4 replies to this topic

[iamlost]

I spent a most interesting couple of hours reading W32.Stuxnet Dossier v1.0, pdf file: 2.5MB by Nicolas Falliere, Liam O Murchu, and Eric Chien of Symantec, 30-September-2010.
From the Introduction:

W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities.
...
Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.

Perhaps the most complex worm ever written.

Stuxnet contains many features such as:
* Self-replicates through removable drives exploiting a vulnerability allowing auto-execution.
Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)

* Spreads in a LAN through a vulnerability in the Windows Print Spooler.
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)

* Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

* Copies and executes itself on remote computers through network shares.

* Copies and executes itself on remote computers running a WinCC database server.

* Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.

* Updates itself through a peer-to-peer mechanism within a LAN.

* Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.

* Contacts a command and control server that allows the hacker to download and execute code, including updated versions.

* Contains a Windows rootkit that hide its binaries.

* Attempts to bypass security products.

* Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.

* Hides modified code on PLCs, essentially a rootkit for PLCs.

Industrial sabatoge at the n-th level.
Besides the technical complexity, which is astounding, is that something can be so carefully aimed yet leave precisely which controller(s) were the target a mystery; the creators an enigma: theorised to be at least six experts working a minimum of six months.

The current media finger pointing (Iran nuclear facilities by Israel or USA) all based on one man's guess with all his cautions ignored. Regardless, a technical masterpiece of the black art of computer infection.

[A.N.Onym]

iamlost, I can't wait to be so relaxed to actually enjoy spending 2-3 hours on reading a paper on a virus analysis

I too get an impression that this is a very, very elaborate job and this is practically what everyone is saying on TV.

Our resident antivirus hero, Mr. Kaspersky, guesstimates that
- the attack was done by a government to sabotage the works, since it doesn't steal anything or send spam, but the creators had intimate knowledge of industry/manufacturing software of plants, airports and even military bases worldwide
- it was just a prototype of a cyberweapon
- we are entering the race of cyberweapons.

The report doesn't even attempt to guess who the attacker was, however - this is what surprises me, since Symantec have so much data to try to guess/identify this.

iamlost, do you know any reliable source, who has tried to guess who the attacker was?

P.S. What strucks me is that the report says the industrial complexes are often controlled by unconnected Windows machines. Seriously, people rely on this virus-prone bugware to run factories? I'm stunned - they surely should've seen it coming, since viruses can jump from flashdrives in no time.

Edited by A.N.Onym, 08 October 2010 - 04:53 AM.

[jonbey]

One day they will win the the Internet all computers will die. Stuff folk lore and movies are made of. We need a hero.

[iamlost]

Yura,

There are several ways that malware is pinned on a responsible party, i.e.:
* the idjit signs it or otherwise self-identifies.
* the code or mindset is identified via similarities to prior art.
* inadvertent identifiers left behind, i.e. debugging comments.
* tracing back infection spread routes.
etc.

Stuxnet is unusual, not only in it's complexity, but in the lack of typical origin pointers.
* it may have been quietly spreading for a year before it was originally detected. Time has likely obliterated original infections.

* several experts have commented on how clean the code is. A couple have suggested that there was a deliberate effort not to leave identifiers behind.

The bolded (my emphasis) part in the following quote from the Symantec pdf is a cited basis for the Israel involvement.

In the driver file, the project path b:\myrtus\src\objfre_w2k_x86\i386 \guava.pdb was not removed.
Guavas are plants in the myrtle (myrtus) family genus. In addition, according to Wikipedia, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire...The Jews went on to kill only their would-be executioners.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.

The caution in the last sentence seems reasonable as that is the only (public) 'identifier' left by the coders. Accident or deliberate misdirection? Or double bluff? Given the rest of the complexity involved why not here as well...

Ralph Langner is the German security researcher whose words caused mainstream media to go bonkers - and forget the 'highly speculative' heading to his blog entry:

Ralph's theory -- completely speculative from here

It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/N...in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half year before scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.

Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Than, on the other hand, probably not. Check who comissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company too doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (removed web address) that tries to download stuff from a malware site that had been shut down more than two years ago (removed web address). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.

Note: bold emphasis mine.

Let's get back to plan A, a.k.a. Stuxnet, or operation Myrtus. The main factors to analyze who is behind it are, as always, motivation and capability. Determining who has the motivation to cripple Iran's nuclear program is not a big deal. Israel, for sure. Then look at the 5+1 talks on Iranian nukes that are going on. The US can be found here, too.

Now let's look at the second factor, capability. Some of the different pieces of Stuxnet could be developed by many. Many actors are able to steal digital certificates, or to buy these on the black market. Few actors are able to figure out the four zero-days vulnerabilities and to combine that with the peer-to-peer update functionality. The most telling part, however, is Stuxnet's digital warhead, the PLC code injections.

When Ralph told a reporter from BBC Worldwide that presently, perhaps ten people on the globe would be able to invent and implement this attack vector, and three of them could be found in Langner's office, the reporter was smart enough to ask: Did you do it? No, we didn't. But the guy got the point here. Anyone who is interested in determining the forces behind Stuxnet has a good chance of success in following this trace.

As another hint, as far as our experience and crystal ball goes, neither Israel nor the US presently have this capability. If you are a movie buff, think about that old black & white movie with Orson Welles, The third man. 'There was a third man.' But his name is not Harry Lime.

Something that is surprisingly hard to nail down is actual infections. There are three input sources:
1. the various AV companies.
Unfortunately their customer numbers per country will vary greatly. Unless you can pool several major vendors data including market share in each country the margin of error will be substantial.

In studying this from the outside comes the further complications that no two companies release data in the same format or the data logic may be unclear.

2. Stuxnet's callbacks to it's two (known) command and control (C&C) servers.
Unfortunately we only know about those after discovery, perhaps an entire year after. We may only be seeing escallating remnants long after real target attacked.

3. self-identification by infected organisations (highly variable and unreliable).

For instance Symantec released infection numbers are based on the traffic to the Stuxnet command and control servers since 20-July-2010.
* by geographic location of infection:
Iran 58.85%, Indonesia 18.22%, India 8.31%, Azerbaijan 2.57%, USA 1.56%, Pakistan 1.28%, Others 9.20%.

* by percentage of infected Hosts with Siemens software installed:
Iran: 67.6%, South Korea 8.1%, USA 4.98%, UK 2.18%, Indonesia 2.18%, Taiwan 1.56%, India 1.25%, Others 12.15%.

Kaspersky released numbers based on infected clients in each country.
Note: I calculated percentages for easier comparisons.
India 49%, Indonesia 19.39%, Iran 8.05%, Russia 4.49%, Kazakhstan 3.59%, Afghanistan 1.75%, Syria 1.66%, Uzbekistan 1.6%, Pakistan 1.57%, Azerbaijan 1.46%, Bangladesh 1.41%, Others 6.03%.

You will notice quite a difference in the data sets. And no mention of what number of these clients have Siemens software installed.

One interesting stat from Kaspersky is the rate of change comparing September to July:
* Afghanistan: -55%
* Azerbaijan: -73%
* Bangladesh: +370% (in comparison with August)
* India: -5%
* Indonesia: -41%
* Iran: -75%
* Iraq: +35%
* Kazakhstan: +1711%
* Russia: +308%
* Pakistan: +2%
* Syria: +47%
* Uzbekistan: -37%

Some final words from the Symantec pdf:

Analyzing the different types of samples Symantec has observed to date has shed some light on how long this threat has been under development and/or in use. The development of the threat dates back to at least June of 2009. The threat has been under continued development as the authors added additional components, encryp-
tion, and exploits. The amount of components and code used is very large. Inaddition to this the authors ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is not a teenage hacker coding in his bedroom type operation.

Stuxnet represents the first of many milestones in malicious code history – it is the first to exploit four 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator. Whether Stuxnet will usher in a new generation of malicious code attacks towards real-world infrastructure - overshadowing the vast majority of current attacks affecting more virtual or individual assets - or if it is a once- in-a-decade occurrence remains to be seen.

Stuxnet is of such great complexity - requiring significant resources to develop - that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar in sophistication to suddenly appear. However, Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.

The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.

So we have just had a tiny taste of what cyberwar might look like. We are fortunate that this attack actually has done very little, surprisingly little actual damage.

[A.N.Onym]

The small amount of damage has surprised me as well. Maybe we don't really know what it has done to access the damage or the actual event hasn't happened yet?

It'd be really bold to call this attack a practice session: I'd actually expect more damage from such an elaborated thread.

Edited by A.N.Onym, 09 October 2010 - 04:41 AM.