v1.4, February 2011, Symantec
(Nicolas Falliere, Liam O Murchu, and Eric Chien)
In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes 4 zero-day exploits, a Windows rootkit, the first ever PLC [Programmable Logic Controller] rootkit, [compromise 2 digital certificates] antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. We take a look at each of the different components of Stuxnet to understand how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting and relevant part of the threat.
Stuxnet contains many features such as:
• Self-replicates through removable drives exploiting a vulnerability allowing auto-execution. "Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732) CVE-2010-2568"
• Spreads in a LAN through a vulnerability in the Windows Print Spooler. "Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073) CVE-2010-2729"
• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), CVE-2008-4250
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Step 7 projects [ Siemens SIMATIC Step 7 industrial control software] in such a way that it automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
• Contains a Windows rootkit that hide its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system (ICS) and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for PLCs.
Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report - update Feb 15, 2011
(David Albright, Paul Brannan, and Christina Walrond)
In the December 22, 2010 ISIS [Institute for Science and International Security] report on Stuxnet, ISIS found that this malware contained important evidence indicating that its target was the IR-1 centrifuges at the Fuel Enrichment Plant (FEP) at Natanz. ISIS focused on the attack sequences generated by a Siemens S7-315 programmable logic controller (PLC) connected to frequency converters of a particular type. The ISIS analysis centered on the rotational frequencies listed in these detailed attack sequences. These frequencies matched, in two cases identically, key frequencies characteristic of the IR-1 centrifuge at the FEP.
A further analysis of another attack sequence has revealed that this code contains a description of what appears to be an exact copy of the IR-1 cascade at the FEP. The attack is titled “Sequence C” by Symantec, the computer security company that has conducted the most thorough and reliable open analysis of the malware’s code, or “417 code” after the advanced Siemens S7-417 programmable logic controller that Stuxnet targets. However, the 417 code is not activated and thus unable to launch an attack. Moreover, key data is missing from the code available to Symantec that would define exactly what is affected or sabotaged. Symantec has assessed that the 417 code is likely unfinished, perhaps a work in progress.
Additional analysis also lends more support to the conclusion that the Stuxnet malware is aimed principally at centrifuges, not manipulating parameters of the centrifuge cascades so as to lower the production low enriched uranium (LEU) on a sustained basis. To date, Stuxnet is known to have had at least one attack. It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site. The effect of this attack was significant. It rattled the Iranians, who were unlikely to know what caused the breakage, delayed the expected expansion of the plant, and further consumed a limited supply of centrifuges to replace those destroyed. Nonetheless, Iran took steps in the aftermath of the attack that likely reduced further damage by Stuxnet, principally shutting down many centrifuge cascades for months. The shutdown lasted long enough for the malware to be discovered publicly, which time Iran could have found Stuxnet on the Natanz control systems.
New Finding: Evidence of Targeting Natanz in Sequence C or 417 Code
Soon after the publication of the ISIS December 22 report, Ralph Langner, a German security expert, contacted ISIS after noticing that each of the Natanz centrifuge cascades contained 164 centrifuges. He said that the 417 code, or sequence C, is grouped in six arrays of 164 units each, perhaps representing six cascades, each with 164 centrifuges.
Based on Symantec’s analysis of this array, ISIS discovered that this array is identical to an IR-1 centrifuge cascade at the FEP. This evidence is perhaps the strongest evidence that Stuxnet is aimed at Natanz.
But with key data missing, one can only speculate about what the 417 code aims to sabotage. According to Symantec, the data sent to the cascades appear more aimed at flipping a series of on/off values rather than sending a packet of commands like the 315 code sends to frequency converters.