Forensics for Stuxnet
Tuesday, September 20, 2011 @ 06:09 PM gHale
By Gregory Hale
To learn how to fight a virus like Stuxnet is to study where it came from and its intentions. In other words, just work the forensics.
The problem is that a sophisticated worm like Stuxnet had over 15,000 lines of code that investigators had to look over. Along with all that code, there were the doubters in the industry saying we would most likely never find out who created Stuxnet or what was behind it.
Wrong, said Ralph Langner, founder and chief executive of Langner Communications during his talk Tuesday entitled “Forensics on a complex attack – Lessons learned from Stuxnet” at the Control Systems Cyber Security Conference in Washington, DC. “We had a whole bunch of forensic evidence to analyze. Stuxnet was a dream for forensics.” Langner and his team worked last year after discovering the virus to find out as much detail about Stuxnet as possible.
To find leads for a forensic investigation, “we started with a hypothesis to disprove.”
“Our first theory was to ask if it had anything to do with controllers,” Langner said. “It was quite easy to find out if it does anything to controllers. If it was going after a controller you look at three areas – set points, firmware and ladder logic.”
“We found in one test scenario the SCADA software was in constant communication to the server. The traffic was so prevalent you had to be blind to miss it. It was not about just changing set points, it was all about injecting rogue ladder logic.”
“That led to other questions like what was it trying to achieve?” Langner said. “Was it a DoS (denial of service) timing, product quality, destructive?”
One line of information led Langner to the next step and that was to extract the rogue ladder logic and that is where they had to dig into 15,000 lines of code.
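The check Langner describes, whether anything on the controller differs from what the engineering project says should be there, is one a defender can run routinely rather than only after the fact. The following is an added example, not code from the article or from Langner's talk: it fingerprints each program block uploaded from a PLC and compares the result against a trusted baseline, reporting blocks that were added, removed or modified. The block names, the STL-like block text and the use of SHA-256 are constructed assumptions; a real controller would need the vendor's tooling to upload its blocks.

```python
"""Compare PLC program blocks uploaded from a controller against a trusted baseline.

Added example (not from the article or Langner's talk). Block names and block
text below are constructed placeholders in an STL-like notation; a real PLC
would need a vendor tool to upload its blocks.
"""
import hashlib
from typing import Dict, List, Tuple

# (block name, "added" | "removed" | "modified")
Finding = Tuple[str, str]

# Constructed baseline: what the engineering project says should be on the PLC.
BASELINE_BLOCKS: Dict[str, str] = {
    "OB1": "CALL FC1\nCALL FB1, DB1\nBE",
    "FC1": "L PIW 256\nT MW 10\nBE",
    "FB1": "L MW 10\nL 1500\n>I\n= Q 4.0\nBE",
}

# Constructed upload: OB1 now also calls a block (FC999) that the project never
# contained, which is the shape an injected-logic finding takes.
UPLOADED_BLOCKS: Dict[str, str] = {
    "OB1": "CALL FC1\nCALL FB1, DB1\nCALL FC999\nBE",
    "FC1": "L PIW 256\nT MW 10\nBE",
    "FB1": "L MW 10\nL 1500\n>I\n= Q 4.0\nBE",
    "FC999": "L MW 10\nL 100\n+I\nT MW 10\nBE",
}


def fingerprint(blocks: Dict[str, str]) -> Dict[str, str]:
    """Normalise line endings and surrounding whitespace, then hash each block.

    Normalising first keeps a harmless re-export (CRLF vs LF, trailing spaces)
    from showing up as a modification.
    """
    result: Dict[str, str] = {}
    for name, text in blocks.items():
        lines = text.replace("\r\n", "\n").split("\n")
        canon = "\n".join(line.strip() for line in lines if line.strip())
        result[name] = hashlib.sha256(canon.encode("utf-8")).hexdigest()
    return result


def compare_blocks(baseline: Dict[str, str], uploaded: Dict[str, str]) -> List[Finding]:
    """Return every block that differs between baseline and upload, sorted by name."""
    base_fp = fingerprint(baseline)
    up_fp = fingerprint(uploaded)
    findings: List[Finding] = []
    for name in set(base_fp) | set(up_fp):
        if name not in base_fp:
            findings.append((name, "added"))
        elif name not in up_fp:
            findings.append((name, "removed"))
        elif base_fp[name] != up_fp[name]:
            findings.append((name, "modified"))
    return sorted(findings)


def rogue_logic_suspected(findings: List[Finding]) -> bool:
    """Any added or modified block is executable code the project never approved."""
    return any(kind in ("added", "modified") for _, kind in findings)


if __name__ == "__main__":
    diffs = compare_blocks(BASELINE_BLOCKS, UPLOADED_BLOCKS)
    for name, kind in diffs:
        print(f"{kind:9s} {name}")
    print("rogue logic suspected:", rogue_logic_suspected(diffs))
```

The baseline must come from a source independent of the workstation used to do the upload, for example a version-controlled copy of the engineering project; a comparison where both sides are read through the same possibly compromised machine proves nothing.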
“We found some interesting codes that would not normally be in a PLC,” Langner said.
What Langner also said was that Stuxnet was not a purely targeted attack. It had some very generic attack exploits on the controller. “Yes, there were some specific targets to increase the RPMs on the centrifuges and then lower them. But there were exploits that were generic. That means we have to look at copy cats,” he said.
After they found the code, they had to take that and find out just what the target was. They asked what target was worth the effort. At that point they had to match targets and reverse engineer the code.
One of the hints they ended up finding was code that showed 2oo3 (two out of three), which represented redundancy in nuclear plants.
After going through a few scenarios, they came up with Natanz.
Stuxnet traced to its core.
What Langner did say was Stuxnet was one huge sophisticated attack. But what the code can also show is, attackers can use a scaled down version of the virus and use it to attack anyone.
“Stuxnet created a substantial threat and unfortunately no one paid attention,” Langner said. “We documented a basic Stuxnet-like attack without needing any inside information and it took me five minutes to come up with the code. One unsophisticated attack can cause heavy damage.”