Stuxnet: An Analysis

by Doug Sibley

The Stuxnet attack is a good case study in what a modern computer virus can accomplish.

It is interesting to see how the designers were able to create a program that caused so much alarm, yet only did a very limited amount of real-world damage.  For Stuxnet to be successful, it had to use a wide variety of tactics, and looking at each of these aspects can give us a good example of what modern threats are capable of.

Attacking the Machine

The core of any virus attack is a reliable way to spread it around.

With the use of multiple separate zero-day exploits, both to infect machines and elevate local privilege, Stuxnet was able to spread itself very successfully.

First, let's look at how Stuxnet propagated itself.

Removable Media

One of the interesting attack vectors that Stuxnet used was infecting removable media such as USB drives.

MS10-046, commonly referred to as the LNK exploit, can infect a computer when the user simply opens the folder containing the malicious shortcut.  Because the icon of the LNK file is crafted maliciously, a sequence of attack code runs on the machine every time that icon is displayed.

For Stuxnet, this vulnerability was used to load the virus from two other files stored on the same drive.  Using this method, WTR4141.TMP is loaded on the computer, which then executes the main program WTR4142.TMP.  Once this has happened, your computer has been infected.

Network

Stuxnet also spread itself quickly across networks, primarily by using two network exploits.

MS10-061 is a flaw in the Windows Print Spooler, affecting computers that have printer sharing enabled.  By sending print requests that pointed to an executable and a specially crafted file, an attacker could infect the targeted machine.

Stuxnet would first send the attack payload in a file called WINSTA.EXE, and then send a file called SYNULLEVENT.MOF to execute the code.  Because of the vulnerability, these files could be created in the %SYSTEM% directory of the target computer using only guest privileges.  Normally, MOF files are used to create and register events and event categories; here, the MOF file would, under certain circumstances, cause WINSTA.EXE to be launched.

In addition to targeting the spooler, Stuxnet could spread itself over network shares using the MS08-067 exploit.

Stuxnet would scan the network looking for C$ and ADMIN$ shares, then attempt to write an attack TMP file to the remote machine.  If this succeeded, a task was also scheduled on the remote machine to execute the payload the next day.

Conficker was best known for using this exploit for roughly the same purpose; however, Stuxnet used its own code rather than copying the earlier Conficker design.

Using the methods described above, Stuxnet was able to execute attack code on machines its authors wanted to infect.  To successfully do this, Stuxnet would need to elevate its privileges when infecting the machine.  Stuxnet used two separate zero-day vulnerabilities to accomplish this.

First, MS10-073 was used on Windows 2000 and XP computers.

To get system privileges, the exploit abuses the way Windows handles keyboard input in order to run arbitrary commands at system level.  It allows the attacker to modify several DWORDs in a table, then trigger a buffer overflow against them and run the attack code.  Stuxnet used this vulnerability to load system-level shellcode, which would then install the main Stuxnet virus.

MS10-092 is the second zero-day exploit used, targeting 32-bit and 64-bit versions of Windows Vista and 7.

Windows Task Scheduler allows a user to schedule and execute commands; however, there is a flaw in the way it is implemented.  Task Scheduler creates XML files with the details of every scheduled event, including what permission level to run as.

Normally, tasks created by guest accounts cannot use high-level permissions.  However, this can be bypassed because of the way the XML files are stored.  To prevent the XML files from being modified, Task Scheduler calculates a checksum for each file when it is first created, then recalculates it and checks for a match before the task is run.

The checksum uses the CRC-32 algorithm, the idea being that any modification will be detected and the task stopped.  Stuxnet was able to use a weakness in the algorithm to modify the XML file, and then append a calculated special character to make the checksum match.  This allowed the attack code to be executed with the highest privileges on the machine.
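To show why a CRC-32 comparison cannot stop a deliberate edit, here is an added example that is not from the article: it appends four computed bytes to a modified byte string so that its CRC-32 equals the original's, and contrasts that with an HMAC over the same data, which no appended bytes can repair.  The "task" strings and the key are constructed stand-ins, not Task Scheduler's real XML format.

```python
import hashlib
import hmac
import zlib

POLY = 0xEDB88320                     # reflected CRC-32 polynomial used by zlib
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Each table entry has a distinct top byte, so one CRC step can be undone.
REV = {t >> 24: n for n, t in enumerate(TABLE)}


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Four bytes X such that zlib.crc32(data + X) == target.

    Feeding bytes b0..b3 into register R gives the same result as feeding
    four zero bytes into R ^ int(b, little-endian); the zero-byte step is
    an invertible linear map, so it is undone four times from the target.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target ^ 0xFFFFFFFF            # register needed after the suffix
    for _ in range(4):
        n = REV[want >> 24]
        want = ((want ^ TABLE[n]) << 8) | n
    return ((reg ^ want) & 0xFFFFFFFF).to_bytes(4, "little")


def forge_to_match(original: bytes, modified: bytes) -> bytes:
    """Return `modified` padded so its CRC-32 equals that of `original`."""
    return modified + crc32_suffix(modified, zlib.crc32(original))


def crc_check_passes(original: bytes, candidate: bytes) -> bool:
    """The article's style of check: compare stored and recomputed CRC-32."""
    return zlib.crc32(candidate) == zlib.crc32(original)


def hmac_check_passes(key: bytes, original: bytes, candidate: bytes) -> bool:
    """Keyed HMAC-SHA256 is not linear: no suffix can repair the tag."""
    expect = hmac.new(key, original, hashlib.sha256).digest()
    actual = hmac.new(key, candidate, hashlib.sha256).digest()
    return hmac.compare_digest(expect, actual)


def demo() -> tuple:
    # Constructed stand-ins, not real Task Scheduler XML or a real key.
    original = b"<task runlevel='least'/>"
    tampered = forge_to_match(original, b"<task runlevel='highest'/>")
    return crc_check_passes(original, tampered), hmac_check_passes(b"constructed-secret", original, tampered)
```

The first value of demo() is True (the CRC check accepts the edited file) and the second is False (the keyed MAC rejects it), which is the difference between an error-detecting code and an integrity check.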

Controlling the Machine

Once Stuxnet had established itself on the machine, there were a few other tasks it accomplished as well.

Infected machines attempted to contact command and control servers, initially www.mypremierfutbol.com and www.todaysfutbol.com, to check in and receive further instructions.  Communication between the servers and the machine took place on port 80, limiting the chance that it would be blocked by a firewall.

Some of the information Stuxnet relayed back included the OS version and service pack, computer name, domain name, interface IP addresses, and whether STEP 7 was installed on the machine.  The same channel allowed the remote server to send back instructions, such as an order to stop attacking other computers, and provided a way to update the installed version of Stuxnet.

To maintain access on Windows machines and to avoid detection, Stuxnet installed a rootkit to monitor for removable devices and hide infected files.

Called MRXNET.SYS, this driver was digitally signed with a certificate issued by Realtek so that it would be treated as a trusted driver and installed silently.  After installation, it would monitor directory requests to prevent Stuxnet files from being seen, as well as infect newly attached removable media.

Attacking STEP 7

Once Stuxnet had established itself on the machine, it checked to see if STEP 7 was installed.

STEP 7 is the software used to program a PLC, and it was the target of the second part of Stuxnet's attack.  With this software, a programmer can create and load the complex programs that run PLCs for industrial machinery, and Stuxnet could monitor and edit those programs.

Stuxnet would first modify the software controlling how STEP 7 save files are opened.  The objective was to decrypt the save files, then include a full copy of Stuxnet.  Once an infected save file was loaded on another computer, STEP 7 would automatically load a malicious DLL and infect the machine as well.  Once a computer with STEP 7 was infected, Stuxnet would also replace S7OTBXDX.DLL with a malicious version.  Since Stuxnet now had full control over the data interaction with the PLC, it could inject specific attack code without the user noticing.

Attacking the PLC

Up to this point, everything Stuxnet had done was to allow the final attack to be successful.

Stuxnet was designed to modify a specific PLC, under a specific set of circumstances, and otherwise lay dormant.  It is obvious that whoever created Stuxnet wanted to ensure that this PLC attack would be successful, so it is interesting to see what exactly they wanted to do with the PLC.

Before infecting a PLC, Stuxnet first checked to see if it met the requirements.  Assuming that it was the correct model, it also confirmed that the PLC was connected to a specific frequency converter manufactured in Iran.  If both were true, Stuxnet would then infect the PLC with a specific instruction sequence.  The result of this infection was that the PLC would continue to operate normally, and only sometimes malfunction.

Roughly every 27 days, the infected PLC would send the command to the frequency converter to either spin up to 1410 Hz, or down to 2 Hz.  In both instances, the speed was well outside the normal operating range and could cause damage over time.

These instructions to spin up or down every month represented the end goal of Stuxnet.  It is interesting to note how much concern there was over this virus when it was initially discovered, when in reality it was programmed to cause very narrowly targeted damage.  It is unlikely that anyone other than the specific target of Stuxnet actually suffered any damage from this virus, even though it had infected a large number of computers.

Often we think a worm or virus is designed to attack a large number of machines, to form a botnet or other malicious activity.  However, Stuxnet serves as a good reminder that this isn't the only option.  If an individual or group is able to assemble the technical talent to design a virus and discover new exploits to run it, they can potentially attack any system or process that is run by a computer.

As computing has advanced, it is important to remember that the types of attacks that can be carried out have advanced as well.  While Stuxnet may have been regarded as the first of its kind seen in the wild, the methodology and ideas behind it are something we will have to deal with for a long time.
