STUXNET: Opening Pandora’s Box?

13 07 2012

In June of 2010, VirusBlokada an antivirus company identified a new threat called the W32.STUXNET.  Stuxnet had hitherto unheard of complexity for a virus/worm. It is billed to be one of the most sophisticated and complex malware ever to be created. In no less than a Hollywood spy thriller fashion, it has been alleged that the whole purpose of the STUXNET creation was to destroy/damage nuclear facilities of IRAN to stop it from Uranium enrichment. (References [1] through [5])

What is STUXNET?

STUXNET is a malware targeted specifically at Industrial Control Software from Siemens running on their PLCs. STUXNET is reported to have infected about 100,000 systems worldwide; a majority of them in IRAN, Indonesia and India. [1]

This article describes some basic details of the STUXNET worm drawn from the information in the references. For a detailed report of STUXNET and its modus operandi, see [1] and [3]

According the security experts who identified and studied the malware, its sophistication, significantly large size (~1MB) and ability to exploit more than one vulnerability was not usual for a malware.

The STUXNET malware contains of two parts:

  • The Delivery mechanism or the dropper
  • The payload

The delivery mechanism made use of at least 4 WINDOWS “0-day vulnerabilities” known at the time of its creation. The virus spread from one computer to another either by portable drives or using 2 network vulnerabilities.  It also used 2 stolen Digital certificates (Certificates of Realtek and JMicron) to install itself without being flagged as suspicious. Once installed, if the computer has WINCC database and STEP7 software from SIEMENS, it infects the folders belonging to these software. These computers do not have to be remotely controlled or connected to a network. The malware has all the required components within itself.

The malware intercepts the communication between the PLC and the WINCC/STEP7 software and able tin install itself on the PLC. Once on the PLC, it looks for highly specific type of SCADA configurations connected to the PLC. If the configuration matches its targets, it carries out the attack by modifying the process being controlled, while also modifying the sensor inputs that are reported back to the human supervisor and the control software. This ensures that the human operator and the control software do not suspect abnormal behavior. It also makes use of a vulnerability in the WINCC software.

The detailed presentation video from Ralph Langner who was one of the researchers who worked on figuring out the targets/purpose of STUXNET can be found at: http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/ (reference [3])

The Natanz enrichment plant in IRAN reported the enrichment program to have been delayed. Security experts attribute this delay to the successful STUXNET attack.

Predecessors, Successors and derivatives…….

At least two newer malware have been declared by security experts to be using a part of the STUXNET code and attack strategy.

  • Duqu: As per Symantec, Duqu “seems to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to Stuxnet, but its sole purpose is to gather intelligence which could be used to give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted, and its targets include suppliers to industrial facilities.” [6]
  • Flame: Also known as SkyWiper, a large malware of ~20MB in size with a number of components, primarily for espionage and intelligence gathering uses exploits similar to ones used by STUXNET [7]. Although there are differing opinions about its similarities/links to STUXNET.

Variations of the STUXNET available online for any interested hacker/cracker/attackers to modify and use for their own agenda. Detailed analysis available from various security companies and experts may also provide details of STUXNET to anyone with malicious intent to recreate such malware.

Pandora’s Box….

The Stuxnet targeted a specific software and hardware; Siemens PLC and associated software. With sufficient mal-intent and resources, such threats could be mounted against similar industrial control systems or other computerized systems that are part of our daily life. Possibility to target any kind of software intensive system cannot be ruled out in this scenario.

If newer malware can have the level of complexity and precision targeting that STUXNET is attributed to have, a number of industries, facilities and economic systems could be targeted.

Some of the potential targets are Utilities such as water, electric, transportation system, Refineries, medical, food processing, large plants, manufacturing industries, oil pipelines, etc..

Whether the handiwork of terrorist groups or adversary states; the cyber security threat is significantly higher than before.

Improvisation……

While the STUXNET’s purpose was allegedly to halt or delay Iran’s nuclear program only, improvised variants of the same could be used for:

1. Espionage

2. Cybercrime

3. Destruction of specific facilities or targets

4. Control

Hard Questions…..

Governments:

1. Identifying the facilities and systems that are vulnerable

2. Drafting strategies to counter the threat

Private organizations:

Companies whose manufacturing systems use such control components need to figure out ways to secure and reduce threat to their operations.

Companies developing and deploying such control systems need to identify all such vulnerabilities in the software and hardware components that they sell.

Companies specializing in security and threat monitoring need to widen their scope of operations to include PLCs, SCADA, portable smart devices, etc.

Challenges:

1. Identifying the level of security that is sufficient to protect a given system is extremely hard given the nature of attacks that are devised.

2. Integration of handheld and mobile devices into control and IT infrastructure poses new challenges to companies that may use remote monitoring of machinery/processes.

3. A lot of control systems are what are popularly known as embedded systems. These systems essentially work on very stringent memory/power/price constraints.  These factors make it hard for the developing companies to add significant amount of security on these devices. Therefore the motivation to implement good security measures is low.

4. Financial and resource burden prevent companies from over-hauling security aspects of devices/software until it becomes mandatory or regulated.

5. Companies have to find effective ways to deal with INSIDER threats. Creation of STUXNET would not have been possible without insider involvement and highly detailed and confidential information specific to the targeted products.

The intentions or the identity of the creators of STUXNET may never be fully known. But it is going to be very hard for the world to successfully plug the vulnerabilities and weaknesses that it has exposed.

___________

[1]:http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

[2]: http://spectrum.ieee.org/podcast/telecom/security/how-stuxnet-is-rewriting-the-cyberterrorism-playbook

[3]: http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/

[4]: http://en.wikipedia.org/wiki/Stuxnet

[5]:http://www.ted.com/talks/lang/en/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

[6]: http://www.symantec.com/outbreak/?id=stuxnet

[7]: https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: