gershwin.aaron

Cyber security copy writer, tech support with a degree in political science

Stuxnet, or how to destroy a centrifuge with a small piece of code

Stuxnet represents the pinnacle of coding design. This small computer worm, just a half a megabyte in size, managed to infiltrate Iran’s nuclear facilities and destroy about one-fifth of uranium enrichment centrifuges. Furthermore, it was done in such a specific way to prevent political unrest, at least at the level of open conflict.
First uncovered in 2010, it was a surprise to cyber security communities. This is how Eugene Kaspersky, the CEO of notorious Kaspersky Lab, describes his experience:
I got the news about Stuxnet from one of my engineers. He came to my office, opened the door, and he said “So, Eugene, of course, you know that we’re waiting for something really bad…It happened.”
Later on, Kaspersky Lab employees admitted they have never encountered anything as complex, as this small piece of code, and that it took them nearly two months to understand what exactly it is trying to achieve.
Stuxnet is impressive from the beginning to the end: the way it injects itself into the system, erases its traces, replicates, and, in the very end, manages to damage uranium enrichment centrifuges, — here we have the very first and highly sophisticated cyber weapon. So let’s see what it’s all about.

What is Stuxnet?

First of all, this piece of malware had to be named. Since no one came out to tell it’s their creation, and there was no clear understanding of its purpose, experts analyzed the code and, among the binary numbers, found two phrases: “stub” and “xnet”, thus combining it into Stuxnet.
By definition, Stuxnet is a malicious computer worm. It is designed to infect specific devices, replicate itself, and cause damage. Regarding its origins, no one can be absolutely sure, but a safe guess is that it’s a joint effort of American-Israeli forces. The political landscapes are self-explanatory, the tensions between the west and the Middle East are, sadly, still ongoing, and the US expressed their frustrations regarding Iran’s nuclear program many times.
Another argument is that it’s unlikely that any hacker group or community would have the resources to develop such a sophisticated worm. According to the report by Symantec, the development “full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.” And since Stuxnet has no features to extract monetary value, it’s a safe assumption that a nation-state is behind it.
Last, but not least, Stuxnet exploited the same vulnerabilities that were used for Flame malware, and the knowledge of these zero-day vulnerabilities are linked to the Equation group, a semi-secret American organization, dubbed by the same Kaspersky lab as “the most advanced” cyber attack groups. All these are just assumptions and logical conclusions, without any facts whatsoever. And that must be taken into consideration, because Stuxnet is much more than just a simple worm.

Targeting nuclear facilities

If we were to list locations, that are absolutely forbidden to public access, then nuclear facilities would be near the top. Furthermore, due to the high-risk factor, networks of such facilities tend to be surrounded by security barriers, both physical and digital. That’s an obstacle Stuxnet’s creators had to overcome.
The first infection happened via USB. The exact person, who somehow obtained infected USB drive, will never be known since once Stuxnet infects Windows systems it erases itself from the USB drive. Possible scenarios are endless, and you can throw a batch of infected USBs somewhere in Iran and hope someone will pick one up. One way or another, Stuxnet made its way into nuclear facilities. However, this infection method can’t be controlled, and this worm also made its way to India, United Kingdom, even the United States. See the image below for the infection scope.
Once the worm is inside the nuclear facility and is plugged into a computer, the magic starts to happen. Stuxnet can hide its files in a removable drive; furthermore, the driver file itself is digitally signed with a legitimate Realtek certificate, which means that the attackers had to penetrate Realteks security systems and obtain one of the most guarded secrets: an authentic digital signature.
The worm does not execute itself in a standard .exe way. Instead, it consists of a large .dll file that contains many different exports, and two encrypted configuration blocks. All this is compressed in a wrapper program stored in a section name “stub.” When the threat is executed, the .dll file is extracted and starts calling exports. See the image below for complete export functions.
In layman’s terms, the worm does not have a stable preset of functions, but calls various exports/functions depending on the circumstances it finds itself in. This includes checking the operating system, an attempt to gain administrator privileges, verifying whether the device is connected to the internet, or a local LAN, and, most importantly, if it is connected to Siemens PLC devices (this will be explained shortly).
Moreover, computers these days have default protection mechanisms, which was also taken into consideration. Stuxnet has a list of trusted applications, which includes most popular AntiViruses, so before launching an attack on centrifuges, it delineates the environment. Upon scanning the system AntiViruses search for specific actions, and alerts the user if some processes resemble a virus or other malicious programs, it’s called behavior blocking. I couldn’t explain in better words how Stuxnet manages to bypass behavior blocking, Symantec explains:
When Loading DLLs Whenever Stuxnet needs to load a DLL, including itself, it uses a special method designed to bypass behavior blocking and host intrusion-protection based technologies that monitor LoadLibrary calls. Stuxnet calls LoadLibrary with a specially crafted file name that does not exist on disk and normally causes LoadLibrary to fail. However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load specially crafted file names. These specially crafted filenames are mapped to another location instead — a location specified by W32.Stuxnet. That location is generally an area in memory where a .dll file has been decrypted and stored by the threat previously.
In other words, Stuxnet cuts itself a space in the infected device, and by exploiting vulnerabilities pretends to be a legitimate program. It also exploits Windows operating system printer sharing vulnerability to spread itself across the network. In short, step by step, infection goes like this:
  1. The worm checks the operating system of the device (only Windows supported);
  2. Checks if it has administrator rights and by exploiting two zero-day vulnerabilities tries to obtains them;
  3. Once obtained, an export nr.16 is executed, and installation takes places;
  4. An attempt to establish a network with other devices (and infections) follows;
  5. Stuxnet checks it’s own version and can update itself; furthermore, each update can store information about previous infections ant worm versions.
This is the main trajectory of infection, and I have deliberately skipped a few complicated steps, that would require far broader explanation than this article is aimed at.

The ultimate goal

Up until now, I have over viewed the infection process and the general architecture of the worm. However, there’s another story that sheds some light on why Stuxnet is dubbed the most complex piece of code ever written.
The very last stop of Stuxnet is a PLC device. That’s programmable logic devices that are mainly used for automation processes in big industries, for example, amusement parks. Siemens PLC devices are also used in Iran’s nuclear facilities and were the primary target of Stuxnet.
Once Stuxnet has successfully installed itself in a necessary environment that has a direct connection to Siemens PLC device, it irreversibly injects it’s code and modifies the machine, meaning that no system clean up, no restart, no effort can restore the device to the factory conditions.
Once there, it can do terrible things. Order it to spin until it blows up, stop them altogether, wreak havoc all over the facilities. However, this was not the case. Kaspersky Lab employees expressed their surprise because, for a few weeks, they could not tell what exactly does this code do. It seemed to replicate itself, check its environment, mostly just lay dormant, sometimes contact world wide web, then fall asleep again. That’s precisely what happened once it reached PLC device.
Instead of hasty action, Stuxnet laid dormant for quite some time. When the worm decides it’s time, it wakes up and targets working uranium enrichment centrifuges. Moreover, not one, but two attack scenarios are executed.
First of all, it locks those centrifuges, so no one can stop them, or make any modification whatsoever. Then the first scenario is launched: Stuxnet modifies the rotor speeds of the centrifuges, but not too much. Just a bit slower, or a bit faster, enough to start ruining them one after another.
A second attack targets the pressure of the UF6 gas that is used to enrich uranium. Once again, just tiny parameters are modified, yet enough to start turning UF6 gas into small solid pieces of rock. Needless to say, solid material in the spinning centrifuges means an assured decay.
There’s a cherry on the top. Employees should get all the malfunctioning information anyway, that’s how monitoring works, and worried employees should see that the rotor speed is wrong, the pressure is too high…However, Stuxnet, before doing its thing, records the last 21 seconds when the centrifuge was working correctly and pushes the results into SCADA monitors. That left Iranian scientists in the dark, because the monitors showed no errors, yet the centrifuges were failing one after another.

The small perfection

Cyber security experts were scratching their heads, trying to make sense of this small piece of code. At one point, they even noticed requests being sent to http://www.mypremierfutbol.com or http://www.todaysfutbol.com.This makes no sense…except, that these pages were configured to accept encrypted traffic from Stuxnet and contains the latest updates, so when Stuxnet confirms it has access to the global internet, it can update itself and proceed with the mission.
And all this was achieved with a half of a megabyte data. As Kaspersky lab noted, they have never seen a code so compressed, as if there were no unnecessary lines, and everything served a purpose. For the reasons outlined above, Stuxnet can be rightly called the most sophisticated piece of code ever written, and reveals the true capabilities of cyber weapons.

Tags

More by gershwin.aaron