NISW Blog

Written by: admin
10/21/2011 5:58 PM

By now many in the computing world have heard of the infamous "Stuxnet" malware, a military-grade 21st century cyber weapon which targeted Iran's nuclear power plants.

Around 95% of the source code has been available online for a while now. 

Stuxnet marks a new era for malware: it is not only a new virus or worm, it is a military-grade cyber weapon that can potentially cause death. This code changed the meaning of software viruses and their intent. Stuxnet is the first discovered malware that actually spies on and subverts industrial systems (software and hardware), and the first software virus to specifically include a programmable logic controller (PLC) rootkit.

A programmable logic controller (PLC), or programmable controller, is a digital computer used for the automation of electromechanical processes, such as the control of machinery on factory assembly lines.

A rootkit is software that enables continued privileged (normally administrative) access to a computer while actively hiding its presence from administrators and users by subverting standard operating system functionality.

Whereas a traditional computer virus could wreck your operating system, which at worst has to be reinstalled, Stuxnet has the ability to wreck industrial systems, which can put lives at risk. Stuxnet targets Siemens industrial software and equipment running Microsoft Windows. The worm spreads indiscriminately and includes a highly specialised malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects programmable logic controllers by subverting the Step-7 software application that is used to reprogram these devices. This tells us that the teams involved in developing Stuxnet not only needed to be skilled and experienced C/C++ software engineers, but also needed domain expertise in Siemens SCADA systems and knowledge of programming them. It has been widely identified already that Stuxnet components were developed and compiled at different times and that some components show signs of different coding styles and practices. Over the past few months I have been inspecting the decompiled Stuxnet source code dump (found here), and one of the first things I noticed was the quality and the complexity of the code. Complexity of this depth is rare for malware.

The Stuxnet code contains a layered attack against three different systems:

  1. The Windows operating system,
  2. Siemens PCS 7 and STEP7 industrial software applications that run on Windows, and
  3. One or more Siemens S7 PLCs.

The Stuxnet code exploits five different vulnerabilities, four of which were 0-days:

  •  LNK (MS10-046)
  •  Print Spooler (MS10-061)
  •  Server Service (MS08-067)
  •  Privilege escalation via Keyboard layout file (MS10-073)
  •  Privilege escalation via Task Scheduler

The use of not one but four zero-day vulnerabilities in the Windows OS indicates that a high degree of effort, time and money was put into developing this code. If the development teams responsible for putting Stuxnet together did not have their own zero-day exploits, then they would most certainly have had to buy them or go to great lengths to find their own. It is estimated that one zero-day exploit on the black market can fetch anywhere between $50,000 and $500,000. So for Stuxnet to use four zero-day vulnerabilities shows that a lot of effort went into finding their own zero-day exploits, or that they went to the effort of buying those exploits. The Stuxnet code uses several techniques to avoid being detected by behavioural-blocking antivirus software. These are discussed by people such as Egyptian student Amr Thabet and Bruce Dang from Microsoft, who, along with others, have done a great job of analysing this devastating malware and its lethal payloads.

Having analysed Amr Thabet's Stuxnet rootkit code, which is about 95% complete, and then cross-referencing his work and paper with the decompiled Stuxnet source code dump that Crowdleaks published, which can be found here, anyone with knowledge of programming in C can start to connect the dots. Any aspiring software developer who wants to be at the top of his or her game could start by studying this codebase.

What is noticeable on first inspection of the "Crowdleaks" decompiled source code is the quality of the code and its complexity.

In this talk Bruce Dang from Microsoft gives his first-hand account of the entire story, from the task landing on his desk to solve, and shares several tricks that were used to quickly identify the vulnerabilities used by Stuxnet. Bruce describes quite well the thought processes that went into debugging and triaging the vulnerabilities that the Stuxnet code exploited.

Symantec researcher Liam O'Murchu also demonstrates a proof of concept Stuxnet-like SCADA modification that changes the operation of an air pump.

There will be a follow up to this article with some interesting code examples and a video showing the debugging process.  

After studying this code for several weeks it is amazing how a few zeros and ones can do so much damage in the physical world. As the Stuxnet source code has been online for a while now, anyone that understands C/C++ and how its layered attack works can easily modify the payloads. I suspect that there are already multiple variations of this code base in the wild using different payloads and exploits, searching for different industrial control systems. If these new Stuxnet-variant cyber weapons have not already been deployed into the wild, we can rest assured that many governments and militaries around the world are already actively engaged in developing these software projects, as well as developing tools to detect and prevent a Stuxnet variant gaining control of a system.

Prevention is still better than cure: strict enterprise policies on removable media drives and on external files and attachments entering the enterprise, together with a strict asset inventory control system, will go some way to minimize risk and exposure to malware. A thorough education program for staff on current and emerging software-based threats to the business will go a long way to helping you prevent any malicious software gaining a hook into your internal systems.
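The removable-media policy and asset inventory control recommended above only help if somebody actually checks device connections against the inventory. The following script is an added example, not code from the original post or from any of the analyses it cites: it parses a constructed log of removable-device connection events (the line format, hostnames, users, serial numbers and the inventory itself are all made up for this example) and flags devices that are not in the asset register, that appear on a host they are not approved for, or that appear at all on a host designated as sensitive, such as a SCADA HMI.

```python
"""Added example (not from the original post): cross-check removable-media
connection events against an asset inventory allow-list.

Everything below is constructed for illustration. A real deployment would
feed Windows device-connection events from the endpoint's event log and the
organisation's own asset register into the same check.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one line per removable-device connection event.
# Fields: timestamp, hostname, user, USB vendor/product id, device serial.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2011-10-21T09:12:03 ENG-WS01 jsmith VID_0781&PID_5567 SN=4C530001230419
2011-10-21T09:40:15 ENG-WS02 agreen VID_0951&PID_1666 SN=0019E06B2C11
2011-10-21T11:02:44 SCADA-HMI1 operator VID_0781&PID_5567 SN=DEADBEEF0001
2011-10-21T11:05:10 SCADA-HMI1 operator VID_0930&PID_6545 SN=4C530001230419
this line is malformed and should be ignored
"""

# Constructed asset inventory: approved device serials, their owner, and the
# hosts each device is permitted on ("*" means any host).
INVENTORY = {
    "4C530001230419": {"owner": "jsmith", "hosts": {"ENG-WS01"}},
    "0019E06B2C11": {"owner": "agreen", "hosts": {"*"}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4}) "
    r"SN=(?P<serial>[0-9A-Za-z]+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    serial: str
    reason: str


def parse_events(text):
    """Yield parsed events as dicts; malformed lines are skipped so that one
    bad line cannot hide the rest of the log from the check."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}


def check_removable_media(log_text, inventory, sensitive_hosts=frozenset()):
    """Return a list of Findings, in log order, for every event that
    violates the policy: unknown device, device on a sensitive host, or
    approved device used on a host it is not approved for."""
    findings = []
    for ev in parse_events(log_text):
        entry = inventory.get(ev["serial"])
        if entry is None:
            reason = "unknown device (not in asset inventory)"
        elif ev["host"] in sensitive_hosts:
            reason = "removable media on sensitive host"
        elif "*" not in entry["hosts"] and ev["host"] not in entry["hosts"]:
            reason = "approved device used on unapproved host"
        else:
            continue  # approved device on an approved, non-sensitive host
        findings.append(
            Finding(ev["ts"], ev["host"], ev["user"], ev["serial"], reason)
        )
    return findings


if __name__ == "__main__":
    for f in check_removable_media(SAMPLE_LOG, INVENTORY, {"SCADA-HMI1"}):
        print(f"{f.ts.isoformat()} {f.host} {f.user} SN={f.serial}: {f.reason}")
```

Run against the sample, the check reports the unregistered device on SCADA-HMI1 and the registered engineering-workstation drive that was later plugged into the same HMI; the two events on ordinary workstations pass. The ordering of the rules matters: a sensitive host is reported before the per-host approval is consulted, so that an inventory entry with a "*" wildcard can never quietly permit media on a control-system host.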

If your business requires some advice, guidance and help in understanding how to tighten up IT security or help in putting stronger IT security measures in place feel free to get in contact to discuss your options. admin@northernirelandsoftware.com

Copyright ©2011 N.IrelandSoftware
