TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Frost and Sullivan announced in their Feb. 2007 report, "Analysis of Vulnerability Discovery and Disclosure", that TippingPoint was the fastest growing discoverer of new vulnerabilities and the leader in the discovery of both high-severity and Microsoft vulnerabilities.

Elegant Worm: How Stuxnet Is Redefining The Game

Brilliance and elegance are powerful adjectives most often used to describe things of beauty -- people, places, and things.  Works of art whether they are literary or visual; aural or editable often bear these designations but it is rare indeed when we see them used to describe malicious code & content.   Prior to the discovery and release of information related to the Stuxnet Worm, you may never have heard anyone outside of security researchers or security evangelists use such powerful language to describe a threat.   Not ‘Storm’, not ‘Mariposa’, not ‘Aurora’, not even might ZeuS had been spoken of with the same reverence or awe.  Stuxnet marks a departure from the norm.  It is a superb example of the sophistication and professionalism at work in the sub-economic ecosystems of the Internet; one which demonstrates professional grade production and artful execution. 

There is a great deal of speculation surrounding this threat.  Some are asserting that this is the first real world example of a purpose built cyber weapon (I don’t believe this to be the case) seen and identified by commercial security research organizations.  Whether you subscribe to that belief or not is irrelevant.  What is relevant is the arrival of this worm and its implications on the threat landscape going forward.   Currently the worm is proliferating through the world at a rapid clip affecting primarily (though not exclusively), industrial control systems with approximately 45,000 such systems worldwide having been reported infected though the severity associated with said infections is debatable.   Many industry experts suspect that the worm has been targeted toward the Iranian Bushehr Nuclear reactor citing its initialization issues as being evidence of potential success of compromise.  Should the reactor not initialize in the course of the next few months it would not surprise me if the Stuxnet worm was implicated. 

The worm itself was discovered back in June 2010 by the folks at VirusBlokADA out of Minsk, Belarus.  Researchers there added the analyzed samples to their database as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2.  The analysis of the malware revealed that it leverages…wait for it…wait for it…USB storage for propagation!  Though not novel, a certainly effective approach.   According to the researchers at VirusBlokADA, the malware dropped to drivers: mrxnet.sys and mrxcls.sys used for inject code into systems processes and then subsequently obfuscate itself within the operating system.  In July of 2010 the Siemens Corporation announced the presence of what they called a highly sophisticated virus to members of their customer base who utilize computers in the management of their industrial control systems.  According to various sources the Siemens Corporation had been made aware of the issue on July 14, and immediately took action assembling a team to being incident response investigations and evaluations.  

Those involved were fearful as I mentioned earlier that this was an example of the sort of threat which had been warned against for years; a threat that can actually compromise, infiltrate and endanger the control systems that run manufacturing environments of all types in all sectors in addition to utilities organizations comprising localized and global critical infrastructure.  In the case of the malware in question, it had appeared to have been weaponized, targeting Siemens management software (Simatic WinCC) which runs on everyone’s favorite operating system Windows!  In fact the following Microsoft Vulnerability was referenced and noted as been exploitable in certain instances.   In the case of the malware in question, it had been architected to target Siemens management software which for the most part resides within SCADA environments (Supervisory Control and Data Acquisition).  SCADA environments are traditionally architected in such a way that they are not directly connected to the Internet though this is not always the case.   

Stuxnet applies a mult-vector approach to propagation.   It takes advantage of a remote procedure call (RPC) that is only effective against computers that have not applied the patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). Additionally, it exploits the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073) in order to copy itself from one compromised host to another. The vulnerability allows for a file to be written to the %System% directory of a vulnerable computer. Stuxnet first uses this vulnerability to deploy a copy of itself on a vulnerable machine and later it uses a feature of WBEM to achieve execution of that file on the remote computer.  What makes Stuxnet so interesting to researchers and analysts alike is the forethought and efficacy seen in its design.  Were the first two propagation methods to fail there is a third option which may be explored.  This option sees Stuxnet compromising hosts via the threat of USB drive propagation.   Upon being introduced to a computer the device is scanned with the code initiating itself.   It subsequently begins seeking out either Siemens WinCC systems or another USB device to further propagate itself.   This in and of itself is fairly normative worm like behavior however, what is different is the level of discretion associated with it.  The last time I saw malicious code and content that possessed that level of discretion was when Clampi had been released back in 2009. 

The worm has been found to possess command and control infrastructural elements and has been noted to update itself via a peer-to-peer element according to researchers at Symantec such as Liam O.Murchu.  Additionally, it deploys and installs a RPC (remote procedure call) server and client on all infected hosts similar to the way in which botnets do to their victims.  At the end of the day it remains to be seen whether this is an example of a state sponsored weaponized malware sample or  if this was the result of an industrial espionage driven by competition.  Regardless of who created it or what their reasoning was(or is), what is important to note and cannot be ignored is that the game has changed and what was once viewed as an academic bugbear is now a reality. 


Tags: Targeted Attacks,Advanced Persistent Threats,Cyber Warfare
Published On: 2010-09-23 15:40:00

Comments post a comment

  1. Dilbert commented on 2010-09-26 @ 07:16

    The time has come. While surrounded with armed guards, many corporations completely neglected their virtual security. But you can't make it work from day to day. There will me more pain, Stuxnet is just the pioneer.

  2. Spooler commented on 2010-11-30 @ 04:01

    Print Spooler is still one of the most vulnerable and problem-causing service in Windows.