Forensics for Stuxnet

Tuesday, September 20, 2011 @ 06:09 PM gHale

By Gregory Hale
To learn how to fight a virus like Stuxnet, study where it came from and what it intended. In other words, just work the forensics.

The problem is that a sophisticated worm like Stuxnet had over 15,000 lines of code for investigators to look over. On top of all that code, there were doubters in the industry saying we would most likely never find out who created Stuxnet or what was behind it.


Wrong, said Ralph Langner, founder and chief executive of Langner Communications during his talk Tuesday entitled “Forensics on a complex attack – Lessons learned from Stuxnet” at the Control Systems Cyber Security Conference in Washington, DC. “We had a whole bunch of forensic evidence to analyze. Stuxnet was a dream for forensics.” Langner and his team worked last year after discovering the virus to find out as much detail about Stuxnet as possible.

To find leads for a forensic investigation, “we started with a hypothesis to disprove.”

“Our first theory was to ask if it had anything to do with controllers,” Langner said. “It was quite easy to find out if it does anything to controllers. If it was going after a controller, you look at three areas – set points, firmware and ladder logic.”

“We found in one test scenario the SCADA software was in constant communication to the server. The traffic was so prevalent you had to be blind to miss it. It was not about just changing set points, it was all about injecting rogue ladder logic.”

“That led to other questions like what was it trying to achieve?” Langner said. “Was it a DoS (denial of service) timing, product quality, destructive?”

One line of information led Langner to the next step: extracting the rogue ladder logic, which is where they had to dig into the 15,000 lines of code.
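The three areas Langner names (set points, firmware, ladder logic) and the rogue-logic injection he describes suggest a basic defensive check: keep golden hashes of every block in the trusted project and compare them with what is actually running on the controller. The following is an added example, not code from the talk or from Stuxnet; the block names and bodies are constructed and merely illustrative.

```python
import hashlib

# Constructed sample data for this example (not from Stuxnet or from the talk):
# the engineering-workstation copy of a small PLC project, keyed by block name.
# OB/FC blocks hold the cycle and logic, DB blocks hold data such as set points,
# and "FW" stands in for the firmware image. Names are illustrative only.
PROJECT = {
    "OB1": b"call FC1; call FC2; end",
    "FC1": b"read sensors; write DB1",
    "DB1": b"setpoint_rpm=1064",
    "FW":  b"firmware image v1.0",
}

# Constructed snapshot read back from the running controller: an extra block
# has appeared, the main cycle now calls it, and a set point has moved.
RUNNING = {
    "OB1": b"call FC1; call FC2; call FC999; end",
    "FC1": b"read sensors; write DB1",
    "FC999": b"hidden logic",
    "DB1": b"setpoint_rpm=1410",
    "FW":  b"firmware image v1.0",
}

def digest(body: bytes) -> str:
    """Hash one block so the baseline can be stored without the block bodies."""
    return hashlib.sha256(body).hexdigest()

def baseline_of(project: dict) -> dict:
    """Golden hashes taken from the trusted project, one per block."""
    return {name: digest(body) for name, body in project.items()}

def area_of(name: str) -> str:
    """Map a block to one of the three areas named in the talk."""
    if name.startswith("DB"):
        return "set points"
    if name == "FW":
        return "firmware"
    return "ladder logic"

def compare(baseline: dict, running: dict) -> list:
    """Return (finding, block, area) for every block that differs from baseline."""
    findings = []
    for name in sorted(set(baseline) | set(running)):
        if name not in baseline:
            findings.append(("added", name, area_of(name)))      # injected block
        elif name not in running:
            findings.append(("removed", name, area_of(name)))
        elif digest(running[name]) != baseline[name]:
            findings.append(("modified", name, area_of(name)))   # changed logic/data
    return findings
```

Running `compare(baseline_of(PROJECT), RUNNING)` reports the added FC999, the modified OB1 that now calls it, and the changed set point in DB1; a clean controller returns an empty list.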

“We found some interesting codes that would not normally be in a PLC,” Langner said.

Langner also said Stuxnet was not a totally targeted attack; it had some very generic attack exploits on the controller. “Yes, there were some specific targets to increase the RPMs on the centrifuges and then lower them. But there were exploits that were generic. That means we have to look at copycats,” he said.

After they found the code, they had to take that and find out just what the target was. They asked what target was worth the effort. At that point they had to match targets and reverse engineer the code.

One of the hints they ended up finding was code that showed 2 oo 3 (two-out-of-three), a redundancy scheme used in nuclear plants.

After going through a few scenarios, they came up with Natanz.

Stuxnet traced to its core.

Langner did say Stuxnet was one huge, sophisticated attack. But the code also shows that attackers could use a scaled-down version of the virus to attack anyone.

“Stuxnet created a substantial threat and unfortunately no one paid attention,” Langner said. “We documented a basic Stuxnet-like attack without needing any inside information and it took me five minutes to come up with the code. One unsophisticated attack can cause heavy damage.”

One Response to “Forensics for Stuxnet”

  1. […] Stuxnet was extremely pervasive, infecting millions of PCs – voraciously attacking any system it encountered yet seemingly doing nothing to the untrained eye. Upon closer inspection Symantec discovered Stuxnet had an objective but its target was oddly specific: PLCs or programmable logic controllers. Why would a “million dollar virus” spread across dozens of countries and millions of users go to all that trouble just to affect a PLC? Firstly, the PLC it was after happened to control a set of uranium enriching centrifuges in the Iranian Nuclear Facility in Natanz, Iran. The NSA was reportedly furious that Israel’s unit 8200 inadvertently modified their code, making it far wider reaching (and exposable) than ever intended. Unit 8200 took the meticulously and expensively calculated NSA produced Olympic Games and attached a blowtorch and air raid siren to it, ensuring it hit its target with no subtlety or secrecy at all. […]
