Security Now 291

From The Official TWiT Wiki

Security Now 291: Stuxnet

The anatomy of Stuxnet, plus Pwn2Own is underway, meaning updates from Apple, Google, Microsoft, and more.

Security Updates

6:53 - 11:02

  • Microsoft Patch Tuesday
  • Four security vulnerabilities fixed, one with a CRITICAL rating in video media playback affecting XP, Vista and Win7.
    • If the user opens a malicious video, an attacker can execute code on the user's machine.

11:03 - 12:40

  • Pwn2Own is happening right now
    • Security researchers try to exploit zero-day problems in browsers in return for a prize
  • Browser prizes were increased to $15K.
  • Prizes are phones, laptops, & cash.
  • Google tossed in $20K for a Chrome browser prize.

12:41 - 14:12

  • Apple Updated Windows iTunes (to 10.2) fixing more than 50 security vulnerabilities.
    • A huge number of them in the Windows iTunes Webkit layout engine with rendering Fonts and HTML.
  • Mac iTunes updated to v10.2.1

14:13 - 15:26

  • Mozilla fixes multiple vulnerabilities; all of the following software prior to these versions has known vulnerabilities:
  • Firefox prior to 3.6.14
  • Firefox prior to 3.5.17
  • Thunderbird prior to 3.1.8
  • SeaMonkey prior to 2.0.12
  • Fixes problems in the Javascript engine and code for handling HTML, stylesheets, SVG objects, and JPEG images.
  • By enticing a target to view a malicious site, an attacker can exploit some of these vulnerabilities in order to execute arbitrary code on the target's machine.

15:27 - 22:36

  • Google's Chrome Browser updated to 9.0.597.107
    • Fixed 19 security issues
    • The vulnerabilities included several stale pointer vulnerabilities, an integer overflow, and a use-after-free memory vulnerability.
    • A user is compromised by visiting a malicious site.

Security News

22:37 - 26:04

  • BBC News Reporting:
  • “The way websites track visitors and tailor ads to their behaviour is about to undergo a big shake-up.”
  • From 25 May, European laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies".
  • The changes are demanded by the European e-Privacy directive which comes into force in the UK in late May.
  • The section of the directive dealing with cookies was drawn up in an attempt to protect privacy and, in particular, limit how much use could be made of behavioural advertising.
  • The directive demands that users be fully informed about the information being stored in cookies and told why they see particular adverts.
  • “Specifically excluded by the directive are cookies that log what people have put in online shopping baskets.”

26:05 - 30:55

  • Google's problems with Android Marketplace
  • About 50 apps were found to be infected with malware known as DroidDream.
  • They have been removed from the Android Market.
  • Google has suspended the accounts of the developers who were believed to be responsible for the infected applications and plans to take legal action.
  • Malware used a vulnerability in Android before v2.2.2.
  • Google used their "Remote Application Removal Feature" to remove any that had been installed
  • Users receive a notification that "Android Market Security Tool March 2011" has been installed ~ this closes the vulnerability in the user's phone.

30:56 - 35:35

  • Microsoft is actively working to discourage use of IE6:
  • After ten years it’s time to retire IE6
  • China: 34.5% are still using IE6
  • India: 12.3%, Saudi Arabia: 10.7%, Japan 10.3%
  • GRC's visitors: IE5: 0.07%, IE6: 2.87%

35:36 - 40:00

  • Adobe Labs released “Wallaby”
  • Converts simple FLASH games and animations into JavaScript / HTML5 / SVG so that they can run on “devices that do not support the FLASH runtimes.”
  • Complex animations crash the browser, and “zooming in and out can cause odd artifacts in the browser.”
    • Wallaby is delivered as a 32-bit application for Windows and Macintosh.
    • Wallaby is designed to emit HTML5 files compatible with Webkit based browsers.
    • The only supported Webkit browsers at this time are Chrome and Safari on OSX, Windows, and iOS (iPad, iPhone, iPod). Because Wallaby uses Webkit specific animation primitives, animation will not work and has not been tested on other browsers.

40:01 - 42:05

  • Researchers in Australia claim that SSD firmware is making forensics difficult
  • Murdoch University in Perth, Australia
  • "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery?"

  • Steve will address this issue in a future podcast


42:06 - 42:58

  • MANY people wrote and Tweeted that they love the long shows!


42:59 - 50:27

Kent Nelson found a post on the internet recommending SpinRite

Stuxnet: Anatomy of a True Cyberweapon

52:29 - 1:33:27

Source: W32.Stuxnet Dossier [1], Symantec Security Resources.

What is it?

  • One of the most complex threats Symantec has ever analyzed
  • A large complex piece of malware with many different functions
  • Its final goal is to reprogram the PLC ~ Programmable Logic Controllers ~ used in industrial control systems and to hide those changes from the system's operators
  • To increase the likelihood of success Stuxnet's creators amassed a vast array of components
    • Multiple zero-day exploits
    • Windows rootkit
    • The first ever PLC rootkit
    • Antivirus evasion techniques
    • Process injection and hooking code
    • Network infection techniques
    • Peer-to-peer updates
    • And a command and control interface

Functionally, Stuxnet is able to:

  • Self-replicate through removable drives exploiting a vulnerability allowing auto-execution.
    • Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)
  • Spread in a LAN through a vulnerability in the Windows Print Spooler.
    • Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)
  • Spread through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
  • Copies and executes itself on remote computers through network shares.
  • Copies and executes itself on remote computers running a Siemens WinCC database server.
  • (WinCC is a Windows-hosted automation control system)
  • Copies itself into Siemens Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
  • Updates itself through a peer-to-peer mechanism within a LAN.
  • Exploit a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned self-replication vulnerabilities, while the other two are escalation-of-privilege vulnerabilities that have yet to be disclosed.
  • Contact command and control servers that allow the hacker to download and execute code, including updated versions.
  • Contain a Windows rootkit that hides its binaries.
  • Contain logic to bypass security products.
  • Fingerprint a specific industrial control system and modify code on the Siemens PLCs to potentially sabotage the system.
  • Hide modified code on PLCs, essentially a rootkit for PLCs.

Significantly, Stuxnet could have NEVER been designed blind.

  • Stuxnet's designers needed to have insider-level information ~ essentially schematics ~ of the target process control system
  • It could not have been developed "blind" ~ a "mirrored" environment had to be created in the lab.

Stuxnet needed, and had, digitally signed drivers

  • Stuxnet's drivers were somehow signed with the valid private keys of two companies located in close physical proximity to each other:
  • Realtek Semi & JMicron
  • It's likely that some "agent" physically entered both facilities and signed the driver files ~ or stole the signing credentials

The machines used to program and control PLCs are never connected directly to the Internet

  • Stuxnet was probably dropped "close" to the target system
  • Perhaps by infecting an unwitting contractor who had access to the environment
  • Perhaps by using an accomplice who had some limited access.
  • It would then have used all of its various propagation techniques to get itself over onto the Windows machines used to program the PLCs.
  • It's likely that the initial infection was carried on a removable drive.

  • Since the target PLC-controlling PC was unlikely to have direct Internet access, the Command and Control system worked through intermediate instances of Stuxnet which did have Internet access.
  • Stuxnet's use of viral self-replication meant that there would be collateral damage.
  • Stuxnet's designers must have felt that the problem of collateral damage was unavoidable.

Command & Control

  • Encrypted traffic
  • Reports:
    • Internal & External IPs
    • Computer Name / OS Version
    • Whether it is running Siemens SIMATIC Step 7 industrial control software

  • Infections HEAVILY country biased
    • 58.31% Iran
    • 17.83% Indonesia
    • 9.96% India
  • The main reason for the HUGE difference is that the infection was probably INITIATED in Iran. Everything else was collateral damage.

  • Infections HEAVILY "Siemens Step 7" biased:
  • 67.60% of Iran infections had Step 7 installed
  • 8.10% South Korea
  • 4.98% USA
  • 2.18% UK

Stuxnet logs its own infection successes

  • Timestamp
  • Various system information
  • Each Stuxnet sample contains a growing history of every computer that was infected, all the way back to the first infection
  • Symantec was able to obtain a total of 3,280 unique samples of Stuxnet. From those, they were able to determine:
  • Stuxnet was a TARGETED attack on exactly FIVE organizations each having a presence within Iran.
  • 12,000 subsequent infections can be traced back to exactly five organizations:
  • #1 was targeted twice, in June 2009 and again in April 2010
  • #2 was targeted three times in June 2009, March 2010, and May 2010
  • #3 was targeted once in July 2009
  • #4 was targeted once in July 2009
  • #5 was targeted once in May 2009, but had three initial infections because the same initially infected USB drive was inserted into three different PCs.

  • The 12,000 early infections resulted from those ten infection-launch events.
  • The shortest span of time between Stuxnet compile time and initial infection was 12 hours.
  • The longest span was 28 days.
  • The average span was 19 days.

  • Overall, there were three attack waves:
    • June 22nd, 2009 ~ This infected the first four of the five organizations, about one week apart each.
    • March 1st, 2010 ~ Reinfection of the second organization
    • April 14th, 2010 ~ Reinfection of the 1st and 2nd organizations and first infections of the 5th organization.
  • The March 1st attack was the start of 69% of all infections
  • Probably more successfully seeded, and it had more and better replication methods than the initial June 2009 variant.
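
The tracing described above, where each sample's infection history is followed back to an initial infection event, can be sketched as follows. This is an added example, not code from the episode or from Symantec; the record layout, host names and timestamps are constructed, since the real log format is not given in these notes.

```python
from collections import defaultdict

# Constructed data: one list per recovered sample, oldest infection first.
# Each entry is (timestamp, host); the layout is an assumption for illustration.
SAMPLES = [
    [("2009-06-22T10:00", "orgA-pc1"), ("2009-06-25T09:00", "orgA-pc2")],
    [("2009-06-22T10:00", "orgA-pc1"), ("2009-06-25T09:00", "orgA-pc2"),
     ("2009-07-02T14:00", "vendor-lap7")],
    [("2009-06-22T10:00", "orgA-pc1"), ("2009-06-30T08:00", "orgA-pc3")],
    [("2010-03-01T05:00", "orgB-ws4"), ("2010-03-03T11:00", "orgB-ws9")],
]


def build_forest(samples):
    """Merge per-sample histories into a set of roots and parent -> children edges."""
    children = defaultdict(set)
    roots = set()
    for chain in samples:
        if not chain:
            continue                      # sample with no recoverable history
        roots.add(chain[0])               # first entry = initial infection event
        for parent, child in zip(chain, chain[1:]):
            children[parent].add(child)
    return roots, children


def infections_per_root(samples):
    """Count distinct infection events reachable from each initial infection."""
    roots, children = build_forest(samples)
    result = {}
    for root in roots:
        seen, stack = set(), [root]
        while stack:
            node = stack.pop()
            if node in seen:
                continue                  # chains overlap; count each event once
            seen.add(node)
            stack.extend(children[node])
        result[root] = len(seen)
    return result


if __name__ == "__main__":
    for root, count in sorted(infections_per_root(SAMPLES).items()):
        print(root, "->", count, "infection events")
```

Overlapping chains from different samples collapse onto shared nodes, which is why thousands of samples can reduce to a handful of starting points.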

Stuxnet Structure

  • Primarily a single large Windows DLL file.
  • DLL is injected into the running memory of other processes.
  • Stuxnet hooks six kernel functions in NTDLL.DLL in order to bypass host intrusion-protection defenses.
  • This allows it to get its large DLL payload into memory.
  • Stuxnet is aware of the following security-related products:
    • Kaspersky KAV (v6 to v9)
    • McAfee
    • AntiVir
    • BitDefender
    • Etrust
    • F-Secure
    • Symantec
    • Symantec Common Client
    • Eset NOD32
    • Trend Pc-Cillin
  • If one of those security products is detected, the security product's version number is determined and Stuxnet determines the optimal strategy for bypassing the protections, including the use of two still-undisclosed privilege escalation Windows vulnerabilities.

Command & Control

  • The two domains previously pointed to servers in Malaysia and Denmark. (Since redirected)
  • After connecting to those servers, the Stuxnet status sneaks out as an HTTP Query parameter
  • The response was an XOR encrypted binary that was loaded and directly executed

The Windows Rootkit

  • Malicious (signed) driver monitors "Directory Query" activity
  • Two types of files will be filtered out from a query directory result:
  • Files with a “.LNK” extension having a size of 4,171 bytes.
  • Files named “~WTR[FOUR DIGITS].TMP”, whose size is between 4Kb and 8Mb and the sum of the four digits modulo 10 is 0.
    • For example, 4+1+3+2 = 10 = 0 mod 10
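
The filter rule above doubles as a detection rule when a removable drive or disk image is examined from a clean analysis host, where the driver is not present to hide the entries. The following is an added example, not code from the episode or the Symantec dossier; reading "4Kb" and "8Mb" as 4 KiB and 8 MiB with inclusive bounds is an assumption, and the sample listing is constructed.

```python
import os
import re

LNK_SIZE = 4171              # exact size given in the notes
TMP_MIN = 4 * 1024           # "4Kb" read as 4 KiB (assumption)
TMP_MAX = 8 * 1024 * 1024    # "8Mb" read as 8 MiB (assumption)
WTR_RE = re.compile(r"^~WTR(\d{4})\.TMP$", re.IGNORECASE)

def hidden_rule_reason(path, size):
    """Return why (path, size) fits the filter rule, or None if it does not."""
    name = re.split(r"[\\/]", path)[-1]        # accept bare names or full paths
    if name.lower().endswith(".lnk") and size == LNK_SIZE:
        return "LNK of exactly 4,171 bytes"
    m = WTR_RE.match(name)
    if m and TMP_MIN <= size <= TMP_MAX:       # inclusive bounds (assumption)
        if sum(int(d) for d in m.group(1)) % 10 == 0:
            return "~WTR[4 digits].TMP with digit sum 0 mod 10"
    return None

def scan_listing(entries):
    """entries: iterable of (file name or path, size in bytes); returns matches."""
    hits = []
    for path, size in entries:
        reason = hidden_rule_reason(path, size)
        if reason:
            hits.append((path, size, reason))
    return hits

def scan_directory(root):
    """Apply the rule to every file under a mounted drive or extracted image."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                entries.append((path, os.path.getsize(path)))
            except OSError:
                continue                       # unreadable entry: skip it
    return scan_listing(entries)

# Constructed listing; the sizes and the .lnk / .doc names are made up.
SAMPLE_LISTING = [
    ("shortcut_a.lnk", 4171), ("shortcut_b.lnk", 1520),
    ("~WTR4141.tmp", 25720), ("~WTR4132.tmp", 500000),
    ("~WTR1235.tmp", 500000), ("~WTR0000.tmp", 100), ("report.doc", 4171),
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print(hit)
```

A match is only an indicator worth triaging: an unrelated shortcut can happen to be 4,171 bytes.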


  • Propagation via removable drive infection and network exploits
  • Network Propagation
    • Peer-to-peer communication and updates
    • Stuxnet establishes an RPC server and contains a client
    • Any new instances are able to query the network for the versions of other Stuxnet instances and update if they are older.
  • Infecting WinCC machines via a hardcoded database server password
    • Uses a fixed password and an SQL query to install itself in any visible WinCC machine
  • Propagating through network shares
  • Propagating through the MS10-061 Print Spooler Zero-Day Vulnerability
    • Only until June 1st, 2011
  • Propagating through the MS08-067 Windows Server Service Vulnerability
    • Only if various products' A/V signatures are earlier than January 1st, 2009.
    • And Kernel32.dll and Netapi32.dll show as not patched

  • Removable Drives:
  • Since industrial control systems are non-networked (for security!) removable drives are typically used to carry updates from the development machine to the industrial control machine.
  • Once an infected removable drive has successfully infected three machines, the drive will be disinfected (to prevent discovery).
  • The drive is checked to see if it is suitable, checking the following conditions:
    • The drive was not just infected, determined by the current time.
    • The infection source is less than 21 days old.
    • The drive has at least 5MB of free space.
    • The drive has at least 3 files.
  • The .lnk files contain an exploit that will automatically execute ~WTR4141.tmp when simply viewing the folder.
  • ~WTR4141.tmp deploys a mini-rootkit to hide the files on the removable drive on the new system
  • Then it loads ~WTR4132.tmp containing the entire Stuxnet payload.

Compromising Siemens' WinCC/Step7 PLC Programmer

  • Simatic’s s7otbxdx.dll file is replaced with a malicious imposter
  • The original s7otbxdx.dll is renamed s7otbxsx.dll.
  • This is the communications interface between the WinCC PLC programmer and the PLC device
  • Monitor PLC blocks being written to and read from the PLC.
  • Infect a PLC by inserting its own blocks and replacing or infecting existing blocks.
  • Mask the fact that a PLC is infected.




Production Information

  • Edited by: Jason
  • Notes: