Stuxnet : A worm which targets SCADA systems

Date : September 08, 2010

Stuxnet is the first known example of a worm specifically designed to attack industrial control systems (SCADA systems). Its level of sophistication has stunned the community of experts, and the fact that these techniques are used to target industrial systems is worrisome.

In this article we present a summary of the analyses that have been published about Stuxnet (in particular the analyses by Symantec and Industrial Defender that we list at the end of the article), its impact and the possible motivations of its authors.

1. How does Stuxnet operate?

Stuxnet was discovered on June 17, 2010 by the Belarusian company VirusBlokAda (a developer of antivirus products). At that time most of the analysts' attention was caught by the fact that this worm uses a previously unknown vulnerability in Windows (a "0-day" flaw): the ".LNK" vulnerability, which led Microsoft to release the out-of-band patch MS10-046 early in August. It was only after further analysis that analysts found that Stuxnet was in fact designed to target SCADA systems.

The infection starts via the USB drives

The Stuxnet worm spreads through USB when an infected USB stick is plugged into a PC. Simply viewing the contents of the key with Windows File Explorer causes the infection. This infection mechanism works on all Windows systems (from Windows NT4 to Windows 7) if the patch MS10-046 (available since August 2, 2010) has not been applied. Once it is launched, Stuxnet immediately hides the infected files located on the USB key. For that, it uses a "userland" rootkit which makes invisible all the files with the suffix ".lnk" and the files that start with "~WTR" and end with ".tmp".

Note: Symantec indicates that Stuxnet might also use two other propagation mechanisms: it could drop an infected file on the network shares to which the infected computer has access (see [SYM.03]), and it could also spread from machine to machine using the MS08-067 vulnerability (see [SYM.05]). This is the same vulnerability that had been used by Conficker.

A rootkit is installed

The worm continues its installation by dropping various components on the infected computer, in particular:

  • A "kernel" rootkit (implemented by the mrxcls.sys and mrxnet.sys drivers) which makes invisible the files that were used during the infection. This second rootkit (also known as "TmpHider") has the same effect as the "userland" rootkit launched early in the infection, but it makes these changes permanent. This rootkit might also have additional features, such as hiding processes, but the published analyses are not very detailed on that topic.
  • Two services (MRXCLS and MRXNET), which are not visible in the list of services displayed by Windows.

Note: This part of the Stuxnet installation process completes successfully only if the user who plugged in the infected USB drive is using an account with administrative privileges.

The rootkit installed by Stuxnet is only partially stealthy, as it does not hide all the Stuxnet files. In particular, the following files remain visible in Windows File Explorer (cf. [IND]):

%SystemRoot%\system32\drivers\mrxcls.sys
%SystemRoot%\system32\drivers\mrxnet.sys
%SystemRoot%\inf\oem6c.pnf
%SystemRoot%\inf\oem7a.pnf
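The file names above and the USB naming pattern from the previous section are concrete indicators a defender can look for. The following Python snippet is an added example written for this article, not code from the original analyses, Symantec, Industrial Defender or Siemens: it flags a removable-drive listing that combines .lnk shortcuts with ~WTR*.tmp files, and checks a host (or a recorded file inventory) for the four dropped files. The listing, the inventory and the C:\Windows root used in the demo are constructed values; the `exists` callback is an assumption of this example so that the check runs on any platform.

```python
"""Host and removable-media check for the Stuxnet file indicators named in this article."""
import fnmatch
import ntpath
from typing import Callable, Iterable, List

# Names the userland rootkit hides on the USB key: any *.lnk, and ~WTR*.tmp (lower-cased for matching).
USB_HIDDEN_PATTERNS = ("*.lnk", "~wtr*.tmp")

# Dropped files the kernel rootkit leaves visible, relative to %SystemRoot% (per [IND]).
DROPPED_FILES = (
    r"system32\drivers\mrxcls.sys",
    r"system32\drivers\mrxnet.sys",
    r"inf\oem6c.pnf",
    r"inf\oem7a.pnf",
)


def suspicious_usb_entries(names: Iterable[str]) -> List[str]:
    """Return the entries of a removable-drive listing that fit the Stuxnet pattern.

    A shortcut on its own is normal; the indicator is the combination of .lnk
    files with ~WTR....tmp payload files in the same directory. Matching is
    case-insensitive because Windows file names are."""
    lowered = {n: n.lower() for n in names}
    hits = [n for n, low in lowered.items()
            if any(fnmatch.fnmatchcase(low, pat) for pat in USB_HIDDEN_PATTERNS)]
    has_lnk = any(lowered[n].endswith(".lnk") for n in hits)
    has_wtr = any(lowered[n].startswith("~wtr") for n in hits)
    return sorted(hits) if has_lnk and has_wtr else []


def present_dropped_files(system_root: str,
                          exists: Callable[[str], bool]) -> List[str]:
    """Return the Stuxnet drop files found under system_root.

    `exists` is passed in (e.g. os.path.exists on a live Windows host) so the
    same check can run against a recorded file inventory on any platform.
    ntpath builds Windows-style paths regardless of the OS running the check."""
    return [rel for rel in DROPPED_FILES if exists(ntpath.join(system_root, rel))]


if __name__ == "__main__":
    # Constructed listing of a USB key (not real sample file names).
    listing = ["Shortcut.lnk", "~WTR0001.tmp", "~WTR0002.tmp", "report.docx"]
    print("suspicious USB entries:", suspicious_usb_entries(listing))

    # Constructed inventory of a host, standing in for a live file system.
    inventory = {r"C:\Windows\system32\drivers\mrxcls.sys", r"C:\Windows\inf\oem7a.pnf"}
    print("dropped files present:", present_dropped_files(r"C:\Windows", inventory.__contains__))
```

On a live host, pass `os.path.exists` as the `exists` argument and the real `%SystemRoot%`; the two functions are deliberately independent of the OS so that an inventory exported from an isolated SCADA workstation can be checked offline.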

 

Communication with the Internet

Once Stuxnet is installed, it tries to contact two websites on the Internet (cf. [SYM.03]) using HTTP requests sent to TCP port 80:

www . mypremierfutbol . com
www . todaysfutbol . com

Stuxnet sends these sites a message describing the newly infected computer (Windows version, IP address, etc.) and may receive in response commands such as:

  • Read, write or delete files on the infected PC.
  • Download an additional DLL file from the Internet and run it.
  • Etc.

When a SCADA system is infected, it is presumably unlikely that this system is allowed to interact with the Internet. However, practices in this area vary widely and depend strongly on the sensitivity of the SCADA system. It is therefore possible that some SCADA systems do not prohibit outgoing traffic, which makes it possible for Stuxnet to dialog with these machines on the Internet.
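As an added example (not part of the original article or of the Symantec analysis), the Python script below shows how the network behaviour described above can be turned into a check over outbound proxy or firewall logs: it flags any connection to the two C&C hosts and, more generally, any web traffic initiated from the SCADA network, which a segregated SCADA network should not produce. The key=value log format, the sample lines and the 192.168.10.0/24 SCADA range are constructed for this example and would be adapted to the real log source.

```python
"""Egress review for the Stuxnet C&C behaviour described in the article."""
import ipaddress
import re
from typing import Dict, Iterable, List

# C&C hosts named in the article (written undefanged here so they can be matched).
CNC_DOMAINS = frozenset({"www.mypremierfutbol.com", "www.todaysfutbol.com"})

# Constructed key=value log format for this example; adapt the regex to your proxy or firewall.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst_host=(?P<host>\S+)\s+dst_port=(?P<port>\d+)")


def is_cnc_domain(host: str) -> bool:
    """True if host is one of the C&C names (case-insensitive, trailing dot tolerated)."""
    return host.lower().rstrip(".") in CNC_DOMAINS


def review_egress(log_lines: Iterable[str],
                  scada_net: str = "192.168.10.0/24") -> List[Dict[str, str]]:
    """Flag outbound connections in a proxy/firewall log.

    - high:   destination is a known Stuxnet C&C host, whatever the source
    - medium: a host inside the SCADA network initiates web traffic (80/443) at all,
              which a segregated SCADA network should never do
    Lines that do not match the expected format are ignored."""
    net = ipaddress.ip_network(scada_net)
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        host = m["host"].lower().rstrip(".")
        port = int(m["port"])
        if is_cnc_domain(host):
            alerts.append({"severity": "high", "src": str(src), "host": host,
                           "reason": "connection to known Stuxnet C&C host"})
        elif src in net and port in (80, 443):
            alerts.append({"severity": "medium", "src": str(src), "host": host,
                           "reason": "SCADA host initiating web traffic"})
    return alerts


# Constructed log lines (not from any real capture); 192.168.10.0/24 is assumed to be the SCADA network.
SAMPLE_LOG = [
    "2010-09-08T10:15:01 src=192.168.10.5 dst_host=www.mypremierfutbol.com dst_port=80 method=GET",
    "2010-09-08T10:15:07 src=192.168.10.7 dst_host=update.example.com dst_port=80 method=GET",
    "2010-09-08T10:16:44 src=10.0.0.21 dst_host=WWW.TodaysFutbol.com. dst_port=80 method=GET",
    "2010-09-08T10:17:02 src=10.0.0.22 dst_host=intranet.example.com dst_port=80 method=GET",
    "2010-09-08T10:17:30 src=192.168.10.9 dst_host=historian.example.com dst_port=1433 proto=tcp",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in review_egress(SAMPLE_LOG):
        print(alert)
```

The medium-severity rule is the one that matters most for isolated SCADA networks: the C&C names of one worm are easy to rotate, but a SCADA workstation opening a web connection at all is a policy violation that outlives any particular indicator.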

2. Malicious actions against SCADA systems

Stuxnet is specifically designed to attack Siemens SIMATIC PCS 7 products, and more particularly the Siemens SIMATIC WinCC component.

Note: WinCC is used by several products from Siemens, but according to Siemens only the PCS7 environment is targeted by Stuxnet. Several sources (such as [ICS-01]) indicate that the Siemens STEP 7 product is also affected, but the official statement from Siemens (see [ICS-01]) does not mention this product.

While browsing the Stuxnet code, analysts found that some sections were designed to retrieve data from the Microsoft SQL database used by WinCC. For that, Stuxnet uses an SQL password which is hardcoded in the WinCC code and which was disclosed several years ago on a Russian hacking forum. The exact purpose of the Stuxnet SQL queries is not known. One source (cf. [IND]) indicates that these queries might allow Stuxnet to identify other machines on the same network that also use WinCC.

It was also found that Stuxnet searches for specific files on the infected computer, for example "*.s7p" and "*.mcp" files (see [SYM.01]). These files typically describe the industrial equipment called PLCs (Programmable Logic Controllers) operated from the PCS 7 system, and the control programs installed on this equipment.

Finally, Stuxnet installs a DLL that allows it to control all the data exchanges between WinCC and the industrial equipment (it intercepts all calls to the Siemens DLL "s7otbxdx.dll", which is used to dialog with the PLCs) in order to hide the alterations made to the code installed on this equipment. It is therefore the first known case of a "rootkit" designed to hide malicious code installed on a PLC.

3. The Stuxnet propagation extent

Siemens said it was aware (as of August 24, 2010) of 12 Siemens systems that were infected by Stuxnet, but that none of these cases had negative consequences (see [SIE]).

Several other sources have published estimates of the number of computers infected by Stuxnet. They used various calculation methods, such as:

  • The number of infection attempts by the worm that were blocked once the antivirus was updated to detect Stuxnet (ESET, Microsoft, Symantec).
  • The number of computers that have been disinfected (Microsoft).
  • The number of infected machines that have attempted to connect to C&C (Command and Control) machines on the Internet (Symantec).

These data are not fully consistent with each other (because the calculation methods differ and each has its limits), but they converge on the following findings:

  • The number of infections is in the tens of thousands of machines (e.g. 14,000 for Symantec, 50,000 for Microsoft). It is very difficult to know how many of these machines are really SCADA systems (because any PC into which an infected USB drive is plugged will be infected by Stuxnet), or how many isolated SCADA systems (which cannot communicate with the Internet) have been affected.
  • The most affected countries (in terms of percentage of infected systems, but not in absolute number of infections) would be Iran, Indonesia and India.

Considering the following two facts, it is curious that so many infections were discovered:

  • Stuxnet is supposed to spread mainly through USB drives.
  • Some researchers (cf. [SYM.05] and [IND]) indicate that there is a counter in Stuxnet which prevents its replication beyond a depth of 3 (the counter is decremented whenever Stuxnet passes from one computer to another, or from one USB drive to another).

Either this counter mechanism for limiting the spread of Stuxnet does not work properly, or the worm has existed for a long time and was dropped by the attacker in many places around the globe.

As for how long Stuxnet has existed, the following elements show that the worm has been around for some time:

  • Some code sections of Stuxnet are dated June 2009 (see [SYM.04]). The worm has been under development at least since that date.
  • Several variants of Stuxnet were found, indicating that the author changed the worm code over time. For example, in some samples the Stuxnet drivers are signed by "Realtek Semiconductor Corp." while other samples include drivers signed by "JMicron Technology Corp." (see this announcement by ESET, which however gives little evidence that it is indeed a variant of Stuxnet). Variants of Stuxnet (probably older ones) which do not use the .LNK vulnerability to spread were also found (cf. [SYM.04]).

4. The attacker's motives

On this topic, we can only speculate or make assumptions that are difficult to verify.

It seems certain that Stuxnet is not the work of a single individual. Too many components have been used together:

  • A deep knowledge of the Siemens PCS 7 SCADA environment.
  • The use of a 0-day vulnerability to infect PCs through USB.
  • The use of digital certificates stolen from legitimate companies.
  • The use of advanced hacking techniques (rootkits, DLL interception, communication via C&C servers, etc.).

But these different components could have been purchased from different hackers (this is usual practice in the underground economy).

A second aspect is to know what Stuxnet can be used for. The published analyses suggest that Stuxnet can potentially:

  • steal documents describing the infected SCADA environment and its internal usage;
  • or, even worse, silently modify the programs installed on the industrial equipment.

However, it has not been formally proven that these capabilities were fully operational. The evidence found in the Stuxnet code could be prototypes or libraries that are not yet used.

Finally, with regard to identifying the type of people who would be behind the Stuxnet attacks, the following hypotheses have been proposed (see the "Stuxnet: Dissecting the Worm" article published by TechNewsWorld.com):

  • A government agency conducting a targeted operation against selected industrial sites. In this case the massive spread of Stuxnet is a mistake.
  • A terrorist group.
  • A cyber-mercenary group trying to gather information or take control of industrial systems with the aim of selling them later.

5. Conclusions

The discovery of Stuxnet is a major event for the people involved in the security of industrial systems. It transforms a theoretical risk, which has been known for a long time, into an irrefutable reality. The level of sophistication of the attack is surprising and demonstrates that the maturity of the attackers in the SCADA realm is as high as in the common IT environment.

The Stuxnet attack scenario will for sure be examined in depth by the owners of SCADA systems to identify the best measures to protect against such attacks. These measures include first-level protections such as:

  • Tight security controls on USB devices
  • Restriction on default accounts and passwords

But it also requires defense-in-depth measures such as:

  • Hardening of the computer to increase the security level
  • Filtering of outgoing network connections

Some sources (e.g. DigitalBond or [IND]) also recommend more stringent measures such as putting in place "white list" mechanisms (to exhaustively define the list of executables allowed to run on a SCADA system) or a HIDS (Host Intrusion Detection System). Using a tool such as Tripwire to seal system configurations is probably also an alternative in this area.
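To make the last two recommendations concrete, here is an added example in Python (not a tool or code from Tripwire, DigitalBond, Industrial Defender or any other source cited here) of what a Tripwire-style "seal" and a hash-based white list amount to: a baseline of SHA-256 hashes of every file under a root, a comparison that reports added, removed and modified files, and an allow decision that accepts an executable only if its path and hash are in the baseline. The directory layout, the file contents and the simulated appearance of mrxcls.sys and mrxnet.sys in the demo are constructed; the two driver names themselves are those listed earlier in the article.

```python
"""Sealing a system root and enforcing a hash-based white list, in the spirit of Tripwire/HIDS."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separators) to its SHA-256.
    Storing this map on read-only media is the 'seal'; re-running it later gives the current state."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the seal: new files (a dropped driver), removed files, altered files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def allowed_by_whitelist(path: str, whitelist: Dict[str, str], root: str) -> bool:
    """White-list decision: run only if the file is in the sealed baseline with an unchanged hash.
    A binary that was dropped after the seal, or patched in place, is refused."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return whitelist.get(rel) == sha256_file(path)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Seal a constructed 'system root', then simulate the kind of change described in the article:
    two new driver files appear and an existing file is altered. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "system32", "drivers")
        inf = os.path.join(root, "inf")
        os.makedirs(drivers)
        os.makedirs(inf)
        legit = os.path.join(drivers, "legit.sys")
        _write(legit, b"constructed legitimate driver")
        _write(os.path.join(inf, "example.inf"), b"[Version]\n")
        sealed = build_baseline(root)

        # Simulated post-infection state (constructed placeholders, not malware content).
        new_driver = os.path.join(drivers, "mrxcls.sys")
        _write(new_driver, b"constructed placeholder")
        _write(os.path.join(drivers, "mrxnet.sys"), b"constructed placeholder")
        _write(os.path.join(inf, "example.inf"), b"[Version]\n; tampered\n")

        return {
            "diff": compare(sealed, build_baseline(root)),
            "legit_driver_allowed": allowed_by_whitelist(legit, sealed, root),
            "new_driver_allowed": allowed_by_whitelist(new_driver, sealed, root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The value of this approach on a SCADA system comes from its stability: the software set on such a machine changes rarely, so a sealed baseline produces few false alarms, and a new kernel driver or an altered Siemens DLL shows up as a diff even when a rootkit hides it from the normal directory listing, provided the hashing runs from trusted media or before the rootkit is loaded.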

Even if SCADA requirements are very different from those of regular IT environments (e.g. in terms of lifetime or reliability), the SCADA world should take advantage of the security efforts that have been made in the IT world over the last decade to improve its security level (e.g. in terms of network segregation, defense in depth, or more generally awareness of security topics). In the case of Stuxnet, the fact that Siemens uses in its products a hard-coded password that cannot be changed by customers (see this article about the Siemens recommendation not to change the default password) shows that the level of security maturity is still too low. Because the potential impact of a cyber attack is major, SCADA systems have an absolute need for security. This involves the definition of strict security rules (from system design through to the system operation phase) and the strict enforcement of these rules.

6. For further information:

Official Siemens web page for Stuxnet:
[SIE] http://support.automation.siemens.com/WW/view/en/43876783

"The Stuxnet Worm and Options for Remediation" whitepaper by Industrial Defender:
[IND] http://findingsfromthefield.com/?p=516

Symantec technical analysis:
[SYM.01] http://www.symantec.com/connect/fr/blogs/w32stuxnet-installation-details
[SYM.02] http://www.symantec.com/connect/fr/blogs/distilling-w32stuxnet-components
[SYM.03] http://www.symantec.com/connect/fr/blogs/w32stuxnet-network-operations
[SYM.04] http://www.symantec.com/connect/fr/blogs/w32stuxnet-variants
[SYM.05] http://www.symantec.com/connect/fr/blogs/stuxnet-introduces-first-known-rootkit-scada-devices

ICS-CERT documents describing Stuxnet and the remediation methods:
[ICS-01] http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01%20-%20Stuxnet%20Mitigation.pdf
[ICS-02] http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01C%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software%20-%20Update%20C.pdf