By

Lance Westberg

How does Stuxnet infect industrial control systems?

Stuxnet is a complex piece of malware with many different components and functionalities with one goal in mind, which is to reprogram programmable logic controllers (PLCs). These industrial control systems are used in everything from gas pipelines, power plants and water purification systems. The Stuxnet virus is the next generation in computer viruses because it not only exploits the Zero-Day vulnerabilities within Windows, but it also compromised two digital certificates. Furthermore, it hides its code from the operator using a technique that involves the rootkit development process.

Here is a list of some of the features of the virus:

Self-replicates through removable drives.

Spreads in a LAN Network using Windows Print Spooler vulnerability.

Spread through SMB – Microsoft RPC handling Remote Code Execution

vulnerability.

Copies and Executes itself on remote systems

Updates itself through peer-to-peer mechanism within LAN

Contacts a command and control server that allows a hacker to download and

execute code.

Contains a Windows rootkit that hides its binaries.

Attempts to bypass security products.

Hides modified code on PLC’s, essentially a rootkit for programmable logic

controllers (PLCs).

Attack Methods: Each PLC device is configured differently for each task. So the attacker would need to gain access to the industrial control systems (ICS’s) schematics. These design documents layout the computing environment for the facility. This brings up a major point in any risk management plan, and just how important design documents are to not only the engineers on staff, but to hacker who is planning an attack on your companies network. Once Stuxnet had infected a computer within an organization it begins to spread out in search of field PGs, which are typical Windows computers, but used to program PLCs.  Since most of these devices are non-networked, Stuxnet would first try to spread over the LAN network exploiting a two year old vulnerability called a zero-day bug within the shared printer peer-to-peer network in Windows.

Stuxnet embeds everything it needs to infect a system; since it could not relay on a system to have outside connection to the Internet.

How does it spread to other systems and the internet? Export 15/16

The Stuxnet Architecture consists of a large .dll file that contains many different exports and resources and two encrypted configuration blocks.

When the threat is executed, the wrapper extracts the .dll file from the stub section and maps it into memory. Each export from this .dll file has a different purpose in controlling the threat as outlined in the table.

DLL Export List from Stuxnet

Injection Technique:

When the Stuxnet export is called, it typically injects the entire DLL into another process and then just calls the particular export. The processes are a set of Windows security based products that Stuxnet literally takes over. I have seen only one other virus that goes after an anti-virus package, and that virus was targeted only at a Symantec application.The Stuxnet virus goes after the top anti-virus programs on the market.

Example of Security Products it injects itself into:

Mcafee (Mcshield.exe)

AnitVir (avguard.exe)

Etrust (UmxCfg.exe)

F-Secure(fsdfwd.exe)

Symantec Common Client (ccSvcHst.exe)

Trend Pc-Cillin (tmpproxy.exe)

Stuxnet also searched the Windows registry files for McAfee and Trend PcCillin and other security product process.

Export 15:

Export 15 is the first Stuxnet process called when the .dll file is loaded. It checks to make sure the virus

is running and is compatible with whatever version of windows it’s running on.

Flow chart of how Stuxnet Infects a system when export 15 is activated

List of Windows versions Stuxnet checks for before exporting

Win2K

WinXP

Windows 2003

Vista

Windows Server 2008

Windows 7

Windows Serve 2008 R2 

Stuxnet checks to see if it has administration rights, because it wants to run with the highest level of

privileges it can get. If it does not have the administration rights. It executes one of the two zero-day

escalation of privilege attacks to see if it can acquire the administration rights.

What makes this virus so dangerous and unique?

The use of previously unknown security holes (known in the trade as “Zero-Day vulnerabilities”), is not

that unusual for a virus to take advantage of one security hole. But Stuxnet exploits four entirely different

ones in order to worm its way into a system. This is very unique for a virus! 

Normally, anyone who discovers a new zero-day exploit can sell it on the hacker networks for real money.

So whoever created the Stuxnet virus was willing to pay handsomely to the hacker or hackers who found

the exploit. Furthermore, it would take a team of experts on different platforms and systems to take

advantage of the bugs, once they acquired them. This leads a lot experts to think it was and organized

team backed with government money. 

After Stuxnet gains the administration rights it needs. It would call Export 16. 

Export 16

Export 16 is the main installer for the virus. It decrypts, and creates and installs the rootkit files and

registry keys it needs to operate. (I will explain what a rootkit is shortly). 

It injects itself into the Step7 process to infect all Step 7 projects; sets up the global mutexes that are

used to communicate between different components; and connects to the RPC server.

Main process flow chart of Stuxnet to infect all Step 7 projects

What is Step 7

Step 7 is a single software framework for all your automation tasks within the Siemens software package

running WinCC applications. It’s how you program a programmable logic controller device (PLC). It provides the

engineering software framework that makes it easier for you to configure devices and networks through

straightforward workflows and an intuitive user interface. It lets you drag and drop objects onto the screen and

link them together building relationships between the objects and processes you want to run. It’s like working

with a very sophisticated version of Microsoft Visio with a very advanced design engine build around the C++

language platform.

Stuxnet communicates between different components via global mutexes - (mutexes or Mutual

exclusion executable programs (often abbreviated to mutex) algorithms are used in concurrent programming to

avoid the simultaneous use of a common resource, such as a global variable, by pieces of computer code called

critical sections) Stuxnet tries to create such a global mutex but first it will use “SetSecurityDescriptorDaci” for

Windows XP computers or “SetSecurityDescriptorSaci” API for computers running Windows Vista to reduce

the integrity levels of objects, and thus ensure no write actions are denied.

There are a couple of other infection routines it does by injecting the payload .dll file into the

services.exe process and calling export 32. But the main ones are the export 15 and 16. The other Zero-day

vulnerability is in win32k.sys file which local privilege escalation happens. This has since been patched as of

October 12, 2010 by Microsoft.

Statistics on the number of Infections

The data sent back to servers running the Siemens DIMATIC Step 7 industrial control software which includes internal and external IP addresses. Statistics of Infections by Country

As you can see by all 3 graphsthat Iran, Indonesia, and Indiahave been the hardness hit by this virus

Digital Certificates

The Stuxnet virus uses two stolen digital certificates to spoof its identity over the Internet. This is a grave risk for managers because everyone is starting to use them from the Banking Industry to E-Commerce transactions. One of the digital certificates the Stuxnet virus used was from Realtek. It was finally revoked on July 16, 2010. Another digital certificate was compromised from JMicron which is in the process of being revoked.

Rootkits Functionality – What is a RootKit? The Rootkits uses a cloaking technology or techniques whereby it attempts to hide its presence from spyware blockers, anti-virus, and system management utilities. It gives Stuxnet the ability to hide copies of its files on removable drives. It also prevents the removable drive from noticing it’s infected. What is even more interesting is that it prevents those users from realizing the recently inserted removable drive was the source of the infection….very cool!

The Stuxnet virus sets up a rootkit on any removable drive or flash device it encounters. Stuxnet using Export 16 extracts itself as an MrxNet.sys file and the driver is registered as a service creating the following registry entry: 

HKEY_LOCAL_MACHNE\SYSTEM\CurrentControlSet\Services\MRxNet\”ImagePath”= “%System%\drivers\mrxnet.sys”

 The driver is digitally signed with the Realtek digital certificate, which is now revoked as of July, 16 2010 by VeriSign. The driver scanned the following file-systems driver objects: 

*\FileSystem\ntfs*\FileSystem\fastfat*\FileSystem\cdfs

 

A new device object is created by Stuxnet and attached to the device chain for each device object managed by these driver type objects. The MrxNet.sys driver will manage this driver object by inserting such objects into their process flows. Stuxnet is able to intercept IRP request (example: writes/reads, to devices like VTFS, FAT or CD-ROM devices). Furthermore, once infected, the rootkit helps hide these processes and so making it extremely difficult to remove, often requiring a full disk reformat. The rootkits needs administration rights in order to download and install. That is why one of the first things that this virus does is to invoke a zero-day exploit. In a lot of way most users give Stuxnet a helping hand in this process because the way Windows is installed - its default setting is to give the user – super user privileges. The virus knows of this default and takes full advantage of it. This is something a risk manager should plan for in any risk assessment.

The different types of Rootkits Persistent Rootkits: A persistent Rootkit is malware that activates each time the system boots.

Memory-Based Rootkits: Memory-based Rootkits are malware that have no persistent code and therefore does not survive a reboot of a system.

User-mode Rootkits: This one attempts to evade detection by intercepting all calls to the Windows FindFirstFile/FindNextFile APIs, which programs like Windows Explorer use to find files. It intercepts and modifies the output results returned from Explorer to remove entries that a Rootkit exists on your system.

Kernel-mode Rootkits: Kernel-mode Rootkits can be even more powerful. Since, not only can they intercept the native API in kernel-mode, like the user-mode rootkit above, but they can also directly manipulate kernel-mode data structures. They can spoof the Task Manager and Explorer and are extremely hard to find. This one is the most likely rootkit type used with the Stuxnet virus.

When you look at other things that Stuxnet does with reading and writing files. There is a very interesting path that is created. (Reference the section: Political hacking, vs. the "Normal" types) – Export 16 read/write process.

Using the McCumber Cube Methodology

The McCumber Cube methodology requires the security practitioner to decompose the elements of the IT

system into three primary information states – Transmission, storage and processing. The Stuxnet virus

clearly goes through each of these states in how it first transmits and exports its code into other systems.

Then sit’s

in storage waiting for the Step 7 software, or Windows processes to activate it and start to corrupt a given

system.  

You will notice in reading about the major security vendors like Cisco, Juniper or Symantec have NOT claimed

that their product is the Stuxnet-killer. They know Stuxnet is a very complex worm with no single solution. This

means, that any risk managers will have to attack this virus using a host of different methods in order to first

find the virus, and then to delete it off the device or server it has infected.

Transmission: The Stuxnet transmits or propagates using three completely different transmission

mechanisms:

1. Via infected Removable USB Drives;2. Via Local Area Network communications and 3. Via infected Siemens project files

If one was to look at the information flow, as per examples in the McCumber Cube to determine the

information state and location within a given system. You would have to look at each of these transmission

methods and map out their vulnerabilities using the information already discussed, which would include the

technical, procedural, and the human factors that help this bug get around.

McCumber Cube: continued – Transmission Vulnerabilities.

 1. It infects computers via removable USB flash drives (even when autorun is disabled) via a previously undiscovered shortcut (i.e. *.lnk files) vulnerability.

2. For versions of Stuxnet created prior to March 2010, it spread via removable USB flash drives using an autorun-based exploit rather than the *.lnk file exploit.

3. It spreads over local area networks to computers with network shares by enumerating all user accounts of the computer and the domain. It then tries all available network resources in order to copy itself and execute on the remote share, thereby infecting the remote computer.

4. It spreads over local area networks to computers offering print sharing via a Windows Print Spooler Zero-Day vulnerability.

5. It spreads over local area networks via the Windows Server Service Vulnerability.

6. It infects computers running Siemens WinCC software by using Siemens “internal” system passwords (i.e. passwords that cannot be changed) to log into the SQL server, transferring a version of the worm and then executing it locally.

7. It Propagates by copying itself to any discovered Siemens STEP 7 projects (*.S7P, *.MCP and *.TMP files) and then auto-executing whenever the user opens the infected project.

There is a number of mitigation strategies a risk manager could use to combat this virus now that they have a list of seven of its key methods of transmission.

Furthermore, it also takes advantage of two other Windows vulnerabilities that allow escalation of privileges

(i.e. upgrading its account privileges to Administrator). It uses a special method of loading software designed

to bypass behavior blocking and host intrusion protection-type technologies. Thus hiding itself in storage till

the right processes are activated. To top it off, it detects and subverts most major anti-virus programs,

loading itself into the anti-virus process itself and then executing as part of the AV product.

Storage: When you go about determining the other information states and mapping their flows relating to

storage. This virus is deadly and could if redesigned to go after other systems which would be a nightmare to

system administrators and risk managers alike. This virus can hide itself in storage, and intercept calls to and

from anti-virus programs, waiting for the right process to activate in Windows. There is only a few products

on the market that can detect rootkits, like the RootKitRevealer or the Sysinternals suite software

package, but there are not guarantees with this virus.

This virus takes full advantage of the more advanced Rootkit clocking technology, because it

not only hides its existence, but its trail on how it came to be on that system. Once it infects a system. The

only way to really get it off is to reformat the hard-drive and reinstall the software. If you don’t reformat the

drive this virus can store itself in the file allocation system of Windows waiting for the right process to start

so it can re-infect the system.

McCumber Cube: continued – Storage.

McCumber Cube: continued – Processing.

Processing: One of the key attributes of the computer systems is that they automatically process information. In

the case of the Stuxnet virus it uses the computers own programs to help it process and propagate. A key

element of the McCumber Cube is the mapping of information flow and defining the boundaries of a systems in

question. But this can be very difficult with this type of virus because it does not rely on any one method to infect

a system. You would not only have to map out the systems operating software, but all the applications on any

given system to find the boundaries that this virus might uses to spread.

Moreover, as outlined earlier the Stuxnet virus exploits a number of zero-day vulnerabilities within

windows and Step 7 software products. These systems have shown in the past to have many vulnerabilities not

yet discovered, and the makers of this virus have shown that if needed, they will go to outside resources;

meaning other hackers to acquire new zero-day exploits. The research is not conclusive on this question, but all

the techniques this virus uses leads one to this conclusion.

Define the BoundariesMcCumber methodology is not founded on an educated guess of attackers profiles. All sound security analysis is based on understanding and protecting the assets requiring protection, because new vulnerabilities of attack are always coming forth and being tried by hackers. Make an inventory of all IT ResourceOnce you have identified the extent of your parameters, you need to work within its confines to identify the various technology resources and components that transmit, store, and process the data used by any new threat. Decompose and identify each information states.Keep up-to-date on known security vulnerabilities for the types of components and software currently running on your systems.

Risk Matrix

With 120 countries now in the cyber arms race, intelligence agencies around the world are working to

assess their offensive and defensive cyber capabilities. Developing cyber weapons does not require the massive

infrastructure usually associated with conventional arms. A couple of PCs and a few smart programmers and you

have all you need to create a cyber weapon. But when it comes to the Stuxnet virus which is a very sophisticated

piece of programming, it took a team of skilled programmers who specialized in different types of technology in

order to get it all to work together.

 Political Hacking, vs. “Normal types"  

Some of the more political aspect of the virus is that it encompasses some interesting dates that fall on times that could only be associated with events in Iran. The export 16 first checks the configuration data is valid, after that it checks the value “NTVDM TRACE” in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation If this value equals to 19790509 the threat will exit. It just so happens that on May 9,1979 “Habib Elghanian” was executed by a firing squad in Tehran sending shock waves through the close knit Iranian Jewish community. This prompted a mass exodus of some 100,000 members of the Jewish community in Iran. This just could be an arbitrary date, or birth date or something else, but it does raise some interesting questions as to who might have created this virus.

Export 16 read/write process:

When Stuxnet active’s the Export 16 process and creates the MrxNet.sys file so it can read and write files to different locations on removable drives. It creates a driver path for the project. The path that it sets up has some very political overtones; because this is the path it creates. Path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb Guavas are plants in the myrtle (myrtus) family genus. The string can be interpreted to mean, “MyRTUs”. RTU stand for remote terminal unit and are similar to a PLC and, in some environments, used as a synonym for PLCs.  In addition, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire.

But like anything you read in Wikipedia. It could be true or it could be false?

It looks like Israel is the most likely source for the virus which brings up some critical issues that

could affect other nations. If Israeli cyber-warriors from Unit 820 or the Mossad created Stuxnet, it then

becomes what some might call state sponsored cyber terrorism. Furthermore, what’s to stop other hackers or

even Islamist hackers from improving on the virus and turning its focus on Israel or one of the U.S’s production

facilities.

In the last couple of years the Dept of Defense has been hit with some major hacks to the DOD

server network and a lot of people suspect the Chinese behind these attacks. What’s to stop the Chinese from

improving on the Stuxnet and using it against Taiwan, Pakistan, or India to name a few.  

When you look into the Stuxnet virus it appears to be designed to go after the centrifuges and

programmable logic controllers at the Natanz plant that houses the many centrifuges used in the production of

nuclear material in Iran. But even thou this might have been the key target for the virus. Its structure and

design techniques could be used to attack industrial plants around the world, and cause chaos in more

interconnect countries, like the United States.

The U.S. industrial infrastructure has already shown it can be hacked!, In addition the way the

Internet is designed; it’s a perfect medium for the job. Furthermore, we have not spend any money on

upgrading our electrical or power planet grids for some thirty years now. A virus like Stuxnet could cripple our

power grid in ways that could take us weeks to recover.

 Risk Management and the Future  

 Conclusions  

In my analysis of the Stuxnet virus and how it relates to risk management. In order to secure any system from

this type of virus you will need a multi-tier approach, because no one solution can stop it. Moreover, given the fact that it uses

technology to even hide it existence on a system. You will have to design a risk program that not only looks at internal

processes, but processes after they have interacted with an infected system.

Furthermore, this virus targets your key anti-virus programs, so you will have to design a mitigation strategy

around this fact, because I don’t know of any system administrator who buys all of the anti-virus programs on the market

to runs on his or her servers. So the plan should not only be multi-tier, but multi-layered which would not only include server

and software logging, but also using a more statistical approach of sampling systems at random. This could be the only way to

find a virus like Stuxnet or it future incarnation. This sampling process could be set-up based on a number of different patterns;

from the number of users on your system, the number of IP addresses, the traffic around a given network node, or people

hitting you outer parameter firewalls.

. In addition, have a comprehensive backup system In place with ghost copies of your key applications ready to

go at any given time, because with a virus like the Stuxnet and others to follow. The only sure way to get rid of it will be

to reformat the hard-drive. Most IT managers will have backup ghost copies of a given system, but given the current nature

of N-tier software design being build into the more sophisticated programs. These object based methodologies rely on a

number of different servers, and services in order to function across a server farm. This could make your backup

plans quit complex if not mapped out with system inter-dependability in mind. This also means having a great change

management policy build into any risk management plan. The last thing for any modern plan of today must include IT training

for your staff. A well trained IT person will be able to think on his or her feet, and in the cyber-war to come.

This might be the only contingency plan that survives the first attack on your network.

 References  

Richard Falkenrath (Stuxnet and the United States) A Bloomberg interview http://www.richardsilverstein.com/tikun_olam/2010/09/26/bush-counter-terror-official-on-stuxnet-israel-likely-did-it

WILLIAM J. BROAD, JOHN MARKOFF & DAVID E. SANGER (Israeli Test on Worm Called Crucial in Iran Nuclear Delay) The New York Times http://www.standwithus.com/app/inews/view_n.asp?ID=1728

Eric Byres (No Silver Bullet for Stuxnet / Siemens WinCC Malware - White Paper) http://www.tofinosecurity.com/blog/no-silver-bullet-stuxnet-siemens-wincc-malware-white-paper

Jarrad Shearer: Symantec (Stuxnet Security Response) http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

David Hatchell: McAfee (Stuxnet-A View From an Energy Perspective) http://blogs.mcafee.com/enterprise/critical-infrastructure-protection/stuxnet-a-view-from-an-energy-perspective

McCumber John(1956). Document Type: Book. Assessing and Managing Security Risk in IT Systems – A Structured Methodology Auerbach Publications: www.auerach-publications.com

Daniel M. Kammen and David M. Hassenzahl. Document Type Book. Should We Risk It? Exploring Environmental, Health, and Technological Problem Solving. Princeton University Press (copyright 1999)

Wikipedia: The Free Encyclopedia        http://en.wikipedia.org/wiki/Stuxnet

Lance Westberg