By Gregory Hale
Stuxnet just won’t go away as Microsoft said the worm exploited four additional zero day flaws, and two of those four remain unpatched.
Now the speculation begins with experts saying various facilities, including a nuclear reactor in Iran or a nuclear enrichment facility also in Iran were among the targets. No one has confirmed those were the actual targets, officials said.
“Security experts agree that the purpose of the worm is sabotage of an industrial process,” said Andrew Ginter, chief security officer at Industrial Defender. “The details that have been released regarding the design of the worm no longer support the theory that the purpose was information theft.”
“Whoever designed this knew what they were doing,” said Eric Byres, chief technology officer at Byres Security. “It is pretty clear now it was developed to disable a process and destroy equipment.”
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs, to analyze consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward.
According to analysis of the worm from Siemens, the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
Also, the behavioral pattern of Stuxnet suggests the virus is apparently only activated in plants with a specific configuration, Siemens said. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
This means Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications, according to the Siemens analysis.
This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now. This kind of specific plant was not among the cases that we know about.
To date, Siemens said 15 systems were infected worldwide. In none of these cases did the infection cause an adverse impact to the automation system, Siemens said.
“To find one zero day is rare, but to come up with four zero days and to steal certificates and to find and exploit flaws in Siemens code is amazing,” Byres said. “It is an amazing professional project. Absolutely no one person could do this.”
“We are in a weapons race here,” Byres said. “This is a crash lesson for everybody on how to recognize malware.”
“The consensus out there is this was a weapon,” Ginter said. “There is a lot of technology in Stuxnet. It has a lot of stuff in it. Now it looks like somebody’s infrastructure has been targeted. It has been proven it can be done; who else will pick up on it? We will see other attacks like this.”
“Everyone gets hung up on the payload, and how it wrapped itself around some key WinCC drivers,” said Joel Langill, security consultant and staff engineer at ENGlobal Automation Group. “It is a brilliant piece of malicious code, but that is not the only thing that this malware has demonstrated. It has shown that the overall security posture of control systems still tends to be weak in addressing cyber threats.
In a blog post last week, Alexander Gostev, who heads the Global Research and Analysis Team at Kaspersky Lab, said “Until now, most of the focus has been on the LNK/PIF vulnerability which Stuxnet exploits in order to spread via removable storage media and networks. But this has turned out not to be Stuxnet’s only surprise. The worm doesn’t just spread by using the LNK vulnerability. Once it’s infected a computer on a local network, it then attempts to penetrate other computers using two other propagation routines.
“Firstly, Stuxnet is designed to exploit MS08-067, the same vulnerability used by Kido (aka Conficker) at the beginning of 2009. The exploit code that Stuxnet uses to target MS08-067 is slightly different to that used by Kido. However, what’s really interesting is the second propagation routine.
“In addition to exploit code for MS08-067, Stuxnet contains an exploit for a previously unidentified vulnerability in the Print Spooler service; this vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine. Two files (winsta.exe and sysnullevent.mof) appear on attacked systems. It’s not just the way in which the malicious code gets on to the remote machine which is interesting, but also how the code then gets launched for execution.
“As soon as we identified the vulnerability we informed Microsoft about the problem and they confirmed our findings. The vulnerability has been identified as “Print Spooler Service Impersonation Vulnerability” and rated “critical”. Today Microsoft released MS10-061, a patch which fixes this vulnerability.
“Analysis of the vulnerability shows computers with shared access to a printer are at risk of infection.
“During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn’t find anything.
“On top of all this, we’ve identified yet another zero-day vulnerability in Stuxnet’s code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future.
“The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware. It’s the first time we’ve come across a threat that contains so many “surprises”. Add to this the use of Realtek and JMicron certificates, and remember that Stuxnet’s ultimate aim is to access Simatic WinCC SCADA systems.
“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PSC7.”
The worm that hit Siemens’ Simatic WinCC and PCS 7 users has been around for over a year and at the beginning of the new year its creators made it more sophisticated, officials said.
A Symantec researcher said they identified an early version of the worm created in June 2009, but it wasn’t until early this year when the malicious software became much more intense.
This earlier version of Stuxnet acts in the same way as its current incarnation; it tries to connect with Siemens’s management systems and steal data, but it does not use some of the newer worm’s techniques to evade antivirus detection and install itself on Windows systems.
The amount of components and code used is very large, in addition to this the authors ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is most certainly not a “teenage-hacker-coding-in-his-bedroom” type operation, Symantic researchers said.
After Stuxnet came to life, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. And they also got their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally sign the malware so antivirus scanners would have a harder time detecting it.