Threat Encyclopedia
Stuxnet Malware Targeting SCADA Systems

Facts

WHAT IS STUXNET?

STUXNET is a worm that initially made news in July due to its use of certain vulnerabilities to propagate and execute its routines. The media, as well as the security industry, has taken interest in this threat since its emergence. This is primarily due to new findings suggesting that STUXNET is not just another run-of-the-mill malware, but is instead one designed to target critical infrastructure.



WHAT DOES STUXNET DO?

STUXNET has three components that work in concert: a worm, an LNK file and a rootkit.


WORM_STUXNET – the worm executes all routines related to the main payload of the attack. It uses certain vulnerabilities for its propagation and execution of certain routines. It implements a Microsoft Remote Procedure Call to execute certain functions, enabling affected systems to communicate with one another. It also tests for an active Internet connection on the affected system to communicate with a remote server. It is also the component responsible for attempting to access a database consistent with one used in Siemens WinCC systems.


LNK_STUXNET – this specially crafted .LNK file automatically executes the propagated copies of WORM_STUXNET. It exploits a vulnerability in the way Windows displays icons in shortcut files, and is basically employed by STUXNET for automatic execution.


RTKT_STUXNET – this rootkit component is mainly responsible for hiding all files and processes. This is done in order to keep the infection from being traced by the user.



HOW DOES STUXNET PROPAGATE? WHAT VULNERABILITIES WERE USED?



One reason STUXNET has become such a problem is that it uses multiple means to propagate:


  • First of all, it uses the MS10-046 Windows shortcut vulnerability (CVE-2010-2568), which allowed it to spread via removable drives even if Autorun was disabled.
  • Secondly, it used the MS08-067 vulnerability (CVE-2008-4250) to spread via the network the same way DOWNAD/Conficker did.
  • Thirdly, it used the MS10-061 Printer Spooler vulnerability (CVE-2010-2729) to spread via networks, if a system was sharing a printer over the network.


Of these three vulnerabilities, the shortcut and spooler vulnerabilities were both unpatched at the time of exploitation.


Note: All of these vulnerabilities have been patched, meaning that patched systems cannot be easily infected. MS10-061 could only be used if anonymous users could use shared printers. By default, this was the case in Windows XP, but not later versions of Windows. The shortcut vulnerability was the most exploitable, as trying to access the removable drive in any way would have been sufficient to trigger the vulnerability.


In addition, STUXNET uses two currently unpatched vulnerabilities in Windows to gain administrator rights on a system. The Windows shortcut vulnerability only runs code with the same privileges as the current user; using these two vulnerabilities ensures that this malware has the same rights as an administrator of the system.




HOW DOES STUXNET USE P2P?


STUXNET installs both server and client components for a Microsoft Remote Procedure Call on all infected systems by exploiting the MS08-067 vulnerability. This enables the affected system to execute the following functions on any client that it can connect to:


  • Get malware version
  • Receive module and inject it
  • Send the malware file
  • Create a process that could be command shell or a file
  • Create a file
  • Delete a file
  • Read a file


All affected systems are set to use the UUID (Universally Unique Identifier) 000204e1-0000-0000-c000-000000000046. Using the said identifier enables systems affected by STUXNET to identify, communicate with and update one another.



DOES STUXNET TRY TO CONTACT A REMOTE SERVER?


Yes. In attempting to connect with a remote server, STUXNET first tests for an active Internet connection by connecting to the following non-malicious URLs:

  • www.windowsupdate.com
  • www.msn.com


After a connection is established, it then connects to the following URL(s) to send and receive commands from a remote malicious user:

  • www.{BLOCKED}erfutbol.com
  • www.{BLOCKED}futbol.com


It then generates the following URL and posts it to the server:

  • http://www.{BLOCKED}erfutbol.com/index.php?data={data}


Where {data} is an encrypted hex value that contains the IP address of the machine, the computer name and the domain.
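As an added example that is not part of the original page, the following Python check applies the beacon pattern described above to proxy logs: a client that first reaches both connectivity-check URLs and then requests an /index.php?data={hex} URL on another host is flagged. The log lines, the log format and the .invalid domain are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log, one request per line: "<client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.windowsupdate.com/ 200
10.0.0.5 GET http://www.msn.com/ 200
10.0.0.5 GET http://www.example-c2.invalid/index.php?data=9a3f0c1e7b2d4f6a8c0e1b3d5f7a9c2e 200
10.0.0.7 GET http://www.msn.com/ 200
10.0.0.7 GET http://intranet.local/index.php?data=hello 200
10.0.0.9 GET http://www.windowsupdate.com/ 200
10.0.0.9 GET http://www.msn.com/ 200
10.0.0.9 GET http://www.msn.com/weather 200
"""

# The two non-malicious sites STUXNET uses to test for Internet connectivity.
CONNECTIVITY_CHECK_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
# The posted data value is an encrypted hex string; require a hex-only value of some length.
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{16,}$")


def is_beacon_url(url):
    """True if the URL matches the beacon shape: /index.php with a hex-only data= value."""
    parts = urlsplit(url)
    if parts.hostname in CONNECTIVITY_CHECK_HOSTS or not parts.path.endswith("/index.php"):
        return False
    values = parse_qs(parts.query).get("data", [])
    return any(HEX_BLOB.match(v) for v in values)


def find_beacons(log_text):
    """Return {client_ip: [beacon urls]} for clients that completed both connectivity checks first."""
    seen_checks = defaultdict(set)   # client -> connectivity-check hosts contacted so far
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                 # skip malformed lines
        client, url = fields[0], fields[2]
        host = urlsplit(url).hostname
        if host in CONNECTIVITY_CHECK_HOSTS:
            seen_checks[client].add(host)
        elif seen_checks[client] == CONNECTIVITY_CHECK_HOSTS and is_beacon_url(url):
            hits[client].append(url)
    return dict(hits)


if __name__ == "__main__":
    for client, urls in find_beacons(SAMPLE_LOG).items():
        print(client, "->", urls)
```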



HOW DOES STUXNET RELATE TO SCADA SYSTEMS?

The nature of STUXNET confirms the idea that this malware was not initially designed just to target common users’ systems.


Analysis revealed that WORM_STUXNET.A looks for the legitimate DLL file S7OTBXDX.DLL used by Siemens WinCC systems in the Windows system folder. Once found, it renames the said file to S7OTBXSX.DLL and then drops a modified .DLL file to replace the original DLL. The new .DLL has the same exports as the original but with code modifications on the following functions:

  • s7db_open
  • s7blk_write
  • s7blk_findfirst
  • s7blk_findnext
  • s7blk_read
  • s7_event
  • s7ag_test
  • s7ag_read_szl
  • s7blk_delete
  • s7ag_link_in
  • s7db_close
  • s7ag_bub_cycl_read_create
  • s7ag_bub_read_var
  • s7ag_bub_write_var
  • s7ag_bub_read_var_seg
  • s7ag_bub_write_var_seg



These functions are generally used to access, read, write, and delete code blocks on the PLC. In an infected system, when these functions are called, STUXNET executes additional code before calling the true function in S7OTBXSX.DLL. Because it intercepts these functions, it is able to modify the data sent to or from the PLC.


It also scans the system for certain processes which are related to security software. It then attempts to inject itself into the said processes.


Once fully installed on the system, STUXNET exploits the Siemens SIMATIC WinCC Default Password Security Bypass Vulnerability to gain access to the back-end SQL database of the WinCC SQL server. More information can be found below:


  • CVE-2010-2772 Siemens SIMATIC WinCC Default Password Security Bypass Vulnerability


This enables the attacker to view the projects database and project information from the WinCC server. It can alter configuration settings and can access or delete the file %ALL USERS PROFILE%\sql%05x.dbi. Since .DBI files are database explorer information files, this deletion is most likely done to remove any trace of modifications made by the malware in the database.




WAS THIS A TARGETED ATTACK AGAINST SOMEONE OR SOMETHING?

That appears to be the case. The PLC commands that form one of the primary payloads of STUXNET are designed to execute only on systems with very specific hardware configurations. Therefore, we can surmise that the authors of STUXNET knew that their target possessed this specific configuration.



WHO WAS THE TARGET?


We don’t know. No one has come forward and admitted that they were the targets of STUXNET, and short of finding out the exact hardware configuration of every SCADA system in the world we cannot be sure. Speculation pointing to Iran as the likely target is just that: speculation. The large number of STUXNET infections in that country may merely be a consequence of other factors. Trend Micro has noted that countries with high reports of STUXNET infection also have high rates of DOWNAD/Conficker infection.




WHO WAS BEHIND THIS ATTACK?


No one knows. We know even less about who could have written STUXNET than the target. Portions of STUXNET’s code that suggest authorship are vague at best; there is nothing in the code that could be taken to be a definitive link to anyone.


What we do know is that whoever was behind it had good knowledge of SCADA systems, particularly those they targeted. In addition, using so many unpatched vulnerabilities in just one malware family is unheard of outside of STUXNET, again suggesting that whoever wrote STUXNET was more sophisticated than the typical cybercriminal.




WHAT WAS THE MOTIVE OF THESE ATTACKS?


Without better knowledge of the persons behind these attacks, it's near impossible to say with any certainty who was responsible. The combination of a sophisticated attacker and target means that any guess as to who was behind this is nothing more than speculation.


However, the implications of STUXNET being able to modify commands sent to SCADA systems are significant. Industrial systems under SCADA control that were targeted by STUXNET could be damaged or outright destroyed, depending on the modified commands sent by the cybercriminals.




HOW SHOULD USERS REACT?


Home users and enterprise users without SCADA systems are at relatively little risk. The largest risk for them is attacks that are unrelated to the original STUXNET attack, but instead use it as a springboard for something else. For example, soon after the Windows shortcut vulnerability was found in STUXNET, more conventional malware families like ZBOT and SALITY were making use of it. Recent news coverage has also encouraged cybercriminals to use STUXNET as social engineering bait. Blackhat SEO efforts are now using multiple FAKEAV "file scanner" campaigns that use Stuxnet-related search terms on Google and other search engines.


For enterprise users that do have SCADA systems, this would be a good time to reconsider existing security policies regarding these systems. At the very least, these systems should be updated to guard against vulnerabilities, and antivirus clients should be kept current to guard against similar threats that will come in the future.


We have discussed the issues of SCADA security in detail long before STUXNET became an issue:





WHAT ARE TREND MICRO'S SOLUTIONS?

The Trend Micro™ Smart Protection Network™ protects against all components of the STUXNET threat. The new web-based attacks (BSEO) are blocked using web reputation and all the file components are detected using file reputation. The cloud-client architecture ensures all customers are protected immediately, regardless of where users connect, from home, on the road or within their network.


Below are the files detected by Trend Micro:


  • LNK_STUXNET.A
  • LNK_STUXNET.AK
  • LNK_STUXNET.C
  • LNK_STUXNET.SM


The STUXNET worm itself is detected as:


  • WORM_STUXNET.A
  • WORM_STUXNET.AV
  • WORM_STUXNET.SM


The rootkit component is similarly detected as RTKT_STUXNET.A.

In addition, Trend Micro offers virtual patching for the vulnerabilities used in this attack with Deep Security and OfficeScan with the Intrusion Defense Firewall plug-in, which are able to prevent network propagation of STUXNET files.