Software [In]security: How to p0wn a Control System with Stuxnet
As recently as June this column pondered whether Cyber War is overhyped. The Stuxnet "worm" may well provide an existence of proof of a subtle offensive weapon.
How Stuxnet Works
The Stuxnet worm is a very sophisticated, narrowly targeted collection of malware. Though Stuxnet was accidentally discovered by anti-virus researchers in working for VBA in Belarus way back in June 2010, analysis is still underway. Current thinking indicates that the malware originated in the wild sometime in the first half of 2009. One of the researchers leading the analysis charge is Ralph Langner, a German consultant to Siemens who is an expert in control systems automation. Langner recently spoke to an audience of control systems experts at the Industrial Control Systems Cyber Security conference. I was there (and was also a speaker at the conference) .
What sets Langner apart from other analysts who have looked into Stuxnet is his background in control systems — and in particular Siemens control systems. It turns out that though the code exploits a number of Microsoft 0days (MS10-061, MS10-046, plus two still to be patched elevation of privilege vulnerabilities), includes stealthy rootkit features, is digitally signed by valid stolen private keys, has a design that avoids standard malware detection, and is 500KB in size, its most interesting feature is a way to inject code into a running control system.
The size of Stuxnet alone makes it difficult to reverse, but what puts it beyond the reach of the anti-virus vendors who usually explain malware is its interaction with specific Siemens control systems.
That's where Langner comes in. Langner's lab includes the requisite Siemens equipment, properly instrumented for analysis with a debugger and wireshark. In addition to the specialized equipment, working knowledge of the Siemens proprietary control protocol is also required. The major parts of the control system are the SIMATIC Manager (an engineering tool), the SIMATIC WinCC (a digital control system) and the S7 PLC (which is a programmable logic controller interfacing directly with the physical system being controlled) .
Original reporting focused attention on the fact that Stuxnet infects a SCADA system (there are references to such reports all over the web, including this example). Though these reports were interesting, they were barking up the wrong tree. A more thorough analysis determines that Stuxnet is actually designed to attack a physical process, and for that reason resides on the process controller. Stuxnet is in essence a stealthy control system that can be used to disrupt a physical process that just so happens to be under the control of a particular Siemens process control system.
Stuxnet does most of its real dirty work (after installing itself and hiding itself from detection) by injecting a DLL called s7otbxox.dll. This classic DLL injection/interposition attack is used to manipulate data flow between the PLC and the SIMATIC control systems. One slightly amusing aside, the original Siemans DLL is not stripped and thus includes its symbol information; the Stuxnet attack DLL is stripped and is thus better protected against snooping!
Langner explains what the rogue DLL does by referencing its decompiled code. Basically, the code ensures that it is running on a valid PLC target (making various probes of specific words in memory, checking CPU type and Control Process type, and identifying individual targeted controllers). If it has acquired a target, it injects code directly into the PLC's Ladder Logic (LL). This is the code that directly impacts a physical process.
The Stuxnet LL injection (as shown by Langner in the STEP 7 programming language) changes the OB 35 (a process watchdog that runs on a 100 ms timer). It also hides itself by clearing accumulator registers under various conditions. The keyword DEADF007 triggers an attack condition inside the timer code. (While I was writing this, Symantec released a very nice detailed analysis of the PLC infection process.) In essence, the LL code can be used to disrupt a physical process.
Turns out all those 0day exploits were used to set up command and control for the Stuxnet. The worm uses the network to check for updates and determine whether it has been compromised. It can be updated by peer-to-peer mechanisms, and it can cut itself off from central control.
Why Go To All That Trouble?
According to Kaspersky, the Stuxnet worm has infected well over 100,000 machines, mostly in Iran (which accounts for over 50% of the infections), India, Indonesia, and Pakistan. There is a definite geographic pattern to its spread. Incidentally, Kaspersky calls the malware "the most sophisticated attack ever seen."
The main vector for Stuxnet appears to be USB devices. Theories hold that it was probably designed to be injected (probably unintentionally) by system integrators working directly with the target. Stuxnet also has network spreading capabilities, but it intentionally avoids spreading in a corporate network environment in order to avoid detection.
The kind of team required to assemble and deliver Stuxnet is worth some consideration. Langner points out on his website that the preparation would likely require a team including intelligence, covert operations, exploit writers, process engineers, control system engineers and product specialists. At the least this team would be tasked with assembling a development and test lab (including the correct process model), gathering intelligence on target specifics, and stealing private crypto keys. That's one reason why many researchers believe this to be the work of a nation-state (or at least a group of contractors assembled by a nation-state) .
Conjecture about why Stuxnet exists is rampant on the web. Some people, including Langner, believe that Stuxnet was designed to target the Bushehr nuclear plant in Iran. Others believe that the target was the uranium centrifuges in Natanz (a theory that seems more plausible to me). Everyone seems to agree that Iran is the target, and data regarding the geography of the infection lends credence to that notion.
And Now for the Bad News
Stuxnet is a fascinating study in the future of malware. Not only did it reveal at least 4 0days (which are still being patched by Microsoft), it clearly demonstrated that physical process control systems of the sort that control power plants and safety-critical industrial processes are ripe for compromise.
Now that the genie is out of the bottle, it is hardly possible to stuff it back in. Expect the techniques and concepts seen in Stuxnet to be copied. Attacks on process control systems are no longer the fantasies of paranoids in tinfoil hats — they are here.