Stuxnet is a ‘Weapon’

Stuxnet just won’t go away: Microsoft has confirmed the worm exploited four zero-day flaws, and two of those four remain unpatched. Now the speculation begins, with experts saying various facilities in Iran, including a nuclear reactor and a nuclear enrichment facility, were among the targets.

09/22/2010


Microsoft has confirmed the worm exploited four zero-day flaws, two of which remain unpatched. Speculation over the targets has begun, with experts naming facilities in Iran, including a nuclear reactor and a nuclear enrichment facility. No one has confirmed those were the actual targets, officials said.


“Security experts agree that the purpose of the worm is sabotage of an industrial process,” said Andrew Ginter, chief security officer at Industrial Defender. “The details that have been released regarding the design of the worm no longer support the theory that the purpose was information theft.”
“Whoever designed this knew what they were doing,” said Eric Byres, chief technology officer at Byres Security. “It is pretty clear now it was developed to disable a process and destroy equipment.”


Siemens learned on July 14 of the malware targeting its Simatic WinCC and PCS 7 software. The company immediately formed a team to evaluate the situation and worked with Microsoft and antivirus vendors to analyze the consequences and the exact mode of operation of the worm.


The worm, which spreads via USB sticks and exploits a vulnerability in Microsoft Windows, can affect Windows computers from XP upward.
According to Siemens’ analysis, in addition to exfiltrating data the worm can theoretically influence specific processes and operations in a very specific automation environment or plant configuration. That is, under certain boundary conditions, the malware can alter how the control system executes its operations. Siemens said this behavior had not yet been verified in tests or in practice.


The behavior of Stuxnet also suggests the worm only activates in plants with a specific configuration, Siemens said. It deliberately searches for a particular combination of hardware modules and program patterns that belong to one specific production process; this pattern can, for example, be pinned down by one specific data block and two code blocks.
That means Stuxnet is targeting a specific process or plant, not a particular brand or process technology, and not the majority of industrial applications, according to the Siemens analysis.
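The gate Siemens describes, "activate only when one data block and two code blocks match", and the defender's inverse of it, a diff of the PLC's block inventory against a known-good baseline, are modeled below. This is an added example, not code from the article, from Siemens or from Stuxnet itself; the block names, block contents, the plant inventories and the baseline are all constructed, and the fingerprint is derived from the constructed target rather than from any real Stuxnet block numbers.

```python
# Added example: a model of configuration-gated activation and of the
# defender's baseline diff. Every block name and content below is
# constructed; nothing here is taken from Stuxnet or a real project.
import hashlib


def block_digest(content: bytes) -> str:
    """Content digest of one PLC block (a data block or a code block)."""
    return hashlib.sha256(content).hexdigest()


# Constructed inventories. PLANT_A is the (hypothetical) targeted plant;
# PLANT_B uses the same block names but different logic in one code block.
PLANT_A = {
    "OB1": b"OB1: cyclic main",
    "DB_PROCESS_CONFIG": b"DB: 3 pumps, 2 valves, setpoint table",
    "FC_CODE_A": b"FC_CODE_A: read pump status words",
    "FC_CODE_B": b"FC_CODE_B: write pump speed setpoints",
}
PLANT_B = dict(PLANT_A, FC_CODE_B=b"FC_CODE_B: write valve positions")

# Hypothetical target fingerprint: one data block and two code blocks.
# An attacker would build this from prior knowledge of the target; here it
# is simply derived from PLANT_A so the example is self-contained.
TARGET_FINGERPRINT = {
    name: block_digest(PLANT_A[name])
    for name in ("DB_PROCESS_CONFIG", "FC_CODE_A", "FC_CODE_B")
}


def matches_target(inventory: dict[str, bytes], fingerprint: dict[str, str]) -> bool:
    """True only when every fingerprinted block exists with identical content.

    A plant with the same block names but different code does not match,
    which is how a host can be infected yet never see the payload activate.
    """
    return all(
        name in inventory and block_digest(inventory[name]) == digest
        for name, digest in fingerprint.items()
    )


def diff_against_baseline(inventory: dict[str, bytes],
                          baseline: dict[str, str]) -> dict[str, list[str]]:
    """Defender's check: compare the live block inventory of a controller
    with a known-good baseline of digests recorded from the engineering
    project, reporting blocks that were added, removed or modified."""
    live = {name: block_digest(content) for name, content in inventory.items()}
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(n for n in live.keys() & baseline.keys()
                           if live[n] != baseline[n]),
    }


# Known-good baseline of PLANT_A, as an engineer would record it.
BASELINE_A = {name: block_digest(c) for name, c in PLANT_A.items()}

# PLANT_A after something has altered FC_CODE_A and injected an extra block.
PLANT_A_TAMPERED = dict(
    PLANT_A,
    FC_CODE_A=b"FC_CODE_A: read pump status words; call FC_EXTRA",
    FC_EXTRA=b"FC_EXTRA: logic not present in the project",
)

if __name__ == "__main__":
    print("PLANT_A matches fingerprint:", matches_target(PLANT_A, TARGET_FINGERPRINT))
    print("PLANT_B matches fingerprint:", matches_target(PLANT_B, TARGET_FINGERPRINT))
    print("Baseline diff of tampered PLANT_A:",
          diff_against_baseline(PLANT_A_TAMPERED, BASELINE_A))
```

The baseline diff is the practical takeaway: a controller whose block list or block digests differ from the engineering project deserves attention whether or not any antivirus product flags the engineering workstation.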


This conclusion is consistent with the cases known to Siemens in which the worm was detected but had not activated, and could be removed without any damage having been done. No plant with that specific configuration was among the cases Siemens knows about.


To date, Siemens said 15 systems were infected worldwide. In none of these cases did the infection cause an adverse impact to the automation system, Siemens said.


“To find one zero day is rare, but to come up with four zero days and to steal certificates and to find and exploit flaws in Siemens code is amazing,” Byres said. “It is an amazing professional project. Absolutely no one person could do this.”


“We are in a weapons race here,” Byres said. “This is a crash lesson for everybody on how to recognize malware.”
“The consensus out there is this was a weapon,” Ginter said. “There is a lot of technology in Stuxnet. It has a lot of stuff in it. Now it looks like somebody’s infrastructure has been targeted. It has been proven it can be done; who else will pick up on it? We will see other attacks like this.”
In a blog post last week, Alexander Gostev, who heads the Global Research and Analysis Team at Kaspersky Lab, said “Until now, most of the focus has been on the LNK/PIF vulnerability which Stuxnet exploits in order to spread via removable storage media and networks. But this has turned out not to be Stuxnet’s only surprise. The worm doesn’t just spread by using the LNK vulnerability. Once it’s infected a computer on a local network, it then attempts to penetrate other computers using two other propagation routines.
“Firstly, Stuxnet is designed to exploit MS08-067, the same vulnerability used by Kido (aka Conficker) at the beginning of 2009. The exploit code that Stuxnet uses to target MS08-067 is slightly different to that used by Kido. However, what’s really interesting is the second propagation routine.


“In addition to exploit code for MS08-067, Stuxnet contains an exploit for a previously unidentified vulnerability in the Print Spooler service; this vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine. Two files (winsta.exe and sysnullevent.mof) appear on attacked systems. It’s not just the way in which the malicious code gets on to the remote machine which is interesting, but also how the code then gets launched for execution.


“As soon as we identified the vulnerability we informed Microsoft about the problem and they confirmed our findings. The vulnerability has been identified as ‘Print Spooler Service Impersonation Vulnerability’ and rated ‘critical’. Today Microsoft released MS10-061, a patch which fixes this vulnerability.
“Analysis of the vulnerability shows computers with shared access to a printer are at risk of infection.


“During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn’t find anything.
“On top of all this, we’ve identified yet another zero-day vulnerability in Stuxnet’s code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future.

“The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware. It’s the first time we’ve come across a threat that contains so many ‘surprises’. Add to this the use of Realtek and JMicron certificates, and remember that Stuxnet’s ultimate aim is to access Simatic WinCC SCADA systems.


“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS 7.”
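The three propagation routes Gostev lists above (the LNK vulnerability via removable media, MS08-067, and the Print Spooler hole fixed by MS10-061) each map to a patch, and the spooler route leaves two named files behind. The triage check below is an added example, not code from the article or from Kaspersky: it runs over a constructed host snapshot and reports missing patches, the exposed combination of a shared printer on a host without MS10-061, and the presence of the two artifact files. The KB numbers are Microsoft's own for those bulletins (the LNK bulletin, MS10-046, is not named on this page), the on-disk locations of the two files are an assumption so matching is done on the base name only, and gathering real data (Get-HotFix output, a file listing, printer sharing state) is left to the operator.

```python
# Added example: host triage for the propagation routes named in the post.
# Host snapshots below are constructed; KB numbers are from the Microsoft
# bulletins; file paths for the two artifacts are an assumption.
from dataclasses import dataclass
import ntpath

# Patch that closes each route. KB identifiers come from the corresponding
# Microsoft bulletins, not from the article.
ROUTE_PATCHES = {
    "KB2286198": "MS10-046 LNK/shortcut (removable media)",
    "KB958644": "MS08-067 Server service (same hole Conficker used)",
    "KB2347290": "MS10-061 Print Spooler impersonation",
}
SPOOLER_PATCH = "KB2347290"

# File names the post reports on attacked systems. Where they land on disk
# is an assumption here, so matching uses the base name only.
SPOOLER_ARTIFACTS = {"winsta.exe", "sysnullevent.mof"}


@dataclass
class HostSnapshot:
    name: str
    installed_kbs: set[str]   # e.g. from Get-HotFix on the host
    files: list[str]          # e.g. a listing of %SystemRoot%\System32
    printer_shared: bool      # e.g. Win32_Printer.Shared


@dataclass
class Finding:
    severity: str
    detail: str


def triage_host(host: HostSnapshot) -> list[Finding]:
    """Return findings for one host, ordered by the checks below."""
    findings: list[Finding] = []

    # 1. Missing patches for any of the three routes.
    for kb, desc in ROUTE_PATCHES.items():
        if kb not in host.installed_kbs:
            findings.append(Finding("medium", f"{host.name}: missing {kb} ({desc})"))

    # 2. A shared printer on an unpatched host is reachable by the spooler route.
    if host.printer_shared and SPOOLER_PATCH not in host.installed_kbs:
        findings.append(Finding("high", f"{host.name}: shares a printer and lacks MS10-061"))

    # 3. Artifacts mean the spooler route was already used, patched or not.
    hits = [p for p in host.files if ntpath.basename(p).lower() in SPOOLER_ARTIFACTS]
    if hits:
        findings.append(Finding("critical",
                                f"{host.name}: spooler-exploit artifacts present: {', '.join(hits)}"))
    return findings


# Constructed snapshots: one fully patched workstation, one exposed HMI.
HOSTS = [
    HostSnapshot("ENG-WS01", {"KB958644", "KB2286198", "KB2347290"},
                 [r"C:\Windows\System32\notepad.exe"], printer_shared=False),
    HostSnapshot("HMI-02", {"KB958644"},
                 [r"C:\Windows\System32\winsta.exe",
                  r"C:\Windows\System32\wbem\mof\sysnullevent.mof"], printer_shared=True),
]

if __name__ == "__main__":
    for host in HOSTS:
        for f in triage_host(host):
            print(f"[{f.severity}] {f.detail}")
```

Treat the artifact check as a detection, not a vulnerability check: a host that has since been patched can still carry the files, and the post's point that the code is launched on the remote machine means the patch state alone says nothing about whether the route was already used.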
The worm that hit Siemens’ Simatic WinCC and PCS 7 users has been around for over a year, and at the beginning of this year its creators made it more sophisticated, officials said.
A Symantec researcher said the company identified an early version of the worm dating from June 2009, but it wasn’t until early this year that the malware became much more capable.


This earlier version of Stuxnet acts in the same way as its current incarnation: it tries to connect with Siemens’ management systems and steal data, but it does not use some of the newer worm’s techniques to evade antivirus detection and install itself on Windows systems.
The number of components and the amount of code are very large, and the authors’ ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows its creators have huge resources available to them and the time to spend on such a big task; this is most certainly not a “teenage hacker coding in his bedroom” type of operation, Symantec researchers said.
After Stuxnet first appeared, its authors added code that let it spread via USB devices with virtually no intervention by the victim. They also obtained signing certificates, and the private keys behind them, belonging to chip makers Realtek and JMicron, and used them to digitally sign the malware so antivirus scanners would have a harder time detecting it.

Supplied by ISSSource.com


