Analysis: Stuxnet dissected

Source: http://www.securecomputing.net.au/News/249061,analysis-stuxnet-dissec... (SC Magazine Australia/NZ, printed 3/27/2011 6:47 PM)


8/7/2019 Analysis Stuxnet dissected

http://slidepdf.com/reader/full/analysis-stuxnet-dissected 1/4


Analysis: Stuxnet dissected

By Brett Winterford
Feb 23, 2011 11:02 PM

Tags: stuxnet | symantec | security response | Iran | nuclear program | Siemens | SCADA | supervisory control and data acquisition | centrifuge | LNK vulnerability | zero-day exploit | Autorun vulnerability | S7-315 | S7-417

How one of the world's most complex cyber attacks crippled Iran's nuclear programme.

So how did Stuxnet do the damage? Symantec's Hogan believes his team has a fairly accurate idea of how Stuxnet succeeded.

1. Getting inside

Even the most sophisticated virus in the world would have trouble infecting machines that aren't connected to the internet. The computers connected to the enrichment program's industrial control systems are air-gapped - that is, not connected to the internet or other insecure networks. An air gap, however, only blocks network paths; it does nothing about the removable media and laptops that are carried across it.

Hogan can only guess that a degree of social engineering would have been required to convince an operator or engineer who worked at the plant to introduce data from external media (such as a USB key) that was infected with the virus.

"In our experience in cases like this, the target organisation is usually being attacked through an intermediary like an outsourced partner," Hogan said.

These intermediaries might have offered skilled labour, technology outsourcing and any number of other services to the program. Engineers often used ruggedised laptops, he said, which were taken off-site to have new instruction sets programmed and then carried into the facility to upload those commands to the system.

Hogan suspected that the worker who infected the machines made a genuine mistake rather than a deliberate attempt at spying. The attacker may have deliberately left memory sticks lying around at the offices of the outsourced provider. As long as one machine was infected, any network it connected to was at risk - and the worm was programmed to use these connections to seek out the devices that could do the damage.

2. Creating a backdoor

Once a USB stick or other external media is plugged in, the worm used the LNK shortcut vulnerability (CVE-2010-2568, patched in MS10-046) to infect the machine. The code executed simply because the user browsed the contents of the USB stick in Windows Explorer - they did not have to click on anything. The flaw is in how the Windows Shell parses a shortcut's target: a crafted .LNK can name a DLL as a Control Panel item, and the shell loads that DLL just to render the shortcut's icon. Disabling Autorun, which many sites had already done by 2010, does not help here, because no autorun.inf is involved.
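One check a practitioner would want after reading this section is a way to find such shortcuts before anyone browses the drive. The following is an added example, not code from the article or from Symantec: it walks the shell item list of a .LNK file and flags the combination the exploit depended on, a Control Panel namespace item whose payload names a loadable module. The two sample files it builds are constructed for the demo (the path in the malicious one is invented, not a real sample's), and the minimal item layout the builder emits is an assumption; real shell items carry more fields than this.

```python
"""Static check for CVE-2010-2568-style shortcuts on removable media.

Added example, not code from the article or from Symantec. It walks the
LinkTargetIDList of a .LNK file and flags the combination the exploit relies on:
a Control Panel namespace item whose payload names a loadable module (.dll/.tmp).
The sample files below are constructed for the demo; real item layouts carry
more fields than this simplified builder emits.
"""
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001

# A drive or UNC path ending in a module the shell would LoadLibrary() to draw an icon.
MODULE_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\x00\"<>|]*?\.(?:dll|tmp)\b", re.IGNORECASE)


def parse_id_list(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads from a shell link's LinkTargetIDList."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    items = []
    while pos + 2 <= min(end, len(data)):
        (size,) = struct.unpack_from("<H", data, pos)
        if size == 0:  # TerminalID closes the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemIDList")
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def module_paths(items: list[bytes]) -> list[str]:
    """Extract module paths from item payloads: UTF-16LE at both alignments, then 8-bit text."""
    found = []
    for item in items:
        for off in (0, 1):
            found += MODULE_PATH_RE.findall(item[off:].decode("utf-16-le", errors="ignore"))
        found += MODULE_PATH_RE.findall(item.decode("latin-1"))
    return list(dict.fromkeys(found))


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target list enters the Control Panel namespace and names a module."""
    items = parse_id_list(data)
    paths = module_paths(items)
    in_control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    return {
        "control_panel_item": in_control_panel,
        "module_paths": paths,
        "suspicious": in_control_panel and bool(paths),
    }


def build_lnk(items: list[bytes]) -> bytes:
    """Constructed minimal .LNK: a valid header plus the given ItemIDList (demo only)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += bytes(HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples. The malicious path is invented for the demo, not a real sample's.
BENIGN_LNK = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x2f" + "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00",
])
MALICIOUS_LNK = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "\\\\?\\E:\\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(name, assess_lnk(blob))
```

Run it over every .LNK on a mounted volume before the volume is opened in Explorer (on a host that has MS10-046 applied, or from a non-Windows system). It is a structural check, not a signature: it keys on the Control Panel CLSID plus a module path, which is what the exploit needs, rather than on any file name, so renaming the payload does not evade it.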

The Stuxnet worm then used code-signing certificates stolen from two Taiwanese device manufacturers - JMicron and Realtek - to sign its kernel-mode driver components, so that Windows would load them and Stuxnet could run more deeply inside the target computer. A valid signature only proves possession of the signing key; once that key is stolen, the signature vouches for the attacker's code exactly as it would for the manufacturer's.

"Someone got access to private keys of those two organisations - which curiously are based within a few kilometres of each other," Hogan said.

Where a route out existed, Stuxnet then made an outbound internet connection to one of two command-and-control servers to report in and download instructions.

3. Looking around the network

The worm also used a vulnerability in Microsoft's Windows print spooler (patched in MS10-061) to spread to other devices connected to the local area network, copying itself to, and executing from, network shares.

Stuxnet then created a peer-to-peer network between infected machines, so that the latest version of the virus could propagate from any machine that had reached the command-and-control servers to machines that could not, such as those behind the air gap.

The virus also checks whether the Siemens SIMATIC Step 7 software - the engineering tool used to write and load programs for the Siemens controllers - is installed on any devices connected to the infected machine. If any computers with this software are found on the network, Stuxnet copies itself and executes on these machines too.

4. Doing the damage

Once the virus finds machines running the Siemens software, it infects the Step 7 project files as another way to spread around the target installation: anyone who opens an infected project on a clean engineering workstation is infected in turn.

Ultimately, Stuxnet attempts to load its own code onto the Siemens programmable logic controllers (PLCs), the hardware-software interface between the engineering software and the plant. In the case of the Iranian nuclear enrichment facility, the controllers were connected to frequency converter drives that ran the high-speed motors spinning the centrifuges used for enrichment.

So Stuxnet was able to push a fresh set of commands to the controllers that would override the legitimate instruction sets. This code told the frequency converters how fast the 164 motors in a centrifuge cascade should spin and for how long.

Stuxnet was programmed to first watch the drives for 13 days, recording normal operation and working out what instructions could cause the most physical damage. Symantec believes Stuxnet would then have inserted a set of instructions to spin the frequency converters up to 1410Hz for 15 minutes, well above the usual operating frequency of 1064Hz.

"We assume it was spinning it up quickly to malfunction," Hogan said. "It was an attempt to create sympathetic vibrations that would cause problems," he said, potentially even breaking the rotors or centrifuges themselves.

Next, Stuxnet's instruction set returned the frequency converters to nominal speed for at least 27 days, then dropped the speed to 2Hz for some 50 minutes before returning to normal speed, screaming back up to 1410Hz, and so on.

5. Masking its tracks

In order to inflict maximum damage, Stuxnet would intercept any attempt by operators to upload new code onto the controllers. It did this by replacing the Step 7 library that handles communication with the PLC (s7otbxdx.dll) with its own version: as new instructions were uploaded, Stuxnet would shunt the code aside and keep its own instructions running, but present a picture back to the operators that suggested all was running as it should be. Reads of the controller's code blocks returned the original program, with the injected blocks filtered out.

"If you went in and looked at the .DLL file, you would see your original code," Hogan remarked. "Stuxnet is hiding what it is doing."
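Sections 4 and 5 together make the engineering point: the sabotage was a long, slow timeline, and the console the operators trusted was fed by the very library the worm had replaced. The following is an added example, not code from the article or from Symantec. It models the attack sequence with the article's numbers and then audits it the way a plant could have, with a measurement path that does not go through Step 7. The rest period after the 2Hz phase, the plant's allowed frequency band and the tolerance between console and sensor are assumptions made for the demo; the telemetry it audits is constructed from the model.

```python
"""Timeline model of the centrifuge sabotage sequence and an out-of-band audit.

Added example, not code from the article or from Symantec. The frequencies and
durations are the ones the article gives; the rest period between the 2 Hz
phase and the next 1410 Hz burst, the plant's allowed band and the HMI/sensor
tolerance are assumptions made for the demo. All times are minutes after the
controller code was injected.
"""

DAY = 24 * 60  # minutes

NOMINAL_HZ = 1064.0             # article: usual operating frequency
HIGH_HZ, HIGH_MIN = 1410.0, 15  # article: 1410 Hz for 15 minutes
LOW_HZ, LOW_MIN = 2.0, 50       # article: 2 Hz for some 50 minutes
MONITOR_MIN = 13 * DAY          # article: watches for 13 days before acting
REST_MIN = 27 * DAY             # article: nominal speed for at least 27 days

# Assumption: the worm rests another 27 days after the slow phase before the
# next burst; the article only says the pattern repeats.
PHASES = [
    (HIGH_HZ, HIGH_MIN),
    (NOMINAL_HZ, REST_MIN),
    (LOW_HZ, LOW_MIN),
    (NOMINAL_HZ, REST_MIN),
]
CYCLE_MIN = sum(minutes for _, minutes in PHASES)


def commanded_hz(t_min: int) -> float:
    """Frequency the injected controller code commands at time t_min."""
    if t_min < MONITOR_MIN:
        return NOMINAL_HZ  # recording phase: no interference yet
    t = (t_min - MONITOR_MIN) % CYCLE_MIN
    for hz, minutes in PHASES:
        if t < minutes:
            return hz
        t -= minutes
    raise RuntimeError("unreachable: t was reduced modulo CYCLE_MIN")


def hmi_hz(t_min: int) -> float:
    """What the operators' console shows: the recorded normal picture, replayed."""
    return NOMINAL_HZ


def simulate(t_from: int, t_to: int, step: int = 5):
    """Constructed telemetry: (t, value shown on the HMI, value from an independent sensor)."""
    return [(t, hmi_hz(t), commanded_hz(t)) for t in range(t_from, t_to, step)]


def audit(samples, band=(NOMINAL_HZ * 0.9, NOMINAL_HZ * 1.1), tolerance=5.0):
    """Compare an independent measurement path with the HMI picture.

    band: assumed plant limits (+/-10% of nominal). tolerance: assumed agreement
    required between HMI and sensor before a mismatch is raised.
    Returns (t, reason, hmi_value, sensor_value) tuples.
    """
    lo, hi = band
    alerts = []
    for t, shown, measured in samples:
        if not lo <= measured <= hi:
            alerts.append((t, "out_of_band", shown, measured))
        if abs(shown - measured) > tolerance:
            alerts.append((t, "hmi_mismatch", shown, measured))
    return alerts


if __name__ == "__main__":
    alerts = audit(simulate(0, 45 * DAY, step=5))
    first = alerts[0]
    print(f"first alert at day {first[0] / DAY:.2f}: {first[1]} hmi={first[2]} sensor={first[3]}")
    print(f"{len(alerts)} alerts in 45 days; sensor values seen: {sorted({a[3] for a in alerts})}")
```

The detector is deliberately dumb. What matters is where its second input comes from: a vibration or motor-current sensor, or a drive parameter read over a different path than the engineering workstation, none of which pass through the hooked library. A check that only compares the HMI against itself sees 1064Hz for the whole 45 days.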

Best in class, and hopefully the last.

After months of pulling Stuxnet apart and documenting its abilities, Hogan is convinced it is the "first publicly known malware to intend real-world damage".

He believes the development of such a sophisticated threat "required resources characteristic of a nation state".

Symantec has noted that the attacker would have required access to the design schematics of the plant, to the private keys of the two Taiwanese manufacturers, and a team of "five to 10 core developers" taking about six months to develop the exploit.

With the LNK vulnerability now known, and Stuxnet analysed in every corner, Hogan is confident it will be a relatively isolated attack.

"I don't believe there will be a Stuxnet II," he said.

"But the whole area of industrial control systems security is now open to a lot more eyes and brains than it was before - for both good and bad."

The writer attended Symantec's research labs in Japan as a guest of the anti-virus vendor.

Copyright © iTnews.com.au . All rights reserved.


Copyright © 2011 Haymarket Media. All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
