STUXNET: Opening Pandora’s Box?

13 07 2012

In June of 2010, VirusBlokada an antivirus company identified a new threat called the W32.STUXNET.  Stuxnet had hitherto unheard of complexity for a virus/worm. It is billed to be one of the most sophisticated and complex malware ever to be created. In no less than a Hollywood spy thriller fashion, it has been alleged that the whole purpose of the STUXNET creation was to destroy/damage nuclear facilities of IRAN to stop it from Uranium enrichment. (References [1] through [5])

What is STUXNET?

STUXNET is a malware targeted specifically at Industrial Control Software from Siemens running on their PLCs. STUXNET is reported to have infected about 100,000 systems worldwide; a majority of them in IRAN, Indonesia and India. [1]

This article describes some basic details of the STUXNET worm drawn from the information in the references. For a detailed report of STUXNET and its modus operandi, see [1] and [3]

According the security experts who identified and studied the malware, its sophistication, significantly large size (~1MB) and ability to exploit more than one vulnerability was not usual for a malware.

The STUXNET malware contains of two parts:

  • The Delivery mechanism or the dropper
  • The payload

The delivery mechanism made use of at least 4 WINDOWS “0-day vulnerabilities” known at the time of its creation. The virus spread from one computer to another either by portable drives or using 2 network vulnerabilities.  It also used 2 stolen Digital certificates (Certificates of Realtek and JMicron) to install itself without being flagged as suspicious. Once installed, if the computer has WINCC database and STEP7 software from SIEMENS, it infects the folders belonging to these software. These computers do not have to be remotely controlled or connected to a network. The malware has all the required components within itself.

The malware intercepts the communication between the PLC and the WINCC/STEP7 software and able tin install itself on the PLC. Once on the PLC, it looks for highly specific type of SCADA configurations connected to the PLC. If the configuration matches its targets, it carries out the attack by modifying the process being controlled, while also modifying the sensor inputs that are reported back to the human supervisor and the control software. This ensures that the human operator and the control software do not suspect abnormal behavior. It also makes use of a vulnerability in the WINCC software.

The detailed presentation video from Ralph Langner who was one of the researchers who worked on figuring out the targets/purpose of STUXNET can be found at: http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/ (reference [3])

The Natanz enrichment plant in IRAN reported the enrichment program to have been delayed. Security experts attribute this delay to the successful STUXNET attack.

Predecessors, Successors and derivatives…….

At least two newer malware have been declared by security experts to be using a part of the STUXNET code and attack strategy.

  • Duqu: As per Symantec, Duqu “seems to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to Stuxnet, but its sole purpose is to gather intelligence which could be used to give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted, and its targets include suppliers to industrial facilities.” [6]
  • Flame: Also known as SkyWiper, a large malware of ~20MB in size with a number of components, primarily for espionage and intelligence gathering uses exploits similar to ones used by STUXNET [7]. Although there are differing opinions about its similarities/links to STUXNET.

Variations of the STUXNET available online for any interested hacker/cracker/attackers to modify and use for their own agenda. Detailed analysis available from various security companies and experts may also provide details of STUXNET to anyone with malicious intent to recreate such malware.

Pandora’s Box….

The Stuxnet targeted a specific software and hardware; Siemens PLC and associated software. With sufficient mal-intent and resources, such threats could be mounted against similar industrial control systems or other computerized systems that are part of our daily life. Possibility to target any kind of software intensive system cannot be ruled out in this scenario.

If newer malware can have the level of complexity and precision targeting that STUXNET is attributed to have, a number of industries, facilities and economic systems could be targeted.

Some of the potential targets are Utilities such as water, electric, transportation system, Refineries, medical, food processing, large plants, manufacturing industries, oil pipelines, etc..

Whether the handiwork of terrorist groups or adversary states; the cyber security threat is significantly higher than before.

Improvisation……

While the STUXNET’s purpose was allegedly to halt or delay Iran’s nuclear program only, improvised variants of the same could be used for:

1. Espionage

2. Cybercrime

3. Destruction of specific facilities or targets

4. Control

Hard Questions…..

Governments:

1. Identifying the facilities and systems that are vulnerable

2. Drafting strategies to counter the threat

Private organizations:

Companies whose manufacturing systems use such control components need to figure out ways to secure and reduce threat to their operations.

Companies developing and deploying such control systems need to identify all such vulnerabilities in the software and hardware components that they sell.

Companies specializing in security and threat monitoring need to widen their scope of operations to include PLCs, SCADA, portable smart devices, etc.

Challenges:

1. Identifying the level of security that is sufficient to protect a given system is extremely hard given the nature of attacks that are devised.

2. Integration of handheld and mobile devices into control and IT infrastructure poses new challenges to companies that may use remote monitoring of machinery/processes.

3. A lot of control systems are what are popularly known as embedded systems. These systems essentially work on very stringent memory/power/price constraints.  These factors make it hard for the developing companies to add significant amount of security on these devices. Therefore the motivation to implement good security measures is low.

4. Financial and resource burden prevent companies from over-hauling security aspects of devices/software until it becomes mandatory or regulated.

5. Companies have to find effective ways to deal with INSIDER threats. Creation of STUXNET would not have been possible without insider involvement and highly detailed and confidential information specific to the targeted products.

The intentions or the identity of the creators of STUXNET may never be fully known. But it is going to be very hard for the world to successfully plug the vulnerabilities and weaknesses that it has exposed.

___________

[1]:http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

[2]: http://spectrum.ieee.org/podcast/telecom/security/how-stuxnet-is-rewriting-the-cyberterrorism-playbook

[3]: http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/

[4]: http://en.wikipedia.org/wiki/Stuxnet

[5]:http://www.ted.com/talks/lang/en/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

[6]: http://www.symantec.com/outbreak/?id=stuxnet

[7]: https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

Advertisements




Is Duqu Looking to Build Off of Stuxnet’s Success?

21 11 2011

In October of 2011, a laboratory notified the Symantec Corporation of a piece of malware that had some similarities to the Stuxnet worm that gained worldwide attention in 2010. Given the massive attention and allegations that the Stuxnet worm was a state funded operation, Symantec and other security experts began launching a full investigation into this new piece of malware. The malware was eventually given the name Duqu as a result of the software creating files with the prefix “~DQ” on an infected machine.

Before we delve into the details uncovered of the Duqu Trojan, let’s take some time to refresh our memories on what Stuxnet was and how it operates. Stuxnet is a computer worm that was designed to infect Siemens industrial software to disrupt the centrifuges used to enrich uranium. Stuxnet would rapidly increase and decrease the speed of the nuclear centrifuges in order to cause mechanical failures in the industrial equipment. While Stuxnet was doing its duty on the centrifuges it would also send back false information to the monitoring systems so the human operators would have no idea that their equipment was about to fail. It should be noted that while there is no way to be 100% sure, it is widely accepted that Stuxnet was targeting nuclear centrifuges in Iran. The beauty of the Stuxnet worm was that while it infected Microsoft Windows computers it was not designed to negatively impact the client. Unless it was determined that the host was used a piece of Siemens equipment used in nuclear plants, Stuxnet remained relatively dormant. Furthermore, (and even more staggering) was that Stuxnet’s target was a closed system. The worm couldn’t simply access its target via a network connection. So, it was sent out in the wild to infect as many Windows machines as possible with hopes that it was land on a specific laptop that would occasionally be connected to a Siemens PLC and from there it could start working on the centrifuges.

Stuxnet used Adobe PDF files and removable media such as flash drives to infect clients and once on a system used peer to peer connections to propagate itself across a network. Stuxnet was able to exploit four different zero day flaws in Windows to inject a driver into the operating system kernel. This technique is often typical in rootkits which allows the malicious software to operate outside of the realms of typical malware enabling the rootkit to hide itself or resist removal from anti-virus software. A rather brilliant aspect of Stuxnet was its use of digital signatures.  The Stuxnet software, in particular, the kernel driver was signed using a software signing certificate which gave the software a bit of inherited credibility due to trust chain of signed code.

You may be thinking “Ok…well why was Stuxnet so popular? The targets were such a small subset of the global computer world”. That is exactly why it was such a hot topic in the IT Security circles. Stuxnet was the Wayne Gretzky of malware it changed the way the game was played. Stuxnet was the first piece of malware to specially target an industrial asset and therefore single handedly changed the entire threat landscape for security professionals. Now your security stance needs to address industrial control systems as well as your computer systems. Another daunting thought was that the Stuxnet infection was so large it could have had devastating success of negatively impacting clients if they were the desired target.

Enter Duqu.

Duqu is a combination of malicious files that ultimately work together to exploit a specific target. Duqu, like Stuxnet, exploits a zero day flaw in Microsoft Windows to inject a digitally signed kernel driver into the operating system. The malicious driver will then launch a series of DLLs which in turn load a Remote Access Trojan (RAT) onto the infected client. A remote access trojan is malicious software that allows the operator of Duqu to gain information about the client remotely. In addition to the trojan malware Duqu also implement a key logger on the infected machine which will log the keystrokes entered on a client and then ship those logs off to the threat actor. Unlike Stuxnet the actual infection methods of Duqu are unknown as the initial installer or dropper is removed from the client once infected.  Also unlike Stuxnet, Duqu does not appear to be targeting industrial systems like PLCs. Instead, the end goal is to provide the attacker remote access to a client machine to gain information.  In that brief summary you can gather that at face value there appear to be some links between Duqu and Stuxnet. Both pieces of malware use a zero day exploit to inject kernel drivers into the operating system as a rootkit to hide files and possibly for persistence. They both also used digital signed code in their malware.

Here is a great table from Dell comparing some of the major aspects of Stuxnet and Duqu

Credit: Dell Secure Works “Duqu Trojan Questions and Answers”

However as I mentioned earlier, when first reported many security professionals were quick to label Duqu the “Son of Stuxnet”. There was additional speculation that Duqu was written and launched by the creators of Stuxnet or that it was the next evolution in the Stuxnet infection. However, there has been a shift in these speculations recently stating that the similarities while present don’t necessary provide enough evidence to say without a doubt that they are from the same actors. Dell Secure Works has stated that “One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level” (http://www.secureworks.com/research/threats/duqu/) . I should also mention that the Symantec Corporation has also done extensive research into the Duqu Trojan and they have stood by their initial assessment that Duqu is strongly related to Stuxnet and is likely the work of the same attackers.

In my opinion, I am more likely to side with Dell’s conclusion. I feel that Stuxnet was so widely researched and so much knowledge is available on the internet about the fundamental operations of Stuxnet it is within reason to think that someone could have used some portions of Stuxnet to create Duqu while not being involved in the Stuxnet operation. After all, Stuxnet has been completely reverse engineered and the source code is available for download. Whether or not it is related, it appears that Duqu appears to be a very specific attack and if you are in the cross hairs, you should be paying attention.

_____________________

Dell Secure Works Duqu Trojan Questions and Answers
http://www.secureworks.com/research/threats/duqu/

What is Duqu Up to
http://www.informationweek.com/news/security/cybercrime/231902209

Cyber Warfare: A different way to attack Iran’s reactors
http://www.cnn.com/2011/11/08/tech/iran-stuxnet/

Same authors created malware that infected nuclear facilities?
http://www.msnbc.msn.com/id/45136542/ns/technology_and_science-security/t/same-authors-created-malware-infected-nuclear-facilities/#.TrmqLbJU1Bk

Spotted in Iran, Duqu may not be “son of Stuxnet” after all
http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars

W32.Duqu
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Stuxnet Dossier
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf





The Mystery of the DuQu Virus

19 11 2011

By now we have all become familiar with Stuxnet since it has effectively set the stage for the future of cyber attacks.  The virus revealed to the world the importance of information security when in 2010 it methodically infiltrated the controls of industrial facilities, as well of thousands of other computers.  One thing we have noticed is that the worm seemed to be created for the intention of impairing a specific target, though normal computer users, like you and I, don’t have to worry.  Analysis of the program code suggests there is a kill date, which means the virus it will stop spreading by June 24, 2012.[1]  Since the discovery of the worm back in 2010, there have been theories surfacing that indicate the sophisticated code of Stuxnet could be used against others.  And now it appears that those concerns have become a reality.

During mid-October this year, the Symantec Corporation announced it had uncovered instances of malicious code infiltrating Windows based operating systems.  The true origin is unknown but Symantec announced it had been alerted to the existence of a new Trojan virus circulating in Europe.  The lab responsible for first identifying the virus was Hungary’s Laboratory of Cryptography of Systems Security (CrySyS).  Each organization had published a report that stated that they found certain elements of the coding for this new virus had closely resembled the Stuxnet code.  If further investigation confirms what many have already concluded, hackers are now using Stuxnet-like coding to promote their own agenda.[2]

This new worm is now being referred to as the “DuQu” virus, which is in reference to the virus’s trademark to create files with “~DQ” as the prefix.  Microsoft has admitted that the sophisticated attack exploits vulnerabilities in Windows OS and mainly Microsoft Word.  Specifically, the worm manipulates a zero-day flaw in Microsoft Office’s TrueType font parsing engine, the news of which has put into question Microsoft’s ability to perform appropriate risk management for its products.   It has been reported that an estimated nine organizations have officially been compromised.  Some of those firms were located in France, Netherlands, Switzerland, Ukraine, and India. Similar reports indicate Duqu has been able to expand to the United Kingdom, Austria, Hungary, and Indonesia.[3] Many more corporate entities may have been affected as well but have chosen to keep the knowledge of system intrusion from the public.

While observed in the field as an active attack, Duqu would be sent initially in an e-mail, “if a recipient opened the (attached) Word document and infected the PC, the attacker could take control of the machine and reach into an organization’s network to propagate itself and hunt for data,”[4] according to Kevin Haley who is the Director of Symantec’s Security Response division.  Although there has been some debate over whether or not Duqu has been able to propagate successfully or if it just has the potential to do so in the future. Duqu is considered a blended threat since it acts as a worm as well as a Trojan horse. The virus, like Stuxnet, fools the infected PC with a counterfeit digital certificate, and collects information, such as keystrokes and system data, in preparation for possible future attacks.  It is important to note; however, that the Duqu does not contain targeted programmable logic. Another characteristic of the virus is that it has a lifecycle of 36 days; it then removes itself to avoid detection.

Does this Trojan horse affect individual users as well as high profile corporations?  Currently the answer fortunately appears to be no.  Though there are an increasing number of harmful viruses that can operate undetected by average consumer security software.[5] Considering the circumstances of the Duqu virus, so far the infection has at most targeted only a few dozen devices, not nearly the same impact as the Stuxnet virus.[6]  However, the observed capability of the Duqu virus opens the door to the possibility of a new generation of viral attacks that could be used in many different contexts, either against large corporations and banks or individual users.

The potential threat is real and being taken very seriously by government authorities, such as the US Department of Homeland Security, who are aggressively analyzing the virus to identify the source and objective. Currently there seems to be a debate between information security researchers who are attempting to understand where the Duqu virus originated. Symantec has said it believes the Duqu program came from the same entity that launched Stuxnet, indirectly accusing the US.[7]  Other security specialists disagree with the assertion that the US was involved, citing that the virus appears to be targeting allies of the US. Those who do not believe it was the US, assume that whoever designed the Duqu code, borrowed from the architecture of Stuxnet. Amongst the uncertainty and difference of opinion, most analytical sources hint that the complexity of the virus insinuates a government is likely assisting the hackers. Of course more evidence must be collected before this can be confirmed.

Certain media outlets have equated Duqu virus as the “son” of the Stuxnet worm, which should be viewed as indication that we are observing the early stages of hackers researching and developing high-tech cyber weapons that would target the control systems of critical infrastructure and/or steal sensitive and private information.  This also means it will be increasingly difficult to identify and prevent against these attacks.  Most recently, authorities have traced the Duqu virus to a command and control server that was hosted by a Belgian webhosting company, the Combell Group.[8] Though it is doubtful that Belgium or Combell was responsible, mainly because it is not an uncommon practice for hackers to lease servers for malicious purposes. Often leaving the data center operator completely unaware of the activities, which is what happened in this particular instance.

The overall impact of Duqu on the sector of information security is still not entirely evident despite a few analytical reports already published. As a malware, it could be that the actual purpose of the virus is to simply collect financial data illegally instead of being launched with the intention of inciting international cyber warfare.[9]  Only time and further analysis will reveal the truth.  But until then, governments, corporations, and the public at large should learn from this incident so that when/if a cyber superpower does attempt to target and infiltrate our systems, there are protective measures in place.


[1] Elinor Mils, “Stuxnet: Fact vs Theory” http://news.cnet.com/8301-27080_3-20018530-245.html

[3] Jason Mick, “Daily Tech,” Customers Are at High Risk after a Gaping Hole Was Found in MSO’s Security, November 2, 2011, http://www.dailytech.com/Nasty+Duqu+Worm+Exploits+Same+Microsoft+Office+Bug+as+Stuxnet/article23174.htm.

[4] Jim Finkle, “Microsoft Software Bug Linked to ‘Duqu’ Virus” Reuters, November 01, 2011, http://www.reuters.com/article/2011/11/01/microsoft-cyberattack-idUSN1E7A01H620111101.

[5] Joseph Menn, “Threats Pile up in a Cyberwar That Never Ends,” The Globe and Mail, June 2, 2010, http://www.theglobeandmail.com/report-on-business/international-news/global-exchange/threats-pile-up-in-a-cyberwar-that-never-ends/article2044163/.

[6] Jim Finkle, “Duqu computer hackers shift to Belgium after India raid” Reuters, October 28, 2011, http://www.reuters.com/article/2011/10/28/cybersecurity-india-idUSN1E79R1G020111028

[7] W32.Duqu: The Precursor to the next Stuxnet, October/November 2011, Symantec Corp.

[8] Jim Finkle, “Duqu computer hackers shift to Belgium after India raid” Reuters, November 01, 2011, http://www.reuters.com/article/2011/11/03/cyberattack-belgium-idUSN1E7A10Q320111103

[9] Lysa Myers, “The Security Industry That Cried Wolf,” SC Magazine US, November 4, 2011, http://www.scmagazineus.com/the-security-industry-that-cried-wolf/article/216088/?utm_source=dlvr.it.