The worm turns
06 October 2010
The Stuxnet worm, a sophisticated piece of malware that targets Windows-based industrial monitoring and control systems, surfaced in the summer, but is believed to have been released in its initial version as far back as November 2008. Unlike most forms of malware, Stuxnet infects its targets via removable media such as USB memory sticks and CD-ROMs, rather than through networks or over Internet connections. And it is quite possibly this relatively limited mode of transfer to unsuspecting hosts that has kept reports of Stuxnet off the front pages – until now, that is.
Back in July, it emerged that Stuxnet appeared to be targeting Siemens’ WinCC SCADA system and its PLC programming application, Step 7. This has led many observers to conclude that the worm was created with specific industrial targets in mind, particularly those with Windows-based monitoring and control systems, and more specifically Siemens WinCC and Step 7, which are in widespread use around the world. More sinisterly, a particular geographical target has emerged: namely Iran, which has in excess of 60,000 of the known 100,000 infected hosts, leading many to believe that Stuxnet is probably the first real manifestation of ‘cyber warfare’ – hitherto a figment of the science fiction writer’s imagination.
According to US-based Norman Data Defense (NDD), Stuxnet is ‘Generation IV Malware’, or a technically highly competent threat aimed at a specific target (or targets) and not primarily motivated by financial gain. David Robinson, NDD’s UK country manager, says the high-profile IT security breach of the new Bushehr nuclear power plant in Iran demonstrates just how easy it is for an employee to introduce malware into an infrastructure provider.
Fortunately, the Stuxnet virus that infected Bushehr stopped at staff PCs and didn’t manage to gain access to the large number of PLCs operating in the main plant. Only last week, the Iranian authorities reported the arrest of several people in connection with the Bushehr IT breach, which some experts believe was an attempt to sabotage Iran’s nuclear programme by means other than military force.
Leading IT security specialist Symantec has led the field in researching the Stuxnet worm and last month released a detailed technical report on this extraordinarily sophisticated piece of malware, entitled W32.Stuxnet Dossier. Symantec’s Nicolas Falliere, who co-authored the Dossier, says that while Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, it can also do much more. Stuxnet has the ability to take advantage of the programming software to upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems, he explains. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, says Falliere, Stuxnet hooks the programming software, meaning that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking the enumeration, read and write functions, so that the hidden blocks cannot be accidentally overwritten either. Stuxnet contains 70 encrypted code blocks. Some appear to replace ‘foundation routines’ that take care of simple yet very common tasks, such as comparing file times, while others are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customised depending on the PLC.
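The practical consequence for defenders is that a block listing taken through an infected engineering workstation cannot be used to verify the PLC. The following added example (not from the article or from Symantec's Dossier) compares a PLC block inventory against a known-good baseline; the block names, contents and the model of the hooked view are constructed for illustration, and it assumes the baseline comes from the approved project and the inventory is read from a trusted machine.

```python
import hashlib

def digest(code: bytes) -> str:
    """SHA-256 of a block's content, used as its fingerprint."""
    return hashlib.sha256(code).hexdigest()

def compare_blocks(baseline: dict, observed: dict) -> dict:
    """Compare observed blocks (name -> bytes) with a baseline (name -> sha256)."""
    seen = {name: digest(code) for name, code in observed.items()}
    common = set(seen) & set(baseline)
    return {
        "unexpected": sorted(set(seen) - set(baseline)),   # on PLC, not approved
        "missing": sorted(set(baseline) - set(seen)),      # approved, not on PLC
        "modified": sorted(n for n in common if seen[n] != baseline[n]),
    }

def is_clean(report: dict) -> bool:
    """True only when no block is unexpected, missing or modified."""
    return not any(report.values())

# --- Constructed sample data (not real Step 7 blocks) ---
APPROVED = {
    "OB1": b"main cycle v1",
    "FC10": b"valve control v1",
    "DB5": b"setpoints v1",
}
BASELINE = {name: digest(code) for name, code in APPROVED.items()}

# Inventory read from a trusted machine: one routine replaced, one block added.
ON_PLC = dict(APPROVED, FC10=b"valve control altered", FC900=b"extra block")

# Assumed model of the same PLC seen through hooked programming software:
# the added block is filtered out and the replaced routine looks original.
HOOKED_VIEW = dict(APPROVED)

if __name__ == "__main__":
    print("trusted host :", compare_blocks(BASELINE, ON_PLC))
    print("hooked view  :", compare_blocks(BASELINE, HOOKED_VIEW))
    print("hooked view passes the check:",
          is_clean(compare_blocks(BASELINE, HOOKED_VIEW)))
```

The hooked view passes the check even though the PLC has changed, which is why the comparison only means something when the inventory is collected from a machine that is known to be clean.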
By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A historic example cited by Nicolas Falliere is a reported case of stolen code that impacted a pipeline. The code was secretly ‘Trojanized’ to function properly and, only some time after installation, to instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about twenty per cent of the explosive energy of the Hiroshima bomb.
In 2009, the US government admitted that software had been found that could shut down the nation’s power grid. This new type of virus has a boot file built in, which activates as soon as the memory stick is powered up on insertion into a USB port. But it’s not just memory sticks that are putting these systems at risk, says David Robinson. These days, anyone with a laptop or a device that connects remotely to a wireless network inside a company’s firewall is putting that company at risk, he warns. Robinson believes it is just a matter of time before Stuxnet is evolved to wreak havoc on control systems and any other system that the user connects to if their laptop or portable device is infected.