Safe From Stuxnet? Think Again

Thursday, October 14, 2010 @ 03:10 PM gHale


By Gregory Hale
Stuxnet. Just the mention of the worm sends shivers down the spine of manufacturing automation security suppliers and users across the globe.
Siemens and quite a few unsuspecting users faced the music this time around, but who knows what lurks around the next corner? Security professionals have to keep on top of this case so they can figure out how they may be able to safeguard their systems in the future.
Some users in the industry may think they are in the clear because they don’t use Siemens software. Think again: any Windows-based system can suffer from this malware, regardless of whether or not it uses Siemens software, according to a white paper entitled “Analysis of the Siemens WinCC / PCS7 ‘Stuxnet’ Malware for Industrial Control System Professionals” written by Eric Byres, chief technology officer at Byres Security.
Stuxnet is a computer worm designed to take advantage of a number of security vulnerabilities in the Windows operating system and Siemens SIMATIC WinCC, PCS7 and S7 product lines. The list of vulnerable systems has expanded to include all unsupported and current versions of Windows including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7, according to Byres’ paper. Of particular importance are the Windows 2000 systems, as there are no patches for these systems. It appears that Stuxnet will infect Windows NT machines, but will then abort.
It also infects the Siemens STEP 7 project files in such a way that it automatically executes when the STEP 7 project is loaded by an uninfected Siemens system, according to the white paper.
Stuxnet appears to be able to reprogram and sabotage one or more very specific industrial processes. While there has been rampant speculation on Stuxnet’s intended target, no definitive victim has been identified or come forward.
How the worm would affect the targeted industrial process remains unknown, but if the creator placed this amount of time, energy and money into the malware, you can imagine the outcome would have been significant and destructive.
For Siemens-based SCADA or ICS systems that are not the target system, the impact is less severe, but not insignificant, according to Byres’ white paper. Several Siemens users reported the virus would modify the communication configuration for the PLC’s Ethernet ports or processors in offline project files. This could potentially cause loss of communications for the control system should these files be downloaded to the PLCs in the field.
Stuxnet will not modify PLC logic where there is no Siemens product present, according to the white paper. However, it is important to note any Windows-based system can suffer from this malware, regardless of whether or not it uses Siemens software.
Of particular interest to the operators of ICS and SCADA systems, the white paper said, is that Stuxnet infects its victims using any one of three different propagation pathways:
1. Via infected Removable USB Drives;
2. Via Local Area Network communications and
3. Via infected Siemens project files
Within these pathways, it takes advantage of seven independent mechanisms to spread to other computers.
Removable USB Drives Propagation:
1. Infects computers via removable USB drives (even when autorun is disabled) via a previously undiscovered shortcut (*.lnk file) vulnerability (MS10-046).
2. Versions of Stuxnet created prior to March 2010 did not use the *.lnk file exploit, but instead spread via removable USB drives using an autorun-based exploit.
Local Area Network Propagation:
3. Spreads over local area networks to computers with network shares by enumerating all user accounts of the computer and the domain. It then tries all available network resources in order to copy and execute on the remote share, thereby infecting the remote computer.
4. Spreads over local area networks to computers offering print sharing via a Windows Print Spooler zero-day vulnerability (MS10-061).
5. Spreads over local area networks via the Server Service Vulnerability (MS08-067).
6. Infects computers running Siemens WinCC database software by using Siemens “internal” system passwords (that cannot be changed) to log into the SQL server, transfer a version of Stuxnet and execute it locally.
Siemens Project File Propagation:
7. Propagates by copying itself to any discovered Siemens STEP 7 projects (*.S7P, *.MCP and *.TMP files) and then auto-executes whenever the user opens the infected project.
Stuxnet also has a separate P2P (peer-to-peer) networking system to automatically update all installations of the Stuxnet worm in the wild, even if they cannot connect back to the Internet, according to the white paper.
Here is one warning from Byres: Disabling AutoRun does not prevent infection! Simply viewing an infected USB drive using Windows Explorer will infect your computer.
This diversity of propagation mechanisms means that “single-answer” security solutions will not prevent the worm from spreading. A multi-tier/multi-step “defense-in-depth” solution is needed in order to provide effective security.
“Stuxnet is one of the most complex and well engineered worms ever seen,” Byres said. “It takes advantage of at least four zero-day vulnerabilities and shows considerable sophistication in its exploitation of Siemens systems.”
When installed on a computer, Stuxnet attempts to locate Siemens STEP 7 programming stations and infect these. If it succeeds, it replaces the STEP 7 DLL routines, so any person viewing a PLC’s logic would not see any changes Stuxnet later makes to the PLC(s), the white paper said.
Stuxnet then looks for specific models of Siemens PLCs (6ES7-315-2 and 6ES7-417). If it is able to connect to one of these two models, it “fingerprints” the PLC by checking for the existence of process configurations and certain strings in the PLC. If it doesn’t find them, Stuxnet quits.
If it finds what it is looking for, Stuxnet starts one of three sequences to inject STEP 7 code into the PLC, according to the white paper. The PLC’s PROFIBUS driver is replaced and the main PLC program block (Organizational Block 1) and the primary watchdog block (Organizational Block 35) are significantly modified. As well, depending on which sequence is selected, between 17 and 32 additional function blocks and data blocks are injected into the PLC.
The infected PLC now appears to wait for a specific event to occur, which it detects by monitoring a variable. If that variable matches a specific value (0xDEADF007), then it significantly changes the executing process logic and prevents the original logic in the watchdog block from executing. How this change in logic impacts the actual industrial process is unknown.
What happens when you detect Stuxnet? What is the detection and removal process?
All major anti-virus vendors have released signatures to detect the presence of Stuxnet, according to the white paper. Make certain that you are using signatures from July 25, 2010 or later.
ICS-CERT released an advisory listing primary Stuxnet indicators. Six are files that may be present in infected machines regardless of whether Siemens WinCC/STEP 7 software is installed. Another three are files that are changed in Siemens WinCC/STEP 7 system and project folders. Details are at: http://www.us-cert.gov/control_systems/pdf/ICSA-10-272-01.pdf
In addition, Siemens is offering Sysclean, a tool from TrendMicro for detecting and removing the virus, as a download. It is available at http://support.automation.siemens.com/WW/view/en/43876783
ICS-CERT said the SysClean tool removes multiple malware components and restores the affected DLL file necessary for the STEP 7 software to run. However, our tests indicated Sysclean did not clear infected STEP 7 project files, making it possible that the malware could re-infect a cleaned system when an infected project file was accessed, according to the white paper.
Siemens also offers a SIMATIC Security Update (updated 18th August 2010) which performs the following actions:
• Closes the Microsoft security hole by disabling icons if the Microsoft Security Update for the *.lnk file vulnerability has not been installed
• Enforces stricter SQL Server authentication settings
• Scans SIMATIC projects (the WinCC and STEP 7 project data) for Stuxnet infection.
Thus it appears the combination of these two tools will remove all active instances of Stuxnet from a system.
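Because Sysclean leaves project files untouched, a cleaned site still has to track which STEP 7 projects have not yet been through a project scan. The following is an added example, not code from the white paper or from Siemens: it inventories files with the three extensions named above and lists the project folders still awaiting review. The project-root heuristic, the `cleared_hashes` record and the sample tree are assumptions of this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the article names as Stuxnet's STEP 7 project-file targets.
PROJECT_EXTS = {".s7p", ".mcp", ".tmp"}
# Assumption of this example: a folder holding one of these is a project root.
# It keeps unrelated *.tmp files elsewhere on disk out of the inventory.
ROOT_MARKERS = {".s7p", ".mcp"}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def inventory_projects(top: Path) -> dict:
    """Map each project root under `top` to [(relative path, sha256), ...]."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(top):
        here = Path(dirpath)
        # Windows file names are case-insensitive, so compare lowercased suffixes.
        if not any(Path(f).suffix.lower() in ROOT_MARKERS for f in filenames):
            continue
        files = sorted(p for p in here.rglob("*")
                       if p.is_file() and p.suffix.lower() in PROJECT_EXTS)
        result[here] = [(p.relative_to(here).as_posix(), sha256_of(p)) for p in files]
        dirnames.clear()  # the subtree belongs to this project; do not re-enter it
    return result

def pending_review(inventory: dict, cleared_hashes: set) -> list:
    """Project roots with at least one file not in the cleared set (hypothetical
    record of hashes already passed by a project scan)."""
    return sorted(root for root, files in inventory.items()
                  if any(digest not in cleared_hashes for _, digest in files))

def build_sample(top: Path) -> None:
    """Constructed sample tree; contents are placeholders, not real projects."""
    for rel, data in [("PlantA/PlantA.S7P", b"a"), ("PlantA/sub/cache.TMP", b"b"),
                      ("PlantB/line2.mcp", b"c"), ("scratch/unrelated.tmp", b"d")]:
        f = top / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        inv = inventory_projects(Path(d))
        for root in pending_review(inv, cleared_hashes=set()):
            print(root.name, [name for name, _ in inv[root]])
```

A project leaves the pending list only when every one of its files has a cleared hash, so a project modified after its scan shows up again.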
Note: Siemens also makes the following statement on its web site:
“The malware carries its own blocks (for example, DB890, FC1865, 1874) and tries to load them into the CPU and integrate them into the program sequence. If the above-mentioned blocks are already present, the malware does not infiltrate the user program.”
We do not believe that checking for these blocks is a reliable test, as Stuxnet loads fake DLLs into the Siemens programming stations, specifically to hide the existence of these blocks, according to Byres’ paper. Thus while the existence of these blocks in a PLC indicates infection, the opposite does not hold true.
As of October 8, patches for most (but not all) versions of the Windows operating system are available from Microsoft for three of the vulnerabilities exploited by Stuxnet (MS08-067, MS10-046 and MS10-061). Two other vulnerabilities that allow escalation of privilege on Windows systems were not patched at this time.
Patches to address the three above noted vulnerabilities are available from Microsoft for the following operating systems:
• Windows XP Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista Service Pack 1 and Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
You can download these patches from:
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx


