NEWS FROM THE LAB - Tuesday, November 23, 2010

Stuxnet Redux: Questions and Answers Posted by Sean @ 11:21 GMT

Stuxnet continues to be a hot topic. Here's an updated set of Questions and Answers on it.

Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.

Q: Can it spread via other USB devices?
A: Sure, it can spread via anything that you can mount as a drive, like a USB hard drive, mobile phone, picture frame and so on.

Q: What does it do then?
A: It infects the system, hides itself with a rootkit and checks whether the infected computer is connected to a Siemens Simatic (Step7) factory system.

Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLCs (Programmable Logic Controllers, i.e. the boxes that actually control the machinery). Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

Q: Which plant is it looking for?
A: We don't know.

Q: Has it found the plant it's looking for?
A: We don't know.

Q: What would it do if it finds it?
A: The PLC modification searches for specific high-frequency converter drives (AC drives) and modifies their operation.

Q: What's a high-frequency converter drive?
A: Basically, it's a device that can control the speed of a motor. Stuxnet searches for specific AC drives manufactured by Vacon (based in Finland) and Fararo Paya (based in Iran).

Q: So does Stuxnet infect these Vacon and Fararo Paya drives?
A: No. The drives do not get infected. The infected PLC modifies how the drives run. The modification happens only when very specific conditions are all true at the same time, including an extremely high output frequency. Therefore, any possible effects would concern extremely limited AC drive application areas.

Q: What are those application areas? What are AC drives used for?
A: They are used for various purposes, for example for efficient air pressure systems.

Q: Any other examples?
A: Well yes, they are also used for enrichment centrifuges.

Q: As in?
A: As in uranium enrichment, where centrifuges spin at a very high speed. This is why high-frequency drives are considered dual-use technology and are on the IAEA export restriction list.

Q: Would the Stuxnet code cause centrifuges to disintegrate into projectiles traveling at around Mach 2?
A: It's more likely the modifications would cause the centrifuges to produce bad-quality uranium. The changes could go undetected for extended periods of time.

Q: Have you been in touch with Vacon?
A: Yes. They have been investigating the matter and they are not aware of any instances where Stuxnet would have created problems in the operations of Vacon's customers.

Q: Some suggest the target of Stuxnet was the Natanz enrichment facility in Iran. Are there Vacon AC drives in these facilities?
A: According to Vacon, they are not aware of any Vacon drives in use in the Iranian nuclear program, and they can confirm that they have not sold any AC drives to Iran against the embargo.

Q: Have you been in touch with Fararo Paya?
A: No.

Q: What do you know about this company?
A: Nothing. It doesn't seem to be very well known outside of Iran. We're not aware of any AC drive customers they would have outside of Iran.

Q: That would indicate what the target country was, wouldn't it?
A: Next question.

Q: Could there be collateral damage? Could Stuxnet hit another plant that was not the original target?
A: It would have to be very similar to the original target.

Q: Do you know of any plants that would be similar to Iran's uranium enrichment plant?
A: Turns out North Korea seems to have a plant that shares the same design.

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: The Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: How do you steal a certificate?
A: Maybe with malware looking for certificate files and using a keylogger to collect the passphrase when it's typed in. Or breaking in and stealing the signing gear, then brute-forcing the passphrase.

Q: Has the stolen certificate been revoked?
A: Yes. VeriSign revoked it on July 16th. A modified variant signed with a certificate stolen from JMicron Technology Corp was found on July 17th. Revocation does not retroactively block the driver, though: Windows does not perform revocation checks when loading kernel-mode drivers, so copies signed with the stolen certificate keep loading on already-infected machines.

Q: What's the relation between Realtek and JMicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan… which is weird.

Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:

  •  LNK (MS10-046)
  •  Print Spooler (MS10-061)
  •  Server Service (MS08-067)
  •  Privilege escalation via Keyboard layout file (MS10-073)
  •  Privilege escalation via Task Scheduler

Q: And these have been patched by Microsoft?
A: All but one. The Task Scheduler privilege escalation is still unpatched at the time of writing, and a public exploit for it was released in November.

Q: Did the Stuxnet creators find their own 0-day vulnerabilities or did they buy them from the black market?
A: We don't know.

Q: How expensive would such vulnerabilities be?
A: This varies. A single remote code execution zero-day in a popular version of Windows could go for anything between $50,000 to $500,000.

Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.

Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

Q: When was it discovered?
A: A year later, in June 2010.

Q: How is that possible?
A: Good question.

Q: How long did it take to create Stuxnet?
A: We estimate that it took over 10 man-years to develop Stuxnet.

Q: Who could have written Stuxnet?
A: Looking at the financial and R&D investment required and combining this with the fact that there's no obvious money-making mechanism within Stuxnet, that leaves only two possibilities: a terror group or a nation-state. And we don't believe any terror group would have this kind of resources.

Q: So was Stuxnet written by a government?
A: That's what it would look like, yes.

Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.

Q: Was it Israel?
A: We don't know.

Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.

Q: Was the target Iran?
A: We don't know.

Q: Is it true that there are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code on their system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.
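
The PDB path is carried in a CodeView "RSDS" record that the compiler leaves in the binary's debug directory. The Python scanner below is an added example, not F-Secure's tooling or anything from the Stuxnet analysis; it pulls such records out of a raw file image and reports the GUID, age and path. The sample bytes are constructed here to contain the two paths quoted above and are not taken from real Stuxnet or Aurora binaries.

```python
import re
import struct
import uuid

# CodeView "RSDS" record, the structure that IMAGE_DEBUG_TYPE_CODEVIEW points at:
#   char  Signature[4]   "RSDS"
#   GUID  Guid           16 bytes, the PDB signature
#   DWORD Age
#   char  PdbFileName[]  NUL-terminated, no length prefix
RSDS_HEADER = struct.Struct("<4s16sI")


def find_rsds_records(data: bytes):
    """Return every RSDS record found in a raw binary image.

    The signature is scanned for rather than reached through the PE debug
    directory, so the same code works on truncated samples and memory dumps
    where the headers are gone; the path bytes are validated to reject
    accidental "RSDS" byte runs.
    """
    records = []
    for match in re.finditer(rb"RSDS", data):
        start = match.start()
        if start + RSDS_HEADER.size > len(data):
            continue
        _sig, guid_raw, age = RSDS_HEADER.unpack_from(data, start)
        path_start = start + RSDS_HEADER.size
        end = data.find(b"\x00", path_start)
        if end == -1:
            continue
        path = data[path_start:end]
        # A real PDB path is printable ASCII; anything else is a false hit.
        if not path or any(b < 0x20 or b > 0x7E for b in path):
            continue
        records.append({
            "offset": start,
            # The GUID is stored in Windows' little-endian field order.
            "guid": str(uuid.UUID(bytes_le=guid_raw)).upper(),
            "age": age,
            "path": path.decode("ascii"),
        })
    return records


def project_name(pdb_path: str) -> str:
    """First directory component of the PDB path: 'myrtus' for '\\myrtus\\src\\...'."""
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    return parts[0] if parts else ""


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Hand-build an RSDS record for the constructed sample below."""
    return RSDS_HEADER.pack(b"RSDS", guid.bytes_le, age) + path.encode("ascii") + b"\x00"


# Constructed sample image: filler bytes, the two paths quoted in the post in
# proper RSDS records, and a decoy "RSDS" with garbage behind it. This is not
# data from the real Stuxnet or Aurora binaries.
SAMPLE = (
    b"\x00" * 64
    + build_rsds(uuid.UUID(int=0x1234), 1, r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb")
    + b"RSDS\xff\xfe"
    + b"\x90" * 32
    + build_rsds(uuid.UUID(int=0xABCD), 3, r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb")
)

if __name__ == "__main__":
    for rec in find_rsds_records(SAMPLE):
        print(f"offset {rec['offset']:#x} age {rec['age']} guid {rec['guid']}")
        print(f"  project {project_name(rec['path'])!r}  pdb {rec['path']}")
```

Run it against a real file with `find_rsds_records(open(path, "rb").read())`. The GUID and age are the same pair a symbol server uses to look up the PDB, so they also tell you whether two samples were built from the same symbol file even when the path has been edited.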

Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh… we don't know, really. (However, reader Craig B. left a comment in an earlier version of this post.)

Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.
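
Hunting for that marker in a registry export, as an added example that is not F-Secure's detection logic: the post does not name the key, so the constructed sample export uses a hypothetical key path, and the value is compared in three encodings because a `reg export` dump writes DWORDs as hex (19790509 is dword:012dfaad), which a plain text search for the decimal digits would miss.

```python
import re

# The infection marker quoted in the post: 9 May 1979 written as YYYYMMDD.
STUXNET_MARKER = 19790509

# Line shapes in a "Windows Registry Editor Version 5.00" export (reg export / regedit).
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(text: str):
    """Join the backslash-continued lines that regedit uses to wrap long hex blobs."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_reg_data(data: str):
    """Decode the right-hand side of a value line.

    Only the encodings a numeric marker could hide in are decoded (REG_SZ,
    REG_DWORD, REG_BINARY); other types are returned as the raw text.
    """
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex:"):
        return bytes.fromhex(data[len("hex:"):].replace(",", ""))
    return data


def matches_marker(value, marker: int = STUXNET_MARKER) -> bool:
    """True if the decoded value equals the marker in any plausible storage form:
    a DWORD, a decimal string, or a 4-byte little-endian REG_BINARY blob.
    The post does not say which form Stuxnet uses, so all three are checked."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value == marker
    if isinstance(value, str):
        return value.strip() == str(marker)
    if isinstance(value, bytes):
        return value == marker.to_bytes(4, "little")
    return False


def scan_reg_export(text: str, marker: int = STUXNET_MARKER):
    """Return (key, value_name) for every value in the export equal to the marker."""
    hits = []
    key = None
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            if matches_marker(decode_reg_data(m.group("data")), marker):
                hits.append((key, name))
    return hits


# Constructed sample export. The key path is a placeholder: the post does not
# say where Stuxnet writes the marker. The three hits store 19790509 as a DWORD
# (0x012DFAAD), as a string, and as little-endian bytes; the decoy does not match.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Version"="3.1"
"Build"=dword:00004d2f

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\HypotheticalMarkerKey]
"Flag"=dword:012dfaad
"Note"="19790509"
"Blob"=hex:ad,fa,\
  2d,01
"Decoy"="1979-05-09"
"""

if __name__ == "__main__":
    # Real exports are UTF-16: open(path, encoding="utf-16").read() before scanning.
    for key, name in scan_reg_export(SAMPLE_EXPORT):
        print(f"{key}\\{name}")
```

Exports produced by `reg export` are UTF-16 with a byte-order mark, so read them with `encoding="utf-16"` before handing the text to `scan_reg_export`; the same parser works on hives exported from a disk image, which is where this kind of marker sweep is usually done.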

Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.

Q: Obviously the attackers had lots of inside information of the target plant and possibly had a mole inside. Why did they use a worm at all? Why couldn't they just have their mole do the modifications?
A: We don't know. For deniability? Maybe the mole had no access to the key systems? Maybe the mole was not at the plant but had access to the design plans? Maybe there was no mole?

Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. The first variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.

Q: Disabling AutoRun would have stopped Stuxnet, right?
A: Wrong. Stuxnet used a zero-day. When it was new, it would have infected your Windows box even if you were fully patched, had AutoRun disabled, were running under a restricted low-level user account and had disabled execution of programs from USB drives.

Q: But in general, disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use, such as companion infections. It is still a good idea to disable it, but it's not a cure-all.

Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

Q: How many computers did it infect?
A: Hundreds of thousands.

Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into the home of an employee, finding his USB sticks and infecting them, then waiting for the employee to take the sticks to work and infect his work computer. The infection then spreads further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it keeps spreading elsewhere as well. This is why Stuxnet has spread worldwide.

Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so, although Deepwater Horizon does seem to have had some Siemens PLC systems on board.

Q: Is it true that the US Senate held hearings on Stuxnet?
A: Yes, in November.

Q: Does F-Secure detect Stuxnet?
A: Yes.

Note: We have learned many of the details mentioned in this Q&A in discussions with researchers from Microsoft, Kaspersky, Symantec, and other vendors.

Video from Virus Bulletin 2010 where Symantec researcher Liam O'Murchu demonstrates a proof of concept Stuxnet-like SCADA modification that changes the operation of an air pump.