Real world example: Stuxnet Worm

Stuxnet: Overview
• June 2010: A worm targeting Siemens WinCC industrial control system.
• Targets high speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran)
• Only when the controllers are running at 807 Hz to 1210 Hz. Makes the frequency of those controllers vary from 1410 Hz to 2 Hz to 1064 Hz.
• http://en.wikipedia.org/wiki/Stuxnet

Stuxnet Infection Statistics
• 29 September 2010, from Symantec
• Infected Hosts
Industrial Control Systems (ICS)
• ICS are operated by specialized assembly-like code on programmable logic controllers (PLCs).
• The PLCs are typically programmed from Windows computers.
• The ICS are not connected to the Internet.
• ICS usually consider availability and ease of maintenance first and security last.
• ICS consider the “air gap” as sufficient security.

Siemens SIMATIC PLCs
Nuclear Centrifuge Technology
• Uranium-235 separation efficiency is critically dependent on the centrifuges’ speed of rotation
• Separation is theoretically proportional to the peripheral speed raised to the 4th power. So any increase in peripheral speed is helpful.
• That implies you need strong tubes, but brute strength isn’t enough: centrifuge designs also run into problems with “shaking” as they pass through naturally resonant frequencies
  – “shaking” at high speed can cause catastrophic failures to occur.
  – www.fas.org/programs/ssp/nukes/fuelcycle/centrifuges/engineering.html
Conceptually Understanding “Shaking”
Video: http://www.youtube.com/watch?v=LV_UuzEznHs

Some Notes About That Video
• The natural resonant frequency for a given element is not always the “highest” speed – the “magic” frequency is dependent on a variety of factors including the length of the vibrating element and the stiffness of its material.
• While the tallest (rightmost) model exhibited resonant vibration first, the magnitude of its vibration didn’t necessarily continue to increase as the frequency was dialed up further. There was a particular value at which the vibration induced in each of the models was at its most extreme.
• Speculation: Could the frequency values used by Stuxnet have been selected to particularly target a specific family of Iranian centrifuges?
• The Iranians have admitted that *something* happened as a result of the malware.

Stuxnet and Centrifuge Problems
Achieving A Persistent Impact
• But why would Stuxnet want to make the centrifuges shake destructively? Wasn’t infecting their systems disruptive enough in and of itself? No.
• If you cause problems only in the cyber sphere, it is, at least conceptually, possible to “wipe and reload”, thereby fixing both the infected control systems and the modified programmable motor controllers at the targeted facility. Software-only, cyber-only impacts are seldom “long term” or “persistent” in nature.
• However, if the cyber attack is able to cause physical damage, such as causing thousands of centrifuges to shake themselves to pieces, or a generator to self destruct, that would take far longer to remediate.

A Dept. of Homeland Security Video, 2007
http://www.youtube.com/watch?v=fJyWngDco3g
Another Key Point: Avoiding Blowback
• Why would a nation-state adversary release such a narrowly targeted piece of malware?
• Blowback – a term borrowed from chemical warfare – an unexpected change in wind patterns can send an airborne chemical weapon drifting away from its intended enemy target and back toward friendly troops.
• While most of the Stuxnet infections took place in Iran, some infections did happen in other countries, including the U.S.
• Prudent “cyber warriors” might take all possible steps to ensure that if Stuxnet did “get away from them,” it wouldn’t wreak havoc on friendly or neutral targets.
• So now you know why Stuxnet appears to have been so narrowly tailored.
Timeline
• 2009 June: Earliest Stuxnet seen
  – Does not have signed drivers
• 2010 Jan: Stuxnet driver signed
  – With a valid certificate belonging to Realtek Semiconductors
• 2010 June: Virusblokada reports W32.Stuxnet
  – Verisign revokes Realtek certificate
• 2010 July: Anti-virus vendor Eset identifies new Stuxnet driver
  – With a valid certificate belonging to JMicron Technology Corp
• 2010 July: Siemens reports they are investigating malware on SCADA systems
  – Verisign revokes JMicron certificate
Stuxnet: Tech Overview
• Components used
  – Zero-day exploits
  – Windows rootkit
  – PLC rootkit (first ever)
  – Antivirus evasion
  – Peer-to-Peer updates
  – Signed driver with a valid certificate
• Command and control interface
• Stuxnet consists of a large .dll file
• Designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 systems.
Possible Attack Scenario (Conjecture)
• Reconnaissance
  – Each PLC is configured in a unique manner
  – Targeted ICS’s schematics needed
  – Design docs stolen by an insider?
  – Retrieved by an early version of Stuxnet
  – Stuxnet developed with the goal of sabotaging a specific set of ICS.
• Development
  – Mirrored development environment needed
    • ICS hardware
    • PLC modules
    • PLC development software
  – Estimation
    • 6+ man-years by an experienced and well funded development team
Attack Scenario (2)
• The malicious binaries need to be signed to avoid suspicion
  – Two digital certificates were compromised.
  – High probability that the digital certificates/keys were stolen from the companies’ premises.
  – Realtek and JMicron are in close proximity.
• Initial Infection
  – Stuxnet needed to be introduced to the targeted environment
    • Insider
    • Third party, such as a contractor
  – Delivery method
    • USB drive
    • Windows maintenance laptop
    • Targeted email attack
Attack Scenario (3)
• Infection Spread
  – Look for Windows computers that program the PLCs
    • The Field PGs are typically not networked
    • Spread the infection on computers on the local LAN
  – Zero-day vulnerabilities
  – Two-year old vulnerability
  – Spread to all available USB drives
  – When a USB drive is connected to the Field PG, the infection jumps to the Field PG
    • The “air gap” is thus breached
Attack Scenario (4)
• Target Infection
  – Look for specific PLC
    • Running Step 7 operating system
  – Change PLC code
    • Sabotage system
    • Hide modifications
  – Command and Control may not be possible
    • Due to the “air gap”
    • Functionality already embedded
Stuxnet Architecture: 32 Exports
1. Infect connected removable drives, starts remote procedure call (RPC) server
2. Hooks APIs for Step 7 project file infections
3. ?
4. Calls the removal routine (export 18)
5. Verifies if the threat is installed correctly
6. Verifies version information
7. Calls Export 6
8. ?
9. Updates itself from infected Step 7 projects
10. Updates itself from infected Step 7 projects
11. ?
12. ?
13. ?
14. Step 7 project file infection routine
15. Initial entry point
16. Main installation
17. Replaces Step 7 DLL
18. Uninstalls Stuxnet
19. Infects removable drives
20. ?
21. ?
22. Network propagation routines
23. ?
24. Check Internet connection
25. ?
26. ?
27. RPC Server
28. Command and control routine
29. Command and control routine
30. ?
31. Updates itself from infected Step 7 projects
32. Same as 1
Stuxnet Architecture: 15 Resources
RID  Function
201  MrxNet.sys load driver, signed by Realtek
202  DLL for Step 7 infections
203  CAB file for WinCC infections
205  Data file for Resource 201
207  Autorun version of Stuxnet
208  Step 7 replacement DLL
209  Data file (%windows%\help\winmic.js)
210  Template PE file used for injection
221  Exploits MS08-067 to spread via SMB
222  Exploits MS10-061 Print Spooler vulnerability
231  Internet connection check
240  LNK template file used to build LNK exploit
241  USB Loader DLL ~WTR4141.tmp
242  MRxnet.sys rootkit driver
250  Exploits undisclosed win32k.sys vulnerability
Bypassing Intrusion Detection
• Stuxnet calls LoadLibrary
  – With a specially crafted file name that does not exist
  – Which causes LoadLibrary to fail.
• However, W32.Stuxnet has hooked Ntdll.dll
  – To monitor specially crafted file names.
  – Mapped to a location specified by W32.Stuxnet.
  – Where a .dll file was stored by Stuxnet previously.
Code Injection
• Stuxnet used trusted Windows processes or security products
  – Lsass.exe
  – Winlogon.exe
  – Svchost.exe
  – Kaspersky KAV (avp.exe)
  – McAfee (Mcshield.exe)
  – AntiVir (avguard.exe)
  – BitDefender (bdagent.exe)
  – Etrust (UmxCfg.exe)
  – F-Secure (fsdfwd.exe)
  – Symantec (rtvscan.exe)
  – Symantec Common Client (ccSvcHst.exe)
  – Eset NOD32 (ekrn.exe)
  – Trend PC-Cillin (tmpproxy.exe)
• Stuxnet detects the version of the security product and, based on the version number, adapts its injection process
Configuration
• Stuxnet collects and stores the following information:
  – Major OS version and minor OS version
  – Flags used by Stuxnet
  – Flag specifying if the computer is part of a workgroup or domain
  – Time of infection
  – IP address of the compromised computer
  – Filename of infected project file

Installation: Control Flow

Installation: Infection routine flow
Command & Control
• Stuxnet tests if it can connect to
  – www.windowsupdate.com
  – www.msn.com
  – On port 80
• Contacts the command and control server
  – www.mypremierfutbol.com
  – www.todaysfutbol.com
  – The two URLs above previously pointed to servers in Malaysia and Denmark
  – Sends info about the compromised computer

Command & Control (2)
Command & Control payload

Part 1
Offset  Size    Meaning
0x00    byte    1, fixed value
0x01    byte    from Configuration Data
0x02    byte    OS major version
0x03    byte    OS minor version
0x04    byte    OS service pack major version
0x05    byte    size of part 1 of payload
0x06    byte    unused, 0
0x07    byte    unused, 0
0x08    dword   from C. Data
0x0C    word    unknown
0x0E    word    OS suite mask
0x10    byte    unused, 0
0x11    byte    flags
0x12    string  computer name, null-terminated
0xXX    string  domain name, null-terminated

Part 2
Offset  Size    Meaning
0x00    dword   IP address of interface 1, if any
0x04    dword   IP address of interface 2, if any
0x08    dword   IP address of interface 3, if any
0x0C    dword   from Configuration Data
0x10    byte    unused
0x11    string  copy of S7P string from C. Data (418h)
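A decoder for the two-part beacon laid out above, useful when reconstructing what an infected host would have reported from captured traffic. This is an added example, not code from the slides or from the malware analysis they cite; it assumes the byte at 0x05 is the total length of part 1 (so part 2 starts there) and that each interface address is stored as a 4-byte in_addr in network byte order. The sample beacon is constructed here, not captured.

```python
import struct
from ipaddress import IPv4Address

def _cstr(buf, off):
    """Read a NUL-terminated ASCII string; return (text, offset just past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", "replace"), end + 1

def parse_beacon(buf):
    """Decode one beacon: part 1 (host facts), then part 2 (addresses, S7P string)."""
    # Part 1: six single bytes at 0x00..0x05; 0x06 and 0x07 are unused padding.
    fixed, cfg_byte, os_major, os_minor, sp_major, size1 = struct.unpack_from("<6B", buf, 0)
    if fixed != 1:
        raise ValueError("byte 0x00 must be the fixed value 0x01")
    cfg_dword, _unknown, suite_mask = struct.unpack_from("<IHH", buf, 0x08)  # 0x10 unused
    flags = buf[0x11]
    computer, off = _cstr(buf, 0x12)
    domain, off = _cstr(buf, off)
    # Assumption: the byte at 0x05 is the total length of part 1, so part 2 begins there.
    if off != size1:
        raise ValueError("part 1 length byte disagrees with the string layout")
    p2 = buf[size1:]
    # Assumption: each interface address is an in_addr (network byte order); zero = "none".
    ips = [str(IPv4Address(p2[i:i + 4])) for i in (0, 4, 8) if p2[i:i + 4] != bytes(4)]
    (cfg_dword2,) = struct.unpack_from("<I", p2, 0x0C)  # 0x10 is unused
    s7p, _ = _cstr(p2, 0x11)
    return {"os": f"{os_major}.{os_minor} SP{sp_major}", "suite_mask": suite_mask,
            "flags": flags, "computer": computer, "domain": domain,
            "cfg": (cfg_byte, cfg_dword, cfg_dword2), "ips": ips, "s7p": s7p}

def build_beacon(os_ver, sp, suite_mask, flags, computer, domain, ips, s7p, cfg=(0, 0, 0)):
    """Constructed encoder for the same layout, used here only to produce test input."""
    strings = computer.encode() + b"\x00" + domain.encode() + b"\x00"
    size1 = 0x12 + len(strings)
    part1 = struct.pack("<6BxxIHHxB", 1, cfg[0], os_ver[0], os_ver[1], sp, size1,
                        cfg[1], 0, suite_mask, flags) + strings
    addrs = b"".join(IPv4Address(ip).packed for ip in ips).ljust(12, b"\x00")
    part2 = addrs + struct.pack("<Ix", cfg[2]) + s7p.encode() + b"\x00"
    return part1 + part2

# Constructed sample beacon (not captured traffic): a Windows 5.1 SP3 host, one interface.
SAMPLE = build_beacon((5, 1), 3, 0x0100, 0x02, "FIELDPG-01", "PLANT",
                      ["192.168.10.7"], "S7P-constructed")

if __name__ == "__main__":
    for key, val in parse_beacon(SAMPLE).items():
        print(f"{key:>10}: {val}")
```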
Windows Rootkit Functionality
• Stuxnet extracts Resource 201 as MrxNet.sys.
  – Registered as a service:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"
  – Digitally signed with a legitimate Realtek digital certificate.
• The driver then hides files that:
  – have a “.LNK” extension.
  – are named “~WTR[four numbers].TMP”,
    • the sum of the four numbers, modulo 10, is 0.
  – size between 4Kb and 8Mb;
  – Examples:
    • “Copy of Copy of Copy of Copy of Shortcut to.lnk”
    • “Copy of Shortcut to.lnk”
    • “~wtr4141.tmp”
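Because the rootkit hides these files from the infected host itself, a defender applies the same naming rules to a listing taken from a clean system (for example a removable drive mounted read-only elsewhere) to find what the driver would have concealed. This is an added example, not the slides’ or Symantec’s code; it reads the slide’s “4Kb” and “8Mb” as kilobytes and megabytes and applies the size limit to the ~WTR names, and the directory listing is constructed.

```python
import re
from typing import Iterable, List, Tuple

# Assumption: the slide's "4Kb" and "8Mb" mean 4 kilobytes and 8 megabytes.
SIZE_MIN = 4 * 1024
SIZE_MAX = 8 * 1024 * 1024
# "~WTR[four numbers].TMP"; the slide's own example is lowercase, so match either case.
WTR_NAME = re.compile(r"^~WTR(\d{4})\.TMP$", re.IGNORECASE)

def hidden_by_mrxnet(name: str, size: int) -> bool:
    """True if MrxNet.sys would hide this file under the rules listed on the slide."""
    if name.lower().endswith(".lnk"):
        return True
    m = WTR_NAME.match(name)
    if not m:
        return False
    digit_sum = sum(int(d) for d in m.group(1))
    # The four digits must sum to a multiple of 10 and the size must be in range.
    return digit_sum % 10 == 0 and SIZE_MIN <= size <= SIZE_MAX

def find_hidden(listing: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (name, size) entries a clean host sees but the rootkit would hide."""
    return [(n, s) for n, s in listing if hidden_by_mrxnet(n, s)]

# Constructed listing of a removable drive, (name, size in bytes); not real samples.
LISTING = [
    ("Copy of Shortcut to.lnk", 4_100),
    ("Copy of Copy of Copy of Copy of Shortcut to.lnk", 4_100),
    ("~wtr4141.tmp", 513_536),     # 4+1+4+1 = 10 -> hidden
    ("~WTR2035.TMP", 25_720),      # 2+0+3+5 = 10 -> hidden
    ("~WTR4142.TMP", 25_720),      # 4+1+4+2 = 11 -> not hidden
    ("~WTR4141.TMP", 1_024),       # digits match, but below 4Kb -> not hidden
    ("report.pdf", 200_000),
]

if __name__ == "__main__":
    for name, size in find_hidden(LISTING):
        print(f"would be hidden on an infected host: {name} ({size} bytes)")
```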
Propagation Methods: Network
• Peer-to-peer communication and updates
• Infecting WinCC machines via a hardcoded database server password
• Network shares
• MS10-061 Print Spooler zero-day vulnerability
• MS08-067 Windows Server Service vulnerability

Propagation Methods: USB
• LNK vulnerability (CVE-2010-2568)
• AutoRun.Inf
Modifying PLCs
• The end goal of Stuxnet is to infect specific types of PLC devices.
• PLC devices are loaded with blocks of code and data written in STL
• The compiled code is in an assembly called MC7.
  – These blocks are then run by the PLC, in order to execute, control, and monitor an industrial process.
• The original s7otbxdx.dll is responsible for handling PLC block exchange between the programming device and the PLC.
  – By replacing this .dll file with its own, Stuxnet is able to perform the following actions:
    • Monitor PLC blocks being written to and read from the PLC.
    • Infect a PLC by inserting its own blocks

Modifying PLCs
What was the target?
• 60% infections in Iran
• No other commercial gain
• Stuxnet self destruct date
• Siemens specific PLCs
• Bushehr Nuclear Plant in Iran

Who did it?
• Israel?
  – 19790509. A safe code that prevents infection
    • Where is this code already coded in the ICS?
  – May 9, 1979: Habib Elghanian was executed by a firing squad in Tehran
  – He was the first Jew and one of the first civilians to be executed by the new Islamic government
• USA?
• Russia?
• UK?
• China?
Propaganda
• Iran’s Ministry of Foreign Affairs:
  – "Western states are trying to stop Iran's (nuclear) activities by embarking on psychological warfare and aggrandizing, but Iran would by no means give up its rights by such measures,"
  – "Nothing would cause a delay in Iran's nuclear activities"
• Iran’s Minister of Intelligence
  – “Enemy spy services" were responsible for Stuxnet

Propaganda: debka.com (2)
• An alarmed Iran asks for outside help to stop Stuxnet
• Not only have their own attempts to defeat the invading worm failed, but they made matters worse:
  – The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.
• One expert said: “The Iranians have been forced to realize that they would be better off not 'irritating' the invader because it hits back with a bigger punch.”
Conclusion
• Stuxnet is a significant milestone in malicious code history
  – It is the first to exploit multiple 0-day vulnerabilities.
  – Used two (compromised) digital certificates.
  – Injected code into industrial control systems.
  – Hid the code from the operator.
• Stuxnet is of great complexity
  – Requiring significant resources to develop
• Stuxnet has highlighted that direct attacks on critical infrastructure are possible.
References
• Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier”, February 2011, Symantec.com
• Ralph Langner, “Cracking Stuxnet, a 21st-century cyber weapon”, http://www.ted.com/, Mar 31, 2011.
• Eric Byres, Andrew Ginter and Joel Langill, “Stuxnet Report: A System Attack”, a five part series, www.isssource.com/stuxnet-report-a-system-attack/, March 2011
• “Cyber War, Cyber Terrorism and Cyber Espionage,” http://pages.uoregon.edu/joe/cyberwar/cyberwar.ppt
• ACK: Many sources on the web. I (pmateti@wright.edu) merely assembled the slides. May 2011.