8/7/2019 Analysis Stuxnet dissected
http://slidepdf.com/reader/full/analysis-stuxnet-dissected 1/4
Analysis: Stuxnet dissected
By Brett Winterford
Feb 23, 2011 11:02 PM
Tags: Stuxnet | Symantec Security Response | Iran nuclear program | Siemens | SCADA (supervisory control and data acquisition) | centrifuge | LNK vulnerability | zero-day exploit | Autorun vulnerability | S7-315 | S7-417
How one of the world's most complex cyber attacks crippled Iran's nuclear programme.

So how did Stuxnet do the damage? Hogan believes the Symantec team now has a fairly accurate idea of how Stuxnet succeeded.
1. Getting inside
Even the most sophisticated virus in the world would have trouble infecting machines that aren't connected to the internet. The computers connected to the enrichment program's industrial control systems are air-gapped, that is, not connected to the internet or to other insecure networks.
Hogan can only guess that a degree of social engineering would have been required to convince an operator or engineer who worked at the plant to bring in data on external media (such as a USB key) that was infected with the worm.
"In our experience in cases like this, the target organisation is usually being attacked
through an intermediary like an outsourced partner," Hogan said.
These intermediaries might have offered skilled labour, technology outsourcing or any number of other services to the program. Engineers often use ruggedised laptops, he said, which are taken off-site to be loaded with new instruction sets and then carried back into the facility to upload those commands to the control system.
Hogan suspected that the worker who infected the machines made a genuine mistake rather than a deliberate attempt at spying. The attacker may have deliberately left memory sticks lying around at the offices of the outsourced provider. Once one machine was infected, any network it connected to was at risk, and the worm was programmed to use those connections to seek out the devices that could do the damage.
2. Creating a backdoor
Once a USB stick or other external media was plugged in, the worm used the LNK (Windows shortcut) vulnerability to infect the machine. The code executed as soon as the user browsed the contents of the USB stick in Windows Explorer: rendering the shortcut's icon was enough to trigger the exploit, so they did not have to click on anything.
Stuxnet's driver components were signed with code-signing certificates stolen from two Taiwanese device manufacturers, JMicron and Realtek. A valid signature let those drivers load as trusted kernel code, which is what allowed Stuxnet to run more deeply inside the target computer.
"Someone got access to private keys of those two organisations - which curiously are
based within a few kilometres of each other," Hogan said.
Stuxnet then checked in over the internet with two command-and-control servers to report the infection and download instructions.
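The shortcut trick described above (the icon-parsing flaw Microsoft later patched as MS10-046, CVE-2010-2568) can be triaged offline. The Python below is an added illustration, not code from the article or from Symantec: it parses the LinkTargetIDList of a Windows .lnk file and flags shortcuts that both walk the Control Panel namespace and name a loadable module (.dll, .cpl or .tmp) as their target, which is the combination the exploit relied on to make Explorer load code while drawing an icon. The sample .lnk bytes are constructed inline, the path E:\payload.dll is hypothetical, and the item layouts are simplified (real shortcut files carry more structure than this builder emits), so treat the verdict as a triage hint rather than proof.

```python
import re
import struct
import uuid

# Constants from the MS-SHLLINK (Shell Link binary) format.
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# CLSID of the Windows Control Panel namespace; a root shell item carrying it means
# the shortcut resolves through the Control Panel rather than the file system.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
# Extensions Windows would load as code when named as a control panel applet.
CODE_EXTENSIONS = (".dll", ".cpl", ".tmp")


def parse_id_list(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads from a .lnk file's LinkTargetIDList (empty if absent)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != SHELL_LINK_CLSID:
        raise ValueError("header does not match the Shell Link format")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    offset = HEADER_SIZE
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    offset += 2
    end = offset + id_list_size
    items = []
    while offset + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, offset)
        if item_size == 0:                      # TerminalID closes the list
            break
        if item_size < 2 or offset + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[offset + 2: offset + item_size])
        offset += item_size
    return items


def utf16_strings(blob: bytes, min_chars: int = 4) -> list[str]:
    """Pull printable UTF-16LE runs out of a binary blob (a strings(1)-style heuristic)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, blob)]


def assess_lnk(data: bytes) -> dict:
    """Flag shortcuts whose target list walks the Control Panel namespace AND names a loadable module."""
    items = parse_id_list(data)
    control_panel = any(CONTROL_PANEL_CLSID.bytes_le in item for item in items)
    module_paths = [s for item in items for s in utf16_strings(item)
                    if s.lower().endswith(CODE_EXTENSIONS)]
    if control_panel and module_paths:
        verdict = "suspicious"   # the pairing the icon-rendering exploit depends on
    elif control_panel or module_paths:
        verdict = "review"       # e.g. a genuine shortcut to the Control Panel itself
    else:
        verdict = "benign"
    return {"verdict": verdict, "control_panel_item": control_panel, "module_paths": module_paths}


# --- Constructed sample files for the demo (not real Stuxnet artefacts) ---------------------
def build_lnk(items: list[bytes]) -> bytes:
    """Assemble a minimal .lnk: header with HasLinkTargetIDList set, then the ItemIDs and TerminalID."""
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")
    id_list = b"".join(struct.pack("<H", len(item) + 2) + item for item in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


def root_item(clsid: uuid.UUID) -> bytes:
    return b"\x1f\x00" + clsid.bytes_le       # class type 0x1F = root folder shell item


def path_item(path: str) -> bytes:
    return b"\x00" + path.encode("utf-16-le") + b"\x00\x00"   # simplified item carrying a UTF-16 path


MALICIOUS_LNK = build_lnk([root_item(CONTROL_PANEL_CLSID), path_item("E:\\payload.dll")])
CONTROL_PANEL_LNK = build_lnk([root_item(CONTROL_PANEL_CLSID)])
BENIGN_LNK = build_lnk([root_item(MY_COMPUTER_CLSID), path_item("C:\\Users\\alice\\report.docx")])

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_LNK), ("control panel", CONTROL_PANEL_LNK), ("benign", BENIGN_LNK)]:
        print(name, assess_lnk(blob))
```

Run it over every .lnk on a mounted removable volume before anyone opens the drive in Explorer; the "review" verdict exists because a plain shortcut to the Control Panel is legitimate and only the combination with a module path is worth escalating.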
3. Looking around the network
The worm also used a vulnerability in the Windows Print Spooler service to spread to other devices on the local area network, and it copied itself to, and executed from, network shares.
Stuxnet then formed a peer-to-peer network between infected machines so that the latest version of the worm, downloaded from the command-and-control servers by any one of them, could be passed on to the rest, including machines with no internet access of their own.
The worm also checks whether Siemens Step 7, the software used to program the Siemens controllers that run the plant, is present on any device reachable from the infected machine. If it finds computers with this software on the network, Stuxnet copies itself to and executes on those machines too.
4. Doing the damage
Once the worm finds machines running the Siemens software, it infects the Step 7 project files as another way to spread around the target installation.

Ultimately, Stuxnet attempts to upload its own code to the Siemens programmable logic controllers (PLCs), the devices that sit between the engineering software and the physical equipment. In the case of the Iranian nuclear enrichment facility, the controllers were connected to frequency converters that ran the high-speed motors spinning the centrifuges used for enrichment.

So Stuxnet was able to download a fresh set of commands to the controllers that overrode the legitimate instruction sets.
This code told the frequency converters how fast the 164 centrifuge motors should spin and for how long. Stuxnet was programmed to first watch the converters for about 13 days, recording their normal behaviour, before it acted. Symantec believes Stuxnet then inserted instructions to spin the frequency converters up to 1410Hz for 15 minutes, well above the nominal operating frequency of 1064Hz.
"We assume it was spinning it up quickly to malfunction," Hogan said. "It was an
attempt to create sympathetic vibrations that would cause problems," he said,
potentially even breaking the rotors or centrifuges themselves.
Next, Stuxnet's instruction set returned the frequency converters to nominal speed for at least 27 days, then dropped the speed to 2Hz for some 50 minutes, before spinning back up to normal speed, screaming back up to 1410Hz, and so on.
5. Masking its tracks
In order to inflict maximum damage, Stuxnet intercepted any attempt by operators to upload new code onto the controllers. As new instructions were uploaded, Stuxnet shunted the code aside and kept its own instructions running, but presented a picture back to the operators that suggested all was running as it should be.
"If you went in and looked at the .DLL file, you would see your original code," Hogan
remarked. "Stuxnet is hiding what it is doing."
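Sections 4 and 5 together carry the lesson defenders took from Stuxnet: the PLC was both the actuator and the only reporter, so any check built on the values the PLC sent back could never fire. The Python below is an added illustration, not Symantec's or the article's code. It replays the attack cycle as the article states it (13 days quiet, 15 minutes at 1410Hz, 27 days at nominal, 50 minutes at 2Hz) against two historian rules: a conventional out-of-band rule on the PLC-reported frequency, and a cross-check of that reported value against a sensor wired independently of the PLC. The tolerance band, sampling interval and the square-law vibration model are assumptions made for the example, not plant data.

```python
from dataclasses import dataclass

NOMINAL_HZ = 1064.0    # nominal converter frequency quoted in the article
TOLERANCE_HZ = 25.0    # assumed acceptable deviation band (hypothetical plant setting)
SAMPLE_EVERY_MIN = 5   # assumed historian sampling interval

# One attack cycle as the article describes it: (duration in minutes, commanded Hz).
ATTACK_CYCLE = [
    (13 * 24 * 60, NOMINAL_HZ),  # ~13 days of quiet observation at nominal speed
    (15, 1410.0),                # 15 minutes well above nominal
    (27 * 24 * 60, NOMINAL_HZ),  # ~27 days back at nominal
    (50, 2.0),                   # 50 minutes almost stopped
]


@dataclass(frozen=True)
class Sample:
    minute: int
    commanded_hz: float   # what the converter is really driven to
    reported_hz: float    # what the PLC hands to the HMI and historian
    vibration_g: float    # reading from a sensor that does not pass through the PLC


def vibration_model(hz: float) -> float:
    """Toy physics for the example: vibration grows with the square of rotor speed (an assumption)."""
    return 0.5 * (hz / NOMINAL_HZ) ** 2


def generate_samples(masked: bool) -> list[Sample]:
    """Replay ATTACK_CYCLE. With masked=True the PLC reports the recorded nominal value
    whatever it is actually commanding, which is the masking the article describes."""
    samples = []
    minute = 0
    for duration, hz in ATTACK_CYCLE:
        for t in range(minute, minute + duration, SAMPLE_EVERY_MIN):
            reported = NOMINAL_HZ if masked else hz
            samples.append(Sample(t, hz, reported, vibration_model(hz)))
        minute += duration
    return samples


def band_alert(s: Sample) -> bool:
    """Conventional historian rule: the frequency the PLC reports leaves the tolerance band."""
    return abs(s.reported_hz - NOMINAL_HZ) > TOLERANCE_HZ


def cross_check_alert(s: Sample, rel_tolerance: float = 0.10) -> bool:
    """Independent-sensor rule: measured vibration is inconsistent with the speed the PLC claims."""
    expected = vibration_model(s.reported_hz)
    return abs(s.vibration_g - expected) > rel_tolerance * expected


def run_detection(samples: list[Sample]) -> dict:
    """Count how each rule performs against the ground truth hidden in commanded_hz."""
    return {
        "attack_samples": sum(1 for s in samples if s.commanded_hz != NOMINAL_HZ),
        "band_alerts": sum(1 for s in samples if band_alert(s)),
        "cross_check_alerts": sum(1 for s in samples if cross_check_alert(s)),
        "first_cross_check_minute": next((s.minute for s in samples if cross_check_alert(s)), None),
    }


if __name__ == "__main__":
    print("PLC masking its output:", run_detection(generate_samples(masked=True)))
    print("PLC reporting honestly:", run_detection(generate_samples(masked=False)))
```

With masking on, the band rule sees 1064Hz throughout and never alerts, while the cross-check fires on the first off-nominal sample at the end of the 13-day quiet period; with masking off, both rules catch the same handful of samples. The design point is the one the industry drew from Stuxnet: measure the physical process with something the compromised controller cannot rewrite, and compare the two.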
Best in class, and hopefully the last.
After months of pulling Stuxnet apart and documenting its abilities, Hogan is convinced it is the "first publicly known malware to intend real-world damage". He believes the development of such a sophisticated threat "required resources characteristic of a nation state".
Symantec has noted that the attacker would have required access to the design schematics of the plant, to the private keys of the two Taiwanese manufacturers, and to a team of "five to 10 core developers" working for about six months to develop the exploit.
With the LNK vulnerability now known, and Stuxnet analysed in every corner, Hogan is confident it will remain a relatively isolated attack.

"I don't believe there will be a Stuxnet II," he said.

"But the whole area of industrial control systems security is now open to a lot more eyes and brains than it was before - for both good and bad."
The writer attended Symantec's research labs in Japan as a guest of the anti-virus vendor.
Copyright © iTnews.com.au. All rights reserved.
Source: http://www.securecomputing.net.au/News/249061,analysis-stuxne (page footer as captured, 3/27/2011)