
Stuxnet: Analysis and Impact of the Malware Marvel


By: JoshBellamy

December 3, 2015

With U.S.-supplied, highly enriched uranium, Iran was able to fuel a small nuclear reactor, effectively beginning its nuclear program in the 1960s. Though advancement of the nuclear program slowed during the Islamic Revolution and the Iran-Iraq War, by the mid-1990s Iran was publicly pursuing the continuation of its nuclear program. (“Iran Sanctions”, 2010, p.1) In 2002, satellite photos verified Iran’s construction of nuclear plants to enrich uranium, a chemical element that in highly purified form can be used to create nuclear weapons. (Amanpour, Ensor, & Labott, 2010, p.1) Once this information came to light, Iran agreed to negotiations with France, Germany and the United Kingdom. With the talks failing to progress, the International Atomic Energy Agency (IAEA) voted that Iran was in violation of the Nuclear Non-Proliferation Treaty (NPT)[1] and referred the matter to the United Nations Security Council. Iran’s refusal to terminate its nuclear program upon the Security Council’s demand in 2006 was met with sanctions, which have been intensified since, but to no avail. (“Iran Sanctions”, 2010, p.1) While the evaluation of methods for dealing with the perceived danger Iran poses to the United States and the rest of the world continues, Iran maintains its right to nuclear power.

On June 17th, 2010, a Belarusian antivirus software company, VirusBlokAda, discovered a computer worm that was later branded “Stuxnet”[2] based on file names uncovered in the source code. (Krebs, 2010, p.1) The worm was written in multiple programming languages and contained almost half a megabyte of code, atypical for common malware, which is generally 10-15 KB. (Zetter, 2011) Stuxnet consists of a main dropper .DLL file containing all of its files and functions. Upon execution of the .DLL file, Stuxnet checks the administrative rights it has been granted.
If Stuxnet finds it is not running at the administrator level, it employs one of two zero-day exploits to escalate its privileges to those of an administrator of the machine. After achieving the necessary rights, Stuxnet begins installation by injecting itself into a system process chosen according to which manufacturer’s antivirus software is present on the computer being infected. If no antivirus software is present, a default Windows process is used for injection. In addition to writing four encrypted files, two driver files, mrxnet.sys and mrxcls.sys, are installed, and the registry is updated so that the device drivers are loaded every time the computer boots, ensuring no disruption to the worm’s plans. Both drivers are digitally signed with the signature of Realtek Semiconductor Corp.,[3] a legitimate provider of system drivers, which further allowed Stuxnet to remain undetected. Stuxnet’s last installation step is to modify the system registry so that the Windows Defender firewall does not block it, since it can receive updates through the Internet as well as over peer-to-peer networking. (Falliere, O Murchu, & Chien, 2011)

The Stuxnet worm was found to have several ways of spreading between computers. At the time of its discovery, Stuxnet was determined to use a previously unknown vulnerability in the way Microsoft Windows handles .LNK[4] files to automatically run the malware executable from a USB storage device. Interestingly, the worm contained an infection counter that ensured an infected USB drive would only infect up to three other computers before Stuxnet removed itself from the drive. The worm could also spread through a network by two different methods. The first uses an exploit also employed by the unrelated but widely known Conficker worm[5], which looks for shared, writable directories on remote systems.
Upon finding such a directory, Stuxnet copies itself there and then runs. The second method of spreading through a network involved a vulnerability in shared printers that allowed files to be copied to another computer that was also connected to the printer. (Falliere, O Murchu, & Chien, 2011)

Once Stuxnet has replicated onto a machine, it checks for a programmable logic controller (PLC)[6] that is run by a specific supervisory control and data acquisition (SCADA) software, Siemens WinCC. If the infected machine does not meet this condition, the worm does not attack. However, if the condition is met, Stuxnet gains access to the PLC using the manufacturer’s default passwords and uploads configuration data about the system, such as IP addresses, computer name, and operating system, to a command-and-control server. There were two command-and-control servers, hosted in Malaysia and Denmark. Those on the receiving end of the command-and-control server could then select a target infected PLC and manipulate the way it operates. (Falliere, O Murchu, & Chien, 2011)

Given the vast capabilities of the worm, the fact that Stuxnet does not always attack is peculiar, since computer worms and viruses generally aim to spread and do their bidding on as many computers as possible. The specific software Stuxnet was looking for suggested it was a directed attack. However, the question remained: at whom was the attack directed? A global team of researchers at Symantec, including Liam O Murchu, Eric Chien, and Nicolas Falliere, were intrigued by the complexity of the worm and delved into reviewing the source code. After noting the aforementioned command-and-control servers, Symantec requested that the DNS providers for the servers redirect the traffic to a Symantec-owned computer for analysis. The DNS providers agreed, and Symantec’s machine received information from 38,000 infected machines.
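The boot-time persistence described earlier in this section (two kernel drivers registered so that Windows loads them at every boot) is something a defender can check for by inspecting the Services registry hive. The script below is an added example, not code from the article or from the Symantec dossier it cites: it parses a constructed `reg export` sample and flags boot-loaded kernel drivers whose image file name is on a watch list. The service key names, the benign Tcpip entry and the paths are assumptions; only the driver file names come from the article.

```python
from typing import Dict, List

# Constructed `reg export` sample (not from a real host). Service key names, paths and
# the benign Tcpip entry are assumptions; mrxcls.sys / mrxnet.sys come from the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="System32\\drivers\\tcpip.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''
WATCHED_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}  # driver file names named in the article
BOOT_OR_SYSTEM_START = {0, 1}                   # Start values that load during boot
KERNEL_DRIVER = 1                               # Type value for a kernel-mode driver

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [key] headers, "name"="string", "name"=dword:hex."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, value = line.split("=", 1)
            if value.startswith("dword:"):
                keys[current][name.strip('"')] = int(value[len("dword:"):], 16)
            else:  # .reg exports write backslashes inside string values as \\
                keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def find_watched_boot_drivers(text: str) -> List[str]:
    """Service names of boot-loaded kernel drivers whose image file is on the watch list."""
    hits: List[str] = []
    for key, values in parse_reg_export(text).items():
        basename = str(values.get("ImagePath", "")).rsplit("\\", 1)[-1].lower()
        if (values.get("Type") == KERNEL_DRIVER
                and values.get("Start") in BOOT_OR_SYSTEM_START
                and basename in WATCHED_DRIVERS):
            hits.append(key.rsplit("\\", 1)[-1])
    return hits
```

On a live system the same check would run over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, with the watch list extended to whatever driver names a current advisory gives.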
As the Symantec team plotted the geographic locations of the infected machines, they discovered that 22,000 of the 38,000 infected machines resided in Iran.[7] (Zetter, 2011)

In September 2010, a control system security expert named Ralph Langner posted his hypothesis regarding the purpose of the Stuxnet worm and its intended target. Langner posited that Stuxnet was an act of sabotage against a target highly prized by the attacker. He also noted that the complexity of the worm itself and the technical expertise needed to exploit the vulnerabilities suggested a resourceful team of highly qualified individuals with insider knowledge of their target and the systems the target uses. Taking this into consideration, along with the fact that most infections were in Iran, Langner concluded that the target of Stuxnet was the Iranian nuclear program, specifically the Bushehr plant. (Langner, 2010) In December 2010, a team at the Institute for Science and International Security (ISIS) released a report linking Stuxnet to Iran’s Natanz uranium enrichment facility. (Zetter, 2011) The ISIS report notes that the centrifuges at Natanz are arranged in cascades of 164 centrifuges, a number prevalent in the Stuxnet source code. Additionally, the report states that Stuxnet’s commands return the motor frequency to a value of 1410 Hz, which happens to be the nominal frequency of the IR-1 centrifuges Iran uses to enrich uranium at Natanz. (Albright, Brannan, & Walrond, 2010)

With Stuxnet’s target seemingly confirmed, suspicions that the United States and/or Israel had authored the worm seemed plausible; however, no one publicly acknowledged involvement. In June 2012, a New York Times article by David Sanger gave a detailed account of the origin of Stuxnet based on the accounts of American, Israeli, and European officials involved in a program called “Olympic Games”.
According to Sanger, the program, started in 2006 under the Bush Administration, was an effort to disrupt the Iranian nuclear program through sabotage by gaining access to the Natanz facility’s industrial controls. Code was first developed to serve as espionage software, sending back electronic blueprints of the devices within the Natanz facility over the course of months. With the inner workings of Natanz in hand, the NSA and Israel’s NSA equivalent, Unit 8200, collaborated on creating Stuxnet, referred to at the time as “the bug.” Using previously acquired P-1 centrifuges, the United States built replica centrifuges to create a model Natanz environment in which to test the worm. Over time, the tests proved successful, ultimately resulting in the desired destruction of centrifuges. The initiative received presidential approval for deployment in Iran, and the United States was faced with the challenge of getting the worm into the Natanz facility. Beyond the standard physical security of the facility, the Iranians had implemented an air gap at Natanz, deliberately preventing the internal networks from connecting to the Internet as a security precaution. The challenge of crossing the air gap was met with what a Sanger informant described as “our holy grail”, a USB drive, noting “there is always an idiot around who doesn’t think much about the thumb drive in their hand”. Once activated, Stuxnet would slow down some centrifuges while speeding others up to the point where they would be physically destroyed. Sanger reported what an American official described as the “most brilliant” capability of Stuxnet: recording the normal operations of the plant so that they could be fed back to the workers monitoring the centrifuges, masking the havoc Stuxnet was wreaking.
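The masking technique Sanger describes, replaying recorded normal readings to the operator display, is exactly what an out-of-band monitor should be built to catch. The following is an added example, not code from the article or from any plant system: it runs two checks over constructed telemetry, an exact-repeat detector on the operator feed (genuine sensor noise makes verbatim repetition implausible) and a comparison of the display against an independent sensor around the 1410 Hz nominal frequency cited above. The tolerance band, window size and all sample values are assumptions.

```python
from collections import deque
from typing import List, Sequence, Tuple

NOMINAL_HZ = 1410.0   # nominal IR-1 motor frequency cited in the article
TOLERANCE_HZ = 25.0   # assumed width of the "normal" band for this example
WINDOW = 5            # consecutive readings compared when looking for a replay

# Constructed telemetry (not real plant data): ten genuine readings, after which the
# operator-facing (HMI) feed repeats them verbatim while an independent sensor on the
# drive shows the motor frequency being pushed away from nominal.
GENUINE = [1410.2, 1409.7, 1410.5, 1409.9, 1410.1, 1410.4, 1409.6, 1410.0, 1410.3, 1409.8]
HMI_FEED = GENUINE + GENUINE
INDEPENDENT = GENUINE + [1380.0, 1330.0, 1290.0, 1250.0, 1220.0,
                         1190.0, 1160.0, 1130.0, 1100.0, 1070.0]

def find_replayed_windows(samples: Sequence[float], window: int = WINDOW) -> List[int]:
    """Start indexes of windows that exactly repeat an earlier window in the same feed."""
    seen = set()
    buf: deque = deque(maxlen=window)
    hits: List[int] = []
    for i, value in enumerate(samples):
        buf.append(round(value, 3))
        if len(buf) == window:
            key = tuple(buf)
            if key in seen:          # identical run of readings seen before: replay suspected
                hits.append(i - window + 1)
            seen.add(key)
    return hits

def find_display_divergence(hmi: Sequence[float], independent: Sequence[float],
                            nominal: float = NOMINAL_HZ, tol: float = TOLERANCE_HZ
                            ) -> List[Tuple[int, float, float]]:
    """Indexes where the display reads nominal but the independent sensor is out of band."""
    flagged: List[Tuple[int, float, float]] = []
    for i, (shown, measured) in enumerate(zip(hmi, independent)):
        if abs(shown - nominal) <= tol < abs(measured - nominal):
            flagged.append((i, shown, measured))
    return flagged

if __name__ == "__main__":
    print("replayed windows start at:", find_replayed_windows(HMI_FEED))
    print("display/sensor divergence:", find_display_divergence(HMI_FEED, INDEPENDENT))
```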
Without alerts from their trusted monitoring systems, Sanger cites reports that spread throughout the IAEA saying Iran had people sit in front of the centrifuges to radio back their observations. The Stuxnet attackers would issue version updates changing the worm’s attack frequency in an effort to throw off suspicion. Sanger quotes someone close to the attacks as saying “The intent was that the failures should make them feel they were stupid” and mentions that before long there was finger pointing and Natanz workers were being fired. With President Bush’s term in the White House coming to a close, responsibility for Operation Olympic Games passed to President Obama. Under the Obama Administration the cyber attacks continued, with President Obama emphasizing that the malware must not be linked back to the United States. In summer 2010, due to a defect in a newly released version of Stuxnet, the worm failed to recognize that its environment was no longer the Natanz facility when taken home by a worker at Natanz, and began spreading itself over the Internet. While these claims are debatable, since Sanger’s sources are unnamed, presumably to avoid the consequences of supplying details of a highly classified operation, what is undeniable is Stuxnet’s place in cyber history as the first malware attack on critical infrastructure that caused physical destruction.[8] (Sanger, 2012, pp. 1073-1209)

In review, if the conjecture of United States involvement in Stuxnet is indeed true, there is great irony that in an attempt to keep weapons of mass destruction out of the hands of a United States opponent, they have supplied the blueprint for what could be repurposed into the digital equivalent of a nuclear weapon. In September 2011, a new worm named Duqu, with a design similar to Stuxnet’s, was discovered by the Laboratory of Cryptography and System Security (CrySyS Lab). However, instead of destroying Iranian centrifuges, its purpose was stealing information.
In May of the following year, new malware known as Flame was discovered that was capable of recording and reporting screenshots, keystrokes, network traffic and even audio. Flame has been described as twenty times more complex than Stuxnet, with full analysis of the malware possibly taking ten years. (Zetter, 2012) A month after the Flame discovery, a very similar malware, Gauss, was uncovered that also engaged in espionage. A key difference between Gauss and Flame was that, in addition to the data collected by Flame, Gauss also stole credentials for banking systems, social networks, email and instant messaging accounts. It is telling that in a relatively short time following Stuxnet, we have discovered even more sophisticated attacks. Even assuming that all of the aforementioned malware are products of government intelligence agencies, they are nonetheless available to the public and serve as supplementary blueprints to be added to the arsenal of a motivated attacker. (Bencsath, Pek, Buttyan & Felegyhazi, 2012)

Non-state actors aside, other countries, Iran in particular, may feel obligated or justified to launch their own attacks against the United States or its allies. Additionally, there is the threat that another country’s response to Stuxnet may be more destructive and perhaps even involve kinetic force. Whether or not a cyber attack constitutes a use of force remains a gray area, leaving other countries to draw their own conclusions. The Stuxnet worm made this distinction even more perplexing by inflicting physical damage. With reports attributing the Stuxnet attacks to the United States and Israel, these countries will likely face retribution, whether they were actually involved in the attacks or not. The history of this malware marvel is intriguing, yet the focus of the cyber security community must shift towards the future.
With the discovery and dissection of the Stuxnet worm, we have observed the execution of a cyber weapon that has changed the cyber security landscape. No longer is malware limited to computers; it now extends to critical physical infrastructure as well. Implementing an air gap to isolate one’s systems from the Internet does not grant invulnerability. The sophistication of Stuxnet alone should rightfully change future cyber security methodologies. (Chen & Abu-Nimeh, 2011) A key point to be cognizant of is that by the time Stuxnet was discovered, it had already compromised its target. From a cyber defense perspective, this is an important takeaway. Just as it likely took an alliance of many specialists to author and deploy Stuxnet, so too did it require a team of varied professionals to analyze, address, and attribute the threat following discovery. For professionals to adequately secure the cyber domain in a post-Stuxnet world, where malware sophistication outpaces security measures and threat assessment capabilities, and attack attribution can lead to retribution and escalation, collaboration is paramount.


Albright, D., Brannan, P., & Walrond, C. (2010). Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment. Retrieved from
Amanpour, C., Ensor, D., & Labott. (2002). U.S.: Iran working on nuclear weapons. CNN World. Retrieved from
Bencsath, B., Pek, G., Buttyan, L., & Felegyhazi, M. (2012). The Cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet. Retrieved from
Chen, T. M., & Abu-Nimeh, S. (2011). Lessons from Stuxnet. Computer, vol. 44. Retrieved from
Falliere, N., O Murchu, L., & Chien, E. (2011). W32.Stuxnet Dossier. Retrieved from
Finkle, J. (2013). Researchers say Stuxnet was deployed against Iran in 2007. Reuters. Retrieved from
Krebs, B. (2010). Experts Warn of New Windows Shortcut Flaw. Retrieved from
Kushner, D. (2013). The Real Story of Stuxnet. Retrieved from
O Murchu, L. (2010). W32.Stuxnet Installation Details. Retrieved from
Sanger, D. (2012). Obama Order Sped Up Wave of Cyberattacks Against Iran. The New York Times. Retrieved from
Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. Retrieved from
Zetter, K. (2012). Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers. Retrieved from
(2010). Iran Sanctions. International Debates, vol. 8 (Issue 9). Retrieved from
(2010). Rootkit.TmpHider. Retrieved from

[1] The Nuclear Non-Proliferation Treaty mandates that signatories allow the IAEA to inspect their nuclear program periodically as well as offer information to ensure the peaceful application of nuclear energy.  Iran ratified the treaty in 1970.
[2] “Stuxnet” is a combination of .stub and mrxnet.sys.
[3] After VeriSign revoked the Realtek signature, a different version of Stuxnet used another legitimate digital signature, that of JMicron Technology Corp., which VeriSign also later revoked.
[4] A .LNK file, or “link” file, is used in Microsoft Windows as a shortcut pointing to another file or directory.
[5] The Conficker worm is regarded as the largest worm infection since 2003, infecting millions of computers.
[6] PLCs are small computers, usually dedicated to a single, specific task, such as controlling motors or managing production lines.
[7] The total number of infections reported grew to over 100,000 computers.
[8] While exact damages are unknown, the range of destroyed centrifuges was estimated to be between 1,000 and 2,000.