Stuxnet Whitepaper Updated

The Stuxnet situation seems to have settled down recently. Industrial Defender has published an update to our whitepaper “The Stuxnet Worm and Options for Remediation” to reflect the latest findings. The bottom line: Stuxnet is a “rootkit” for Siemens S7 PLCs. That is, the worm contains some 70 PLC function blocks and can send some or all of them to PLCs connected to a compromised WinCC host. Further, the worm is able to hide the modified PLC programs from users of compromised WinCC hosts.

Figure 1: Stuxnet ICS Rootkit

The worm hides the modified PLC programs by marking each of the worm’s function blocks in a particular way. In addition to the function blocks, the worm contains a “wrapper” for the Siemens s7otbxdx.dll library that Siemens programming tools use to read and write function blocks in PLCs. The wrapper contains code to recognize the worm’s marked function blocks. When you bring up a PLC programming tool on a compromised WinCC host to look at a PLC whose programming the worm has modified, the wrapper looks at the list of PLC function blocks and filters out the Stuxnet blocks. As a result, the programming tool shows only the function blocks legitimately in the PLC — everything else is invisible to the programming tool.
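The hiding technique just described is worth seeing as a model, because it decides which integrity checks can work. The Python below is an added example, not code from the whitepaper, from Industrial Defender, or from the worm itself: it models a wrapped read library that drops marked blocks, then runs the two checks a defender would want, a baseline comparison and a cross-check against a block list obtained through a path the wrapper does not control. The marker flag, block names and checksums are constructed for illustration; the page does not describe the real marking scheme.

```python
"""Added example: models a hooked block-list read and the defender checks
that do and do not catch it. All names, checksums and the 'marked' flag
are constructed; nothing here is the real marking scheme."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FunctionBlock:
    name: str       # block identifier as the engineering tool lists it
    checksum: str   # constructed digest of the block body
    marked: bool    # hypothetical marker the wrapper would filter on


# Constructed PLC contents: two legitimate blocks and one injected, marked block.
PLC_INVENTORY = [
    FunctionBlock("OB1", "a1f3", marked=False),
    FunctionBlock("FC10", "9c02", marked=False),
    FunctionBlock("FB_INJECTED", "77e4", marked=True),
]

# Constructed commissioning baseline: name -> checksum recorded when the
# project was last legitimately downloaded to the PLC.
BASELINE = {"OB1": "a1f3", "FC10": "9c02"}


def independent_read(inventory):
    """Stand-in for reading the block list through a path the wrapper does
    not control (for example from a host known to be clean)."""
    return list(inventory)


def hooked_read(inventory):
    """Models the wrapped library: marked blocks are dropped before the
    programming tool ever sees the list, so the tool shows only the rest."""
    return [b for b in inventory if not b.marked]


def hidden_from(host_view, trusted_view):
    """Names of blocks present in the trusted view but absent from the host's view."""
    seen = {(b.name, b.checksum) for b in host_view}
    return sorted(b.name for b in trusted_view if (b.name, b.checksum) not in seen)


def compare_to_baseline(view, baseline):
    """Return (added, changed, missing) block names relative to the baseline."""
    current = {b.name: b.checksum for b in view}
    added = sorted(n for n in current if n not in baseline)
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    return added, changed, missing


if __name__ == "__main__":
    host = hooked_read(PLC_INVENTORY)
    trusted = independent_read(PLC_INVENTORY)
    print("baseline check using the compromised host's view:", compare_to_baseline(host, BASELINE))
    print("baseline check using an independent read:       ", compare_to_baseline(trusted, BASELINE))
    print("blocks hidden from the host:", hidden_from(host, trusted))
```

The point the model makes: a baseline comparison run on the compromised host alone reports nothing, because the injected block never reaches the tool; only a read taken through an independent path exposes the extra block.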

The purpose of these function blocks and of the worm overall is still under investigation. It seems obvious, though, that the new function blocks are going to change either the way the PLC controls the physical process or the way the PLC reports the behavior of the physical process. Many commentators have suggested that the purpose of the worm is to steal intelligence or industrial secrets. The presence of these function blocks in the worm strongly suggests that the purpose of the worm is sabotage rather than intelligence gathering. Intelligence gathering can be done by reading data or by reading programming from a PLC. You do not need to modify a PLC program to gather intelligence.

The latest statistics from Microsoft indicate that while the United States experienced the largest number of Stuxnet infections, the American infections represent only some 0.03% of the installed base for the Microsoft Malicious Software Removal Tool. The second and third highest infection counts were found in Indonesia and Iran, where they represented 1.7% and 1.8% of the MSRT installed base, respectively, nearly a 6000% higher rate of infection than in the United States:

Geography       Stuxnet Cleanings   % of Installed Base
United States   31,740              0.03%
Indonesia       11,030              1.66%
Iran             4,818              1.83%
India            2,130              0.10%
Russia             714              0.01%

The worm moves between sites primarily by people physically carrying infected USB sticks past security measures, and the worm contains a propagation counter to halt propagation after only 3 “hops”. As a result, by seeding infected USB sticks into a geography, the authors of the worm could be assured that the worm would not propagate widely beyond that geography. It would seem that Indonesia and/or Iran were specifically targeted by the authors of the worm.
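Why a hop counter bounds the spread is easier to see on a small graph. The following is an added example, not part of the whitepaper or of the worm: a breadth-first model of hop-limited propagation over a constructed site-contact graph, where each edge stands for people carrying USB media between two sites, the seeded site is hop 0 and each transfer adds one hop. The 3-hop limit is the figure quoted above; the graph and the assumption that the counter stops spread after exactly three transfers are constructed for illustration.

```python
"""Added example: hop-limited spread over a constructed contact graph.
The graph and the exact counter semantics are modelling assumptions."""
from collections import deque


def reachable_within_hops(contacts, seeds, max_hops):
    """contacts: dict site -> iterable of sites that exchange USB media with it.
    Returns dict site -> hop at which it is first reached, for every site
    reachable from a seed in at most max_hops transfers."""
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        site = queue.popleft()
        if hops[site] >= max_hops:
            continue  # counter exhausted at this site: no further transfers
        for neighbour in contacts.get(site, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[site] + 1
                queue.append(neighbour)
    return hops


# Constructed contact graph: a chain of plants plus a remote cluster that is
# well connected internally but four transfers away from the seeded site.
CONTACTS = {
    "plant_A": ["plant_B"],
    "plant_B": ["plant_A", "plant_C"],
    "plant_C": ["plant_B", "plant_D"],
    "plant_D": ["plant_C", "remote_1"],
    "remote_1": ["plant_D", "remote_2", "remote_3"],
    "remote_2": ["remote_1", "remote_3"],
    "remote_3": ["remote_1", "remote_2"],
}


def spread_from(seed, max_hops=3):
    """Sites reached from one seeded site under the given hop limit."""
    return reachable_within_hops(CONTACTS, [seed], max_hops)


if __name__ == "__main__":
    for site, hop in sorted(spread_from("plant_A").items(), key=lambda kv: kv[1]):
        print(f"{site}: hop {hop}")
```

With the limit at 3, seeding plant_A reaches plant_B through plant_D and nothing in the remote cluster, however densely that cluster is connected internally; raising the limit by one is enough to reach it, which is why the counter value, not the network shape, sets the radius.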

As to what you can do about the worm, the whitepaper describes a number of options for preventing compromise and repairing damage done by the worm. We’ve also made available a recording of the recent Industrial Defender “Stuxnet Worm: Part 2” webinar, the focus of which is preventing infection by sophisticated exploits such as Stuxnet.

The bottom line on prevention is that while anti-virus technologies and patching are now available to protect you against Stuxnet, those technologies did you no good for the first year the worm circulated. During that period, patches for the LNK vulnerability and signatures for the vulnerability and the worm simply did not exist. Firewalls, physical security and other perimeter security were no help either, because the worm was propagated by trusted personnel carrying USB sticks past those perimeter mechanisms. Disabling USB mass storage on all control systems hosts would have prevented the worm at some sites, but some functions of the Siemens PCS7 control system require the use of USB sticks. The current technology that would have provided the strongest protection is whitelisting / HIPS technology. All control system security practitioners should become familiar with this kind of technology as soon as is feasible.
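The reason whitelisting works without a signature is that it keys on what is already known to be good rather than on what is known to be bad. The Python below is an added example, not Industrial Defender's HIPS product or any vendor's code: it shows the core of an application-whitelisting check, hashing every file under a directory at commissioning and later reporting anything unlisted, modified or missing. The directory contents and file names in demo() are constructed; "s7otbxdx.dll" appears only because the page names that library, and the bytes written are placeholders.

```python
"""Added example: minimal file allowlist (whitelisting) check.
The files and their contents in demo() are constructed stand-ins."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root):
    """Map every file under root (as a POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def check_against_allowlist(root, allowlist):
    """Compare the current tree with the allowlist. A HIPS agent would block
    execution of anything in 'unlisted' or 'modified'; here we only report."""
    current = build_allowlist(root)
    return {
        "unlisted": sorted(p for p in current if p not in allowlist),
        "modified": sorted(p for p in current
                           if p in allowlist and current[p] != allowlist[p]),
        "missing": sorted(p for p in allowlist if p not in current),
    }


def demo():
    """Build a baseline on a constructed tree, then simulate the two changes
    a rootkit-style compromise makes: a vendor library replaced by a wrapper,
    and a new executable dropped alongside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "s7otbxdx.dll").write_bytes(b"constructed stand-in for the vendor library")
        (root / "hmi.exe").write_bytes(b"constructed stand-in for an HMI binary")
        allowlist = build_allowlist(root)  # taken while the host is known good

        (root / "s7otbxdx.dll").write_bytes(b"constructed stand-in for a wrapper library")
        (root / "dropper.exe").write_bytes(b"constructed stand-in for an unlisted binary")
        return check_against_allowlist(root, allowlist)


if __name__ == "__main__":
    print(demo())
```

Both changes are caught with no prior knowledge of the threat: the replaced library shows up as modified and the new binary as unlisted. The check is only as good as the baseline, so the allowlist must be taken on a host known to be clean and kept where the protected host cannot rewrite it.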

You can find out more about Industrial Defender’s HIPS solution here.

This entry was posted in Security by Andrew Ginter.

About Andrew Ginter

Industrial Defender welcomes Andrew Ginter to Findings from the Field as a guest editor, focused on security solutions. For 25 years, Andrew developed control systems, control system to enterprise middleware, and control system security products at Hewlett-Packard, Agilent Technologies and then at Industrial Defender. Until 2010, Andrew served Industrial Defender as CTO and CSO, before serving as CTO at Abterra Technologies. Andrew holds degrees in Mathematics and Computer Science, as well as ISP, ITCP, and CISSP accreditations.
