A Forensic Dissection of Stuxnet
Carey Nachenberg, Vice President, Symantec Fellow, Symantec Corporation
Adjunct Professor of Computer Science, University of California at Los Angeles
The Biology of Stuxnet
What I’d Also Like to Discuss… (If I had more time)
[Figure: a computer virus drawn as strings of binary copying itself, with three biology analogies as captions: "Birds do it, bees do it, computer viruses do it" (self-replication); "We have documented evidence of both random and intentional mutation"; "Parasitism is one of the most common forms of infection".]
This is Natanz, Iran
And these are Natanz’s Centrifuges
And this is how they're controlled
[Figure: the control chain: Windows PC running STEP7 -> Programmable Logic Controller -> Communications Processors (routers) -> Frequency Converters -> Centrifuges]
A standard Windows PC running Siemens STEP7 controls the entire enrichment process!
The PLC decides how fast to spin the centrifuges.
Communications Processors route commands from the PLC to the frequency converters.
Frequency Converters ensure the centrifuges spin at the right speed.
Centrifuges spin uranium (as uranium hexafluoride gas) to separate the lighter U-235 isotope from U-238; that separation is the "enrichment".
And this is how they're isolated
[Figure: the same control chain (STEP7 PC -> PLC -> Communications Processors -> Frequency Converters -> Centrifuges) on a network with no connection to the Internet, shown alongside a separate "Research Network".]
And this is (possibly) an Israeli Mossad programmer
who wants to introduce Stuxnet onto this computer right here (the STEP7 PC).
So how exactly does this (Stuxnet) get onto an "air-gapped" network to disrupt these (the centrifuges)?
It's got to spread on its own…
All while evading detection.
Until it discovers the proper computers…
Where it can disrupt the centrifuges…
It's got to spread on its own…
Stuxnet uses seven distinct mechanisms to spread to new computers:
1. It copies itself to open file shares.
2. It attacks a hole in Windows' print spooler.
3. It attacks a hole in Windows RPC.
4. It logs into the Siemens WinCC database using a hard-coded password built into the product.
5. It infects Siemens STEP7 PLC project files, so that opening the project infects the engineer's PC.
6. Peers update other peers directly (a peer-to-peer update channel).
7. It uses thumb drives to bridge the gap.
Usually we're surprised when we see a threat targeting even one unknown flaw. Stuxnet exploited four zero-day vulnerabilities in all (two of them used for spreading), flaws unknown to the security industry and the software vendors at the time.
But if the centrifuges are air-gapped from the 'net, how can Stuxnet jump to the enrichment network?
USB drives!
Until it discovers the proper computers…
Stuxnet is extremely picky and only activates its payload when it's found an exact match:
The targeted computer must be running STEP7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 network modules from Siemens.
Each network module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
Now if you do the math…
Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 frequency converters in total.
And recently we learned that an IR-1 uranium enrichment "cascade" at Natanz just happens to use 164 centrifuges.
What a coincidence! The creators of Stuxnet must have "guessed" all of these details.
Now Stuxnet gets down to business…
Stuxnet starts by downloading malicious logic onto the PLC hardware.
What you (probably) didn't realize is that the PLC uses a totally different microchip and computer language than Windows PCs (Siemens STL source compiled to MC7 bytecode, not x86 code).
Stuxnet is the first known threat to target an industrial control microchip!
Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days!
And makes sure the motors are running between 807 Hz and 1210 Hz.
(This is coincidentally the frequency range required to run the centrifuges. After all, whoever wrote Stuxnet wouldn't want it to take out a roller coaster or something.)
Once it's sure, the malicious PLC logic begins its mischief!
[Figure: frequency scale from 0 Hz to 1500 Hz]
Stuxnet raises the spin rate to 1410 Hz for 15 minutes.
Then sleeps for 27 days.
Then slows the spin rate to 2 Hz for 50 minutes.
Then sleeps for 27 days.
Stuxnet repeats this process over and over.
Why push the motors up to 1410 Hz?
[Figure: frequency scale from 0 Hz to 1500 Hz]
Well, ~1380 Hz is a resonance frequency.
It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2 Hz?
At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).
What about Iranian fail-safe systems?
(Surely alarm bells must have been blaring at the enrichment plant, right?)
Well, in fact, these facilities typically do have fail-safe controls.
They trigger a shutdown if the frequency goes out of the acceptable range.
But worry not… Stuxnet takes care of this too.
Maybe Stuxnet pulled a Mission Impossible?!? And in fact, that's exactly what Stuxnet did!
Stuxnet records telemetry readings while the centrifuges are operating normally.
[Figure: frequency scale from 0 Hz to 1500 Hz]
And when it launches its attack, it replays this recorded data to fool the fail-safe systems!
And Stuxnet disables the emergency kill switch on the PLC as well… just in case someone tries to be a hero.
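The record, gate, attack and replay sequence above, as a small simulation. This is an added example, not Stuxnet's PLC code and not anything from Symantec: the 13-day observation window, the 807-1210 Hz gate and the 1410 Hz (15 min) / 27 days / 2 Hz (50 min) / 27 days cycle are the figures from the talk; the one-scan-per-minute timing, drives that follow a command instantly, the rule that a single out-of-band sample disqualifies the plant for good, and the fail-safe's 780-1250 Hz shutdown thresholds are assumptions made for the example.

```python
from collections import deque

# Figures from the talk: 13 days of observation, an 807-1210 Hz activation gate,
# then a repeating 1410 Hz (15 min) / 27 days / 2 Hz (50 min) / 27 days cycle.
RECORD_MINUTES = 13 * 24 * 60
SLEEP_MINUTES = 27 * 24 * 60
NORMAL_BAND = (807.0, 1210.0)
ATTACK_CYCLE = [                 # (override Hz, or None for "hands off"; minutes)
    (1410.0, 15),                # over-speed toward the tube resonance
    (None, SLEEP_MINUTES),
    (2.0, 50),                   # near-stall: the tubes wobble
    (None, SLEEP_MINUTES),
]
# Assumed: the plant's fail-safe shuts down when the *reported* speed leaves this range.
TRIP_BAND = (780.0, 1250.0)


class SabotageLogic:
    """Malicious PLC logic between the drives and the fail-safe (one scan per minute, assumed)."""

    def __init__(self, spoof_telemetry=True):
        self.spoof = spoof_telemetry
        self.phase = "record"        # record -> attack, or record -> dormant
        self.recorded = []           # telemetry captured during normal operation
        self.cycle = deque()         # remaining (override, minutes) steps of the current cycle
        self.override = None
        self.replay_pos = 0

    def command(self):
        """What the PLC tells the drives this minute: an override Hz, or None to leave the setpoint alone."""
        self.override = None
        if self.phase == "attack":
            if not self.cycle:
                self.cycle.extend(ATTACK_CYCLE)      # the cycle repeats indefinitely
            override, remaining = self.cycle[0]
            if remaining == 1:
                self.cycle.popleft()
            else:
                self.cycle[0] = (override, remaining - 1)
            self.override = override
        return self.override

    def telemetry(self, real_hz):
        """What the PLC reports to the fail-safe after reading the real drive frequency."""
        if self.phase == "record":
            if not NORMAL_BAND[0] <= real_hz <= NORMAL_BAND[1]:
                self.phase = "dormant"   # not a centrifuge cascade: never attack (assumed rule)
            else:
                self.recorded.append(real_hz)
                if len(self.recorded) >= RECORD_MINUTES:
                    self.phase = "attack"
            return real_hz
        if self.override is not None and self.spoof:
            # Mission Impossible: replay the recorded "normal" footage while the attack runs.
            sample = self.recorded[self.replay_pos % len(self.recorded)]
            self.replay_pos += 1
            return sample
        return real_hz


class FailSafe:
    """Threshold alarm that only ever sees the PLC's reported value."""

    def __init__(self, band=TRIP_BAND):
        self.band = band
        self.tripped_at = None       # minute of the first out-of-range reading

    def observe(self, minute, reported_hz):
        if self.tripped_at is None and not self.band[0] <= reported_hz <= self.band[1]:
            self.tripped_at = minute


def simulate(days, spoof_telemetry=True, setpoint_hz=1064.0, trip_band=TRIP_BAND):
    """Run the cascade for `days` at the operator's setpoint. Drives follow the PLC
    command instantly (assumed). Returns the ground truth an investigator wants
    next to what the fail-safe actually saw."""
    logic = SabotageLogic(spoof_telemetry)
    failsafe = FailSafe(trip_band)
    lo = hi = setpoint_hz
    override_minutes = 0
    for minute in range(days * 24 * 60):
        override = logic.command()
        real_hz = setpoint_hz if override is None else override
        failsafe.observe(minute, logic.telemetry(real_hz))
        lo, hi = min(lo, real_hz), max(hi, real_hz)
        if override is not None:
            override_minutes += 1
    return {
        "phase": logic.phase,
        "tripped_at": failsafe.tripped_at,
        "min_real_hz": lo,
        "max_real_hz": hi,
        "override_minutes": override_minutes,
    }


if __name__ == "__main__":
    for spoof in (False, True):
        print("replayed telemetry:", spoof, simulate(60, spoof_telemetry=spoof))
    print("roller coaster:", simulate(20, setpoint_hz=50.0, trip_band=(0.0, 100.0)))
```

Compare the two 60-day runs: with honest telemetry the fail-safe trips the very minute the 1410 Hz burst begins; with replayed telemetry it never trips, although the drives have been to 1410 Hz and down to 2 Hz. The "roller coaster" run shows the gate at work: a 50 Hz plant is watched for one sample and then left alone for good. The practical point is that a monitor fed by the controller it is supposed to watch is not an independent check; a sensor path the PLC cannot rewrite is.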
All while evading detection…
Stuxnet uses five distinct mechanisms to conceal itself.
#5 Stuxnet hides its own files on infected thumb drives using a Windows kernel-mode "rootkit" (the first of the two rootkits it carries; the second hides its changes on the PLC, see #1 below).
#4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection.
[Figure: three rows of "Launch Attack A / Launch Attack B / Launch Attack C / Launch Attack D", a different subset of attacks suppressed in each row depending on which security product is installed.]
#3 Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.
#2 Stuxnet's authors "digitally signed" it with stolen digital certificates to make it look like it was created by well-known companies.
The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1 km apart in the same Taiwanese business park.
#1 Stuxnet conceals its malicious "code" changes to the PLC from operational personnel (it hides its injected logic)!
[Figure: the Siemens PLC's real instructions to the centrifuges versus what the operator's STEP7 console displays]
What the PLC actually sends to the centrifuges:
During normal operation: spin at 1410 Hz
In case of emergency: IGNORE OPERATOR COMMANDS
What the operator sees in STEP7:
During normal operation: spin at 1064 Hz
In case of emergency: spin down to 0 Hz
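How that concealment works, and the check that defeats it, as an added example (not Stuxnet's code, not Siemens' API): the malware interposes on the driver layer STEP7 uses to read and write PLC blocks, hands back a stashed pristine copy for any block it tampered with, and leaves its own added block out of the listing. An integrity hash taken through that driver matches the clean baseline; the same hash taken through any path the hook does not control does not. Block names, their "code" strings and the driver interface are all made up for the example (real blocks are MC7 bytecode read through Siemens' communication DLL).

```python
import hashlib

# Constructed stand-in for PLC logic blocks (real ones are Siemens MC7 bytecode).
CLEAN_BLOCKS = {
    "OB1":  "normal: set_speed 1064Hz; emergency: set_speed 0Hz",
    "OB35": "watchdog: every 100ms check_limits",
}
# Hypothetical injected logic: a rewritten OB1 plus one extra block.
MALICIOUS_OB1 = "normal: set_speed 1410Hz; emergency: ignore_operator"
INJECTED_FC = "FC_INJECTED"


class Plc:
    """The controller's own view of its logic blocks (simulated)."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def read_block(self, name):
        return self.blocks[name]

    def write_block(self, name, code):
        self.blocks[name] = code

    def list_blocks(self):
        return sorted(self.blocks)


class CleanDriver:
    """The driver layer STEP7 talks through; passes everything straight to the PLC."""

    def __init__(self, plc):
        self.plc = plc

    def read_block(self, name):
        return self.plc.read_block(name)

    def write_block(self, name, code):
        self.plc.write_block(name, code)

    def list_blocks(self):
        return self.plc.list_blocks()


class HookedDriver(CleanDriver):
    """Stuxnet-style interposition on the same driver API: tampered blocks read back as
    the pristine copies it stashed, and the block it added is never listed."""

    def __init__(self, plc):
        super().__init__(plc)
        self.shadow = {}     # name -> original code shown to the operator
        self.hidden = set()  # blocks added by the malware

    def infect(self, name, malicious_code):
        self.shadow[name] = self.plc.read_block(name)
        self.plc.write_block(name, malicious_code)

    def add_hidden_block(self, name, code):
        self.hidden.add(name)
        self.plc.write_block(name, code)

    def read_block(self, name):
        if name in self.shadow:
            return self.shadow[name]
        if name in self.hidden:
            raise KeyError(name)   # "no such block" from the operator's point of view
        return self.plc.read_block(name)

    def write_block(self, name, code):
        if name in self.shadow:    # an operator re-upload updates the decoy, not the PLC
            self.shadow[name] = code
            return
        self.plc.write_block(name, code)

    def list_blocks(self):
        return [b for b in self.plc.list_blocks() if b not in self.hidden]


def fingerprint(driver):
    """Integrity hash of every block, as seen through the given driver."""
    h = hashlib.sha256()
    for name in driver.list_blocks():
        h.update(name.encode() + b"\0" + driver.read_block(name).encode() + b"\0")
    return h.hexdigest()


def divergent_blocks(operator_view, independent_view):
    """Blocks that differ between two views of the same PLC. This is the check that
    catches the rootkit, but only if the second view bypasses the hooked driver."""
    names = set(operator_view.list_blocks()) | set(independent_view.list_blocks())
    out = []
    for name in sorted(names):
        views = []
        for view in (operator_view, independent_view):
            try:
                views.append(view.read_block(name))
            except KeyError:
                views.append(None)
        if views[0] != views[1]:
            out.append(name)
    return out


def demo():
    plc = Plc(CLEAN_BLOCKS)
    baseline = fingerprint(CleanDriver(plc))      # taken before infection
    hooked = HookedDriver(plc)                    # what the infected STEP7 station now uses
    hooked.infect("OB1", MALICIOUS_OB1)
    hooked.add_hidden_block(INJECTED_FC, "spoof_telemetry; replay recorded")
    return {
        "operator_sees_baseline": fingerprint(hooked) == baseline,
        "independent_sees_baseline": fingerprint(CleanDriver(plc)) == baseline,
        "divergent": divergent_blocks(hooked, CleanDriver(plc)),
    }


if __name__ == "__main__":
    print(demo())
```

The operator's integrity check passes because it asks the hooked driver; the same check from an uninfected engineering station (or any channel that reads the controller without going through the compromised DLL) flags both the rewritten OB1 and the hidden block.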
Did It Succeed? Indications are that it did!
The Institute for Science and International Security writes:
"It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site."
Symantec telemetry indicates that rather than directly trying to infiltrate Natanz, the attackers infected five industrial companies with potential subcontracting relationships with the plant.
These companies (likely) then unknowingly ferried the infection into Natanz's research and enrichment networks.
Did It Succeed? Well, based on some clever Symantec engineering, we've got some interesting data.
Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it's visited.
Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands:
www.mypremierfutbol.com
www.todaysfutbol.com
Working with the registrars, Symantec took control of these domains (a "sinkhole"), forwarding all of their traffic to Symantec data centers.
Stuxnet Bookkeeping
[Figure: successive copies of Stuxnet, each carrying a longer list of the addresses it has passed through (151.21.32.19, 151.21.32.21, 27.42.97.152, 93.154.11.42, 93.154.12.78 in the illustration), one new entry per hop.]
Stuxnet embeds its "visited list" inside its own body as it spreads, enabling detailed forensics!
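What an analyst does with those embedded visited lists, as an added example (not Symantec's tooling): every recovered sample contributes one root-to-present chain, the chains are merged into a single infection tree, and the tree answers the forensic questions the following slides are about: where the spread started, which hosts were reached by more than one route (separate introductions or peer-to-peer updates meeting), which hosts seeded more than one other, and how long the longest chain is. The identifiers below are invented; the real lists are assumed to have already been decoded from the samples.

```python
from collections import defaultdict

# Constructed "visited lists": each is the ordered chain of hosts one recovered copy of
# the worm passed through, oldest first. Addresses are invented for the example.
SAMPLES = [
    ["151.21.32.19", "151.21.32.21"],
    ["151.21.32.19", "151.21.32.21", "27.42.97.152"],
    ["151.21.32.19", "151.21.32.21", "27.42.97.152", "93.154.11.42"],
    ["151.21.32.19", "151.21.32.21", "27.42.97.152", "93.154.11.42", "93.154.12.78"],
    ["151.21.32.19", "172.16.4.7"],                 # the first host also seeded a second branch
    ["10.8.0.5", "10.8.0.9"],
    ["10.8.0.5", "10.8.0.9", "93.154.11.42"],       # a second route into the same host
]


def build_tree(samples):
    """Merge every sample's chain into one parent/child graph; roots have no recorded parent."""
    parents = defaultdict(set)
    children = defaultdict(set)
    hosts = set()
    for chain in samples:
        hosts.update(chain)
        for src, dst in zip(chain, chain[1:]):
            parents[dst].add(src)
            children[src].add(dst)
    roots = sorted(h for h in hosts if not parents.get(h))
    return roots, parents, children, hosts


def longest_chain(roots, children):
    """Length in hosts of the longest reconstructed infection path (cycle-guarded)."""
    best = 0

    def walk(node, depth, seen):
        nonlocal best
        best = max(best, depth)
        for child in children.get(node, ()):
            if child not in seen:
                walk(child, depth + 1, seen | {node})

    for root in roots:
        walk(root, 1, frozenset())
    return best


def analyze(samples):
    roots, parents, children, hosts = build_tree(samples)
    return {
        "roots": roots,                                                     # candidate initial infections
        "multi_route": sorted(h for h, p in parents.items() if len(p) > 1),   # reached by more than one route
        "spreaders": sorted(h for h, c in children.items() if len(c) > 1),    # seeded more than one host
        "longest_chain": longest_chain(roots, children),
        "hosts": len(hosts),
    }


def render(samples):
    """Indented text tree of the reconstructed spread, one branch per root;
    a host reached by two routes appears under both."""
    roots, _, children, _ = build_tree(samples)
    lines = []

    def walk(node, depth, seen):
        lines.append("  " * depth + node)
        for child in sorted(children.get(node, ())):
            if child not in seen:
                walk(child, depth + 1, seen | {node})

    for root in roots:
        walk(root, 0, frozenset())
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(SAMPLES))
    print(render(SAMPLES))
```

Because each copy's list is a prefix of its descendants' lists, shorter samples add nothing the longer ones lack; the value of collecting many samples is in the branches, and in a host like 93.154.11.42 above that shows up with two different parents.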
Here's What We Found
[Figure: graphs showing how the discovered samples spread out from the initially infected organizations. Data at time of discovery (July 2010).]
Whodunit?
19790509 (a marker value Stuxnet writes to the Windows registry and checks before infecting a machine)
According to Wikipedia, on May 9th, 1979 "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day."
June 22, 2009, 4:31:47 PM GMT, which is June 22, 2009, 6:31:47 PM local time for someone working at GMT+2.
To Conclude
Stuxnet proves cyber-warfare against physical infrastructure is feasible.
Unfortunately, the same techniques can be used to attack other physical and virtual systems.
Stuxnet has signaled a fundamental shift in the malware space.
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.