“We have analyzed the code, and compared it to other, similar known malware, this new code has definitely the parameters of a ‘military code’, but it lacks some aspects one would expect to find in military cyber warfare application” Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. Among these parameters are communications, encryption, internal self-protection (anti-anti debug) and certain methodologies that are followed by western cyber warfare specialists.
While Iran was marked as Stuxnet’s most popular target, other countries falling prey to the new malware were many third world nations where Siemens equipment is widely used and security and legal discipline in licensing and security methods are not strictly enforced. Stuxnet also attacked Indonesia, India, Russia, Belarus, and in Kirgizstan. What’s more important is where the Stuxnet didn’t attack – China and – most surprisingly – Germany, where only few systems were compromised yet none of the reports was confirmed!
“Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesman at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in German process industry sector. Siemens’ own plants are said not to be affected” simon added.
Although it was ‘discovered’ by the media in late September, Stuxnet is definitely not a new threat and, in fact, most of the vulnerabilities it exploited have already been ‘patched’. It was created sometime in January-February according to the ‘time stamps’ embedded into the compiled code. Initial anomalies related to the new threat were reported about two months later. Maglan received the new threat as part of our technical support services to some of our customers, who were hit by the malware. After thorough analysis we have uncovered several interesting aspects of the code that were not familiar before, and lead us to assume that Stuxnet was not created by a western cyber warfare organization. However, the great effort and resources invested in this code testify to its value to its creators, who spent great investments – financial, technical and in – most importantly, in assets considered scarce commodities among the hackers community.
Targeting Industrial and Infrastructure Systems
First, and most important, the code was not written by “home based” hackers – unlike most other malware codes, it is not directed against conventional windows systems, but specifically at industrial systems, by exploiting four different vulnerabilities (security ‘holes’ detected by hackers but not yet patched, three months ago, by the targeted software provider – also called ‘Zero Day’ exploits). Such Zero-Day Exploits are not spent easily by hackers, and would rarely be used in tandem, let alone in a ‘quad’ formation, testifying to the fact that the developer team had no limits on the use of resources.
Multiplicity and redundancy were also employed addressing the targeted operating systems. The creators of Stuxnet also went into great effort to ensure the malware covers all potential avenues of approach – including systems that rarely interest hackers – like WindowsCC, a Microsoft operating system designed for embedded systems. The code also targets all Windows platforms from Windows ME, XP, NT, Vista, 2000, 2003 and 2008 to the latest Windows 7 – again not a simple task for regular hackers. Other aspects of the code target specific vulnerabilities attributed to Siemens PSC7 systems, designed to control Programmable Logic Controllers (PLC) widely used in utility and industrial SCADA systems.
While each of these penetration axes operates independently, these parallel lines are coordinated and supporting each others to achieve the goal – ‘hijack’ as many PLCs as possible and burry embedding itself into the command and control hubs. The malicious code does not carry the type of spyware commonly found in other bots, but is rather ‘attack oriented’ – carrying a ‘payload’ in form of a set of commands designed to bypass those controlling the PLC, and carry out a set of actions as instructed by the hijacker.
Self Contained Weapon’s Payload
The carry out and control such attack the creators of Stuxnet embedded three separate means of communications in the code – two are considered ‘advanced’ and one ‘low level’. However, the code lacks communications elements that would enable a ‘nation state’ operation much more flexibility and control, having the capability and means to conduct operations in the proximity of the targeted site. One of the unique features of Stuxnet is the way its payload is ‘packed’ into the code.
Previous malware attacks employed a communications mechanism that could download the payload – the intelligence collecting ‘spyware’ or ‘attack’ from the command and control center – this enables the use of more compact code, better precision and more flexibility as the attack unfolds. Stuxnet has the payload built-in to the code, alluding to the fact that it was targeted against known targets and its creators had little consideration as to the collateral damage they create. Again, this methodology is rarely used among Western cyber warfare operatives.
Although the code was designed with remotely controlled ‘uninstall’ and termination function, these do not work properly in most cases, as the level of sophistication invested in this segment fall behind the general high standard of Stuxnet.
Countermeasures and Concealment
Nevertheless, the creators took great effort to conceal the malicious code from detection, in an effort to mask its existence, activity and objectives. For example, the malicious code was written as a ‘dynamic link library’ (.dll) commonly associated with hardware device drivers – software elements rarely considered a risk, since these they are written, signed off and distributed by hardware providers to support specific functions of such hardware. Users commonly download these devices as part of hardware installations and support and trust their own anti-virus scanners and the companies that provided the drivers for their security. Alas, Stuxnet exploited this vulnerability – it uses highly sophisticated anti-anti-virus countermeasures, addressing 38 (!) known anti-virus programs, not only few of the most common ones, as most hackers will do.
In addition, the code is digitally signed by VeriSign as genuine Siemens software. Later, Siemens reported that these signatures were stolen but did not explain how such sensitive material was compromised and reached hostile elements. Technically, ‘extracting’ such signature from existing products is possible, but this capability is beyond the reach of hackers and could be done only with massive computing power not available in non governmental levels. In this area, Stuxnet creators have again demonstrated they can be generous – to ensure their code is accepted, they used two different signatures – by chip Taiwanese makers JMicron and Realtek. The fact that these signatures are time-stamped in within more than a week of each other could testify as to the lengthy process of the preparation, testing and operation planning.
