By Gregory Hale
It seems as though Iran is a heavy target of the Stuxnet attack as the Iranian government agency that runs the country’s nuclear facilities reported its engineers are trying to protect their facilities from a sophisticated computer worm that has infected industrial plants across that country.
The agency, the Atomic Energy Organization, did not specify whether the worm had already infected any of its nuclear facilities, including Natanz, the underground enrichment site that for several years has been a main target of American and Israeli covert programs, according to a report in The New York Times.
But the news continues to raise questions about where the malware came from and what is, or are, the targets. Stuxnet is a self-replicating malware computer program.
Stuxnet, which was first publicly identified in July, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.
Microsoft said the worm exploited four additional zero day flaws, and two of those four remain unpatched.
“Security experts agree that the purpose of the worm is sabotage of an industrial process,” said Andrew Ginter, chief security officer at Industrial Defender. “The details that have been released regarding the design of the worm no longer support the theory that the purpose was information theft.”
“Whoever designed this knew what they were doing,” said Eric Byres, chief technology officer at Byres Security. “It is pretty clear now it was developed to disable a process and destroy equipment.”
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs, to analyze consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward.
According to analysis of the worm from Siemens, the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
Also, the behavioral pattern of Stuxnet suggests the virus is apparently only activated in plants with a specific configuration, Siemens said. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
This means Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications, according to the Siemens analysis.
This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now. This kind of specific plant was not among the cases that we know about.
To date, Siemens said 15 systems were infected worldwide. In none of these cases did the infection cause an adverse impact to the automation system, Siemens said.
In a blog post last week, Alexander Gostev, who heads the Global Research and Analysis Team at Kaspersky Lab, said “Until now, most of the focus has been on the LNK/PIF vulnerability which Stuxnet exploits in order to spread via removable storage media and networks. But this has turned out not to be Stuxnet’s only surprise. The worm doesn’t just spread by using the LNK vulnerability. Once it’s infected a computer on a local network, it then attempts to penetrate other computers using two other propagation routines.
“Firstly, Stuxnet is designed to exploit MS08-067, the same vulnerability used by Kido (aka Conficker) at the beginning of 2009. The exploit code that Stuxnet uses to target MS08-067 is slightly different to that used by Kido. However, what’s really interesting is the second propagation routine.
“In addition to exploit code for MS08-067, Stuxnet contains an exploit for a previously unidentified vulnerability in the Print Spooler service; this vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine. Two files (winsta.exe and sysnullevent.mof) appear on attacked systems. It’s not just the way in which the malicious code gets on to the remote machine which is interesting, but also how the code then gets launched for execution.
“As soon as we identified the vulnerability we informed Microsoft about the problem and they confirmed our findings. The vulnerability has been identified as “Print Spooler Service Impersonation Vulnerability” and rated “critical”. Today Microsoft released MS10-061, a patch which fixes this vulnerability.
“Analysis of the vulnerability shows computers with shared access to a printer are at risk of infection.
“During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn’t find anything.
“On top of all this, we’ve identified yet another zero-day vulnerability in Stuxnet’s code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future.
“The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware. It’s the first time we’ve come across a threat that contains so many “surprises”. Add to this the use of Realtek and JMicron certificates, and remember that Stuxnet’s ultimate aim is to access Simatic WinCC SCADA systems.
“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PSC7.”
The worm that hit Siemens’ Simatic WinCC and PCS 7 users has been around for over a year and at the beginning of the new year its creators made it more sophisticated, officials said.
A Symantec researcher said they identified an early version of the worm created in June 2009, but it wasn’t until early this year when the malicious software became much more intense.
This earlier version of Stuxnet acts in the same way as its current incarnation; it tries to connect with Siemens’s management systems and steal data, but it does not use some of the newer worm’s techniques to evade antivirus detection and install itself on Windows systems.
The amount of components and code used is very large, in addition to this the authors ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is most certainly not a “teenage-hacker-coding-in-his-bedroom” type operation, Symantic researchers said.
After Stuxnet came to life, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. And they also got their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally sign the malware so antivirus scanners would have a harder time detecting it.
By Gregory Hale