Stuxnet is a network worm that began, in early 2010, to infect industrial control systems (ICS) and programmable logic controllers (PLCs), becoming the first rootkit for PLCs. PLCs are usually not connected to the Internet, or even to the internal network, so its creators had to devise a way to get the worm onto these systems. The worm used 4 zero-day vulnerabilities to propagate through internal networks, and loaded itself onto flash drives. Once an infected flash drive was plugged into an ICS computer, the worm copied itself onto that system and checked whether a PLC was attached. The worm first gathered information about its victim to determine whether it was the intended target, and if it was, the worm began to alter the code on the PLCs, changes believed to sabotage the systems. It remains undetermined whether Stuxnet reached its goal.
Stuxnet is a worm that is said to be an incredibly large and complex threat. It was written primarily to target a specific ICS or a set of similar systems, likely somewhere in Iran. The final goal of Stuxnet is to reprogram an ICS by modifying the code on its PLCs so that they work in the manner the attacker intended, such as operating outside normal boundaries, and to hide these changes from the operators of the machine. To achieve this goal, the creators assembled a variety of components to increase the chance of success. These components included: zero-day exploits, anti-virus evasion techniques, a Windows rootkit, the first ever PLC rootkit, hooking code, process injection, network infection routines, peer-to-peer updates, and a command and control interface.
The worm was found in July of 2010, is confirmed to have existed a year before that, and likely existed earlier still, with the majority of infections based in Iran. June 2009 was the earliest Stuxnet sample seen. That sample did not exploit an auto-run function of removable storage, and did not contain signed drivers to install itself. In January of 2010, Stuxnet reappeared, this time with a driver signed with a Realtek certificate, and could install itself without any problems. In July of 2010 Microsoft revoked the stolen Realtek certificate used to sign Stuxnet's driver, and the very next day Stuxnet reemerged with a driver signed with a JMicron Technology Corp certificate. By September of 2010, the worm's exploits had been patched by Microsoft, and all stolen signing certificates had been revoked.
Stuxnet had many features built into it to make sure it reached its goal. These included self-replication through removable storage, spreading through a vulnerability in the Windows Print Spooler, executing itself along with Step 7 projects, updating through peer-to-peer connections, a command and control server through which the attackers could push updates, bypassing security features, and hiding all modified code on the PLCs. Stuxnet is capable of more, far more, but these are the most noticeable features that make this worm a large and complex threat.
The injection method used by Stuxnet was complex, because it had to make sure it would infect its target machine while bypassing any security software it encountered. To load any .dll, including itself, Stuxnet calls LoadLibrary with a specially crafted name that does not exist on disk and would normally cause LoadLibrary to fail. However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load these specially crafted file names, and maps them to another location specified by W32.Stuxnet instead. Once a .dll has been loaded this way, GetProcAddress is used to find the address of a specific export from the .dll, and that export is called, handing control to the new .dll. If Stuxnet detects any security software, it determines which product and version it is and reruns itself in a new process to bypass the software's scanning.
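The loader-hooking behaviour just described gives a defender one concrete thing to look for: a module that was loaded successfully but has no file at the path the loader reported. The following Python script is an added example written for this page, not code from the original text or from any Stuxnet analysis; the log line format, the process and module paths and the on-disk inventory are all constructed for illustration, and the flagged DLL name in the sample is a placeholder rather than an actual Stuxnet file name.

```python
import re
from dataclasses import dataclass

# Constructed image-load log format (not a real product's schema):
# "ImageLoad pid=<pid> process=<path> module=<path>"
LOG_LINE = re.compile(
    r"ImageLoad pid=(?P<pid>\d+) process=(?P<process>\S+) module=(?P<module>\S+)"
)


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    process: str
    module: str


def parse_image_loads(lines):
    """Parse constructed log lines into ImageLoad records; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            events.append(ImageLoad(int(m["pid"]), m["process"], m["module"]))
    return events


def phantom_loads(events, disk_files):
    """Return loads whose module path is absent from the on-disk file inventory.

    A module that loaded successfully yet has no backing file is the symptom the
    text describes: a hooked loader redirecting a crafted name to another
    location. Windows paths are case-insensitive, so compare lower-cased.
    """
    present = {p.lower() for p in disk_files}
    return [e for e in events if e.module.lower() not in present]


# Constructed inventory and log sample (hypothetical paths, not data from the page).
DISK_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\explorer.exe",
]
SAMPLE_LOG = [
    r"ImageLoad pid=1204 process=C:\Windows\explorer.exe module=C:\Windows\System32\ntdll.dll",
    r"ImageLoad pid=1204 process=C:\Windows\explorer.exe module=C:\Windows\System32\kernel32.dll",
    r"ImageLoad pid=1204 process=C:\Windows\explorer.exe module=C:\Windows\System32\not-on-disk-example.dll",
    "unrelated line that the parser ignores",
]


def run_sample():
    """Return the module paths flagged in the constructed sample."""
    return [e.module for e in phantom_loads(parse_image_loads(SAMPLE_LOG), DISK_FILES)]


if __name__ == "__main__":
    for path in run_sample():
        print("loaded module with no backing file:", path)
```

In a real deployment the inventory would come from a file-system walk taken at the same time as the load events; a stale inventory produces false positives for freshly installed software, so the check is best used as a triage signal rather than a blocking rule.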
The process of injecting itself into a process is located in Export 15. First it checks the configuration data of the system, then checks whether the system is 64-bit; if it is, it exits. Once it has determined it is running on a 32-bit system it checks the OS version, and then checks whether it has admin rights. If it does not, it checks the OS once more to determine whether it is on XP or Vista. On XP it uses a zero-day vulnerability in Win32k.sys to escalate privileges and restart itself inside csrss.exe. On Vista it uses a zero-day vulnerability in Task Scheduler to escalate privileges and restart itself as a new task. Once it has the highest admin rights, Stuxnet calls Export 16.
Export 16 installs Stuxnet onto the system, and also checks the configuration data of the system. It then checks the registry value NTVDM Trace; if it is 19790509, it will not proceed. This is thought to be an infection marker, or a do-not-infect marker. If the value is not set to this, installation continues. Stuxnet then checks the date: if it is past 06/24/2012, it exits without installing; this is Stuxnet's kill-switch date. It then determines whether it is on XP or Vista. On XP it sets the DACL, on Vista the SACL. It then creates its files, including its main payload file Oem7a.pnf. It checks the date once more before decrypting its files and loading itself onto the disk, then calls Export 6 to get its version. It compares its version number with the one on the disk, and then installs its rootkit drivers, Mrxcls.sys and Mrxnet.sys. Finally it hides all its malicious files, infects any removable storage device, and infects Step 7 projects.
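The installation sequence in Export 16 names several host artifacts directly: the NTVDM Trace registry value 19790509, the payload file Oem7a.pnf and the driver files Mrxcls.sys and Mrxnet.sys. The script below, added here as an example and not taken from the original text or from any published tool, turns those into a small triage check over a host snapshot. The registry key that holds the value and the directories the files are dropped into are not given in the text, so the snapshot abstracts the registry as a value-name-to-data mapping and the directory names in the sample are constructed.

```python
from pathlib import PureWindowsPath

# Indicators as stated in the description above.
NTVDM_TRACE_MARKER = 19790509
DROPPED_FILES = {
    "oem7a.pnf": "main payload file",
    "mrxcls.sys": "rootkit driver",
    "mrxnet.sys": "rootkit driver",
}
SEVERITY_ORDER = {"high": 0, "medium": 1}


def triage(registry_values, file_paths):
    """Score a host snapshot against the indicators above.

    registry_values: mapping of registry value name -> data (constructed abstraction;
                     the real key path is not given in the text)
    file_paths:      iterable of file paths found on the host
    Returns a list of (severity, message) findings, highest severity first.
    """
    findings = []
    # The marker alone is ambiguous: it may mean an earlier infection, or a host that
    # was deliberately "immunised" by setting the value, so it is rated medium.
    if registry_values.get("NTVDM Trace") == NTVDM_TRACE_MARKER:
        findings.append(("medium", "NTVDM Trace is set to the do-not-infect marker 19790509"))
    for path in file_paths:
        name = PureWindowsPath(path).name.lower()   # file names are case-insensitive on Windows
        if name in DROPPED_FILES:
            findings.append(("high", f"{DROPPED_FILES[name]} present: {path}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed snapshots; the directory names are placeholders, not paths from the page.
INFECTED_SNAPSHOT = {
    "registry": {"NTVDM Trace": 19790509},
    "files": [
        r"C:\snapshot\drivers\Mrxcls.sys",
        r"C:\snapshot\drivers\Mrxnet.sys",
        r"C:\snapshot\inf\Oem7a.pnf",
        r"C:\snapshot\system32\kernel32.dll",
    ],
}
CLEAN_SNAPSHOT = {
    "registry": {"NTVDM Trace": 0},
    "files": [r"C:\snapshot\system32\kernel32.dll", r"C:\snapshot\system32\ntdll.dll"],
}


def infected_sample():
    return triage(INFECTED_SNAPSHOT["registry"], INFECTED_SNAPSHOT["files"])


def clean_sample():
    return triage(CLEAN_SNAPSHOT["registry"], CLEAN_SNAPSHOT["files"])


if __name__ == "__main__":
    for severity, message in infected_sample():
        print(f"[{severity}] {message}")
```

Because the text says the rootkit hides its files once installed, a file listing taken from the live, possibly hooked system may simply not contain Oem7a.pnf or the drivers; a listing taken from an offline disk image, or the registry marker, is the more reliable input to this check.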
ICS are operated by specialized code on PLCs, which are often programmed from Windows computers that are not connected to any network. The creators would have needed the schematics of the ICS to know which systems the worm should go after, so it is believed that an insider, or an early version of Stuxnet, retrieved them. They would then have built the latest version of Stuxnet, in which each feature was implemented for a reason and in service of the worm's final goal. The worm would then need to be tested in a mirrored environment to make sure it worked correctly. The attackers needed signed certificates so that Stuxnet's drivers could be installed, and to get them they would have had to physically go into the companies and take them. Once this was accomplished, the worm needed to be introduced into the target environment, which was done by a willing or unwilling third party, such as a contractor for the systems, most likely using a flash drive.
Once introduced into the systems, Stuxnet began to spread in search of the Windows computers used to program PLCs, which are called field PGs. Since these computers are not connected to the Internet, Stuxnet spread across the LAN using a zero-day vulnerability, by infecting Step 7 projects, and through removable storage. Once Stuxnet found a computer running Step 7, it began checking values from the ICS to determine whether it was on the correct system. It did this for 13 days to 3 months, then waited two hours before sending a network burst to the connected devices. These bursts carried the newly modified PLC code, which contained instructions to change the frequency at which the devices operated, making them run outside normal boundaries. Victims would not see the modified code, because Stuxnet hides its modifications by intercepting read and write commands. If someone sent a read command to the PLC, Stuxnet intercepted it, and if the read targeted an infected section, Stuxnet returned an unedited copy kept within itself. If it was a write command, Stuxnet made it appear to have gone through. Although the attack caused additional damage by spreading beyond the target onto outside computers, that spread was likely necessary to achieve the goal. It is believed the attackers accomplished their goal before they were discovered. For all these reasons, Stuxnet is believed to be one of the most complex pieces of malicious software written to date.
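The read interception described above is the reason PLC code cannot be verified through the same engineering workstation that may itself be compromised: a hash check run through that workstation sees only the unedited copies. The following Python model is an added example written for this page, not code from the original text, with constructed block names and block contents; it shows a baseline hash comparison that passes when reads go through an intercepting workstation and fails only when the controller is read through an independent path.

```python
import hashlib


def block_hash(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


class Plc:
    """Constructed model of a controller holding the code blocks that actually run."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def read(self, name):
        return self.blocks[name]

    def write(self, name, code):
        self.blocks[name] = code


class InterceptingWorkstation:
    """Models the concealment described in the text: reads that target a block the
    worm changed are answered from a cached unmodified copy, reads of anything
    else are passed through to the controller."""

    def __init__(self, plc, clean_copies):
        self.plc = plc
        self.clean_copies = dict(clean_copies)

    def read(self, name):
        return self.clean_copies.get(name, self.plc.read(name))


def verify(baseline_hashes, reader):
    """Compare every block read through `reader` against its trusted baseline hash.
    Returns {block name: True if unchanged, False if it differs}."""
    return {name: block_hash(reader.read(name)) == h for name, h in baseline_hashes.items()}


# Constructed scenario: two blocks, with the baseline taken before the incident.
ORIGINAL = {"block_a": b"block_a: original logic", "block_b": b"block_b: original logic"}
BASELINE = {name: block_hash(code) for name, code in ORIGINAL.items()}

plc = Plc(ORIGINAL)
plc.write("block_a", b"block_a: modified logic")          # the change the worm made
workstation = InterceptingWorkstation(plc, {"block_a": ORIGINAL["block_a"]})


def through_workstation():
    """Verification done only via the (intercepting) engineering workstation."""
    return verify(BASELINE, workstation)


def through_independent_path():
    """Verification done by reading the controller through a separate, known-clean path."""
    return verify(BASELINE, plc)


if __name__ == "__main__":
    print("via workstation:     ", through_workstation())
    print("via independent path:", through_independent_path())
```

The practical lesson is that the baseline hashes and the read used to check them must not share a trust dependency: keep the baseline off the engineering network and read the controller from a second tool or host that the suspect workstation never touched.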