23 January 2017

Stuxnet Documentry

Since Stuxnet is a worm, it has a lot of similarity with other worms. What differentiated Stuxnet from any another malicious worm is how differently capable it was to induce damage on its target. Its capability includes exploiting multiple zero-day vulnerabilities, modifying system libraries, attacking Step7 installations (Siemens’ SCADA control software) and running an RPC server and installing signed drivers on Windows Operating Systems. Stuxnet spread via several methods, but all methods were integrated to infect PLCs only. Stuxnet is capable enough auto update itself. It looks for new version in the local area network. Stuxnet hides its presence from the control panel, which is the reason behind unexplained problems in the operation cycle. It remained opaque to its user because the control panel always shows normal functioning.

Journey of Stuxnet

The first time, Stuxnet was detected by a Belarus-based AV company called VirusBlockAda on June 17, 2010. In the initial phase of the analysis, it was not clearly known, what was the exact reason behind this malware. Even after knowing the target, it was difficult to establish the fact that how it was affecting the control system. Later some of the security experts like Ralph Langner, Symantec engineers wrote a complete technical paper which provided every detail about Stuxnet and how it affected the control systems, particularly the Iran nuclear facility. Although Iran never accepted this fact but experts believe that Stuxnet hit them.

Stuxnet is a vicious piece of code, which unprecedentedly and masterfully attacked in three phases; first, it targeted Microsoft Windows systems and networks, by repeatedly replicating itself. Then it searched for Siemens Step7 software, which is a windows based platform, used to program the ICS that operate equipment in the nuclear facility. Finally, it compromises Programmable Logic Controllers (PLC's).

Stuxnet gets itself installed in the industrial root kit which feedbacks the false data to outside controllers so that no alarm or shutdown is done due to unexpected behavior of the process. This idea made Stuxnet more vulnerable because it was able to achieve a large part of its task without getting caught.

The idea of Stuxnet was not only to destroy the nuclear facility completely but also to halt the program as adversely as possible. Stuxnet created a difficult situation for Iranian engineer because even if they were changing the rotors frequently they are not able to get the exact reason behind this error. Stuxnet really frustrates the Iranian engineer to their core.

Stuxnet enters the network through a malicious computer which is already infected by a USB flash drive. For entry in any system, Stuxnet shows a digital certificate that gives an illusion to the system that it comes from a reliable source, thus this worm is able to evade the automated detection system. Once Stuxnet gets inside the local network it proceeded to infect all the machines running Microsoft windows.

After infecting the systems, Stuxnet checks whether a given machine was a part of the targeted ICS or not. By analysis of Stuxnet it was clear that even if Stuxnet gone wild in the world, it was never meant to affect any other device but only Natanz Nuclear plant in Iran. It happened because the controller which Stuxnet was searching was present in Iranian Nuclear Power Plant.

Stuxnet does not need any kind of internet service to update itself, if any updated
version is available on the local network, it can easily update itself. For auto updation, Stuxnet used RPC (Remote Procedure Call) and wait for connections.

The worm then compromises the logic controllers of the target system by using “Zero-day” vulnerabilities. It has been reported that Stuxnet attacked only those PLC systems which were installed by Vacon and Farao paya. Stuxnet monitored the frequency of the attached centrifuge rotors and attacked only those controllers which were spinning in some specific range. Then it installed the payload on the PLC's which resulted in periodic modification of the frequency and as a resultant rotational speed of rotor change.

Facts of Stuxnet

In order to demonstrate the sophistication of this effort, we would like to point out that Stuxnet utilized various vulnerabilities: 

“Zero-day” Vulnerabilities
Stuxnet exploited a lot of different vulnerabilities, four of which were zero-day
vulnerability. Some of the Zero-day attacks is seen before the Stuxnet but concatenating different Zero-day attacks were massive and infectious. Zero-day attack is briefed below:
  • Printer-Spooler vulnerability: This service is used to transfer the malicious code and then execute it on other systems in the shared network. Using this vulnerability Stuxnet copies itself from one machine to another machine via shared printers which are publicly available in the network.
  • .LNK vulnerability: A .LNK file is used to launch the malicious code on an infected windows machine. No test is done to verify the file even by anti-virus. The vulnerability is utilized in Stuxnet to reference a file in an infected drive that holds the virus. After installing of the virus, Stuxnet hides the .LNK file as well as the source file. Later autorun.inf is used to automatically run the file in removable media.
  • This vulnerability utilizes a similar vulnerability used in Conficker attack. Stuxnet uses this flaw in RPC call to infect potential hosts on the network. This vulnerability first ensures whether the host system has Stuxnet installed or not, if it's not infected, then it sends the Stuxnet to the uninfected machine.
Stuxnet probe phase
Stuxnet secretly recorded the every normal operation performed for full operation cycle. It plays all the recorded data back to the controllers to make sure whether industrial rootkit used to fake the data is enabled or not. During this infect other computers. Maintain the database of the infected computer, observe the variations and changes, and keep track of successfully infected systems.

Pre-Attack Phase

During the pre-attack phase, Stuxnet utilizes various tactics to spread itself to other systems: 

  • USB Flash Drives-The PLCs connected to the computers whose main functionality is to control and monitor them is not connected to the internet. In Natanz Nuclear plant, the infected flash drives may have been introduced to the control computers via some other external contractors working at the plant.  
  • WinCC-SCADA systems are hard coded with a password and used to connect into WinCC and attack the database using SQL commands to upload and start a copy of itself on WinCC computer. Stuxnet infected all the Siemens SIMATIC Step7 industrial projects that are opened on an infected system. Some modification is done on the .exe file and DLLs (Dynamic Link Library) in WinCC, so that executes Stuxnet code as well. 
  • Network Shares-Stuxnet also used windows shared folder to spread the virus to the local network. Infected computer placed a dropper file in the shared folder and schedule a task to execute this file. There is a debate between experts about the scheduled execution of the file 
Contributed By: Vivek Pratap Chaurasia
Email id: vivekpratap07@gmail.com