SC Magazine Australia/NZ | Cybercrime

Analysis: Stuxnet dissected

By Brett Winterford, Feb 23, 2011 11:02 PM

Tags: stuxnet | symantec | security response | Iran nuclear program | Siemens | SCADA (supervisory control and data acquisition) | centrifuge | LNK vulnerability | zero-day exploit | Autorun vulnerability | S7-315 | S7-417

How one of the world's most complex cyber attacks crippled Iran's nuclear programme.

So how did Stuxnet do the damage? Hogan believes the team has a fairly accurate idea of how Stuxnet succeeded.

1. Getting inside

Even the most sophisticated virus in the world would have trouble infecting machines that aren't connected to the internet. The computers connected to the enrichment program's industrial control systems are air-gapped - that is, not connected to the internet or other insecure networks.
Hogan can only guess that a degree of social engineering would have been required to convince an operator or engineer who worked at the plant to introduce data from external media (such as a USB key) that was infected with the virus.

"In our experience in cases like this, the target organisation is usually being attacked through an intermediary like an outsourced partner," Hogan said.

These intermediaries might have offered skilled labour, technology outsourcing, and any number of other services to the program. Engineers often used ruggedised laptops, he said, that are taken off-site for new instruction sets to be programmed and then taken into the facility to upload these new commands to the system.

Hogan suspected that the worker who infected the machines made a genuine mistake rather than a deliberate attempt at spying. The attacker may have deliberately left memory sticks lying around at the offices of the outsourced provider.

As long as one machine was infected, any network it connected to was at risk - and the worm was programmed to use these connections to seek out those devices that could do the damage.

2. Creating a backdoor

Once a USB stick or other external media was plugged in, the worm used the LNK automatic file execution vulnerability to infect the machine.
The code would be executed simply by the user looking at what contents might be on that USB stick using Internet Explorer - they would not have to click on anything.
The Stuxnet worm then used compromised security certificates from two Taiwanese
device manufacturers - JMicron and Realtek - to allow Stuxnet to run more deeply
inside the target computer.
"Someone got access to private keys of those two organisations - which curiously are
based within a few kilometres of each other," Hogan said.
Stuxnet would then log in, create an internet connection and connect to two command-and-control servers to download instructions.
3. Looking around the network
The worm also used a vulnerability in Microsoft's Windows print spooler to spread to
other devices connected to the local area network, copying itself to network shares
and executing there.
Stuxnet then created a peer-to-peer network between infected machines to efficiently
download the latest version of the virus from the command-and-control servers.
The virus also performs a check to see whether Siemens Step 7 SCADA software is
running on any devices connected to the infected machine.
If any computers with this software are found on the network, Stuxnet copies itself to
these machines and executes there, too.
4. Doing the damage
Once the virus finds machines running the Siemens software, it infects the Step 7
project files as another way to spread around the target installation.
Ultimately, Stuxnet attempts to upload its own code to the Siemens controllers -
programmable logic controllers (PLCs) that act as a hardware-software interface. In the case
of the Iranian nuclear enrichment facility, the controllers were connected to frequency
modulators that ran high-speed motors to spin the centrifuges used for nuclear
enrichment.
So Stuxnet was able to download a fresh set of commands to the controllers that
would override instruction sets.
This code instructed frequency converters on how fast the 164 motors in the
centrifuges should spin and for how long.
Stuxnet was programmed to first watch the frequency modulation for 13 days to
calculate what instructions could cause the most physical damage. Symantec
believes Stuxnet would have inserted a set of instructions to spin up the frequency
converters at 1410Hz for 15 minutes, well above the usual limit of 1064Hz.
"We assume it was spinning it up quickly to malfunction," Hogan said. "It was an
attempt to create sympathetic vibrations that would cause problems," he said,
potentially even breaking the rotors or centrifuges themselves.
Next, Stuxnet's instruction set aimed to set the frequency converters back to nominal
speed for at least 27 days, then set the speed way back down to 2Hz for some 50
minutes, before spinning back to normal speed, screaming back up to 1410Hz, and so
on and so forth.
5. Masking its tracks
In order to inflict maximum damage, Stuxnet would intercept any attempt by operators
to upload new code onto the controller chips. As new instructions are uploaded,
Stuxnet would shunt the code aside and keep its own instructions running, but present
a picture back to the operators that suggested all was running as it should be.
"If you went in and looked at the .DLL file, you would see your original code," Hogan
remarked. "Stuxnet is hiding what it is doing."
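The spin cycle in step 4 and the masked operator view in step 5 together point to one defensive check: an independent monitor on drive frequency telemetry, fed from a source other than the engineering station whose view Stuxnet falsified. The Python below is an added example, not code from the article or from Symantec; the 1064 Hz upper limit and the 1410 Hz and 2 Hz excursions come from the text, while the 800 Hz lower bound, the 1007 Hz nominal speed, the 10 s sample interval and the 60 s transient filter are assumptions made for the example.

```python
from dataclasses import dataclass

# Operating band. The 1064 Hz upper limit is the one the article cites;
# the lower bound and the transient filter are ASSUMPTIONS for this example.
MAX_HZ = 1064.0
MIN_HZ = 800.0            # assumed lower bound of normal operation
MIN_EXCURSION_S = 60      # assumed: ignore out-of-band blips shorter than this

@dataclass
class Excursion:
    start: int        # seconds since start of trace
    end: int          # time of the last out-of-band sample in the run
    peak_hz: float    # most extreme frequency seen in the run
    kind: str         # "over" (above MAX_HZ) or "under" (below MIN_HZ)

def find_excursions(samples, min_duration=MIN_EXCURSION_S):
    """samples: iterable of (t_seconds, hz), time-ordered.
    Merges consecutive out-of-band samples of the same kind into one run and
    returns the runs that last at least min_duration seconds."""
    runs, cur = [], None
    for t, hz in samples:
        kind = "over" if hz > MAX_HZ else "under" if hz < MIN_HZ else None
        if kind is None or (cur is not None and cur.kind != kind):
            if cur is not None and cur.end - cur.start >= min_duration:
                runs.append(cur)
            cur = None
        if kind is None:
            continue
        if cur is None:
            cur = Excursion(start=t, end=t, peak_hz=hz, kind=kind)
        cur.end = t
        cur.peak_hz = max(cur.peak_hz, hz) if kind == "over" else min(cur.peak_hz, hz)
    if cur is not None and cur.end - cur.start >= min_duration:
        runs.append(cur)
    return runs

def synthetic_trace():
    """Constructed telemetry, one sample every 10 s, following the cycle the
    article describes: nominal, 15 min at 1410 Hz, nominal, 50 min at 2 Hz,
    nominal. 1007 Hz is an assumed nominal speed, not a figure from the text."""
    phases = [(1007.0, 3600), (1410.0, 15 * 60), (1007.0, 3600),
              (2.0, 50 * 60), (1007.0, 600)]
    t, trace = 0, []
    for hz, secs in phases:
        for _ in range(secs // 10):
            trace.append((t, hz))
            t += 10
    return trace
```

Running `find_excursions(synthetic_trace())` reports the 15-minute 1410 Hz run and the 50-minute 2 Hz run as two separate sustained excursions, which is the signal the falsified HMI would never show.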
Best in class, and hopefully the last.
After months of pulling Stuxnet apart and documenting its ability, Hogan is convinced
it is the "first publicly known malware to intend real-world damage".
He believes the development of such a sophisticated threat "required resources
characteristic of a nation state".
Symantec has noted that the attacker would have required access to the design
schematics of the plant, to the private keys of the two Taiwanese manufacturers, and