Report on the Worm Stuxnet Attack

by www.antiy.net
Hosted at: EmbeddedSw - Security News

Chapter 1: Background of the Attack

Recently, numerous news media have reported that the Stuxnet worm, described as a "super weapon" and a "Pandora's Box", has attacked Siemens' SIMATIC WinCC SCADA system.

The Stuxnet worm erupted in July this year. It exploits at least four vulnerabilities in the Microsoft operating system, including three new zero-day vulnerabilities; uses digital signatures for the drivers it generates; breaks through the physical isolation of industry-specific LANs (local area networks) through various intrusion methods in order to spread widely; and carries out a devastating attack by exploiting two vulnerabilities in the WinCC system. It is the first malicious code that directly damages industrial infrastructure. According to Symantec's statistics, about 45,000 networks around the world have been infected with the worm so far, and 60% of the victim hosts are in Iran. The Iranian government has confirmed that the country's Bushehr nuclear power plant has been attacked by Stuxnet.

On July 15, Antiy Labs captured the first variant of the Stuxnet worm and analyzed it immediately, publishing the corresponding report and preventive proposals right away and continuing to track the worm since. By now, Antiy Labs has captured 13 variants and more than 600 samples with different hash values.

Chapter 2: Behavior Analysis

Stuxnet can be activated in the following operating systems:

Stuxnet exits immediately if the current operating environment is not a Windows NT-family system.

The attacked software targets include:

However, this does not mean that other versions of WinCC can be ruled out as targets.

Local Behavior

When the sample is activated, its execution flow is as shown in Figure 1.

First of all, the sample gets the version of the current OS. It exits when it detects that it is running on Windows 9X/ME.

Next, the sample loads a DLL module in which the subsequent behavior is executed. To avoid being scanned or killed, the sample copies the DLL module directly into memory and simulates the regular DLL loading procedure, rather than dumping the DLL module to a file and loading it from disk.

Specifically, the sample allocates enough memory space and then hooks six system-level APIs exported from ntdll.dll:

To hook them, the sample modifies the protection attributes of the PE header of the ntdll.dll module mapped in its own process memory space, and then overwrites the valid data at offset 0x40b with jump code.

Stuxnet_report_Figure1.jpg

Then the sample creates a new PE section in memory through the modified ZwCreateSection API and copies the DLL module into it. Finally, it obtains the module handle through the LoadLibraryW API.

Thereafter, the sample jumps into the loaded DLL to execute, and generates the following files:

Besides these, there are two drivers, mrxcls.sys and mrxnet.sys, which are registered as two system services named MRXCLS and MRXNET to ensure that the attack payload starts with the system. Both drivers use rootkit techniques and fraudulent digital signatures.

The former attacks the WinCC system, and the latter hides some critical files at kernel level, such as the LNK files and DLL files copied onto flash disks.

The driver mrxcls.sys checks whether the host has the WinCC system installed. In fact, it can monitor almost all process environments, and it injects a module stored in %Windir%\inf\oem7A.PNF into three processes: services.exe, S7tgtopx.exe, and CCProjectMgr.exe. As confirmed, S7tgtopx.exe and CCProjectMgr.exe belong natively to the WinCC system.

In the other direction, the driver mrxnet.sys tries to hide the lnk files and DLL files copied to the flash disk by modifying some kernel-mode system calls (see Figure 2).

Stuxnet_report_Figure2.jpg

Spread Method

The target of the Stuxnet worm is the SIMATIC WinCC software, which is mainly used for data acquisition and monitoring in industrial control systems. It is usually installed on a dedicated intranet that is physically isolated from the Internet. To begin the attack, Stuxnet uses various methods to penetrate and spread, as shown in Figure 3.

First, Stuxnet infects an external host. Second, it infects a flash disk, and then penetrates into the intranet by exploiting the shortcut ("lnk") file parsing vulnerability (MS10-046). If that succeeds, it spreads to more hosts by exploiting the shortcut file parsing vulnerability (MS10-046), the RPC remote code execution vulnerability (MS08-067), and the print spooler service vulnerability (MS10-061). Finally, it reaches the hosts confirmed to have the WinCC system installed and attacks them.

Stuxnet_report_Figure3.jpg

1. Shortcut File Parsing Vulnerability (MS10-046)

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

If exploited successfully, MS10-046 allows attackers to gain remote control of the affected computer with the same privileges as the logged-on user. If the logged-on user has administrative privileges, the attacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.

This vulnerability can be exploited through removable drives carrying a malicious shortcut file and an associated malicious binary. It can also be exploited by placing the malicious components on a malicious website or a remote network share.

When a shortcut is displayed, the system automatically searches for the required icon resource according to the file structure and renders it as the icon. If the icon resource is packaged in a DLL file, the system loads that DLL file. Therefore, an attacker can build a malicious shortcut file that causes the system to load a specified DLL file, and the malicious code is then executed. Because the display of a shortcut file is performed by the system automatically, without any user interaction, the damage of this exploit is greater than that of others.

Stuxnet searches for removable storage devices on the computer (shown in Figure 4). When it finds a device, it copies the shortcut file and DLL files onto it (shown in Figure 4). If the user then uses this device in the internal network, the vulnerability is triggered, and the so-called "ferry" attack becomes real: the worm successfully penetrates the physically isolated network with the help of the infected removable storage device.

Stuxnet_report_Figure4.png

Two DLL files are copied to the flash disk: ~wtr4132.tmp and ~wtr4141.tmp (Figure 5). The latter hooks some APIs in kernel32.dll and ntdll.dll, as follows:

It hooks these APIs to hide the lnk files and DLL files on the flash disk. We can therefore conclude that Stuxnet uses two ways to hide the flash disk files: one is the kernel-mode driver, the other is API hooking in user mode.

Stuxnet_report_Figure5.jpg

2. RPC Remote Code Execution Vulnerability (MS08-067) and Privilege Escalation Vulnerability

This was the most critical vulnerability in the Microsoft operating system in 2008, characterized by being simple to exploit, widely spread, and highly damaging.

Stuxnet_report_Figure6.jpg

Specifically, remote code execution is possible when a system with this vulnerability receives a specially constructed RPC request. On Windows 2000, Windows XP and Windows Server 2003, the attacker can exploit it directly by building a malicious network packet, executing the attack payload without any authentication, and then obtaining root-level access. Therefore, the vulnerability is most likely to be used by typical worms for large-scale spreading and attacks.

The Stuxnet worm spreads into the intranet by exploiting this vulnerability (Figure 6). If the exploit fails only because its privileges are insufficient, it uses an unknown and unpatched privilege escalation vulnerability (Figure 1) and then tries to attack again. By now, Microsoft has not offered any solution to this vulnerability.

3. Print Spooler Service Vulnerability (MS10-061)

This is a critical vulnerability in the Windows Print Spooler service on Windows 2008/7/Vista/2003/XP computers, which allows arbitrary code to be executed remotely on the vulnerable computer.

If exploited successfully, MS10-061 allows attackers to gain remote control of the affected computer with the same privileges as the logged-on user. If this user has administrator rights, the attacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.

This vulnerability is usually exploited by sending a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC.

The Windows print spooler does not set user privileges properly. An attacker can submit a crafted print request that writes a file into the %System32% directory of hosts that expose the print spooler interface. Arbitrary code can thus be executed with system privileges, in order to achieve spreading and attacks.

The Stuxnet worm uses this vulnerability to spread within the intranet. As shown in Figure 7, it sends two files to the target host: winsta.exe and sysnullevnt.mof. sysnullevnt.mof is a Microsoft Managed Object Format file; it causes winsta.exe to be executed when certain events occur. winsta.exe itself is just the Stuxnet worm.

Stuxnet_report_Figure7.jpg

Attack Behavior

Stuxnet queries two registry key values to check whether the targeted host has the WinCC system installed (Figure 8):

Stuxnet_report_Figure8.jpg

Stuxnet uses two vulnerabilities in the WinCC system.

The first is a hard-coded credential problem in the WinCC system, which stores a default account and password for accessing the database. Stuxnet uses this vulnerability to access the system's SQL database (as shown in Figure 9).

Stuxnet_report_Figure9.jpg

The other is that in Step7 projects, which WinCC needs to use, there is a flaw in the DLL loading strategy when opening a project file, resulting in an exploitation pattern similar to a "DLL preloading attack". Finally, Stuxnet manages to hook some query and read functions by replacing a DLL file in the Step7 software.

Generation Relationship

As mentioned before, many worm variants have been captured. What are their general and specific characteristics in terms of copying, distribution, attack and derived files?

Stuxnet_report_Figure10.jpg

As Figure 10 shows, there are several possible sources of the samples.

The original samples, and the samples that exploit the RPC vulnerability or the print spooler service vulnerability, are all exe files. They invisibly load a module named "kernel32.dll.aslr..dll" from their own .stub section.

Other samples, which spread through flash disks, exploit the vulnerability as soon as the system displays the shortcut file. As a result, the ~wtr4141.tmp file is loaded. This tmp file loads a module named "shell32.dll.aslr.<random number>.dll". This module then modifies the other file, ~wtr4132.tmp, into "kernel32.dll.aslr..dll".

The "kernel32.dll.aslr..dll" module then starts and carries out the following operations. It exports 22 functions that implement the main functionality of the malicious code. Its resource section contains a number of files to be dropped, stored in encrypted form.

As shown, exported function No. 16 is used to drop the local files, including resource No. 201 (the mrxcls.sys driver), resource No. 242 (the mrxnet.sys driver), and four .pnf files.

Exported function No. 17 is used to attack the second WinCC vulnerability. It releases s7otbxdx.dll; the file of the same name in the WinCC system is renamed to s7otbxsx.dll, and the exported functions of that original file are wrapped in order to hook the APIs.

Exported function No. 19 is used to spread via the shortcut file parsing vulnerability. It generates some lnk files and two .tmp files.

Exported function No. 22 is responsible for spreading via the RPC vulnerability and the print spooler service vulnerability. Among the files it generates, resource No. 221 is used to exploit the RPC vulnerability, resource No. 222 is used to attack the print spooler service, and resource No. 250 is used to escalate privileges.

Chapter 3: Solutions and Proposals

Attack Prevention

Siemens has offered the official solution to this attack; the URL is given in the Appendix. Based on our analysis, some other actions are listed as follows.

1. Scan and Kill Stuxnet with Relevant Tools or Manually

The steps for removing this worm manually are as follows:

  1. Use the Antiy Atool to terminate all lsass.exe processes whose parent process is not winlogon.exe;
  2. Forcibly delete the following dropped files:
  3. Delete the following registry keys:
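Before the manual removal steps above are carried out, an analyst usually wants a read-only inventory of which indicators from this report are actually present on the host. The following PowerShell script is an added example written for this page; it is not part of the original report, nor is it the Antiy Atool. It covers the first removal step (lsass.exe with a parent other than winlogon.exe), the MRXCLS/MRXNET driver services, the oem7A.PNF module, the winsta.exe and sysnullevnt.mof files delivered through the print spooler, the flash-disk payload (~wtr4132.tmp, ~wtr4141.tmp and .lnk files) described in the spread section, and the renamed Step7 DLL s7otbxsx.dll. All of those names come from the report; the registry path HKLM\SYSTEM\CurrentControlSet\Services is the standard Windows service store, while the Program Files search scope for the Step7 DLL is an assumption. The script only reports; it terminates and deletes nothing.

```powershell
# Added triage example: report the Stuxnet indicators named in the Antiy report.
# Read-only: it lists findings so an analyst can confirm them before removal.
# Run from an elevated PowerShell prompt on the host under investigation.

function Get-SuspiciousLsass {
    # Removal step 1: lsass.exe whose parent process is not winlogon.exe.
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'lsass.exe' })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ine 'winlogon.exe') {
            [pscustomobject]@{
                Indicator = 'lsass.exe with unexpected parent'
                Detail    = "PID $($p.ProcessId) parent=$parentName (PID $($p.ParentProcessId)) path=$($p.ExecutablePath)"
            }
        }
    }
}

function Get-RogueDriverServices {
    # mrxcls.sys / mrxnet.sys are registered as the services MRXCLS / MRXNET.
    foreach ($svc in 'MRXCLS', 'MRXNET') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{ Indicator = "service $svc registered"; Detail = "$key ImagePath=$image" }
        }
    }
}

function Get-DroppedFiles {
    # Files the report names: the injected module under %Windir%\inf and the
    # two files delivered through the print spooler into %System32%.
    $candidates = @(
        (Join-Path $env:windir 'inf\oem7A.PNF'),
        (Join-Path $env:windir 'System32\winsta.exe'),
        (Join-Path $env:windir 'System32\sysnullevnt.mof')
    )
    foreach ($f in $candidates) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            [pscustomobject]@{ Indicator = 'dropped file present'; Detail = "$f size=$($item.Length) mtime=$($item.LastWriteTime)" }
        }
    }
}

function Get-RemovableDiskArtifacts {
    # Flash-disk payload: ~wtr4132.tmp and ~wtr4141.tmp beside the crafted .lnk files.
    # On an infected host mrxnet.sys hides these, so run this from a clean host
    # with the suspect disk attached. DriveType 2 = removable disk.
    $removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
    foreach ($d in $removable) {
        $root = $d.DeviceID + '\'
        $hits = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name -in @('~wtr4132.tmp', '~wtr4141.tmp')) -or ($_.Extension -ieq '.lnk') }
        foreach ($h in $hits) {
            [pscustomobject]@{ Indicator = 'removable disk artifact'; Detail = $h.FullName }
        }
    }
}

function Get-Step7DllSwap {
    # Second WinCC vulnerability: the original s7otbxdx.dll is renamed to s7otbxsx.dll.
    # Searching the Program Files trees is an assumption; adjust to the Step7 install path.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($r in $roots) {
        Get-ChildItem -Path $r -Recurse -Filter 's7otbxsx.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Indicator = 'renamed Step7 DLL'; Detail = $_.FullName } }
    }
}

$findings = @(Get-SuspiciousLsass) + @(Get-RogueDriverServices) + @(Get-DroppedFiles) +
            @(Get-RemovableDiskArtifacts) + @(Get-Step7DllSwap)
if ($findings.Count -eq 0) { 'No Stuxnet indicators from the report were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because mrxnet.sys hides the flash-disk files through kernel hooks on an infected machine, a clean result from Get-RemovableDiskArtifacts on a suspect host proves nothing; the registry and service checks, which the report does not describe as hidden, are the more reliable signal on the host itself.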

2. Install Related System Patches

Install the following patches provided by Microsoft:

In addition, users should pay attention to the unpatched privilege escalation vulnerability, and to another similar vulnerability recently found by Microsoft. Users should always keep themselves informed of the latest security events.

3. Install the Software Patches

Install the latest WinCC patches released by Siemens; please see the Appendix.

Proposals on Security

This significant attack has taught us that:

Therefore, the following proposals are offered to the relevant departments and enterprises:

Chapter 4: New Characteristics of the Attack

Compared with previous security incidents, this Stuxnet attack shows many newly invented methods and features, which attracted our attention.

Attacks the industrial system

The direct target of the Stuxnet worm is the Siemens SIMATIC WinCC system. This is a Supervisory Control and Data Acquisition (SCADA) system widely used in steel, automobiles, electric power, transportation, water conservancy, chemicals, oil and other critical industries, especially national-level projects. It runs on the Windows platform and is often deployed in a private LAN that is fully physically isolated from the Internet.

Normally, the value of a worm lies in its broad reach and the universality of its targets. But this attack is diametrically opposed to that principle: its ultimate goal is neither the exposed host nor common software. Whether it is penetrating an internal network or mining vulnerabilities in large proprietary software, both are difficult for an ordinary attacker. This also shows that the intention of the attack is clear and that the attack was carefully planned.

Exploits multiple zero-day vulnerabilities

Stuxnet exploits the Microsoft operating system with the vulnerabilities as follows:

The last three vulnerabilities above were first used in Stuxnet and are real zero-day flaws. Such large-scale use of multiple zero-day flaws has rarely been seen before.

These vulnerabilities were not randomly selected. From the perspective of worm propagation, each vulnerability plays a unique role. For example, the autoplay function has been blocked by most antivirus software, so the shortcut file parsing vulnerability can be used as the intermediate channel instead.

On the other hand, the timestamps of some samples captured by Antiy Labs date from March this year. This means that the zero-day vulnerabilities had been exploited by the attacker at least as early as March. It was not until the major outbreak in July that the vulnerabilities were disclosed for the first time. During this period the spread of the vulnerabilities was limited, which posed real difficulties for antivirus companies.

Use Digital Signatures

After Stuxnet runs, two driver files are released:

The two driver files use Realtek's digital signature to avoid being killed by anti-virus software. At present, the signature has been revoked by the issuing authority and is no longer valid. However, most current anti-virus products use a static method to identify whether an executable file has a digital signature at all, so they are likely to be deceived.
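The defensive lesson of this section is that "is there a signature attached" is not the same question as "does this signature still chain to a trusted, unrevoked certificate". The following PowerShell function is an added example for this page, not code from the report or from any anti-virus product: it reads the Authenticode signature of a driver, then rebuilds the certificate chain with online revocation checking so that a revoked signing certificate, as in the Realtek case described above, is surfaced. The driver directory used in the usage call is a placeholder, and the use of .NET's X509Chain with Online revocation mode is this example's own choice for exposing revocation status.

```powershell
# Added example: verify a driver's Authenticode signature and check revocation,
# rather than only testing that *some* signature is attached to the file.

function Test-SignedDriver {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        Path         = $Path
        HasSignature = [bool]$sig.SignerCertificate   # all a purely static check looks at
        SignerStatus = $sig.Status                    # Valid / NotSigned / HashMismatch / NotTrusted ...
        Signer       = $null
        Issuer       = $null
        ChainValid   = $false
        ChainErrors  = @()
        Verdict      = 'untrusted'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $report.Signer = $cert.Subject
        $report.Issuer = $cert.Issuer

        # Rebuild the chain with online revocation checking (CRL/OCSP) for every
        # certificate in it, so a revoked signing certificate is reported.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $report.ChainValid  = $chain.Build($cert)
        $report.ChainErrors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        $chain.Reset()

        if ($sig.Status -eq 'Valid' -and $report.ChainValid) { $report.Verdict = 'trusted' }
        elseif ($report.ChainErrors -match 'Revoked')         { $report.Verdict = 'revoked signer' }
    }
    [pscustomobject]$report
}

# Usage (placeholder directory): list every driver that carries a signature but
# does not verify as trusted. A file with HasSignature = True and a Verdict of
# 'revoked signer' is exactly the case a signature-presence check waves through.
Get-ChildItem -Path "$env:windir\System32\drivers" -Filter '*.sys' |
    ForEach-Object { Test-SignedDriver -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'trusted' } |
    Format-Table Path, HasSignature, SignerStatus, Verdict -AutoSize
```

Two caveats when reading the output: the chain is built against the current time, so a legitimately timestamped signature whose certificate has since expired will show NotTimeValid rather than 'trusted' and needs a manual look, and the revocation check requires network access to the issuer's CRL or OCSP endpoint, which an isolated industrial host may not have; in that case RevocationStatusUnknown is reported and the file should be checked from a connected analysis machine.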

Definite Purposes

According to Symantec, infected hosts in Iran made up only 25% of the total in July, but grew rapidly to 60% by this September.

WinCC is widely used in basic defense facilities in Iran. On Sep. 27, Iran's state news agency confirmed that the country's first nuclear power plant, the Bushehr nuclear power plant, had come under attack. It is known that the nuclear power plant was originally scheduled to begin official operation in August this year. Therefore, the attack has definite purposes.

Chapter 5: Comprehensive Evaluation

The industry will face serious security challenges

In every country of the world, WinCC is widely used in many important industries. If it is attacked, the operation of the enterprise's related facilities may be controlled, and this may even give rise to commercial espionage, production downtime and other serious accidents.

We were not very surprised by the emergence of Stuxnet. As early as last year, following a user submission, Antiy Labs researched the security of chemical-industry instrumentation, and the situation was not optimistic.

Industrial control networks, including industrial Ethernet and fieldbus control systems, have been used in industrial enterprises for many years. Currently, in power, steel, chemical and other large enterprises of heavy industry, industrial Ethernet, DCS (Distributed Control System), fieldbus and other technologies have penetrated every aspect of the control system. The core of today's industrial control networks is the industrial control PC, and most of these are based on the same Windows/Intel platform. There is no essential technical difference between industrial Ethernet and civil Ethernet, and fieldbus technology brings microcontrollers or embedded systems into every control instrument. In addition to the same attacks seen on civilian/commercial networks, such as the spread of malicious code through the LAN, industrial control networks may be attacked with means specialized for the fieldbus, which should not be underestimated.

Currently, economic interests are the main target of most attacks on civilian/commercial computers and networks. However, a special attack on an industrial control network and fieldbus may aim to destroy a company's important equipment and the normal tracking and command of that equipment, and the resulting consequences may be catastrophic. Take the chemical industry as an example: a special attack on the industrial control network may disrupt the normal temperature or pressure tracking of reactors. The reactor would then run over-temperature or over-pressure, resulting in catastrophic accidents such as fire or explosion, and probably causing secondary or humanitarian disasters. As a result, attacks of this kind, which aim at industrial networks, always have the character of information weapons. They aim at interfering with or fatally destroying the normal production of important industrial enterprises, and their background is not some individual or ordinary hacker.

At present, the industrial Ethernet and fieldbus standards are public, and there is no high technical threshold for programmers familiar with industrial control systems to develop targeted malicious code. Therefore, it is very necessary to strengthen and protect the following potential weak points of industrial network security:

Industrial control networks are often independent networks whose transmitted data volume is relatively small compared to civil/commercial networks, but whose requirements for real-time operation and reliability are higher, so that any problem has very serious consequences.

Compared with information networks, the security of traditional industrial networks neglects prevention and always depends on intranet isolation. Thus, it is extremely urgent to carry out security checks and strengthen protection for industrial systems.

Observation and Thinking

Against the trend and background in which traditional industry and information technology gradually merge, and the safety core of traditional industrial systems shifts from physical safety to information security, the Stuxnet attack incident is worthy of our further thought.

This is a very unusual attack, specifically reflected in:

Thereby, the newly exploited vulnerabilities and the spreading methods adopted by this attack will be used by other attackers for at least a long time to come. There are two new typical directions to focus on:

Among the various predictions about future viruses, the most frightening is not the impact on computer node data itself, but the associated impact on related links, such as illegal control of weapons systems. Unfortunately, the Stuxnet attack proves that this prophecy will come true if there is no effective prevention.

The first advance in industrial electronic systems was the analog combination of electronic technology and machinery manufacturing. Since then, with the continuous introduction of digital technology, it completed its second leap, relying on the SMC (Single Chip Micro Controller), embedded programs and early digital industrial control protocols. At that time, industrial control systems and office information networks were heterogeneous and separated, and their security lay mainly in physical security.

With the decreasing cost of the PC environment and the Internet, more and more industrial systems and other information systems have begun to move toward a standard x86 environment; meanwhile, more and more control signals and collected data are transmitted using TCP/IP protocol standards, or even over public networks, which allows the vast number of x86 viruses to focus on new targets with a deadlier threat. Therefore, data exchange based on traditional physical isolation can NOT absolutely guarantee security. In this case, the threat from non-real-time transmission such as flash disks stands out. On the other hand, older versions of the OS are often used in industrial systems for the sake of isolation and stability, without effective patching conditions, which exacerbates the security risk.

The designers and users of traditional industrial systems have given a lot of consideration to physical security. Normal operation of the industrial system is ensured by a sufficient number of sensors, a large number of processes and documents, and people's active efforts. However, in this case, the system developers hard-coded the user name and password for connecting to the database, instead of keeping them configurable independently of the program content. This is a low-level mistake in software development, but it may be prevalent in today's specialized software systems. We can see that every detour traditional PC developers went through in terms of security will be repeated in industrial control systems. We can also be certain that, in the next 20 years, the core of security in industrial systems will no longer be an isolated problem of physics and physical security, but the problem of information security, which is the soul of operation. And this problem is even more present in the Internet of Things, which is regarded as humanity's future direction of development.

Security vendors have not been considered members of the traditional industrial security system. Therefore, at the beginning of this incident, the security vendors and the attacker were not in the same position: the information was asymmetric. The attackers completely analyzed and prepared for the target industrial system and then launched the attack; when the security vendors faced the unexpected event, they could not reproduce the problem, follow up and analyze it as quickly as they would for a vulnerability in common software or Internet software, and had to wait until they could coordinate with the related software developers. From this perspective, spreading through the common PC environment and then launching an attack on a relatively closed industrial system or other proprietary system, gaining attack time by exploiting the information asymmetry between manufacturers and security vendors, will become a new attack method full of challenge and great irony. Therefore the misconception that proprietary systems are free from security threats closes the door to security vendors but opens it to attackers.

As professional security engineers, we intuitively take on greater responsibility. The future will prove that our work is not only to protect a virtual world, but the real world we live in.

Referred Links:

  1. Siemens has offered the official solution
  2. Microsoft links about the vulnerabilities are as follows:
  3. WinCC patch released by Siemens
  4. Download Antiy Atool