The Amazing Mr. Stuxnet

Week after week, the Stuxnet worm continues to amuse and astound all of us who have studied it. Last week it was Ralph Langner’s detailed analysis showing that Stuxnet wasn’t just infecting Windows boxes and stealing data: it was specifically designed to modify PLC logic so that it could destroy a physical process. Then there is the amazing number of Windows zero-day vulnerabilities* it exploits to do its dirty work. Yesterday it was the new revelations from Symantec.

Just to recap for those of you who have a real job and can’t spend hours each day reading up on the latest Stuxnet analysis, here is a summary of some of the amazing things that Stuxnet and its designers have done (I am sure I have missed a few and that there are still more surprises on their way):

  1. Uses a previously unknown vulnerability in the way Windows parses shortcut (*.lnk) files to infect computers from a USB key the moment the key’s contents are displayed in Explorer, so it works even when AutoRun is turned off (Zero-day #1, since patched as MS10-046)
  2. Signs its kernel drivers with code-signing certificates and private keys stolen from two reputable hardware manufacturers (Realtek and JMicron), so that Windows 7 and Vista, whose 64-bit editions refuse to load unsigned kernel drivers, accept its packages as valid driver software and install them silently (will anyone ever trust certificates again?)
  3. Has a Command and Control (C&C) capability to call home to servers in Malaysia and Denmark, so it can be remotely managed by its creators (actually this one is pretty standard stuff)
  4. Uses a peer-to-peer (P2P) networking system, implemented over RPC, to automatically update every Stuxnet installation it can reach, even ones that can’t call home to the C&C server because there is a firewall in the way (cool – now that is automated patch management, and the PC doesn’t even need a reboot)
  5. Once installed on a computer, uses another Windows zero-day vulnerability to escalate its privileges and take full control of the system (Zero-day #2)
  6. Uses two more Windows vulnerabilities to spread to other computers on the same network: the Print Spooler vulnerability (Zero-day #3, since patched as MS10-061) and the older Server service vulnerability (MS08-067), which has had a patch available since 2008 that the victim might not have installed
  7. Uses a hard-coded Siemens “internal” account password (almost unknown outside Siemens, and one that can’t be changed without breaking WinCC) to log into the WinCC SCADA database, mine it for information and infect the computer running it
  8. Locates Siemens STEP 7 programming stations and replaces the STEP 7 DLL that handles communication with the PLC (s7otbxdx.dll) with its own wrapper, so that anyone viewing a PLC’s logic from that station would not see the changes Stuxnet later makes to the PLC(s)
  9. Looks for a specific PLC victim by checking the PLC’s system data blocks for a particular hardware configuration and certain strings. If the fingerprint doesn’t match, Stuxnet leaves that PLC alone
  10. If it finds what it is looking for, Stuxnet does a few more tests and then injects its own code blocks into the PLC. (Ralph’s interpretation is that Stuxnet is changing the PLC logic so that the code that controls a very fast running critical process will no longer be executed. And then something blows up…)
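The shortcut trick in item 1 can be checked for on a suspect USB key without ever letting Windows render the icons. The following is an added example (not from the original post, and not Microsoft or Siemens code) that walks the Shell Link header and LinkTargetIDList of a .lnk file and flags the pattern the exploit relied on: a Control Panel folder item followed by an item naming a file on disk, which Explorer loads just to draw the icon. The format offsets come from Microsoft’s public [MS-SHLLINK] specification; the sample shortcuts are constructed here with simplified item-type bytes and are not real Stuxnet files. The "review" severity for a .cpl applet path is a heuristic, not a guarantee that such a shortcut is benign.

```python
import re
import struct
import uuid
from pathlib import Path

# Layout constants from the [MS-SHLLINK] Shell Link binary file format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0
# Shell folder CLSIDs that appear inside the LinkTargetIDList.
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
# A drive-letter or UNC path, as found in UTF-16LE item data (NUL terminated).
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\x00]{1,260}")


def parse_id_list(data, offset):
    """Walk the LinkTargetIDList at `offset` and return each ItemID payload in order."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(data[pos + 2:pos + item_size]))  # size field is inclusive
        pos += item_size
    return items


def utf16_paths(blob):
    """Extract path-like UTF-16LE strings from item data at either byte alignment."""
    found = []
    for start in (0, 1):
        found.extend(PATH_RE.findall(blob[start:].decode("utf-16-le", errors="ignore")))
    return found


def scan_lnk(data):
    """Return findings for one .lnk file as [{"path": ..., "severity": ...}] (empty if clean).

    Heuristic: a Control Panel folder item followed by an item naming a file path.
    Explorer loads that file just to draw the icon; a .cpl applet may be legitimate,
    anything else is the pattern the Stuxnet shortcuts used.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []  # no IDList, so nothing for the icon handler to parse
    control_panel_seen, findings = False, []
    for item in parse_id_list(data, LNK_HEADER_SIZE):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            control_panel_seen = True
            continue
        if not control_panel_seen:
            continue
        for path in utf16_paths(item):
            severity = "review" if path.lower().endswith(".cpl") else "high"
            finding = {"path": path, "severity": severity}
            if finding not in findings:
                findings.append(finding)
    return findings


def scan_directory(root):
    """Scan every *.lnk under `root` (e.g. a mounted USB key); return {file: findings}."""
    results = {}
    for lnk in Path(root).rglob("*.lnk"):
        try:
            findings = scan_lnk(lnk.read_bytes())
        except ValueError as exc:
            findings = [{"path": None, "severity": "malformed", "error": str(exc)}]
        if findings:
            results[str(lnk)] = findings
    return results


def _item(payload):
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(item_payloads):
    """Build a minimal shortcut (header + LinkTargetIDList) for the constructed samples."""
    id_list = b"".join(_item(p) for p in item_payloads) + b"\x00\x00"
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: the leading type/sort bytes of each item are simplified
# placeholders, not copied from a real Stuxnet shortcut. "~WTR4141.tmp" is the
# documented name of the loader DLL Stuxnet placed on USB keys.
SAMPLE_MALICIOUS = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00\x00" + "E:\\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00",
])
SAMPLE_CPL = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00\x00" + "C:\\Windows\\system32\\main.cpl".encode("utf-16-le") + b"\x00\x00",
])
SAMPLE_BENIGN = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x32\x00" + "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00",
])
```

Run `scan_directory("/mnt/usb")` (or the key’s drive letter) from a machine that has MS10-046 installed, or from Linux, so that listing the files cannot itself trigger the icon handler. A "high" finding is a shortcut that makes Explorer load an arbitrary file; that is worth pulling the key for analysis regardless of what else is on it.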

Most of these tricks would be newsworthy in their own right. As a group they are stunning. The fact that its designers managed to do all this in one package is an indication that a very professional and determined team of experts was behind Stuxnet. There is simply no other malware in the world that we know of that shows this level of complexity (of course there might be some other equally nasty malware lurking out there that we haven’t found yet – I hope not).
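Item 8 in the list above is the part that should worry control engineers most: once the STEP 7 communication DLL has been swapped, the engineering station itself is lying to you. Here is an added example (not from the original post, and not Siemens software) of the check a practitioner can run: hash the STEP 7 installation against a baseline taken from a known-clean station, and report the two indicators of this particular swap, the communication DLL no longer matching its baseline hash and the appearance of the renamed original, s7otbxsx.dll, the name Symantec documented for it. The directory layout and the third file in the constructed scenario are assumptions; only the two DLL names are from the public Stuxnet analysis.

```python
import hashlib
from pathlib import Path

# The STEP 7 DLL that talks to S7 PLCs, and the name Stuxnet gave the original
# when it dropped its own wrapper in its place (per Symantec's analysis).
S7_COMM_DLL = "s7otbxdx.dll"
S7_RENAMED_ORIGINAL = "s7otbxsx.dll"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_files(files):
    """{relative_name: bytes} -> {relative_name: sha256 hex}; used for in-memory scenarios."""
    return {name: sha256_hex(content) for name, content in files.items()}


def hash_tree(root):
    """Hash every file under a real STEP 7 directory into the same {name: hash} shape."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_hex(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(baseline, current):
    """Compare a trusted baseline against the current hashes."""
    return {
        "changed": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def step7_indicators(baseline, current):
    """Turn a baseline diff into findings that say what the change means for the station."""
    delta = diff_baseline(baseline, current)
    findings = []
    for name in delta["changed"]:
        if name.lower().endswith(S7_COMM_DLL):
            findings.append(f"{name}: PLC communication DLL differs from baseline; "
                            "everything STEP 7 shows you about the PLC is now suspect")
        else:
            findings.append(f"{name}: changed since baseline")
    for name in delta["added"]:
        if name.lower().endswith(S7_RENAMED_ORIGINAL):
            findings.append(f"{name}: matches the documented rename of the original "
                            f"{S7_COMM_DLL} by Stuxnet")
    return delta, findings


# Constructed scenario (not real Siemens file contents): a baseline from a clean
# engineering station, then the same directory after a Stuxnet-style DLL swap.
# "S7BIN" and "s7ubtool.exe" are assumed names for illustration.
CLEAN_STATION = {
    "S7BIN/s7otbxdx.dll": b"original siemens communication dll",
    "S7BIN/s7ubtool.exe": b"some unrelated step 7 tool",
}
INFECTED_STATION = {
    "S7BIN/s7otbxdx.dll": b"malicious wrapper that filters block reads",
    "S7BIN/s7otbxsx.dll": b"original siemens communication dll",
    "S7BIN/s7ubtool.exe": b"some unrelated step 7 tool",
}


def demo():
    """Baseline the clean station, then check the infected one against it."""
    baseline = hash_files(CLEAN_STATION)
    return step7_indicators(baseline, hash_files(INFECTED_STATION))
```

For real use, take the baseline with `hash_tree()` on a freshly built station before it is ever networked, and run the comparison from outside the suspect operating system (a boot CD, or an image of the disk) because a kernel-mode rootkit can filter what a program on the live system is allowed to read. A clean DLL hash only proves the station’s view of the PLC is honest; to prove the PLC itself is unchanged, upload its blocks with a second, independent tool and compare them to the project archive.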

We industrial automation and control systems people are always a few steps behind the IT world when it comes to designing and deploying new computer software. For once, the SCADA world is leading the way in computer technology – too bad we are leading in malware technology.

What is your perspective on Stuxnet? How is it affecting your security planning? Let me know your thoughts.

*A zero-day vulnerability is one that attackers are exploiting before the affected software’s manufacturer has released a patch (the vendor has had “zero days” to fix it). The day count starts once a patch is released, so the two Stuxnet vulnerabilities Microsoft has since patched (MS10-046 and MS10-061) are no longer zero-days, although any machine that hasn’t installed those patches is still exposed.
