Stuxnet: A possible attack scenario

Summary: Symantec security researcher Liam O Murchu posits a possible Stuxnet worm attack scenario. His speculation is driven by the technical features of the sophisticated malware threat.

TOPICS: Hardware, Security

By Liam O Murchu

The following is a possible attack scenario. It is only speculation driven by the technical features of Stuxnet.

Industrial control systems (ICS) are operated by specialized, assembly-like code running on programmable logic controllers (PLCs). The PLCs are often programmed from Windows computers that are not connected to the Internet or even to the internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the Internet.

First, the attackers needed to perform reconnaissance. As each ICS is quite custom, the attackers would first need design documents. These design documents may have been stolen by an insider or even retrieved by an early version of Stuxnet or other malicious binary. Once attackers had the design documents and potential knowledge of the computing environment in the facility, they would develop the latest version of Stuxnet. Each feature of Stuxnet was implemented for a specific reason and for the final goal of potentially sabotaging the ICS.

Attackers would need to set up a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals, in order to test their code. The full cycle may have taken six months and five to ten core developers, not counting numerous other individuals, such as quality assurance and management.

In addition, their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion. The attackers compromised two digital certificates to achieve this task. The attackers may have compromised these digital certificates by physically entering the premises of the two companies and stealing them, as the two companies are in close physical proximity.

To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.

Once Stuxnet had infected a computer within the organization, it began to spread in search of Field PGs, which are typical Windows computers used to program PLCs. Since most of these computers are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two-year-old vulnerability, by infecting Step 7 projects, and through removable drives.

Propagation through a LAN likely served as the first step, and propagation through removable drives as the means to cover the last and final hop to a Field PG that is never connected to an untrusted network. While the attackers could control Stuxnet with a command and control server, as mentioned previously the key computer was unlikely to have outbound Internet access. Thus, all the functionality required to sabotage a system was embedded directly in the Stuxnet executable. Updates to this executable would be propagated throughout the facility through a peer-to-peer method established by Stuxnet.

When Stuxnet finally found a suitable computer, one that ran Step 7, it would then modify the code on the PLC. These modifications likely sabotaged the system, which was likely considered a high value target due to the large resources invested in the creation of Stuxnet.

Victims attempting to verify the issue would not see any rogue PLC code, as Stuxnet hides its modifications. While the choice of self-replication methods may have been necessary to ensure the attackers would find a suitable Field PG, it also caused noticeable collateral damage by infecting machines outside the target organization. The attackers may have considered the collateral damage a necessity in order to effectively reach the intended target.
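As an added example, not part of Liam O Murchu's article, here is a small Python model of why verifying PLC code through the engineering host cannot be trusted once that host is compromised: the block names, their contents and the hiding logic are constructed for illustration, and the only trustworthy check is a comparison against an independently kept baseline of block hashes read through a channel the host does not control.

```python
import hashlib
from typing import Dict, Optional

# Constructed known-good PLC program blocks: Step 7-style names, dummy STL content.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1": b"CALL FC1\nCALL FC2\n",
    "FC1": b"L MW10\nT MW12\n",
}

def block_hashes(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every block, keyed by name; the baseline is stored offline."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}

def compromised_host_view(actual: Dict[str, bytes], cover: Dict[str, Optional[bytes]]) -> Dict[str, bytes]:
    """Hypothetical model of a compromised Field PG: blocks listed in `cover` are
    either hidden entirely (None) or shown with their pre-modification content,
    so reading the program back through the host reports a clean project."""
    view: Dict[str, bytes] = {}
    for name, code in actual.items():
        if name not in cover:
            view[name] = code
        elif cover[name] is not None:
            view[name] = cover[name]
        # cover[name] is None: the block is hidden from the host entirely
    return view

def compare(baseline_hashes: Dict[str, str], observed: Dict[str, bytes]) -> Dict[str, list]:
    """Diff an observed block set against the offline baseline hashes."""
    seen = block_hashes(observed)
    return {
        "added": sorted(set(seen) - set(baseline_hashes)),
        "missing": sorted(set(baseline_hashes) - set(seen)),
        "modified": sorted(n for n in seen if n in baseline_hashes and seen[n] != baseline_hashes[n]),
    }

def scenario():
    """Constructed case: OB1 gains an extra call and a new block FC100 appears on
    the PLC; the host hides FC100 and presents the original OB1."""
    baseline = block_hashes(BASELINE_BLOCKS)
    actual = dict(BASELINE_BLOCKS)
    actual["OB1"] = b"CALL FC1\nCALL FC2\nCALL FC100\n"   # modified entry block
    actual["FC100"] = b"L MW20\nT PQW256\n"               # attacker-added block (constructed)
    cover: Dict[str, Optional[bytes]] = {"OB1": BASELINE_BLOCKS["OB1"], "FC100": None}
    through_host = compare(baseline, compromised_host_view(actual, cover))
    out_of_band = compare(baseline, actual)   # read via an independent, trusted tool
    return through_host, out_of_band

if __name__ == "__main__":
    host, oob = scenario()
    print("via compromised host:", host, "\nindependent read:", oob)
```

The host view reports no discrepancies at all, while the independent read flags both the modified OB1 and the added FC100 against the same baseline.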

The attackers likely completed their initial attack by the time they were discovered.

* Liam O Murchu is a researcher in Symantec's security response team. He co-wrote a dossier on Stuxnet with Nicolas Falliere and Eric Chien.

  • Fascinating.

    What we have here is yet another case of DLL injection.
    Same story, seasoned with a bit of international intrigue.

    Do you find this fascinating?
    I do, but, not in the way the author hopes.

    It's fascinating that the direction is turned away from Microsoft onto the 'hackers' and the 'mode of infection'.

    DLL injection has been going on for years now, in fact, Computerworld just the other day wrote an article about "IE users most at risk from DLL Injection".

    Now, we are supposed to be engaged by this most interesting article, yet it overlooks the seriousness of this defect in Microsoft Windows.

    I respond to you with this:
    Please avoid using Microsoft Windows to access the internet.
    Be proactive and install Ubuntu Linux as your base system (Jason Perlow did) and if you truly need Windows, then install it into a VM, e.g., VirtualBox.

    Then make the virtual machine 'immutable', which keeps the VM from getting infected.

    Or, simply surf the internet with Ubuntu Linux Firefox running in an AppArmor sandbox.

    To enable the FF profile for AA, open a terminal window and type:

    [b]$sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/b]

    Your machine will never get infected if you do this. NEVER.

    So, don't be a victim. Take my advice and run Ubuntu Linux as your base system.

    Be Safe.
    Ubuntu Linux: The safest operating system on the planet.
    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • Thanks for the link to that article

      @Dietrich T. Schmitz, Your Linux Advocate
      [i]IE users most at risk from DLL Injection[/i]

      Wow, scary stuff! I noticed that the article stated that IE users on Vista and Windows 7 weren't vulnerable to these attacks because Protected Mode, which is on by default, prevents those attacks from working.

      After a careful analysis, I've decided that it is easier to continue using Windows 7 with its "on by default" browser protection rather than switching to an OS that won't run my applications and has absolutely no browser protections in place by default.

      [i]So, don't be a victim.[/i]

      I won't, I run Windows 7. You know, the OS that is safe by default and doesn't require you to look up a man page article on aa-enforce in order to be safe.

      [i]Your machine will never get infected if you do this. NEVER.[/i]

      PS You are lying. Linux is not immune to malware.
      • Pants on fire.

        @NonZealot

        You resort to calling me a liar.
        And you resort to putting words in my mouth.

        I remind you that it is official knowledge that Windows 7 64-bit has been rooted and protected mode doesn't help.

        Microsoft doesn't provide LSM. There is no arguing that point.

        LSM allows any app to be profiled and sandboxed against any exploit. There is no way for privilege escalation to occur with LSM. No arguing that point either.

        Nobody need read a man page. There is a help icon on the Ubuntu menu.

        To say that you are spouting misinformation is an understatement.

        Pants on fire.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: Stuxnet: A possible attack scenario

        LOL way to call him out! He just got served!

        LOL he's gotta be feeling like crap right now LOL
        Loverock Davidson
      • RE: Stuxnet: A possible attack scenario

        @deitrich t. schmitz

        Talk about spouting misinformation. The win 7 x64 rootkit requires that the USER AUTHORIZE AN ELEVATION TO ADMIN, before it can install. Protected Mode is not bypassed by any known malware. Makes one question your hacker credentials if you can't get this basic information right. And nonzealot is right, in Windows the browser is sandboxed BY DEFAULT, so it's appropriate for mom and pop and little jimmy who aren't going to have the slightest clue what the hell a CLI is. And there are programs to control sandboxing on Windows, like chml.exe which will allow you to control what is write-able and read-able to any program sandboxed with a low integrity mandatory access control, like for example internet explorer. Additionally there's various programs like sandboxie. Maybe you should get some of your basic facts right before shouting 'misinformation' at people.
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate

      [i]I respond to you with this:
      Please avoid using Microsoft Windows to access the internet..[/i]

      Um... you must have overlooked the part about SCADA workstations being isolated from all external networks, which would preclude them from getting anywhere close to the internet.

      Mine, for example, all have 35 to 50 ft. air gaps between the SCADA networks and any other network in the same building.

      Any idiot who connects a SCADA workstation to the internet should be terminated on the spot for incompetence.

      Hallowed are the Ori
      • Point well taken

        @Hallowed are the Ori
        But JUST ONE rogue pc on the subnet (unauthorized) is all it takes.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • Hallowed are the Ori, DTS is right:

        [i]But JUST ONE rogue pc on the subnet (unauthorized) is all it takes[/i]

        He's right. We've seen that happen to Linux a few times.
        John Zern
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate

      You are Right! I am SOOO tired of Loverock Davidson! OMG and all that!! Mr Davidson Is nothing more than a Smart butt! I am A USER! Linux and AppArmor are THE BEST! I have used ALL WIN 7, VISTA, XP, ME. ETC.... Nothing but problems with them all! My DAD was got! My brother was got! My friends were got! AS A USER! You are right! Linux is the way to go! My family uses mint, I use suse! You Go!

      Randy A. Stiles, Linux Advocate
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate

      Unfortunately, you have missed the main points of the article (which I found fascinating - thanks Mr Murchu) and it was this: This is a sophisticated multi-vector virus designed to exploit many weaknesses, and even the controllers (these do not run Windows). Because they knew the controlling computers did not connect to the internet, they embedded their own communication schemes. And they had access to the correct controller hardware and revs and compromised signatures. Wow.

      What you need to create this is a large group of dedicated and imaginative hackers, some black ops (for the certificates), some serious $$$, and some zero-day exploits. Every operating system has plenty of these zero-day exploits (yes, even your venerable Linux - check out cert dot org if you don't believe me).
      • Focus on the PLC - not Windows/Linux debate

        thank you batpox.

        most of the other posters have missed the point the target device is the PLC which actually controls the equipment.

        Targeting these controllers is totally manufacturer specific. Virus code for a Siemens PLC will not work on an Allen Bradley controller etc. You need to know how each facility uses PLCs from which manufacturer.

        the windows machine is "only" part of the delivery mechanism to get the virus to the PLC.

        Targeting the machine controllers is a huge step
    • Why Ubuntu?

      @Dietrich T. Schmitz, Your Linux Advocate

      You really push for Ubuntu. It underwhelms me as compared to fedora or openSuSE, but I digress.

      Linux is great and all, however you highlight why it's not mass adopted. Where is the 'Protect your Web Browsing with AppArmor' check box in a Security preference pane? Remember, you are advising Windows users to type a (to them) cryptic command that if not done perfectly does not work and they won't know it.

      They'll be focusing on sudo, wondering if that is a Japanese word or something and putting spaces after each slash.

      Out.
      • RE: Stuxnet: A possible attack scenario

        Ubuntu is used more than Fedora. Fedora is more experimental; things are tested in Fedora that may be used in Red Hat Linux.

        The biggest user of Red Hat Linux is the United States Army. Most of these systems run on the military internet.

        Running command line is no different than running command prompt using Windows. I am more comfortable running ipconfig/release or /renew, than going through network connections and right click then disable. Maybe, because I have used it so much, running just dos no gui.

        sudo: "SUper-user DO"

        sudo is not Japanese. A monk may knock on your door, for mocking their language.

    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate You are an idiot for saying that Ubuntu (and Linux) will NEVER be vulnerable. Since Linux is the os on Android phones (and other mobile devices), it's going to gain a larger market share. This means that hackers are going to start looking at it. And unless there's a completely separate kernel for mobile devices, what affects them will affect your precious desktop.

      Also, I would imagine that App Armor has been updated--not to solely add features, but because of security issues. So don't claim that it's immune. The reality is that hackers aren't even looking at it YET.

      Note, I'm writing this on Firefox (without AppArmor) on Ubuntu 10.04. While it's my main OS, I'm a realist and I don't buy into the "it's impenetrable" line of crap.

      Have a great day:)
      • RE: Stuxnet: A possible attack scenario

        @pdickey043@... You have it exactly right. Mr. Schmitz is under the dangerously mistaken impression that his OS of choice is impermeable by the same types of malware as Windows is and has learned nothing from Apple's pride. Wasn't it Apple who only up until recently shouted from the mountain tops "Ha ha. You can't touch us!" only to fall alongside the Windows? Mr. Schmitz won't be educated until his personal computing world collapses and he has to ask, "Hey! Wait a second... what just happened?!?" ...When whatever his favorite flavor of Linux distro at the time receives the same kind of unfavorable attention for mass infections as Windows... and OS X...

        Currently, no one cares about Linux as a platform for spreading their malicious wares because the reward is so low. No one cared about infecting OS X until there were enough Mac users. Linux is no different.

        I'm not sure why something so logical escapes people who seem to be somewhat rational thinkers otherwise. The common criminal even applies better logic to his targets than does Mr. Schmitz's thinking.
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate Man you're funny little dude.
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate
    • RE: Stuxnet: A possible attack scenario

      @Dietrich T. Schmitz, Your Linux Advocate:
      I can't wait to tell my business users to $sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

      Please Linux folks, get out of the dark ages. Command lines are three generations old now. What is the 500 user scenario?
      • RE: Stuxnet: A possible attack scenario

        You do know there is a command prompt in Windows.

        Explain to me: what 500 user scenario are you talking about?

        You do know that the biggest user of Linux Red Hat is the US Army.

      • RE: Stuxnet: A possible attack scenario

        Yes there is a com-prompt in Windows... the difference is that one does not need to use it for what should be average usage or process activation. Security measures that ALL users should be able to easily access/activate need to be kept simple... command-line-only utilities should remain the domain of power-users, with the rest control-panel/application-based access that is easy to use.