  1. #1 StrontiumDog
    Stuxnet Questions and Answers

    Stuxnet Questions and Answers - F-Secure Weblog : News from the Lab

    Posted by Mikko at 02:55 GMT

    Stuxnet continues to be a hot topic. Here are answers to some of the questions we've received.

    Q: What is Stuxnet?
    A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.

    Q: Can it spread via other USB devices?
    A: Sure, it can spread via anything that you can mount as a drive, like a USB hard drive, mobile phone, picture frame and so on.

    Q: What does it do then?
    A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

    Q: What does it do with Simatic?
    A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.



    Q: Which factory is it looking for?
    A: We don't know.

    Q: Has it found the factory it's looking for?
    A: We don't know.

    Q: What would it do if it finds it?
    A: It makes complex modifications to the system. Results of those modifications cannot be detected without seeing the actual environment. So we don't know.

    Q: Ok, in theory: what could it do?
    A: It could adjust motors, conveyor belts, pumps. It could stop a factory. With the right modifications, it could cause things to explode.

    Q: Why is Stuxnet considered to be so complex?
    A: It uses multiple vulnerabilities and drops its own driver to the system.

    Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
    A: The Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

    Q: Has the stolen certificate been revoked?
    A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.

    Q: What's the relation between Realtek and Jmicron?
    A: Nothing. But they have HQs in the same office park in Taiwan.

    Q: What vulnerabilities does Stuxnet exploit?
    A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:

    LNK (MS10-046)
    Print Spooler (MS10-061)
    Server Service (MS08-067)
    Privilege escalation via Keyboard layout file
    Privilege escalation via Task Scheduler

    Q: And these have been patched by Microsoft?
    A: The two Privilege escalations have not yet been patched.

    Q: Why was it so slow to analyze Stuxnet in detail?
    A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.

    Q: When did Stuxnet start spreading?
    A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

    Q: When was it discovered?
    A: A year later, in June 2010.

    Q: How is that possible?
    A: Good question.

    Q: Was Stuxnet written by a government?
    A: That's what it would look like, yes.

    Q: How could governments get something so complex right?
    A: Trick question. Nice. Next question.

    Q: Was it Israel?
    A: We don't know.

    Q: Was it Egypt? Saudi Arabia? USA?
    A: We don't know.

    Q: Was the target Iran?
    A: We don't know.

    Q: Is it true that there are biblical references inside Stuxnet?
    A: There is a reference to Myrtus (myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

    Q: So how exactly is "Myrtle" a biblical reference?
    A: Uhh...we don't know, really.

    Q: How does Stuxnet know it has already infected a machine?
    A: It sets a Registry key with a value "19790509" as an infection marker.

    Q: What's the significance of "19790509"?
    A: It's a date. 9th of May, 1979.

    Q: What happened on 9th of May, 1979?
    A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

    Q: Oh.
    A: Yeah.

    Q: Is there a link between Stuxnet and Conficker?
    A: It's possible. Conficker variants were found between November 2008 and April 2009. First variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

    Q: Is there a link to any other malware?
    A: Some Zlob variants were the first to use the LNK vulnerability.

    Q: Disabling Autorun in Windows will stop USB worms, right?
    A: Wrong. There are several other spreading mechanisms USB worms use. The LNK vulnerability used by Stuxnet would infect you even if Autorun and Autoplay were disabled.

    Q: Will Stuxnet spread forever?
    A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

    Q: How many computers did it infect?
    A: Hundreds of thousands.

    Q: But Siemens has announced that only 15 factories have been infected.
    A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

    Q: How could the attackers get a trojan like this into a secure facility?
    A: For example, by breaking into the home of an employee, finding his USB sticks and infecting them. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue to spread elsewhere also. This is why Stuxnet has spread worldwide.

    Q: Anything else it could do, in theory?
    A: Siemens announced last year that Simatic can now also control alarm systems, access controls and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and Mission Impossible.


    Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
    A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.

    Q: Does F-Secure detect Stuxnet?
    A: Yes.

    Note: We have learned many of the details mentioned in this Q&A in discussions with researchers from Microsoft, Kaspersky, Symantec and other vendors.


    Video from Virus Bulletin 2010 where Symantec researcher Liam O'Murchu demonstrates a proof of concept Stuxnet-like SCADA modification that changes the operation of an air pump.

    "Slavery is the daughter of darkness; an ignorant people is the blind instrument of its own destruction; ambition and intrigue take advantage of the credulity and inexperience of men who have no political, economic or civil knowledge. They mistake pure illusion for reality, license for freedom, treason for patriotism, vengeance for justice."-Simón Bolívar
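The Q&A above notes that the "\myrtus\src\objfre_w2k_x86\i386\guava.pdb" string is not a hidden message but a linker artifact, the debug-symbol path, and that the same kind of artifact gave Operation Aurora its name. The following added example (my own analyst-side script, not code from F-Secure or from the post) shows how such a path sits in a compiled PE file and how to pull it out: the linker writes it into a CodeView "RSDS" record (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path), and a loose string scan catches binaries whose debug directory was stripped. The two sample buffers are constructed, not real Stuxnet or Aurora bytes, and the fixed GUID is a placeholder.

```python
"""Extract PDB (debug symbol) paths from a Windows binary blob.

Added example for the "Myrtus"/"Aurora" PDB-path discussion. The sample
buffers below are constructed; they only imitate where a linker places the
CodeView RSDS record inside a PE image.
"""
import re
import struct
import uuid

RSDS_SIG = b"RSDS"
# RSDS layout: 4-byte signature + 16-byte GUID + 4-byte age, then the path.
RSDS_HEADER_LEN = 4 + 16 + 4

# Fallback: any backslash path ending in .pdb, with or without a drive letter.
# Lazy quantifier so the match stops at the first ".pdb".
PDB_PATH_RE = re.compile(rb"(?:[A-Za-z]:)?\\[^\x00\r\n]{1,260}?\.pdb", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return unique PDB paths found in `data`, RSDS records first."""
    found: list[str] = []
    pos = 0
    while True:
        pos = data.find(RSDS_SIG, pos)
        if pos < 0:
            break
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end > start:
            path = data[start:end].decode("latin-1")
            if path.lower().endswith(".pdb") and path not in found:
                found.append(path)
        pos += len(RSDS_SIG)
    # Catch stripped binaries where only the bare string survives.
    for match in PDB_PATH_RE.finditer(data):
        path = match.group(0).decode("latin-1")
        if path not in found:
            found.append(path)
    return found


def project_name(pdb_path: str) -> str:
    """First directory component of the path: 'myrtus' or 'Aurora_Src'.

    Returns '' when the path has no directory part to name a project from.
    """
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]  # drop a leading drive letter
    return parts[0] if len(parts) > 1 else ""


def make_rsds_record(path: str, age: int = 1) -> bytes:
    """Build a synthetic CodeView RSDS record for the constructed samples."""
    placeholder_guid = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # placeholder
    return RSDS_SIG + placeholder_guid.bytes + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed sample 1: fake PE-ish header followed by an intact RSDS record.
SAMPLE_STUXNET_LIKE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"PE\x00\x00" + b"\x00" * 20
    + make_rsds_record(r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb")
    + b"\x00" * 16
)

# Constructed sample 2: debug directory stripped, only the bare string left.
SAMPLE_AURORA_LIKE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\\Aurora_Src\\AuroraVNC\\Avc\\Release\\AVC.pdb\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    for label, blob in (("stuxnet-like", SAMPLE_STUXNET_LIKE), ("aurora-like", SAMPLE_AURORA_LIKE)):
        for path in extract_pdb_paths(blob):
            print(f"{label}: {path}  (project: {project_name(path) or '?'})")
```

On a real sample you would read the file with `open(path, "rb").read()` and pass it in; the RSDS walk finds the path the linker recorded, and the regex pass catches the cases where the debug directory was removed but the string was left behind. The first directory component is a useful pivot for clustering samples, which is exactly how "Myrtus" and "Aurora" got their names.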

  2. #2 harrybarracuda
    I'd go with the blue suede shoes, probably in Haifa.

  3. #3 StrontiumDog
    http://www.atimes.com/atimes/Global_.../LJ02Dj03.html

    Stuxnet raises virus stakes

    By Martin J Young

    HUA HIN, Thailand - The term "cyber-warfare" has until recently been reserved primarily for spy novels or the corridors of clandestine government security departments. That changed in recent weeks when a nuclear installation in Iran was attacked by a piece of malicious software (malware) called Stuxnet.

    The viral code has been circulating since June, but the specific targeting of this particular attack sets a precedent as the first of its kind and a new era of cyber warfare.

    The Bushehr nuclear power plant, on Iran's southwest coastline, was the target of the well-orchestrated digital assault. The method of infection would probably have been via a USB memory stick (or sticks), which may have been left in strategic locations to be stumbled upon by employees who would subsequently pocket the device and later plug it into their laptop or workstation.

    Iranian authorities estimated that at least 30,000 computers at the reactor and owned by employees were infected. Efforts to remove the viral code were fraught with problems. "The virus is not stable, and since we started the clean-up process three new versions of it have been spreading," said Hamid Alipour, deputy head of Iran's state run Information Technology Co.

    Industrial control systems made by German company Siemens, which are widely used in Iran, were the targets of the worm, indicating that its creators had advanced knowledge of these types of systems far beyond the scope of most information technology experts. The code is so specialized that it targets only two models of Siemens programmable logic controllers, the S7 300 and S7 400, and will execute only if it finds very specific parameters within the machine. These controllers are usually associated with the management of oil pipeline systems, electrical power grids, and nuclear power plants.

    Alipour went on to state that due to the code's complexity, reach, and huge investment behind its creation it was likely to have originated from a foreign country or organization.

    Writers and purveyors of malware and viruses have usually been motivated by a desire for notoriety or financial gain. Stuxnet breaks that mould by being malicious code designed as a weapon. It attacks industrial control systems and alters the code in them, allowing hackers to gain control of the physical machinery and manipulate real-world equipment. This makes the threat far more dangerous than a regular virus, which is designed to wreak havoc in cyberspace.

    According to online security company Symantec, Stuxnet is sophisticated, well funded and has been created by a highly skilled team over a six-month period. There are not many groups globally that could have pulled this threat off and fingers are already being pointed.

    Over the past week, security companies have been dissecting the malware code in an effort to reveal clues about its creators. Feeding conjecture that is spreading across the Internet and media are obscure biblical references discovered hidden in the code.

    The word "Myrtus" offers an ephemeral reference to an Old Testament tale in the Book of Esther, depicting a story about a pre-emptive move by the Jews against a Persian plot to destroy them. The Hebrew word for myrtle, "Hadassah", was the birth name of Esther, a Jewish queen of Persia.

    Other cryptic messages include the date "05091979" which refers to May 9, 1979 - the day Jewish Iranian businessman and philanthropist Habib Elghanian, who played a significant role in bringing Western technology to Iran in the 1960s and 1970s, was executed in Tehran.

    The digital calling cards in the code could be red herrings designed to flummox investigators or, as many suspect, they could be confirmation of an Israeli effort to thwart Iranian nuclear ambitions.

    Israel has never hidden its intentions to undermine the computer systems that manage Iran's large uranium-enrichment plant at Natanz, but the malware has also appeared in other countries, including China, India and Indonesia.

    It has been reported that Iranian engineers have been struggling to control the huge centrifuges at Natanz that are required for uranium enrichment. The emergence of Stuxnet at another plant only adds to their suspicions.

    Israel's secret cyberwar division, Unit 8200, has received huge resources in recent times so it is entirely possible that the Stuxnet attack on Bushehr - which does not process uranium - was a warm-up for something bigger.

    Cyber warfare stakes have now moved up a level, to one that leaves it highly unlikely Iran will be able to retaliate through USB sticks and computer code.

    Martin J Young is an Asia Times Online correspondent based in Thailand.

  4. #4 harrybarracuda
    Iran claims it wasn't affected.....

    TEHRAN, Iran - Iran's nuclear chief said Tuesday that the malicious computer worm known as Stuxnet has not harmed the country's atomic program and accused the West of being behind a failed sabotage attempt.

    Vice President Ali Akbar Salehi's remarks came a day after diplomats told The Associated Press in Vienna that Iran's nuclear program recently suffered major technical problems that forced the temporary shutdown of thousands of centrifuges enriching uranium, the cornerstone of Iran's program.

    Salehi said details about the virus became known only after Iran's "enemies failed to achieve their goals." Over the past several months, Iranian officials have acknowledged that the Stuxnet code had spread widely through Iranian industrial sites and infected several personal laptops belonging to employees at the country's first nuclear power plant.

    The West has accused Iran of trying to develop a weapons capability under the cover of a civil nuclear energy program. Tehran denies the accusation, saying the program is only for peaceful purposes and insisting it has every right under the Nuclear Nonproliferation Treaty to enrich uranium for the production of reactor fuel.

    "One year and several months ago, Westerners sent a virus to (our) country's nuclear sites," Salehi said, according to the official IRNA news agency. He did not specify which sites.

    "They had hoped to stop our speedy peaceful nuclear activities through software. But, with the grace of God, we discovered the virus exactly at the same spot it wanted to penetrate because of our vigilance and prevented the virus from harming (equipment)," IRNA quoted him as saying.

    The diplomats who spoke to the AP in Vienna on Monday said they had no specifics on the nature of the problem that they say led Iranian experts in recent months to briefly power down the centrifuge machines they use for enrichment, a nuclear technology that has both civilian and military uses.

    The three senior diplomats, who are from member countries of the U.N. nuclear watchdog agency, spoke on condition of anonymity because the information was confidential.

    Suspicions focused on the Stuxnet worm, the computer virus thought to be aimed at Iran's nuclear program, which experts last week identified as being calibrated to destroy centrifuges by sending them spinning out of control. No one has claimed to be behind Stuxnet, but some analysts have speculated it originated in Israel.

    More details on Iran's nuclear activities could be contained in a confidential update on Iran by the U.N.'s International Atomic Energy Agency, the latest report by the Vienna-based agency to its 35-nation board on its attempts to get an overview of Tehran's nuclear activities. The diplomats said it would again focus on Tehran's refusal to heed U.N. Security Council demands to stop enrichment.

    Before the report's Tuesday release, diplomats told the AP in Vienna that it would also publicize an Iranian decision to reduce the planned output capacity of a new enrichment plant near the holy city of Qom.

    Existence of the still-unfinished plant was unexpectedly revealed by Iran a little more than a year ago, in what the West says was an admission prompted by fears that it would soon be made public by Washington and its allies.

    Iranian officials subsequently told the IAEA that the heavily fortified underground facility would have around 2,600 centrifuges. But the diplomats said Tehran recently revised plans and now envisaged fewer than 2,000 machines, a move they said could show less interest in using the facility now that its existence is known.

    The resulting extra space would be used to work on centrifuge prototypes less prone to breakdown and more efficient than the present machines, said the diplomats, who asked for anonymity because their information was privileged.

    According to reports released by the IAEA, Iran's uranium enrichment capacity has stagnated in recent years after initial rapid growth. Tehran has taken hundreds of centrifuges off line over the past 18 months, prompting speculation of technical problems.

    At the Natanz enrichment facility in central Iran, the number of operating centrifuges declined from 4,920 in May 2009 to 3,772 in September 2010, the IAEA said.

    Salehi said if the West is convinced that Iran's program has been sabotaged, then there is no need for the U.N. agency to continue to investigate the program.

    "If some people believe this virus has crossed the firewall, then they should have no concern and Iran's nuclear dossier should be considered closed," Salehi was quoted as saying by another Iranian news agency, ISNA.

    "But, thank God, our work ... clearly shows their failure. IAEA reports and the passage of time will prove this," he was quoted as saying.

    Iran is under four sets of U.N. Security Council sanctions as well as economic and other penalties from the U.S. and some of its European allies because of its refusal to stop enriching uranium.

    The technology is of key concern because, besides making fuel to run power plants, it can be re-engineered to make material for nuclear warheads.

  5. #5 harrybarracuda
    Give me strength. Sky News has just "learned" of it. They're calling it a "supervirus".
