The 1-hour Guide to Stuxnet
Carey Nachenberg, Vice President, Symantec Fellow, Symantec Corporation
36 slides

Uploaded by gordon-cooper, posted 18-Dec-2015

TRANSCRIPT

Page 1:

The 1-hour Guide to Stuxnet
Carey Nachenberg, Vice President, Symantec Fellow
Symantec Corporation

Page 2:

This is Natanz, Iran

Page 3:

And these are Natanz’s Centrifuges

Page 4:

And this is how they’re controlled

(Diagram: Windows PC running STEP7 → Programmable Logic Controller → Communications Processors (Routers) → Frequency Converters → Centrifuges)

Industrial control systems are typically controlled by a standard PC running industrial control software like STEP7 from Siemens.

The PLC is a specialized piece of hardware that orchestrates control of multiple connected mechanical devices.

Communications Processors route commands from the PLC to groups of mechanical devices.

Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.

Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.

Page 5:

And this is how they’re isolated

(Diagram: the same STEP7 Windows PC → Programmable Logic Controller → Communications Processors (Routers) → Frequency Converters → Centrifuges chain, shown separated from the Research Network)

Page 6:

And this is (probably) an Israeli Mossad Programmer, who wants to introduce (image of the Stuxnet worm) onto this computer right here.

Page 7:

So how exactly does this (Stuxnet) get onto an “air-gapped” network to disrupt these (the centrifuges)?

It’s got to spread on its own…
All while evading detection.
Until it discovers the proper computers…
Where it can disrupt the centrifuges…

Page 8: It’s got to spread on its own…

Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors!

It copies itself to open file-shares.
It attacks a hole in Windows’ print spooler.
It attacks a hole in Windows RPC.
It password-cracks SIEMENS DB software.
It infects SIEMENS PLC data files.
Peers update other peers directly.
Stuxnet uses thumb drives to bridge the gap!

Usually we’re surprised when we see a threat targeting one flaw...

But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network? USB drives!

Page 9: Spreading – A Sidebar

Windows has a built-in task scheduler system. Each user can add new tasks to be run at a certain time and with a certain permission level. (Regular users can’t add “root” level jobs.)

Windows Tasks:
Task #1: Job: Delete temp files. Run as: Root user. Run at: 10pm
Task #2: Job: Clean registry. Run as: Jim (non-root). Run at: 6pm
Task #3: Job: Print receipts. Run as: Ted (non-root). Run at: 2am

To prevent tampering, Windows computes a CRC32 hash for each task record and stores this in a protected area of the computer. (The tasks themselves are stored as globally readable/writable XML files.)

Protected hashes: Task1 hash: 9B7CC653, Task2 hash: 11090343, Task3 hash: 40910276

Page 10: Spreading – A Sidebar

When it arrives on a machine, Stuxnet starts running with non-administrator privileges. But to do its mischief, Stuxnet needs to run with “root” privileges.

(Windows Tasks #1–#3 as on the previous slide.)

So first, Stuxnet creates a new task, using the permissions of the current user:
Task #4: Job: Run stuxnet.dll. Run as: Ted (non-root). Run at: 2pm

And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-level job), it calculates the job’s hash and adds it to the security store:

Protected hashes: Task1 hash: 9B7CC653, Task2 hash: 11090343, Task3 hash: 40910276, Task4 hash: DE9DBA76

Page 11: Spreading – A Sidebar

(Windows Tasks #1–#4 and their protected hashes as on the previous slide.)

Next Stuxnet modifies the XML job file it just added, changing its permission from “Ted (non-root)” to “Root user”! (Remember, the XML files are writable.)

But wait! The updated job file hash (new hash: 66C35150) no longer matches the protected hash stored by Windows (DE9DBA76)! If Windows were to process the updated job file, it would detect this and reject it!

Ah, but Stuxnet is more clever than that. Stuxnet knows how to forge a CRC: it computes a set of values which, if appended to the file, will result in its CRC matching the original! And then it appends these bytes to the file (shown on the slide as “XQ”). New hash: DE9DBA76.

And Windows will happily run the updated job, giving Stuxnet root-level privileges!

ZERO-DAY!
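The CRC forgery in this sidebar, worked through as an added example (not code from the talk or from Windows): it shows why an unkeyed CRC32 cannot serve as tamper protection, since four appended bytes steer it to any value, and that a keyed HMAC over the same record catches the edit. The task record, the HMAC key and the file format are constructed here; Windows’ real task store is not modelled.

```python
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# The top bytes of the 256 table entries are all distinct, so a table index
# can be recovered from the top byte of the register value it produced.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`, before the final xor
    want = target ^ 0xFFFFFFFF            # register value the 4 extra bytes must reach
    # Bytes that select table indices i0..i3 leave the register at
    #   want = T[i3] ^ (T[i2] >> 8) ^ (T[i1] >> 16) ^ (T[i0] >> 24),
    # so peel the indices off one byte at a time, top byte first.
    idx = [0] * 4
    for k in (3, 2, 1, 0):
        idx[k] = REV[(want >> (8 * k)) & 0xFF]
        want ^= TABLE[idx[k]] >> (8 * (3 - k))
    # Walk the register forward to turn each index into the byte that selects it.
    patch = bytearray()
    for i in idx:
        patch.append(i ^ (reg & 0xFF))
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(patch)


def forged_crc_matches(data: bytes, target: int) -> bool:
    """Self-check: appending the fixup really produces `target`."""
    return zlib.crc32(data + crc32_fixup(data, target)) == target


def tamper_demo() -> dict:
    """Replay the sidebar on a constructed task record; compare CRC32 with an HMAC."""
    record = b"Job: Print receipts\nRun as: Ted (non-root)\nRun at: 2am\n"  # constructed
    stored_crc = zlib.crc32(record)                  # what the "protected store" keeps
    edited = record.replace(b"Ted (non-root)", b"Root user")
    forged = edited + crc32_fixup(edited, stored_crc)
    key = b"constructed-demo-key"                     # secret the file's editor does not hold
    stored_mac = hmac.new(key, record, hashlib.sha256).digest()
    return {
        "plain_edit_caught_by_crc": zlib.crc32(edited) != stored_crc,
        "forged_edit_caught_by_crc": zlib.crc32(forged) != stored_crc,
        "forged_edit_caught_by_hmac": not hmac.compare_digest(
            hmac.new(key, forged, hashlib.sha256).digest(), stored_mac),
    }
```

The second result is the whole point of the slide: the protected CRC stays valid after the edit, whereas the HMAC cannot be repaired without the key.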

Page 12: Until it discovers the proper computers…

Stuxnet is extremely picky and only activates its payload when it’s found an exact match.

The targeted computer must be running STEP7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.

Page 13: Until it discovers the proper computers…

Stuxnet is extremely picky and only activates its payload when it’s found an exact match.

Now if you do the math…. Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters…

And recently we learned that Iran’s Uranium enrichment “cascade” just happens to use exactly 160 centrifuges. What a coincidence! The creators of Stuxnet must have guessed all of these details.

Page 14: Now Stuxnet gets down to business…

Stuxnet starts by downloading malicious logic onto the PLC hardware. What you (probably) didn’t realize is that the PLC uses a totally different microchip & computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip!

Page 15: Now Stuxnet gets down to business…

Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days! And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges.)

(After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)

Page 16: Now Stuxnet gets down to business…

Once it’s sure, the malicious PLC logic begins its mischief!

(Gauge: 0Hz to 1500Hz)

Stuxnet raises the spin rate to 1410Hz for 15 mins. Then sleeps for 27 days. Then slows the spin rate to 2Hz for 50 mins. Then sleeps for 27 days. Stuxnet repeats this process over and over.

Page 17: Now Stuxnet gets down to business…

(Gauge: 0Hz to 1500Hz)

Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!

Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

Page 18: Now Stuxnet gets down to business…

What about Iranian failsafe systems? (Surely by now you’re thinking that alarm bells should have been blaring at the enrichment plant, right?)

Maybe Stuxnet pulled a mission impossible?!?

Page 19: (image only)

Page 20: Now Stuxnet gets down to business…

And in fact, that’s exactly what Stuxnet did!

Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range. But worry not… Stuxnet takes care of this too.

Stuxnet records telemetry readings while the centrifuges are operating normally. (Gauge: 0Hz to 1500Hz.) And when it launches its attack, it sends this recorded data to fool the fail-safe systems!

And Stuxnet disables the emergency kill switch on the PLC as well… Just in case someone tries to be a hero.
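The fail-safe bypass on this slide, as an added example (not code from the talk or from any plant): a fail-safe that only sees PLC-reported telemetry stays silent during a replay of recorded readings, while an exact-repeat check and a cross-check against a sensor the PLC cannot write to both flag it. The sample readings, the 8-sample window and the 20 Hz tolerance are constructed; the 807–1210 Hz band and the 1410 Hz attack speed are the slides’ figures.

```python
# Operating band the talk gives for the centrifuge motors (Hz).
NORMAL_MIN_HZ = 807.0
NORMAL_MAX_HZ = 1210.0


def failsafe_trips(frequency_hz: float) -> bool:
    """The fail-safe rule from the talk: shut down if the frequency leaves the band."""
    return not (NORMAL_MIN_HZ <= frequency_hz <= NORMAL_MAX_HZ)


def replayed_window(reported: list, history: list, window: int = 8) -> bool:
    """True if the last `window` reported samples reproduce, value for value, a
    contiguous run of earlier samples; live physical readings never repeat exactly."""
    if len(reported) < window or len(history) < window:
        return False
    tail = reported[-window:]
    return any(history[i:i + window] == tail for i in range(len(history) - window + 1))


def disagreements(reported: list, independent: list, tolerance_hz: float = 20.0) -> list:
    """Indices where PLC-reported telemetry and an out-of-band sensor differ by more
    than `tolerance_hz`; the sensor must not be readable or writable from the PLC."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance_hz]


# Constructed sample data. NORMAL_RECORDING stands in for readings captured during
# normal operation (around 1064 Hz); during the attack the PLC reports a verbatim
# slice of that recording while the independent sensor sees the real 1410 Hz.
NORMAL_RECORDING = [1063.8, 1064.1, 1064.0, 1063.9, 1064.2, 1064.0,
                    1063.7, 1064.1, 1064.0, 1063.9, 1064.3, 1064.0]
REPORTED_DURING_ATTACK = NORMAL_RECORDING[2:10]
MEASURED_DURING_ATTACK = [1409.6, 1410.2, 1410.0, 1409.9, 1410.1, 1410.0, 1409.8, 1410.0]


def analyse_attack() -> dict:
    """Run the three checks over the constructed attack window."""
    return {
        "failsafe_trips_on_reported": any(failsafe_trips(f) for f in REPORTED_DURING_ATTACK),
        "failsafe_trips_on_measured": any(failsafe_trips(f) for f in MEASURED_DURING_ATTACK),
        "replay_detected": replayed_window(REPORTED_DURING_ATTACK, NORMAL_RECORDING),
        "disagreeing_samples": len(disagreements(REPORTED_DURING_ATTACK, MEASURED_DURING_ATTACK)),
    }
```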

Page 21: All while evading detection…

Stuxnet uses five distinct mechanisms to conceal itself.

#5 Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”

Page 22: All while evading detection.

Stuxnet uses five distinct mechanisms to conceal itself.

#4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection.

(Diagram: the options Launch Attack A, B, C, D, shown three times, once per security product.)

Page 23: All while evading detection.

Stuxnet uses five distinct mechanisms to conceal itself.

#3 Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.

Page 24: All while evading detection.

Stuxnet uses five distinct mechanisms to conceal itself.

#2 Stuxnet’s authors “digitally signed” it with stolen digital certificates to make it look like it was created by well-known companies.

The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1km apart in the same Taiwanese business park.

Page 25: All while evading detection.

Stuxnet uses five distinct mechanisms to conceal itself.

#1 Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)!

(Diagram: the SIEMENS PLC’s actual instructions to the centrifuges versus the logic shown to operators.)

Instructions to the centrifuges (the injected logic):
During normal operation: Spin at 1410hz
In case of emergency: IGNORE OPERATOR COMMANDS

What operational personnel see:
During normal operation: Spin at 1064hz
In case of emergency: Spin down to 0hz

Page 26: Stuxnet Epidemiology

Page 27: Did It Succeed?

Well, based on some clever Symantec engineering, we’ve got some interesting data.

Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited.

Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands: www.mypremierfutbol.com and www.todaysfutbol.com.

Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.

Page 28: Stuxnet Bookkeeping

(Diagram: sample “visited lists”, each a growing sequence of IP addresses carried by successive copies of the worm.)


Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics!

Page 29: Here’s What We Found

Page 30: Here’s What We Found

(These graphs show how the discovered samples spread)

Page 31: Here’s What We Found

Data at time of discovery (July, 2010)

Page 32: Here’s What We Found

Distribution of Infected Systems with Siemens Software, data at time of discovery (July, 2010). Bar chart values in percent:

Iran: 67.60
South Korea: 8.10
USA: 4.98
Great Britain: 2.18
Indonesia: 2.18
Taiwan: 1.56
India: 1.25
Others: 12.15

Page 33: Did It Succeed?

Indications are that it did! The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”

Symantec telemetry indicates that rather than directly trying to infiltrate Natanz… the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.

Page 34: Whodunit?

19790509

According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”

June 22, 2009 4:31:47pm GMT = June 22, 2009 6:31:47pm Local (GMT + 2)

Page 35: To Conclude

Stuxnet proves cyber-warfare against physical infrastructure is feasible.

Unfortunately, the same techniques can be used to attack other physical and virtual systems.

Stuxnet has signaled a fundamental shift in the malware space.

Page 36: Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.