Stuxnet Report II: A Worm’s Life

Wednesday, March 2, 2011 @ 06:03 PM gHale

EDITOR’S NOTE: Make no mistake about it, Stuxnet was a vicious attack on an industrial control system with the intent to destroy. Analyzing the worm it is easy to see Stuxnet was one of the most complex and well-engineered worms ever seen. Security professionals Eric Byres, Andrew Ginter and Joel Langill teamed to publish a white paper entitled “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems.” This is the second part in a series of stories detailing just how the Stuxnet worm was able to infiltrate a system, and how automation professionals can keep an eye out for the next type of attack.

By Eric Byres, Andrew Ginter and Joel Langill
Whether you are talking about the animal kingdom, human interaction or, now, computer worms, finding a weakness in a target and then taking advantage of it has been going on since Day One. Stuxnet was no different.

Stuxnet is a computer worm designed to infect Siemens SIMATIC WinCC and S7 PLC products, whether installed as part of a PCS 7 system or operating on their own. It gains its foothold by exploiting vulnerabilities in the Windows operating system and in the Siemens products themselves.

Stuxnet can infect both legacy and current versions of Windows: Windows 2000, Windows XP, Windows Server 2003/2003 R2, Windows Vista, Windows Server 2008/2008 R2 and Windows 7. It also infects Siemens STEP 7 project files in such a way that the worm executes automatically when the project is opened on an uninfected Siemens system.

Once it detects a suitable victim, it modifies control logic in specific models of Siemens PLCs. The objective appears to be to sabotage a specific industrial process using two vendors’ variable-frequency drive controllers, along with a supervising safety system for the overall process.

Part I: Stuxnet attacked the Siemens SIMATIC PCS 7; Why that system?
Part II: How did Stuxnet infect a system?
Part III: A “high security site” targeted by Stuxnet or the Next Gen of Stuxnet-like worms.
Part IV: How Stuxnet infected a minor computer and then got deep inside a control system.
Part V: What should this mean for security of industrial control systems in the future?
Download the complete White Paper at Tofino Security.

While there has been much speculation on Stuxnet’s intended target, the latest news seems to point the worm toward Iran’s nuclear program and more specifically, its uranium enrichment process.

How Does Stuxnet Spread?
Most of the focus in the mainstream media on Stuxnet has been on its ability to spread via USB drives. However, this is only a small part of the story.

The USB technique was probably used only to get the worm into a site's network. Once it had a foothold, the worm used six other techniques to spread to new computers within the control system.

How Stuxnet actually used those seven spreading techniques in an industrial process network is the subject for later articles in this series. For now, we will focus on understanding some of the important characteristics of the worm:

  • Stuxnet propagates slowly between sites, typically via USB flash drives and other “removable” media,
  • It propagates quickly within a site via multiple network pathways,
  • It checks which vendors' anti-virus products are installed on the machines it attacks and modifies its behavior to avoid detection,
  • It contacts a command and control server on the Internet for instructions and updates,
  • It establishes a peer-to-peer network to propagate instructions and updates within a site, even to equipment without direct Internet connectivity,
  • It modifies PLC programming logic, causing physical processes to malfunction,
  • It hides the modified PLC programs from control engineers and system administrators who are trying to understand why their system has malfunctioned,
  • It is signed with code-signing certificates stolen from two major hardware manufacturers (each signed driver carries one of them), so no warning appears when the worm's driver components are installed, and
  • If a particular machine is not the intended target, the worm removes itself from the machine after it has replicated itself to other vulnerable media and machines.

Stuxnet hitting Siemens PCS 7 objects.

The worm propagates using three completely different mechanisms:

  1. Via infected Removable Drives (such as USB flash drives and external portable hard disks);
  2. Via Local Area Network communications (such as shared network drives and print spooler services), and
  3. Via infected Siemens project files (including WinCC and STEP 7 files).

Within these three propagation mechanisms, it uses seven different techniques, several of them exploiting vulnerabilities, to spread to new computers in a system. The worm:

  • Exploits a zero-day vulnerability in the Windows Shell's handling of LNK (shortcut) files, a vulnerability present in all versions of Windows since at least Windows NT 4.0,
  • Uses several techniques to copy itself to any accessible network share and spread from there wherever possible,
  • Copies itself to print servers through the Print Spooler service using a zero-day vulnerability,
  • Uses the older RPC vulnerability made famous by "Conficker" (MS08-067) to propagate through unpatched computers,
  • In an earlier version, used a variant of the old "autorun.inf" trick to propagate via USB drives,
  • Contacts Siemens WinCC SQL Server database servers and installs itself on those servers via database calls, and
  • Puts copies of itself into Siemens STEP 7 project files so that it executes whenever the files are loaded.
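
A removable-media check along the lines of the first and fifth techniques above (the LNK shell-item trick and the autorun.inf trick), as an added example that is not code from the white paper or from Stuxnet. It parses the Shell Link header and LinkTargetIDList of each .lnk file on a drive and flags shortcuts whose item list embeds a path to a loadable module, and it flags autorun.inf entries that execute something on insertion. The sample drive contents, the file names, the `.dll/.cpl/.tmp` extension list and the `E:\~payload.tmp` path are constructed assumptions for the demonstration, not indicators taken from the page.

```python
"""Heuristic scanner for Stuxnet-style removable-media droppers (added example).

Checks two of the spreading tricks described in the article: shortcut (.lnk)
files whose shell item ID list embeds a path to a loadable module, and
autorun.inf files that launch a program on insertion. All sample data below
is constructed for the demonstration.
"""
import re
import struct
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Assumption: an ordinary document or program shortcut does not name these.
MODULE_EXTENSIONS = (".dll", ".cpl", ".tmp")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs


def parse_id_list(data: bytes) -> list:
    """Return the payload bytes of each ItemID in the LinkTargetIDList."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
    pos = LNK_HEADER_SIZE + 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def suspicious_lnk(data: bytes) -> list:
    """Module paths embedded as UTF-16LE text in the shortcut's item list."""
    hits = []
    for item in parse_id_list(data):
        for run in UTF16_RUN.finditer(item):
            text = run.group().decode("utf-16-le")
            if text.lower().endswith(MODULE_EXTENSIONS):
                hits.append(text)
    return hits


def suspicious_autorun(text: str) -> list:
    """Lines in an autorun.inf that execute something when the drive is mounted."""
    hits = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key in ("open", "shellexecute") or key.startswith("shell\\"):
            hits.append(line.strip())
    return hits


def scan_removable(root: Path) -> dict:
    """Map each suspicious file under root to the indicators found in it."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ".lnk":
            try:
                hits = suspicious_lnk(path.read_bytes())
            except ValueError as exc:
                hits = ["unparseable shortcut: %s" % exc]
        elif path.name.lower() == "autorun.inf":
            # Droppers may pad this file with binary junk; decode leniently.
            hits = suspicious_autorun(path.read_bytes().decode("latin-1"))
        else:
            continue
        if hits:
            findings[path.name] = hits
    return findings


def build_lnk(item_payloads: list) -> bytes:
    """Construct a minimal .lnk carrying the given ItemID payloads (test data)."""
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    id_list += b"\x00\x00"                                  # TerminalID
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(id_list)) + id_list


def demo() -> dict:
    """Scan a constructed drive image: one benign shortcut, one bad, one autorun."""
    benign = build_lnk([b"\x31\x00\x00\x00" + "report.docx".encode("utf-16-le")])
    dropper = build_lnk([b"\x00\x00" + "E:\\~payload.tmp".encode("utf-16-le") + b"\x00\x00"])
    autorun = b"\x90" * 16 + b"\r\n[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Shortcut to report.lnk").write_bytes(benign)
        (root / "New Shortcut.lnk").write_bytes(dropper)
        (root / "autorun.inf").write_bytes(autorun)
        return scan_removable(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits)
```

Point `scan_removable` at the mount point of a drive you want to inspect. The scanner reads the shortcut bytes itself rather than letting the shell interpret them, which is the point: the original LNK exploit fired as soon as Explorer rendered the shortcut's icon, so the drive should be examined from a host that does not browse it.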

In addition to the propagation techniques described above, the worm used two further zero-day vulnerabilities to escalate privilege on targeted machines. This gave the worm SYSTEM privileges, so it could inject itself into system processes on compromised machines.

What Does Stuxnet do to Control Systems?
On any computer where STEP 7 software is installed, Stuxnet infects the programming station by replacing the STEP 7 communication DLL (s7otbxdx.dll) with its own version, which sits between STEP 7 and the PLC. As a result, anyone viewing a PLC's logic from that station will not see the changes Stuxnet later makes to the PLC. This happens on every computer with STEP 7 installed, whether or not the computer is connected to a PLC.

Stuxnet then looks for two specific models of Siemens PLC (6ES7-315-2 and 6ES7-417). When it can connect to one of them, it "fingerprints" the PLC by checking for particular configuration data and strings in the PLC.

If Stuxnet finds what it is looking for in the PLC, it starts one of three sequences to inject different STEP 7 code "payloads" into the PLC. The worm replaces the PLC's PROFIBUS driver and then significantly modifies the main PLC program block (Organization Block 1) and the primary watchdog block (Organization Block 35). As well, depending on which sequence is selected, the worm injects between 17 and 32 additional function blocks and data blocks into the PLC.

Two of Stuxnet’s injected payloads are designed to change the output frequencies of specific Variable Frequency Drives (VFDs) and thus the speed of the motors connected to them, essentially sabotaging an industrial process. This attack only affects the S7-315 model PLCs.

A third payload appears to control the overall safety system for the centrifuges. This payload takes the inputs coming from an S7-417 PLC’s I/O modules and modifies them so the PLC safety logic uses incorrect information, effectively creating a “man-in-the-middle” attack on the PLC. The Stuxnet logic then tells the PLC’s outputs to do what it wants. This is possibly to prevent a safety system from alarming on or overriding the changes the worm is making to the VFD operations. (NOTE: Stuxnet experts currently disagree on whether the code path targeting S7-417 PLCs is actually disabled (blocked by an exception) in Stuxnet. If this is correct, why the author(s) disabled but did not remove the 417 code altogether is unknown.)

Swiss Army Knife of Computer Worms
With all those tricks and tools at its disposal, you can see why ESET calls Stuxnet “perhaps the most technologically sophisticated malicious program developed” and Symantec describes it as “one of the most complex threats [they] have ever analyzed”. No other worm has taken advantage of four zero-day vulnerabilities or shown so much sophistication in its exploitation of the Windows platform. And of course, its dark manipulation of the Siemens control system is unheard of.

All this raises the question: why did Stuxnet's designers make it so complicated? In the next part of this series we will begin to answer that, as we look at how Stuxnet's victims might have tried to secure their critical control systems against an attack.

Part III: Stuxnet targets a site.

Eric Byres, P. Eng., ISA Fellow, is the chief technology officer at Byres Security Inc. (eric@byressecurity.com); Andrew Ginter, CISSP, is the chief technology officer at Abterra Technologies (aginter@abterra.ca) and Joel Langill, CEH, CPT, CCNA, is the chief security officer at SCADAhacker.com (joel@scadahacker.com) and Dept. of Critical Infrastructure Officer with The Cyber Security Forum Initiative (csfi.us).