Stuxnet: Four Months Later

It has been four months since VirusBlokAda discovered W32.Stuxnet, and the worm poses more of a threat today than when it was first found. Stuxnet is a different kind of malware; many in the security industry agree that the sheer sophistication and capability of the worm are unprecedented. It was designed to target supervisory control and data acquisition (SCADA) systems. For those unfamiliar with SCADA, the short explanation is that these systems monitor and control vital infrastructure: facilities that manufacture, fabricate or refine products, as well as power plants and nuclear plants. SCADA systems are, in effect, industrial control systems for facility-based processes.

Stuxnet is a heavily weaponized worm: it uses four zero-day (previously undisclosed) Windows vulnerabilities to compromise systems. At the time of writing, only two of the four have been patched by Microsoft. Once the worm has propagated to a host, it checks for the presence of Siemens' SIMATIC WinCC/PCS 7 software, including the Step 7 tool that is used to program Programmable Logic Controllers (PLCs). A PLC holds the code that instructs mechanical or electrical devices how to operate; for example, a PLC can control the automation machinery along an assembly line.

If the compromised host has the WinCC/PCS 7 software, the worm uses a hard-coded password for the WinCC back-end database to gain control of the software. Step 7 talks to PLCs through a communications library, s7otbxdx.dll, which handles reading blocks from and writing blocks to the PLC. Stuxnet renames the original library (to s7otbxsx.dll) and drops its own DLL under the original name. This places Stuxnet between the engineering station and the PLC, able to modify data sent to or read from the device. The malicious DLL intercepts a subset of the original's exports (among them the block read, write, enumerate and delete routines: s7blk_read, s7blk_write, s7blk_findfirst/s7blk_findnext and s7blk_delete) and passes everything else unaltered to the renamed original. Without going into full detail, Stuxnet uses this position to write its own code blocks to the PLC and to modify the entry points of the PLC's main code blocks so that they call the injected code; that is what makes it a PLC rootkit. When the operator's software asks for blocks that contain the injected code, the malicious DLL cleans the returned data on the fly, so the operator sees the PLC program exactly as it was written, not as it now runs. The practical consequence is that nothing viewed through an infected Step 7 installation can be trusted: verifying the PLC's real contents requires a path that does not go through that DLL, and verifying the DLL itself means checking its hash against a known-good copy rather than trusting its file name.
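The following is an added example, not Stuxnet's code and not Siemens' API, that simulates the proxy-DLL trick just described in portable C: an "honest" library that reads and writes blocks on a toy PLC, a replacement library that hooks the write, read and enumerate routines (stand-ins for the real s7blk_* exports) while passing everything else through, and the check a defender wants, which compares the view through the hooked library with an independent read. The block names, the payload bytes and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Stuxnet's or Siemens' code). Models the DLL
 * interposition: orig_* stands in for the renamed original library,
 * hooked_* for the malicious replacement that sits in front of it.
 * Block names, payload bytes and function names are constructed.
 */

#define MAX_BLOCKS 8
#define BLOCK_CAP  64

typedef struct {
    char    name[8];
    uint8_t code[BLOCK_CAP];
    size_t  len;
} block_t;

/* Constructed stand-in for the PLC's block store. */
static block_t plc[MAX_BLOCKS];
static size_t  plc_count;

static block_t *find_block(const char *name) {
    for (size_t i = 0; i < plc_count; i++)
        if (strcmp(plc[i].name, name) == 0) return &plc[i];
    return NULL;
}

/* ---- Stand-in for the ORIGINAL (renamed) library: talks to the PLC honestly ---- */

int orig_blk_write(const char *name, const uint8_t *code, size_t len) {
    if (len > BLOCK_CAP) return -1;
    block_t *b = find_block(name);
    if (!b) {
        if (plc_count == MAX_BLOCKS) return -1;
        b = &plc[plc_count++];
        strncpy(b->name, name, sizeof b->name - 1);
        b->name[sizeof b->name - 1] = '\0';
    }
    memcpy(b->code, code, len);
    b->len = len;
    return 0;
}

/* Returns the number of bytes copied, or -1 if the block does not exist. */
int orig_blk_read(const char *name, uint8_t *out, size_t cap) {
    block_t *b = find_block(name);
    if (!b || b->len > cap) return -1;
    memcpy(out, b->code, b->len);
    return (int)b->len;
}

/* Enumerates block names; returns the number written to names[]. */
int orig_blk_list(const char **names, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < plc_count && n < cap; i++) names[n++] = plc[i].name;
    return (int)n;
}

/* ---- Stand-in for the MALICIOUS replacement library ---- */

static const uint8_t PAYLOAD[] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed "injected code" */
#define PAYLOAD_LEN  (sizeof PAYLOAD)
#define TARGET_BLOCK "OB1"    /* entry block whose start gets redirected */
#define HIDDEN_BLOCK "FC_MAL" /* constructed name for the attacker's own block */

/* Hooked write: code the operator writes to the target block gets the payload prepended. */
int hooked_blk_write(const char *name, const uint8_t *code, size_t len) {
    if (strcmp(name, TARGET_BLOCK) != 0)
        return orig_blk_write(name, code, len);            /* pass-through */
    uint8_t buf[BLOCK_CAP];
    if (len + PAYLOAD_LEN > BLOCK_CAP) return -1;
    memcpy(buf, PAYLOAD, PAYLOAD_LEN);
    memcpy(buf + PAYLOAD_LEN, code, len);
    return orig_blk_write(name, buf, len + PAYLOAD_LEN);
}

/* Hooked read: strip the payload on the fly so the operator sees the block as written. */
int hooked_blk_read(const char *name, uint8_t *out, size_t cap) {
    int n = orig_blk_read(name, out, cap);
    if (n < 0 || strcmp(name, TARGET_BLOCK) != 0) return n;  /* pass-through */
    if ((size_t)n >= PAYLOAD_LEN && memcmp(out, PAYLOAD, PAYLOAD_LEN) == 0) {
        memmove(out, out + PAYLOAD_LEN, n - PAYLOAD_LEN);
        n -= (int)PAYLOAD_LEN;
    }
    return n;
}

/* Hooked enumeration: drop the attacker's block from the listing. */
int hooked_blk_list(const char **names, size_t cap) {
    const char *all[MAX_BLOCKS];
    int total = orig_blk_list(all, MAX_BLOCKS);
    size_t n = 0;
    for (int i = 0; i < total && n < cap; i++)
        if (strcmp(all[i], HIDDEN_BLOCK) != 0) names[n++] = all[i];
    return (int)n;
}

/* ---- Defender's check: compare the engineering-station view with an
 *      independent read that does not go through the suspect library.
 *      Returns 1 if the two views differ, 0 if they match, -1 on error. ---- */
int block_views_differ(const char *name) {
    uint8_t a[BLOCK_CAP], b[BLOCK_CAP];
    int na = hooked_blk_read(name, a, sizeof a);
    int nb = orig_blk_read(name, b, sizeof b);
    if (na < 0 || nb < 0) return -1;
    return na != nb || memcmp(a, b, (size_t)na) != 0;
}

int main(void) {
    const uint8_t ob1[] = { 0x01, 0x02, 0x03 };       /* constructed operator program */
    hooked_blk_write(TARGET_BLOCK, ob1, sizeof ob1);   /* operator downloads OB1 */
    orig_blk_write(HIDDEN_BLOCK, PAYLOAD, PAYLOAD_LEN);/* attacker plants its block directly */
    printf("OB1 tampered: %d\n", block_views_differ(TARGET_BLOCK));
    return 0;
}
```

Through the hooked library the operator reads back exactly the three bytes written and sees no FC_MAL block; the honest library shows seven bytes in OB1 and two blocks. The only reason block_views_differ can detect anything is that it has a read path the proxy does not control, which is the point of the caveat above.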

With some understanding of the worm's behaviour, we can begin to see its potential real-world impact. With the ability to modify PLC code, the worm can change how PLCs operate and create conditions on the controlled equipment that are both dangerous and financially damaging. Imagine an assembly line that fills pressurized cans with chemical mixtures, and malware capable of altering the mixture and the pressure levels while the operator's display shows nothing wrong.

The capability and sophistication described above are unique to Stuxnet, but it has other unusual features. First, Stuxnet is about 0.5 MB in size, which is unusually large for malware. Second, it was written in a combination of C and C++, which is not typical for malware. Lastly, Stuxnet burns four zero-day vulnerabilities at once (two used to spread, two to escalate privileges); this is very odd, as zero-days in Microsoft software are usually used sparingly. The idea is that such vulnerabilities are a last resort: once they are in the wild, it is only a matter of time before they are patched.

In the end, this raises the question of the origin of this malicious code. With such a departure from normal malware traits, and such unprecedented sophistication, it is no surprise that many media outlets and security professionals believe Stuxnet was created by a highly organized and well-funded team. Some reports even speculate a government-backed origin. Whatever its origin, the worm is a harsh reminder of how much reliance is placed on computing systems that support vital infrastructure.
