An Analysis of Stuxnet (win32/Stuxnet)

One of the most Advanced Computer Malwares in Recent Times

Introduction:
This is an analysis of the Stuxnet virus (win32/Stuxnet), which was identified in mid-2010 by the information security company VirusBlokAda after it had achieved worldwide propagation within a short period of time. Stuxnet is sophisticated malware that primarily attacks SCADA (Supervisory Control And Data Acquisition) systems and PLCs (Programmable Logic Controllers) by exploiting vulnerabilities in those systems. It uses a remote communication protocol (HTTP) to talk to a remote command and control server, which lets the attacker control and manipulate the infected system or network and download updated versions of the virus into it.
It was the first malware that monitored and also took control of industrial systems, and the first to carry a PLC rootkit. Most of the research carried out on Stuxnet has led many to speculate that its intricate design and architecture, as well as the complex modules it implemented, were probably the work of a large, skilled and resourceful group working collaboratively.
However, as public awareness of the attacks grew, it became easier to identify and patch the vulnerabilities it exploited, hence mitigating its attacks. We also discuss the threat it posed to targeted systems, its infection and distribution methods, and the various detection methods and countermeasures that were developed to slow down its propagation.

Threat Posed:
The Stuxnet virus was particularly interesting malware in that it infected many computers but only caused harm to the systems targeted by its developer. Many companies and organizations attacked by Stuxnet were reluctant to disclose attempted or successful attacks on their systems for fear of the public relations problems that public knowledge might cause.
This is because the primary targets of Stuxnet (SCADA and PLC systems) are critical to the day-to-day operation of critical infrastructure and industrial processes. As a result, many speculated that in the wrong hands the virus could be used to shut down a transport network or even make a nuclear power plant go critical, potentially putting the lives of millions at risk.
The Stuxnet attack of 2010 was a semi-targeted one, with the largest reported incidences occurring in Asian countries and more specifically Iran, the most affected area being the country's nuclear enrichment program, which led some to speculate that the USA or Israel was involved in developing the virus. The virus was dormant during its propagation stage, spreading far and wide and infecting the targeted systems before it activated. This made it very hard to detect, and therefore no countermeasures could be deployed against it in time. It probably bypassed the existing security software installed on the targeted systems with the assistance of other malware developers who provide means for malicious software to remain undetected in a system or network.
The virus is also able to present itself as legitimate software by carrying legitimate digital certificates stolen from credible software vendors. This in itself caused problems for the general public, as the credibility of legitimate software came into question.
It is important to note that the Siemens Step 7 industrial application, which runs on the Windows platform, was the primary target of Stuxnet. Its use of a hard-coded database of passwords made it susceptible to the CVE-2010-2772 vulnerability, which gave the virus the ability to access these databases and, through reverse engineering, the stored passwords. The virus may even modify these passwords, thereby locking all users out of the system.

Infection & Distribution:
Stuxnet initially spread indiscriminately through flash drives and shared folders on a network. This was in preparation for the zero-day trigger event that would allow the payload to be delivered and the virus to manipulate the infected systems, and it ensured that most of the targeted systems were infected. The virus was designed to have various levels of infection of the targeted system, the first being through the Windows platform by exploiting the LNK vulnerability and MS10-061 (found in the Windows Print Spooler service). This allowed the virus to spread by attaching itself to flash drives as well as shared folders on a network. We can therefore conclude that the Windows infection was merely a way for the virus to propagate itself as it sought out the target systems.
To exploit the .LNK vulnerability (CVE-2010-2568), the virus only needs a specially crafted shortcut to be displayed by the Windows Shell in Windows Explorer (when it renders the shortcut's icon), which results in code execution. Using this principle, the virus is also able to propagate through removable media such as flash drives without the need for the AutoRun function. As this was a very fundamental flaw in the architecture of the Windows platform, it was very hard to detect and hence patch. Its exploitation by Stuxnet therefore suggests that its developer had intimate knowledge of these vulnerabilities.
Stuxnet spreads over the network by exploiting the MS10-061 vulnerability. Any machine with printer or file sharing turned on was susceptible to infection. This vulnerability allowed a remote user with a Guest logon to write to the system directory of the target machine.

The virus was therefore engineered to impersonate a request to print a document and, in so doing, write itself into the system directory. To elevate itself to SYSTEM privileges on systems where it is otherwise unable to install itself, it exploits further vulnerabilities in the win32k.sys driver and the Windows Task Scheduler service. At this level it can perform any task on the infected machine. Stuxnet loads a specially crafted keyboard layout file into the kernel, which enables it to execute arbitrary code with SYSTEM privileges. The virus adapts to the conditions it finds on the system it is infecting.
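As an added, defender-side illustration of the shortcut mechanism described above (this is not code from the essay or from any vendor tool), the following Python parses the MS-SHLLINK header and LinkTargetIDList of a .lnk file and applies one simple heuristic: a shortcut whose ID list names a .dll is worth flagging, because an ordinary document shortcut points at a document or executable, not a library. The sample shortcuts are constructed inside the script; the drive letter, file names and item bytes are assumptions, not Stuxnet indicators.

```python
import struct

# MS-SHLLINK: a shell link starts with HeaderSize 0x4C followed by the
# shell link CLSID {00021401-0000-0000-C000-000000000046} (little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A


def split_idlist(data: bytes) -> list:
    """Split a LinkTargetIDList into ItemID payloads; a 2-byte zero size ends it."""
    items, off = [], 0
    while off + 2 <= len(data):
        size = struct.unpack_from("<H", data, off)[0]
        if size < 2:          # TerminalID or corrupt item
            break
        items.append(data[off + 2:off + size])
        off += size
    return items


def check_lnk(blob: bytes) -> tuple:
    """Heuristic scan of one .lnk blob. Returns (suspicious, reason)."""
    if len(blob) < LNK_HEADER_SIZE:
        return False, "too short to be a shell link"
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return False, "not a shell link"
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return False, "no LinkTargetIDList"
    id_size = struct.unpack_from("<H", blob, LNK_HEADER_SIZE)[0]
    idlist = blob[LNK_HEADER_SIZE + 2:LNK_HEADER_SIZE + 2 + id_size]
    for item in split_idlist(idlist):
        # Item payloads carry UTF-16LE paths; try both byte alignments.
        for start in (0, 1):
            text = item[start:].decode("utf-16-le", errors="ignore").lower()
            if ".dll" in text:
                return True, "LinkTargetIDList references a DLL: " + text.strip("\x00")
    return False, "clean"


def build_lnk(items: list) -> bytes:
    """Constructed test fixture: a minimal .lnk carrying only a LinkTargetIDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples (assumed paths, not real artefacts): a normal document
# shortcut and one whose ID list points at a DLL on a removable drive.
BENIGN = build_lnk([b"\x1f\x50", "C:\\Users\\doc\\notes.txt".encode("utf-16-le")])
SUSPECT = build_lnk([b"\x1f\x50", "E:\\loader.dll".encode("utf-16-le")])
```

Run it over every .lnk on a mounted removable drive and treat a hit as a triage lead, not a verdict: legitimate shortcuts to Control Panel items can also reference DLLs.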

Detection & Counter Measures:
The Stuxnet developers employed the help of other malware developers, enabling the virus to evade existing antivirus software by presenting itself as legitimate software. The virus used device drivers signed with certificates stolen from Realtek and JMicron Technologies to mask its identity. The driver signing allowed it to install itself in kernel mode without notifying the user, so it stayed undetected in the infected system for some time. But in doing so, it presented an opportunity for detection through heuristics. As the attacks became more widespread, more data was collected about the virus and research was carried out. This enabled the characteristics and behaviors of the virus to be documented and the databases of antivirus companies to be updated to seek out those characteristics. In the process, the vulnerabilities it exploited in the various systems were also discovered.
Although they required a lot of time and resources to develop, various patches were released over the course of a few months after the attacks began. These were delivered through the regular security updates for the various versions of Microsoft Windows that had these vulnerabilities, as well as for the various application software packages with exploitable vulnerabilities. There was also a global effort to disable the malware by taking down the main websites used as command and control servers. Several tools were also developed to remove the virus from infected systems. Research is still ongoing into better ways of protecting systems against sophisticated attacks such as the one carried out by Stuxnet.

Conclusion:
We are probably going to see more sophisticated malware in the future as the resources and intelligence of attackers are backed by collaborative efforts. As systems get more secure, malware of increasing sophistication is being developed in a technological arms race. Stuxnet has demonstrated to the information security industry that with dedication and proper planning, a group of coders can create a sophisticated piece of code able to circumvent detection and render existing techniques redundant. There are probably more vulnerabilities that haven't been discovered yet, and these could be the backdoors into our systems. Only through collaboration and research can these threats be dealt with.


An Analysis of Stuxnet (win32/Stuxnet). (2022, Feb 06). Retrieved from https://essaylab.com/essays/an-analysis-of-stuxnet-win32-stuxnet
