs to help it process and propagate. A key element of the McCumber Cube is the mapping of information flow and defining the boundaries of the system in question.
But this can be very difficult with this type of virus because it does not rely on any one method to infect a system.
You would not only have to map out the system's operating software, but all the applications on any given system, to find the boundaries that this virus might use to spread.
Moreover, as outlined earlier, the Stuxnet virus exploits a number of zero-day vulnerabilities within Windows and the Step 7 software products. These systems have been shown in the past to have many vulnerabilities not yet discovered, and the makers of this virus have shown that if needed they will go to outside resources, meaning other hackers, to acquire new zero-day exploits. The research is not conclusive on this question, but all the techniques this virus uses lead one to this conclusion.
Define the Boundaries
The McCumber methodology is not founded on an educated guess at attacker profiles. All sound security analysis is based on understanding and protecting the assets requiring protection, because new vulnerabilities and attacks are always coming forth and being tried by hackers.
Make an inventory of all IT resources
Once you have identified the extent of your perimeter, you need to work within its confines to identify the various technology resources and components that transmit, store and process the data used by any new threat.
Decompose and identify each information state.
Keep up to date on known security vulnerabilities for the types of components and software currently running on your systems.
With 120 countries now in the cyber arms race, intelligence agencies around the world are working to assess their offensive and defensive cyber capabilities. Developing cyber weapons does not require the massive infrastructure usually associated with conventional arms. A couple of PCs and a few smart programmers and you have all you need to create a cyber weapon. But when it comes to the Stuxnet virus which is a very sophisticated piece of programming, it took a team of skilled programmers who specialized in different types of technology in order to get it all to work together.
One of the more political aspects of the virus is that it encompasses some interesting dates that fall on times that could only be associated with events in Iran.
Export 16 first checks that the configuration data is valid; after that it checks the value "NTVDM TRACE" in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
If this value equals 19790509 the threat will exit. It just so happens that on May 9, 1979 Habib Elghanian was executed by a firing squad in Tehran, sending shock waves through the close-knit Iranian Jewish community. This prompted a mass exodus of some 100,000 members of the Jewish community in Iran. This could just be an arbitrary date, or a birth date, or something else, but it does raise some interesting questions as to who might have created this virus.
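The two registry locations the article quotes, the MRxNet service entry created for the rootkit driver and the "NTVDM TRACE" value that makes Export 16 exit, are both things a risk manager can check for during the random sampling of systems discussed later. The following added example, which is not code from the article or from any vendor it names, reads both from an HKLM view and reports what it finds. The reader abstraction is the example's own design so that the logic can be exercised against a constructed registry on any platform; on Windows, `winreg_reader` uses the standard-library `winreg` module.

```python
"""Check an HKLM registry view for the two Stuxnet-related entries quoted in the
article: the MRxNet driver service and the "NTVDM TRACE" exit marker.
Added example, not from the article. The reader abstraction and the constructed
registries below are assumptions so the logic runs on any platform."""
import re
from typing import Callable, Dict, Optional, Tuple

# Registry locations exactly as the article quotes them (under HKEY_LOCAL_MACHINE).
MRXNET_KEY = r"SYSTEM\CurrentControlSet\Services\MRxNet"
MRXNET_VALUE = "ImagePath"
NTVDM_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
NTVDM_VALUE = "NTVDM TRACE"
EXIT_MARKER = 19790509  # value that makes Export 16 exit, per the article

# A reader maps (subkey, value name) under HKLM to the stored value, or None if absent.
Reader = Callable[[str, str], Optional[object]]


def winreg_reader(subkey: str, name: str) -> Optional[object]:
    """Live reader using the standard-library winreg module (Windows only)."""
    import winreg  # ImportError off Windows; use constructed_reader there
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _kind = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def constructed_reader(values: Dict[Tuple[str, str], object]) -> Reader:
    """Reader over a constructed {(subkey, name): value} dict; lookups are
    case-insensitive because the Windows registry is."""
    table = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    return lambda subkey, name: table.get((subkey.lower(), name.lower()))


def check_mrxnet_service(read: Reader) -> Tuple[bool, str]:
    """Flag an MRxNet service whose ImagePath ends in mrxnet.sys (case-insensitive,
    since the article spells it both MrxNet.sys and mrxnet.sys)."""
    path = read(MRXNET_KEY, MRXNET_VALUE)
    if path is None:
        return False, "no MRxNet service key"
    if re.search(r"\\mrxnet\.sys$", str(path), re.IGNORECASE):
        return True, f"MRxNet service registered with ImagePath {path}"
    return False, f"MRxNet key present but ImagePath is {path}"


def check_exit_marker(read: Reader) -> Tuple[bool, str]:
    """Report whether 'NTVDM TRACE' holds the value the article says makes the threat exit."""
    value = read(NTVDM_KEY, NTVDM_VALUE)
    if value is None:
        return False, "'NTVDM TRACE' value not set"
    try:
        present = int(value) == EXIT_MARKER
    except (TypeError, ValueError):
        present = False
    return present, f"'NTVDM TRACE' = {value!r}"


def scan(read: Reader) -> Dict[str, object]:
    """Run both checks and return a flat result dict."""
    mrxnet, mrxnet_detail = check_mrxnet_service(read)
    marker, marker_detail = check_exit_marker(read)
    return {"mrxnet_service": mrxnet, "mrxnet_detail": mrxnet_detail,
            "exit_marker": marker, "exit_marker_detail": marker_detail}


# Constructed sample registries (not taken from any real system).
INFECTED = constructed_reader({(MRXNET_KEY, MRXNET_VALUE): r"%System%\drivers\mrxnet.sys"})
INOCULATED = constructed_reader({(NTVDM_KEY, NTVDM_VALUE): 19790509})
CLEAN = constructed_reader({})

if __name__ == "__main__":
    for label, reader in (("infected", INFECTED), ("inoculated", INOCULATED), ("clean", CLEAN)):
        print(label, scan(reader))
```

On a Windows host, `scan(winreg_reader)` runs the same two checks against the live registry. A positive MRxNet result is an indicator that the rootkit driver was installed; the exit-marker result only tells you whether the value the article describes is present, and says nothing about whether the system was ever infected.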
Export 16 read/write process:
When Stuxnet activates the Export 16 process and creates the MrxNet.sys file, so it can read and write files to different locations on removable drives, it creates a driver path for the project. The path that it sets up has some very political overtones, because this is the path it creates:
Path: b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
Guavas are plants in the myrtle (Myrtus) family. The string can be interpreted to mean "MyRTUs". RTU stands for remote terminal unit; RTUs are similar to PLCs and, in some environments, the term is used as a synonym for PLC.
In addition, "Esther was originally named Hadassah. Hadassah means 'myrtle' in Hebrew." Esther learned of a plot to assassinate the king and "told the king of Haman's plan to massacre all Jews in the Persian Empire."
But like anything you read in Wikipedia, it could be true or it could be false.
It looks like Israel is the most likely source for the virus, which brings up some critical issues that could affect other nations. If Israeli cyber-warriors from Unit 820 or the Mossad created Stuxnet, it then becomes what some might call state-sponsored cyber terrorism. Furthermore, what's to stop other hackers, or even Islamist hackers, from improving on the virus and turning its focus on Israel or one of the U.S.'s production facilities?
In the last couple of years the Dept. of Defense has been hit with some major hacks to the DOD server network, and a lot of people suspect the Chinese are behind these attacks. What's to stop the Chinese from improving on Stuxnet and using it against Taiwan, Pakistan or India, to name a few?
When you look into the Stuxnet virus, it appears to be designed to go after the centrifuges and programmable logic controllers at the Natanz plant that houses the many centrifuges used in the production of nuclear material in Iran. But even though this might have been the key target for the virus, its structure and design techniques could be used to attack industrial plants around the world and cause chaos in more interconnected countries, like the United States.
The U.S. industrial infrastructure has already shown it can be hacked! In addition, the way the Internet is designed, it's a perfect medium for the job. Furthermore, we have not spent any money on upgrading our electrical or power plant grids for some thirty years now. A virus like Stuxnet could cripple our power grid in ways that could take us weeks to recover from.
In my analysis of the Stuxnet virus and how it relates to risk management, in order to secure any system from this type of virus you will need a multi-tier approach, because no one solution can stop it. Moreover, given the fact that it uses technology to even hide its existence on a system, you will have to design a risk program that not only looks at internal processes, but also at processes after they have interacted with an infected system.
Furthermore, this virus targets your key anti-virus programs, so you will have to design a mitigation strategy around this fact, because I don't know of any system administrator who buys all of the anti-virus programs on the market to run on his or her servers. So the plan should not only be multi-tier, but multi-layered, which would include not only server and software logging, but also a more statistical approach of sampling systems at random. This could be the only way to find a virus like Stuxnet or its future incarnations. This sampling process could be set up based on a number of different patterns: the number of users on your system, the number of IP addresses, the traffic around a given network node, or people hitting your outer perimeter firewalls.
In addition, have a comprehensive backup system in place with ghost copies of your key applications ready to go at any given time, because with a virus like Stuxnet and others to follow, the only sure way to get rid of it will be to reformat the hard drive. Most IT managers will have backup ghost copies of a given system, but given the current nature of N-tier software design being built into the more sophisticated programs, these object-based methodologies rely on a number of different servers and services in order to function across a server farm. This could make your backup plans quite complex if not mapped out with system inter-dependencies in mind. This also means having a great change management policy built into any risk management plan. The last thing any modern plan must include is IT training for your staff. A well-trained IT person will be able to think on his or her feet in the cyber-war to come.
This might be the only contingency plan that survives the first attack on your network.
Richard Falkenrath, "Stuxnet and the United States" (Bloomberg interview): http://www.richardsilverstein.com/tikun_olam/2010/09/26/bush-counter-terror-official-on-stuxnet-israel-likely-did-it
William J. Broad, John Markoff and David E. Sanger, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay", The New York Times: http://www.standwithus.com/app/inews/view_n.asp?ID=1728
Eric Byres, "No Silver Bullet for Stuxnet / Siemens WinCC Malware" (white paper): http://www.tofinosecurity.com/blog/no-silver-bullet-stuxnet-siemens-wincc-malware-white-paper
Jarrad Shearer (Symantec), "Stuxnet Security Response": http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
David Hatchell (McAfee), "Stuxnet: A View From an Energy Perspective": http://blogs.mcafee.com/enterprise/critical-infrastructure-protection/stuxnet-a-view-from-an-energy-perspective
John McCumber (1956), Assessing and Managing Security Risk in IT Systems: A Structured Methodology (book), Auerbach Publications: www.auerach-publications.com
Daniel M. Kammen and David M. Hassenzahl, Should We Risk It? Exploring Environmental, Health, and Technological Problem Solving (book), Princeton University Press, copyright 1999.
Wikipedia: The Free Encyclopedia, "Stuxnet": http://en.wikipedia.org/wiki/Stuxnet