Stuxnet

Stuxnet Getting
Getting to
to the
the target
target
Liam O Murchu

Feb 2011

Operations Manager, Symantec Security Response

1

Agenda
1

Stuxnet Capabilities

Network Distribution Tactics

Intel & Targets

Sophistication & Success

Solutions & Lessons Learned

Stuxnet Getting to the target

Stuxnet Features
Discovery disclosed in July, 2010
Attacks industrial control systems likely an Iranian
uranium enrichment facility
Modifies and hides code on Siemens PLCs
connected to frequency converters
Contains 7 methods to propagate, 4 zero day
exploits, 1 known exploit, 3 rootkits, 2 unauthorized
certificates, 2 Siemens security issues, 1 target.
3 versions, June 2009, March 2010, April 2010
Stuxnet - Sabotaging Industrial Control Systems

Stuxnet is targeted
Iranian Target

Stuxnet Getting to the target

PLCs
Programmable Logic Controller

Monitors Input and Output lines

Sensors on input
switches/equipment on outputs
Many different vendors

Stuxnet seeks specific Models

s7-300 s7-400

Stuxnet is Targeted
Targeting a Specific type of PLC
Searches for a Specific Configuration
Stuxnet & PLCs

Programming a PLC
Step7, STL and MC7

Simatic or Step 7 software

Used to write code in STL or other languages

STL code is compiled to MC7 byte code

MC7 byte code is transferred to the PLC
Control PC can now be disconnected
Stuxnet Infecting PLCs

Attack Preparation
Stuxnet Creator

Control
PC

PLC

Stuxnet Getting to the target

Uranium Enrichment
Facility
7

Attack Considerations
Internet Etc

Corporate LAN

Air Gap

Stuxnet Getting to the target

How Stuxnet Attacks Corporations

Stuxnet uses 7 different methods to propagate!
1. USB drives Zero Day
2. Print Spooler Vuln Zero Day

Control
PC

3. Ms08-067 Vuln
4. Network Shares
5. P2P sharing
6. Wincc Hard coded Password
7. Step7 projects

Stuxnet Getting to the target

Self-Replication

Step 7 Project Files

MyProject.s7p

types:

ApiLog
types
hOmSave7
S7HK40AX
s7hkimdb.dll
S7HK41AX
s7hkimdb.dll

DB
+00WORDcount
14 14 00 00 00 00 00
+02BYTE[]records
00 00 00 00
+00WORDcount
+02BYTE[]records

s7hkimdb.dll
%Step7%\S7BIN
%SYSTEM32%
%SYSTEM%
%WINDIR%
project's hOmSave7/* subdirectories

xutils
links
s7p00001.dbf (Stuxnet datafile)
listen
xr000000.mdx (encrypted Stuxnet)
s7000001.mdx (Stuxnet config data file)

Stuxnet - Sabotaging Industrial Control Systems

10

Stuxnet Windows Rootkit

Stuxnet - Sabotaging Industrial Control Systems

11

Attack Execution
Internet Etc

1. Initial Delivery

Corporate LAN
2. Network Exploits

3. Reporting
Updates

Air Gap
4. Bridge
AirGap5. Deliver Payload

Stuxnet Getting to the target

12

Delivering the threat

Stuxnet targeted specific companies in Iran
Only 10 initial targets
Resulting in over 14k infections
Research was needed to identify valuable targets
Companies connected to Uranium enrichment
Hope to infect someone who would visit a Uranium
enrichment facility
Someone who worked on Uranium enrichment
projects
Actual delivery method is unknown
Stuxnet Getting to the target

13

Limited Spread
Attackers wanted limited spread
No Internet capable exploits used
USB exploit only infects 3 machines
USB exploit has deadline of 21 days
All exploits have a deadline
Large configuration file
~430 different settings
Why did it spread so far?

Stuxnet Getting to the target

14

Why did it spread so far?

Zero .lnk vulnerability wildly successful
Step7 project infection very successful
Misunderstanding of how contractors interact
Misunderstanding of how connected companies are
Intended?
Needed to be more aggressive to succeed?

Stuxnet Getting to the target

15

Was Stuxnet Successful

We dont know.
1 year in the wild undiscovered
Over 100k infections
Majority in Iran
Natanz shut down
Industrial Companies Infected
Reports of infections at Natanz and Busheir
IAEA report states 1000 centrifuges offline in Nov
2009
Stuxnet Getting to the target

16

Was Stuxnet Successful

We dont know.
Discovered 3 months after USB zero day added
No report of centrifuges out of action since March
Gained high media attention
Analysis performed
Iranian authorities aware

Stuxnet Getting to the target

17

Sophistication
First threat to target hardware
Targets Uranium Enrichment
Large amount of code
Very configurable
4 zero days
Long Reconnaissance phase
Needed Hardware for testing
Targets 95/98,Win2k,Winxp,Vista,Win7
3 Rootkits
PLC programming knowledge
Stuxnet Getting to the target

18

Sophistication
It was discovered
No advanced encryption
C&C infrastructure easily taken down
Infection information stored
Blue screens?? (unconfirmed)
P2P not protected
Escaped outside of Iran

Stuxnet Getting to the target

19

New Version
Not simple to create new version
Cannot just drop in new zero days
Target specific information required
PLC programming knowledge
Exploit knowledge
Real danger is the idea
Now people know it can be done
People can start their own projects knowing it is
possible
Stuxnet Getting to the target

20

Solutions & lessons learned

Insider threat is significant Employees are major risk
IP is extremely valuable, protect it at all costs
Monitor systems and networks
Watch for red flags
Implemented real air gaps
Or accept this is not possible and protect computers
inside the air gap more vigorously
White listing, behavior blocking and reputation based
solutions can mitigate threat.
Device blocking USBs, contractor laptops, etc..
Vigilance is key
Stuxnet Getting to the target

21

Response
Need dedicated resources in place in advance that
can switch focus to a new threat quickly
Need engineers who are familiar with the latest
developments in the threat landscape
Need to respond quickly critical infrastructure
may be at risk
Private public partnership will be important
Growing market
We will see more of these types of threats in the
future, need to prepare for that.

Stuxnet Getting to the target

22

Summary
Stuxnet is the first publicly known malware to
intend real-world damage
Required resources at the level of a nation-state
While as a whole extremely sophisticated, the
technique to inject code into PLCs is not
Enterprises should assume attackers know how
these systems work
Has changed our job at Symantec
We expect to see more of these threats

Stuxnet Getting to the target

23

White Paper Available

W32.Stuxnet Dossier

Stuxnet Technical Details Available here:

http://www.symantec.com/content/en/us/enterprise
/media/security_response/whitepapers/w32_stuxnet
_dossier.pdf

Stuxnet Getting to the target

24

Thank you!
Liam O Murchu liam_omurchu@symantec.com

Copyright 2010 Symantec Corporation. All rights reserved.Symantec and the Symantec Logo are trademarks or registered trademarks
of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to
change without notice.

Stuxnet Getting to the target

25