Tuesday, March 15, 2011

Stuxnet Case Study - The Best Malware Ever Created? by Xiaoning Li - Security Community of Practice Blog - Security Community of Practice - Planet Blue

Introduction

In July 2010 a security researcher discovered what has been touted as the most advanced piece of malware ever. It was named Stuxnet. While no one knows the targets for sure, it is widely believed that one objective was to undermine Iran’s nuclear program. Stuxnet is advanced weaponized malware. It targeted Siemens’ industrial control system (ICS). To reach the ICS it included 6 previously unknown OS vulnerability exploits. Once through the operating system protections, it reprogrammed the programmable logic controller (PLC) to cause physical damage to centrifuges used in refining nuclear material. As the number of IA-based embedded systems grows, they are expected to become the next attack targets in industrial control systems.

To help us understand this malware and protect IA-based solutions from similar attacks, we reverse engineered the latest malware sample, worked out two unpublished kernel privilege escalation zero-day attacks and one unusual technique for injecting code into the system service process space, and reconstructed the malware’s design architecture. This analysis helps teams understand how the complex malware works and how it attacks Supervisory Control And Data Acquisition (SCADA) systems as designed.

Zero-day attacks happen every day. Successfully preventing them will become a major challenge for all security system vendors.

1. Why The Best Malware Ever Created?

  • Special Attack Target-Many media sources report that Iran’s nuclear program, which uses Siemens ICS, is the likely final target of Stuxnet. The attack clearly demonstrates a shift from traditional PC attacks, such as stealing important data, to physical attacks, such as destroying nuclear infrastructure. Siemens ICS are used by many critical infrastructures, such as power grids.

    Stuxnet is a definite threat in the field of cyber war. Stuxnet is unique because it limited its attack target to a specific Siemens PLC model and Step 7 software version; Step 7 is the software used to manage Siemens PLC devices.

  • Exploiting Multiple Vulnerabilities And Complex Combination-Stuxnet was designed on the assumption that the final ICS could be running any of several Windows versions. To compromise as many Windows systems as possible, Stuxnet exploited at least 6 vulnerabilities, including 5 Windows vulnerabilities and 1 Siemens vulnerability in the ICS.

    Unlike other malware, Stuxnet chained these exploits to ensure it could compromise the system successfully: it used a remote code execution vulnerability to inject code, which then escalated to system privilege, beyond even the current user’s privilege.

Table 1 shows the Windows vulnerability coverage via remote code execution (the Siemens vulnerability is OS neutral).

Table 1: Remote Code Execution Coverage

Table 2 shows the Windows vulnerability coverage via privilege escalation.

Table 2: Windows Privilege Escalation Coverage

  • Signed malicious code-As a basic security function, integrity checking in the Windows OS plays a very important role in stopping malware, because it is assumed to be very hard to obtain a valid certificate for malware. The Stuxnet malware contained two drivers and one DLL file signed with a valid certificate from Realtek or JMicron.

    So far no evidence shows how Stuxnet’s malicious code came to be signed, but it is very possible that the Stuxnet authors stole the private key via an earlier version of Stuxnet (or purpose-built malware), or that they had the opportunity to use the key management facility at Realtek/JMicron. Signed malicious code easily passes Windows integrity checking.

  • Filter Driver Based Rootkit-Kernel inline code/data hooking is the popular technique for intercepting the OS and setting up rootkit functions. Unlike usual malware, Stuxnet implements its rootkit function following Microsoft’s filter driver guidelines, which means it is very hard for antivirus software to tell a legitimate filter driver from malware built on the same fundamental rules. This makes detection very hard, because current security software cannot know whether a filter function belongs to a valid driver or to malicious code without a malware signature.
  • Product Quality, Professional Authors and Life Cycle-The reverse engineering result shows that the Stuxnet code carefully handles many exceptions to make sure the attack succeeds; otherwise it quits silently in an unsuitable environment to minimize the risk of being detected. Stuxnet actually existed for more than a year before it was discovered.

    Beyond the code style, writing malware this complex required all kinds of expertise: discovering vulnerabilities, writing stable exploits, Windows kernel internals and kernel driver development, the specific Siemens PLC hardware and software, and so on.

2. Stuxnet Components

Unlike other popular internet-based malware, Stuxnet was designed to attack PLC systems that may have no internet access, so it has to carry all of its malicious code in one package, in most cases a single file; that package is called the Stuxnet dropper.

From a functional perspective, Stuxnet includes three key parts.

  • Stuxnet Dropper
    The Stuxnet dropper is a DLL in the Windows control panel application. The dropper file is an all-in-one file that carries the Stuxnet major DLL as data in the .stub section of the PE file. It decodes the .stub section into memory and loads it as the major DLL. The dropper’s last step is calling exported API 15 of the major DLL.
  • Stuxnet Major DLL
    The major DLL is the main part of Stuxnet and includes all of the malicious code. It provides 21 exported functions, which supply most of the malicious functionality.

Diagram 1: Exported API by Stuxnet Major DLL

It also includes 13 resources. The rootkit files exist as resources.

Diagram 2: Resource Sections in Stuxnet Major DLL

  • Stuxnet Rootkit
    Stuxnet provides three different rootkit functions:

    1. DLL rootkit in User space
      The DLL rootkit is used to hide the malicious files on the USB disk before the kernel space rootkit is installed into the system. It makes the malicious files hard to find on the USB disk with Windows Explorer. It only sets up the rootkit in the infected Windows Explorer process.
    2. Driver rootkit in Kernel space
      After the system is compromised, the kernel space rootkit is installed. There are 2 filter drivers working as rootkits. The functions of the driver rootkit are hiding malicious files at the file system level and injecting the Stuxnet major DLL into the system service process space.
    3. PLC rootkit in User space
      To compromise the PLC, Stuxnet provides a special PLC rootkit. The rootkit exists as a fake Step 7 DLL, the DLL used to read/write PLC code on the PLC device when Step 7 manages it. The fake DLL passes malicious PLC code to the PLC device and hides that malicious code when users try to read/write PLC code with the Step 7 software.
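As an added example, not code from the original analysis, the following Python triage script parses a PE section table the way a defender would when checking a suspect control panel DLL for the non-standard .stub data section described above for the dropper, and pulls that section out for a second-stage scanner. The PE image it inspects is constructed inline, and the set of section names it treats as standard is an assumption.

```python
import struct
# Section names a normal toolchain emits; anything else (such as ".stub") merits a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}

def parse_sections(data):
    """Walk DOS header -> NT headers -> section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections

def find_suspicious_sections(data):
    """Names outside the standard set, e.g. the dropper's ".stub" payload carrier."""
    return [s["name"] for s in parse_sections(data) if s["name"] not in STANDARD_SECTIONS]

def extract_section(data, name):
    """Raw bytes of a named section, to hand to a second-stage scanner."""
    for s in parse_sections(data):
        if s["name"] == name:
            return data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return None

def build_sample_pe(sections):
    """Constructed minimal PE32 image (not a real sample) for exercising the parser."""
    opt_size, align = 224, 0x200
    raw_base = (64 + 24 + opt_size + 40 * len(sections) + align - 1) & ~(align - 1)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zero
    table = body = b""
    for i, (name, payload) in enumerate(sections):
        size = (len(payload) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             0x1000 * (i + 1), size, raw_base + len(body), 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + body

# Constructed stand-in for the dropper: a code section plus a ".stub" carrying a payload.
SAMPLE_DROPPER = build_sample_pe([(".text", b"\xC3" * 16),
                                  (".stub", b"MZ<embedded major DLL placeholder>")])
```

On a real file, `find_suspicious_sections(open(path, "rb").read())` gives the names to review, and the extracted bytes of a flagged section can be hashed or scanned on their own.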

3. Propagation and Compromising PLC Target

Usually important infrastructure sits in a special intranet without internet access. The key challenge for Stuxnet in compromising the final PLC system was figuring out how to carry the attack across different physical networks.

Given that Stuxnet exploited a Windows vulnerability via USB disk, the Stuxnet designers evidently assumed no insider could help them run code directly on the intranet, so they had to initiate the attack from an internet-connected machine.

Diagram 3: Propagation Paths

Diagram 3 shows all kinds of propagation paths. The most probable path is shown below.

  1. The attacker released the malware to the internet or directly attacked a specific internet target.
  2. Eventually the malware compromised one internet target owned by an internal employee who worked with the intranet.
  3. A USB disk is the most popular device for transferring data/code from the internet to the intranet; for example, machines in the intranet need to be updated with a new patch. The compromised internet target (an internet-capable device) compromises the USB disk as soon as it is plugged into that target.
  4. When the employee used the same USB disk in another machine in the intranet, Stuxnet compromised the intranet machine via the malware on the USB disk.
  5. Stuxnet compromised more and more machines in the intranet until eventually it compromised the final target, running Step 7 software with a PLC device.
  6. Stuxnet set up the PLC rootkit on the final target, and the PLC rootkit compromised the PLC code running in the PLC device to produce incorrect operations, such as changing the speed of the step motors for pumps or centrifuges supporting Iran’s nuclear infrastructure.

Stuxnet first checks which security software is running and what version it is. The malware uses this to decide how to continue or whether it should fail quietly. If Stuxnet’s code can run on the compromised machine, the dropper installs the malware on the system using the following simplified steps.

  1. The dropper decodes the major DLL and calls API 15.
  2. The major DLL checks the OS and obtains system privilege.
  3. After obtaining system privilege, the major DLL injects itself into the system service process.
  4. The major DLL in the system service process space installs the rootkit files to the hard drive.
  5. The major DLL in the system service process space monitors the system for any new USB disk mount event and compromises the USB disk with malicious files when the system mounts one.
  6. The major DLL in the system service process space calls the exploits in the resource sections to detect and compromise more machines via remote code execution. This causes the dropper to run again on the new system.

Diagram 4: Simplified Installation Steps

4. PLC Rootkits

As a key part of Stuxnet, the PLC rootkit is responsible for infecting the final PLC device. It includes two parts: the fake Step 7 DLL and the malicious PLC code. The DLL part is OS dependent, and the PLC code is only device dependent. Because the PLC rootkit is very specific to each PLC model and PLC management software, the attacker must know some information about the PLC model and software to design this rootkit. All attack paths prior to infecting the PLC are traditional attacks, whose usual result is data loss, but the PLC rootkit definitely changed the game. Because the malicious PLC code was used to control the PLC device to damage critical infrastructure, the targets of future attacks depend only on what equipment is controlled by the PLC device.

5. Conclusion

Stuxnet defines advanced weaponized malware and may become the typical case for cyber warfare. Why can’t the security industry prevent it? The key problem is that defense against zero-day attacks is still a challenge for the security industry. New zero-day attacks can bypass all kinds of security software, because signature-based solutions will definitely fail without a malware signature, and there is no signature until we have the malware sample.

How to successfully prevent zero-day attacks will become a key challenge for all security system vendors, including Intel. We will need to provide security across all layers, from the CPU to applications.

If you’re interested in additional information on this topic, please take a look at the references or contact SeCoE via email.

References:

1. Stuxnet, http://en.wikipedia.org/wiki/Stuxnet, accessed on February 1, 2010.

2. Stuxnet Under the Microscope. ESET, http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf, accessed on October 1, 2010.

3. W32.Stuxnet Dossier. Symantec Corporation, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf, accessed on October 1, 2010.

Amazing software engineering

