The Stuxnet worm (continued)

Date: October 11, 2010

Publication: Article

Since the publication last month of our first article on the Stuxnet worm, important discoveries have been made about this worm. We cover these new findings in this article.

Notes:

  • The technical elements described in our previous article are still valid (they have not been contradicted by the new analysis results). We do not describe them again here.
  • This article is based on the report published by Symantec on Stuxnet (see [1]).

The discoveries made about Stuxnet in September 2010 can be summarized in two points:

  • Stuxnet was designed as a "cyber-weapon" to target a specific industrial plant. This is technically proven and we explain that point below. However, it is not possible to determine exactly which industrial plant was actually the target of the attack.
  • Several sources have speculated that Stuxnet was designed by the Israeli intelligence services to damage Iran's nuclear sites. This hypothesis is unverifiable. It rests on a single tangible item: Symantec shows (see [1]) that the vast majority of infections occurred in Iran (60% of infected machines). Other arguments have also been put forward to try to link Stuxnet to Israel (dates and strings found in the code), but none of them seems really credible.

 

Is Stuxnet a cyber-weapon?

The technical analysis published by Symantec in late September 2010 (see [1]) shows that Stuxnet was designed to spread from machine to machine in search of PCs connected to specific industrial equipment (PLCs: Programmable Logic Controllers).

  • The main (and initial) infection vector is the transmission of the Stuxnet malware via USB devices: if an infected USB device is inserted into a clean PC and later browsed with Windows Explorer, the infection of that PC is triggered. This is due either to a malicious "Autorun.inf" file present on the USB device (for the older variants of Stuxnet) or to the use of the "LNK" Windows vulnerability (MS10-046, CERT-IST/AV-2010.313 advisory) for the variants found in June 2010.
  • Once a PC has been infected, Stuxnet can then spread from PC to PC via various vectors:
    • the "Print Spooler" vulnerability in Windows (MS10-061, CERT-IST/AV-2010.412 advisory),
    • the "Conficker" vulnerability (Bulletin MS08-067, CERT-IST/AV-2008.460 advisory),
    • remote shared disks (or administrative shares such as "C$") on which the infected PC has the right to drop files,
    • any remote computer which runs the Siemens WinCC software and uses the same WinCC database as the infected PC,
    • any other PC on which an S7P project taken from the infected PC is opened with the Siemens Step7 software.

These propagation vectors give Stuxnet the opportunity to infect new PCs which, most probably, are located in the same environment (same LAN or same factory) as the first infected PC. They should not result in a massive propagation of the worm on the Internet. However, according to Symantec, there were around 100,000 infected machines (distinct IP addresses) in the world. This shows that, by combining all the vectors, Stuxnet spread much more widely than initially thought.

Note: The following elements should be considered when looking at these figures:

  • For the infamous Conficker worm, F-Secure estimated the number of infected machines at 9 million in 2009. The spread of Stuxnet is thus much smaller than Conficker's.
  • It is possible that Stuxnet had spread silently for several months before it was discovered.

 

When Stuxnet infects a PC on which the Siemens Step7 software is present, it looks at the industrial equipment (PLCs) connected to this PC. If it finds a device of a particular model (from a list of 2 models hardcoded in the malware), it changes the code installed on this equipment and makes the change invisible to the legitimate users. The exact impact of this change is not known. Symantec explains in its report that:

  • It is not possible to determine this impact without getting access to the exact industrial equipment targeted by Stuxnet.
  • The code Stuxnet installs on the targeted industrial equipment interacts with the industrial bus (the "Profibus" media) which connects it to other equipment on the industrial platform.
  • The equipment targeted by Stuxnet could be turbines, pumps, centrifuges, etc.

 

The attack description above shows that Stuxnet behaves like a self-guided missile that seeks its target (the specific industrial equipment) and then disrupts it. The exact consequence of the "disruption" is not known: does it destroy physical components? Does it merely degrade the equipment's performance? Something else?

 

Should we care about it?

Stuxnet is considered the most sophisticated malicious code discovered up to now. Symantec said that it is a project that probably required the work of 5 to 10 developers for 6 months. It is probably a targeted attack against a specific industrial site, and the owner of this site has probably already seen the damage caused by Stuxnet. At first glance, this could be seen as good news for all the other industrial sites, which consequently are not directly targeted by Stuxnet.

Unfortunately Stuxnet is definitely a real threat for any industrial site because:

  • First, it demonstrates that attacks against industrial infrastructures are truly possible and could be very destructive. Stuxnet will undoubtedly be a model for other (future) attacks.
  • Even if Stuxnet was targeting a specific site, it also infected, as a "collateral effect", almost 100,000 other sites, most of which have nothing to do with the intended target. Will Stuxnet be completely harmless for these collateral victims? Or is it possible that other industrial sites will also be attacked by mistake by Stuxnet? Unfortunately, the answer to that question is probably "yes". The Stuxnet code contains deadlines that make it stop using the MS10-061 vulnerability after 01-Jun-2011 and stop infecting systems after 24-Jun-2012. But until then, Stuxnet can continue to infect new systems.

 

How to protect against Stuxnet infections?

Identify the infected PCs

If the following files are present on a Windows machine, then this machine is probably infected by Stuxnet. These files are visible directly with the Windows file explorer (they are not hidden by Stuxnet).

  WINDOWS/system32/drivers/mrxcls.sys
  WINDOWS/system32/drivers/mrxnet.sys
  WINDOWS/inf/oem6C.PNF
  WINDOWS/inf/oem7A.PNF

If an infected machine has the Siemens WinCC or Step7 software installed, then it is necessary to involve an expert to ensure that the industrial equipment connected to that machine was not altered by Stuxnet.
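The file check described above, as an added example (not Cert-IST or Symantec code): a small Python script that looks for the four indicator files under a given Windows directory (by default %SystemRoot%). The function names and the case-insensitive file-name match are my assumptions, not something the article specifies.

```python
"""Look for the four Stuxnet indicator files listed in the article under a
Windows directory. Added example; the function names are assumptions."""
import os
import sys

# Paths relative to the Windows directory, exactly as listed in the article.
STUXNET_INDICATOR_FILES = (
    os.path.join("system32", "drivers", "mrxcls.sys"),
    os.path.join("system32", "drivers", "mrxnet.sys"),
    os.path.join("inf", "oem6C.PNF"),
    os.path.join("inf", "oem7A.PNF"),
)


def find_stuxnet_indicators(windows_dir):
    """Return the full paths of the indicator files present under windows_dir.

    File names are compared case-insensitively (an assumption mirroring
    Windows file-name semantics), so the check also works when run against
    a mounted image from a case-sensitive host.
    """
    found = []
    for rel in STUXNET_INDICATOR_FILES:
        parent = os.path.join(windows_dir, os.path.dirname(rel))
        wanted = os.path.basename(rel).lower()
        try:
            entries = {name.lower(): name for name in os.listdir(parent)}
        except OSError:
            # Directory missing or unreadable: nothing to report for this path.
            continue
        if wanted in entries:
            found.append(os.path.join(parent, entries[wanted]))
    return found


def assess(windows_dir):
    """Classify the host as the article does: any indicator file present
    means the machine is probably infected. Returns (verdict, hits)."""
    hits = find_stuxnet_indicators(windows_dir)
    verdict = "probably infected" if hits else "no indicator found"
    return verdict, hits


if __name__ == "__main__":
    # Usage: python check_stuxnet.py [WINDOWS_DIR]
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    verdict, hits = assess(target)
    print(verdict)
    for path in hits:
        print("  found:", path)
```

A hit only means "probably infected" as the article says; the WinCC/Step7 follow-up with an expert still applies.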

 

Protect Windows machines against further Stuxnet infections

Firstly Microsoft has released patches for the main infection vectors used by Stuxnet:

  • MS08-067: for the "Windows Server" vulnerability (the one previously used by Conficker),
  • MS10-046: for the "LNK" vulnerability,
  • MS10-061: for the "Print Spooler" vulnerability.

Secondly, even if these patches have been installed, the other infection vectors must also be addressed. This requires establishing strong internal control procedures to block the other infection vectors used by Stuxnet:

  • Infection through USB (using "autorun.inf" files),
  • Infection through "Siemens Step7" projects or a shared "Siemens WinCC" database,
  • Infection through writable Windows network shares (or administrative shares such as "C$").

 

Conclusion

As explained in this article, Stuxnet is really worrying:

  • First, it shows that industrial systems must be prepared to deal with cyber attacks, and that such attacks could be specifically designed to hit these environments.
  • Second, even if it was a targeted attack, all the companies that use the Siemens products targeted by Stuxnet are in jeopardy because they could be unintentionally hit by Stuxnet.

 

For more information

[1] Symantec technical analysis on Stuxnet (50 pages):
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf