the 1-hour guide to stuxnet carey nachenberg vice president, symantec fellow symantec corporation...
TRANSCRIPT
The 1-hour Guide to StuxnetCarey Nachenberg Vice President, Symantec FellowSymantec Corporation
The 1-hour Guide to Stuxnet 1
2
This is Natanz, Iran
The 1-hour Guide to Stuxnet
3
And these are Natanz’s Centrifuges
The 1-hour Guide to Stuxnet
4
And this is how they’re controlledProgrammable Logic Controller
. . . . . .
. . . . . .
CommunicationsProcessors (Routers)
FrequencyConverters
Centrifuges
WindowsPC
STEP7
The 1-hour Guide to Stuxnet
Communications Processors route
commands from the PLC to groups of mechanical
devices.
Frequency Converters are responsible for converting AC frequencies to either
higher-or lower frequencies to operate motors.
Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.
The PLC is a specialized piece of hardware that orchestrates control of
multiple connected mechanical devices.
Industrial control systems are typically controlled by a
standard PC running industrial control software like STEP7 from Siemens.
5
And this is how they’re isolatedProgrammable Logic Controller
. . . . . .
. . . . . .
CommunicationsProcessors (Routers)
FrequencyConverters
Centrifuges
WindowsPC
STEP7
Research Network
The 1-hour Guide to Stuxnet
6
And this is (probably) an Israeli Mossad Programmer
Who wants to introduce
onto this computer
right here
The 1-hour Guide to Stuxnet
7
So how exactly does this:
Get onto an “air-gapped”network to
disrupt these:
It’s got to spread on its own…
All while evading detection.
Until it discovers the proper computers…
Where it can disrupt the centrifuges…
The 1-hour Guide to Stuxnet
It’s got to spread on its own…Stuxnet uses seven distinct mechanisms to spread to new computers.
Six of these attacks targeted flaws (back doors) that wereunknown to the security industry and software vendors!
It copies itself toopen file-shares.It attacks a hole
in Windows’ print spooler.
It attacks a holein Windows RPC.It password-cracks
SIEMENS DB software.It infects SIEMENS
PLC data files.Peers update other
peers directly.
2.02.0 2.02.02.02.0
Stuxnet uses thumb drives to bridge the gap!
2.0
?Usually we’re surprisedwhen we see a threattargeting one flaw...
But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network?
USB drives!The 1-hour Guide to Stuxnet 8
Spreading – A Sidebar
The 1-hour Guide to Stuxnet 9
Task #1:Job: Delete temp files
Run as: Root userRun at: 10pm
Windows Tasks
Task #2:Job: Clean registry
Run as: Jim (non-root)Run at: 6pm
Task #3:Job: Print receipts
Run as: Ted (non-root)Run at: 2am
Windows has a built-in task scheduler system.
Each user can add new tasks to be run at a certain time and with a certain permission level.(Regular users can’t add “root” level jobs)
To prevent tampering, windows computes a CRC32 hash for each task record and stores this in
a protected area of the computer.
Task1 hash: 9B7CC653Task2 hash: 11090343Task3 hash: 40910276
(the tasks themselvesare stored as globally
readable/writable XML files)
The 1-hour Guide to Stuxnet 10
When it arrives on a machine, Stuxnet starts running with non-administrator privileges.
But to do its mischief, Stuxnet needs to run with “root” privileges. Task #1:
Job: Delete temp filesRun as: Root user
Run at: 10pm
Windows Tasks
Task #2:Job: Clean registry
Run as: Jim (non-root)Run at: 6pm
Task #3:Job: Print receipts
Run as: Ted (non-root)Run at: 2am
So first, Stuxnet creates a new task, using the permissions of the current user.
Task #4:Job: Run stuxnet.dll
Run as: Ted (non-root)Run at: 2pm
Task1 hash: 9B7CC653Task2 hash: 11090343Task3 hash: 40910276
And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-
level job), it calculates the job’s hash and adds it to the security store.
Task4 hash: DE9DBA76
Spreading – A Sidebar
The 1-hour Guide to Stuxnet 11
Task #1:Job: Delete temp files
Run as: Root userRun at: 10pm
Windows Tasks
Task #2:Job: Clean registry
Run as: Jim (non-root)Run at: 6pm
Task #3:Job: Print receipts
Run as: Ted (non-root)Run at: 2am
Task1 hash: 9B7CC653Task2 hash: 11090343Task3 hash: 40910276Task4 hash: DE9DBA76
Task #4:Job: Run stuxnet.dll
Run as: Ted (non-root)Run at: 2pm
Next Stuxnet modifies the XML job file it just added, changing its permission to “root”!
(Remember, the XML files are writable)
Ted (non-root)Root user
But wait! The updated job file hash no longer matches
the protected hash stored by Windows!
If Windows were to process the updated job file, it would
detect this and reject it!
New hash: 66C35150
Ah, but Stuxnet is more clever than that.
Stuxnet knows how to forge a CRC - it computes a set of values which, if appended to the file, will result in its CRC matching the original! And then it appends
these bytes to the file!
XQ
New hash: DE9DBA76
And Windows will happily run the updated job, giving Stuxnet root-level privileges!
ZERO-DAY!
Spreading – A Sidebar
Until it discovers the proper computers…Stuxnet is extremely picky and only activates its payload when it’s found an exact match.
The targeted computer must be runningSTEP7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
STEP7
Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
…
It’s got to spread on its own…
The 1-hour Guide to Stuxnet 12
Until it discovers the proper computers…Stuxnet is extremely picky and only activates its payload when it’s found an exact match.
STEP7
…
Now if you do the math….
Stuxnet verifies that the discovered Programmable Logic Controller…
Is controlling at least 155 total frequency converters…
And recently we learned that Iran’sUranium enrichment “cascade” just happens
to use exactly 160 centrifuges.
What a coincidence!
The creators of Stuxnet must have
guessed all of these details.
The 1-hour Guide to Stuxnet 13
Now Stuxnet gets down to business…
Stuxnet starts by downloading malicious logic onto the PLC hardware.
What you (probably) didn’t realize is that the PLC uses a totally different microchip &
computer language than Windows PCs.
Stuxnet is the first known threat to target an industrial
control microchip!
The 1-hour Guide to Stuxnet
Until it discovers the proper computers…
14
Next, Stuxnet measures the operating speed of the frequency converters during their normal
operation for 13 days!
And makes sure the motors are running between 807Hz and 1210Hz.
(This is coincidentally the frequency range
required to run centrifuges.)
Now Stuxnet gets down to business…
(After all, whoever wrote Stuxnet wouldn’t want it
to take out a roller coaster or something.)
The 1-hour Guide to Stuxnet 15
Once it’s sure, the malicious PLC logic begins its mischief!
Then sleeps for 27 days.
Then slows the spin rate to 2Hz for 50 mins.
Then sleeps for 27 days.
Stuxnet repeats this process over and over.
0Hz 1500Hz
Stuxnet raises the spin rate to 1410Hz for 15 mins.
Now Stuxnet gets down to business…
The 1-hour Guide to Stuxnet 16
Why push the motors up to 1410Hz?
0Hz 1500Hz
Well, ~1380Hz is a resonance frequency.
It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2Hz?
At such a low rotation rate, the vertical enrichment tubeswill begin wobbling like a top (also causing damage).
Now Stuxnet gets down to business…
17
The 1-hour Guide to Stuxnet
What about Iranian failsafe systems?
The 1-hour Guide to Stuxnet 18
(Surely by now you’re thinking that alarmbells should have been blaring at the
enrichment plant, right?)
Now Stuxnet gets down to business…
Maybe Stuxnet pulled a mission impossible?!?
And in fact, that’s exactly what Stuxnet did!
Well, in fact, these facilities typically do
have fail-safe controls.
They trigger a shutdown if the frequency goes out of the acceptable range.
But worry not…Stuxnet takes care of
this too.
Stuxnet records telemetry readings while the
centrifuges are operating normally.
0Hz 1500Hz
And when it launches its attack, it sends this
recorded data to fool the fail-safe systems!
And Stuxnet disablesthe emergency kill switch
on the PLC as well…Just in case someone tries
to be a hero.
Now Stuxnet gets down to business…
The 1-hour Guide to Stuxnet 20
All while evading detection…Stuxnet uses five distinct mechanisms to conceal itself.
#5Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”
The 1-hour Guide to Stuxnet
Now Stuxnet gets down to business…
21
Stuxnet uses five distinct mechanisms to conceal itself.
#4Stuxnet inhibits different behaviors in the presence of different
security products to avoid detection.
Launch Attack ALaunch Attack BLaunch Attack CLaunch Attack D
Launch Attack ALaunch Attack BLaunch Attack CLaunch Attack D
Launch Attack ALaunch Attack BLaunch Attack CLaunch Attack D
All while evading detection.
The 1-hour Guide to Stuxnet 22
Stuxnet uses five distinct mechanisms to conceal itself.
#3Stuxnet completely deletes itself from USB keys after it has
spread to exactly three new machines.
All while evading detection.
The 1-hour Guide to Stuxnet 23
Stuxnet uses five distinct mechanisms to conceal itself.
#2Stuxnet’s authors “digitally signed” it with stolen digital certificates
to make it look like it was created by well-known companies.
Realtek
The two certificates were stolen from
RealTek and Jmicron…
All while evading detection.
…as it turns out, both companies are located less than 1km apart in the same Taiwanese
business park.
The 1-hour Guide to Stuxnet 24
Stuxnet uses five distinct mechanisms to conceal itself.
#1Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (It hides its injected logic)!
Instructions to the Centrifuges
During normal operation:Spin at 1410hz
In case of emergency:IGNORE OPERATOR COMMANDS
SIEMENS
PLC
(To centrifuges)
During normal operation:
Spin at 1064hz
In case of emergency:
Spin down to 0hz
All while evading detection.
The 1-hour Guide to Stuxnet 25
Stuxnet Epidemiology
The 1-hour Guide to Stuxnet 26
Did It Succeed?Well, based on some clever
Symantec engineering, we’ve got some interesting data.
Fact: As Stuxnet spreads between computers, it keeps an internal log
of every computer it’s visited.
Fact: Stuxnet contacts two command-and-control servers every time it runs to report its
status and check for commands.
www.mypremierfutbol.com
www.todaysfutbol.com
Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.
The 1-hour Guide to Stuxnet 27
Stuxnet Bookkeeping
The 1-hour Guide to Stuxnet 28
151.21.32.19 151.21.32.21
27.42.97.152
93.154.11.42 93.154.12.78
151.21.32.19
151.21.32.21151.21.32.19151.21.32.21151.21.32.19151.21.32.21
27.42.97.152
93.154.11.4293.154.12.78
151.21.32.19
151.21.32.19151.21.32.21
151.21.32.19151.21.32.2193.154.11.42
Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics!
The 1-hour Guide to Stuxnet 29
Here’s What We Found
Here’s What We Found
The 1-hour Guide to Stuxnet
(These graphs show how the discovered samples spread)
30
31
Here’s What We Found
Data at time of discovery (July, 2010)
The 1-hour Guide to Stuxnet
Here’s What We Found
67.60
8.10 4.98 2.18 2.18 1.56 1.25
12.15
0.00
10.00
20.00
30.00
40.00
50.00
60.00
70.00
80.00
IRAN
SOUT
H KO
REA US
A
GREA
T BR
ITAI
N
INDO
NESI
A
TAIW
AN
INDI
A
OTH
ERS
Distribution of Infected Systems with Siemens Software
Data at time of discovery (July, 2010)
The 1-hour Guide to Stuxnet 32
Did It Succeed?Indications are that it did!
The Institute for Science and International Security writes:
“It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about
9,000 deployed at the site.”
Symantec telemetry indicates that rather than directly trying to infiltrate Natanz…
These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.
The attackers infected five industrial companies with potential subcontracting relationships with the plant.
33
The 1-hour Guide to Stuxnet
Whodunit?
The 1-hour Guide to Stuxnet 34
19790509
According to Wikipedia, On May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian
Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic
government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran
which continues to this day.”
June 22, 2009 4:31:47pm GMTJune 22, 2009 6:31:47pm Local
GMT + 2
To Conclude
Stuxnet proves cyber-warfare against physical infrastructure is feasible.
Unfortunately, the same techniques can be used to attack other physical and virtual systems.
Stuxnet has signaled a fundamental shift in the malware space.
The 1-hour Guide to Stuxnet 35
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thank you!
36
The 1-hour Guide to Stuxnet