a forensic dissection of stuxnet

A Forensic Dissection of StuxnetCarey Nachenberg Vice President, Symantec Fellow Symantec Corporation

Adjunct Professor of Computer ScienceUniversity of California at Los Angeles

The Biology of Stuxnet 1

What I’d Also Like to Discuss… (If I had more time)


1010100

00101101

11111011

01000101

00110100

11011011

00100011

11000100

= 11011011

11000100

1010100

11111011

(Birds do it, bees do itcomputer viruses do it)

10101001101001011010101111101110101000100111

10101101101001011110100001101110101000101011

(We have documentedevidence of both random and

intentional mutation)

(Parasitism is oneof the most common

forms of infection)

3

This is Natanz, Iran

The Biology of Stuxnet

4

And these are Natanz’s Centrifuges


5

And this is how they’re controlledProgrammable Logic Controller

. . . . . .

. . . . . .

CommunicationsProcessors (Routers)

FrequencyConverters

Centrifuges

WindowsPC

STEP7


The PLC decides how fast to spin the centrifuges.

A standard PC controls the entire enrichment process!

Communications Processors route

commands from the PLC to centrifuges.

Frequency Converters ensure the centrifuges spin

at the right speed.

Centrifuges spin Uranium to remove impurities.

6

And this is how they’re isolated

Programmable Logic Controller

. . . . . .

. . . . . .

CommunicationsProcessors (Routers)

FrequencyConverters

Centrifuges

WindowsPC

STEP7

Research Network


7

And this is (possibly) an Israeli Mossad Programmer

Who wants to introduce

onto this computer

right here


8

So how exactly does this:

Get onto an “air-gapped”network to

disrupt these:

It’s got to spread on its own…

All while evading detection.

Until it discovers the proper computers…

Where it can disrupt the centrifuges…


It’s got to spread on its own…Stuxnet uses seven distinct mechanisms to spread to new computers.

Six of these attacks targeted flaws (back doors) that wereunknown to the security industry and software vendors!

It copies itself toopen file-shares.It attacks a hole

in Windows’ print spooler.

It attacks a holein Windows RPC.It password-cracks

SIEMENS DB software.It infects SIEMENS

PLC data files.Peers update other

peers directly.Stuxnet uses thumb

drives to bridge the gap!?Usually we’re surprisedwhen we see a threattargeting one flaw...

But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network?

USB drives!The Biology of Stuxnet 9

Until it discovers the proper computers…Stuxnet is extremely picky and only activates its payload when it’s found an exact match.

The targeted computer must be runningSTEP7 software from Siemens.

The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.

The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.

STEP7

Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.

…

It’s got to spread on its own…


Until it discovers the proper computers…Stuxnet is extremely picky and only activates its payload when it’s found an exact match.

STEP7

…

Now if you do the math….

Stuxnet verifies that the discovered Programmable Logic Controller…

Is controlling at least 155 total frequency converters…

And recently we learned that Iran’sUranium enrichment “cascade” just happens

to use exactly 160 centrifuges.

What a coincidence!

The creators of Stuxnet must have guessed all of these

details.


Now Stuxnet gets down to business…

Stuxnet starts by downloading malicious logic onto the PLC hardware.

What you (probably) didn’t realize is that the PLC uses a totally different microchip &

computer language than Windows PCs.

Stuxnet is the first known threat to target an industrial

control microchip!


Until it discovers the proper computers…

12

Next, Stuxnet measures the operating speed of the frequency converters during their normal

operation for 13 days!

And makes sure the motors are running between 807Hz and 1210Hz.

(This is coincidentally the frequency range

required to run centrifuges.)


(After all, whoever wrote Stuxnet wouldn’t want it

to take out a roller coaster or something.)


Once it’s sure, the malicious PLC logic begins its mischief!

Then sleeps for 27 days.

Then slows the spin rate to 2Hz for 50 mins.

Then sleeps for 27 days.

Stuxnet repeats this process over and over.

0Hz 1500Hz

Stuxnet raises the spin rate to 1410Hz for 15 mins.



Why push the motors up to 1410Hz?

0Hz 1500Hz

Well, ~1380Hz is a resonance frequency.

It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!

Why reduce the motors to 2Hz?

At such a low rotation rate, the vertical enrichment tubeswill begin wobbling like a top (also causing damage).



What about Iranian failsafe systems?


(Surely alarm bells must have been blaring at the enrichment plant, right?)


Maybe Stuxnet pulled a mission impossible?!?

And in fact, that’s exactly what Stuxnet did!

Well, in fact, these facilities typically do

have fail-safe controls.

They trigger a shutdown if the frequency goes out of the acceptable range.

But worry not…Stuxnet takes care of

this too.

Stuxnet records telemetry readings while the

centrifuges are operating normally.

0Hz 1500Hz

And when it launches its attack, it sends this

recorded data to fool the fail-safe systems!

And Stuxnet disablesthe emergency kill switch

on the PLC as well…Just in case someone tries

to be a hero.



All while evading detection…Stuxnet uses five distinct mechanisms to conceal itself.

#5Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”

The 1-hour Guide to Stuxnet


19

Stuxnet uses five distinct mechanisms to conceal itself.

#4Stuxnet inhibits different behaviors in the presence of different

security products to avoid detection.

Launch Attack ALaunch Attack BLaunch Attack CLaunch Attack D




The 1-hour Guide to Stuxnet 20


#3Stuxnet completely deletes itself from USB keys after it has

spread to exactly three new machines.




#2Stuxnet’s authors “digitally signed” it with stolen digital certificates

to make it look like it was created by well-known companies.

Realtek

The two certificates were stolen from

RealTek and Jmicron…


…as it turns out, both companies are located less than 1km apart in the same Taiwanese

business park.



#1Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (It hides its injected logic)!

Instructions to the Centrifuges

During normal operation:Spin at 1410hz

In case of emergency:IGNORE OPERATOR COMMANDS

SIEMENS

PLC

(To centrifuges)

During normal operation:

Spin at 1064hz

In case of emergency:

Spin down to 0hz



Did It Succeed?Indications are that it did!

The Institute for Science and International Security writes:

“It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about

9,000 deployed at the site.”

Symantec telemetry indicates that rather than directly trying to infiltrate Natanz…

These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.

The attackers infected five industrial companies with potential subcontracting relationships with the plant.


Did It Succeed?Well, based on some clever

Symantec engineering, we’ve got some interesting data.

Fact: As Stuxnet spreads between computers, it keeps an internal

log of every computer it’s visited.

Fact: Stuxnet contacts two command-and-control servers every time it runs to report its

status and check for commands.

www.mypremierfutbol.com

www.todaysfutbol.com

Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.


Stuxnet Bookkeeping


151.21.32.19 151.21.32.21

27.42.97.152

93.154.11.42 93.154.12.78

151.21.32.19

151.21.32.21151.21.32.19151.21.32.21151.21.32.19151.21.32.21

27.42.97.152

93.154.11.4293.154.12.78

151.21.32.19

151.21.32.19151.21.32.21

151.21.32.19151.21.32.2193.154.11.42

Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics!


Here’s What We Found

Here’s What We Found(These graphs show how the discovered samples spread)


29

Here’s What We Found

Data at time of discovery (July, 2010)


Whodunit?


19790509

According to Wikipedia, On May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian

Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic

government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran

which continues to this day.”

June 22, 2009 4:31:47pm GMTJune 22, 2009 6:31:47pm Local

GMT + 2

To Conclude

Stuxnet proves cyber-warfare against physical infrastructure is feasible.

Unfortunately, the same techniques can be used to attack other physical and virtual systems.

Stuxnet has signaled a fundamental shift in the malware space.


Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thank you!

32The Biology of Stuxnet

Now Stuxnet gets down to business…All while evading detection…Stuxnet used five distinct mechanisms to conceal itself.

#1 Stuxnet hides its files on thumb drives using a “rootkit”

35

#2 Stuxnet adjusts its behavior basedon which security product was present

Launch Attack A

Launch Attack B

Launch Attack C

Launch Attack D

#3 Stuxnet self-destructs on USB keys once it had spread to 3 new machines

#4 Stuxnet was signed with one of 2 stolen digital certificates, making it look like a trusted file

Realtek

#5 Stuxnet hid its centrifuge controllerchanges using a second “rootkit”


a forensic dissection of stuxnet

Documents