Comprehensive Analysis Report on the Stuxnet Worm Attack on Industrial Control Systems
1. Event Background
Recently, multiple domestic and international media outlets have reported on the Stuxnet worm's attack on Siemens' SIMATIC WinCC data acquisition and monitoring system, calling it a "super virus", a "super factory virus", a "super weapon" and a "Pandora's box". The Stuxnet worm (also known as "Twins") began spreading widely in July of this year (2010). It exploits at least four vulnerabilities in Microsoft Windows, three of them previously unknown zero-days; signs its dropped drivers with a valid digital signature; crosses the physical isolation of dedicated industrial networks through a complete intrusion and propagation chain; and exploits two weaknesses in the WinCC system to carry out its attack. It is the first piece of malware known to directly target and damage real-world industrial infrastructure. According to Symantec, approximately 45,000 networks worldwide have been infected by the worm, with 60% of the affected hosts located in Iran, and the Iranian government has confirmed that the country's Bushehr nuclear power plant was attacked by it. On July 15th, Antiy captured the first variant of the Stuxnet worm, began analysis immediately, released an analysis report and preventive measures, and has been monitoring it continuously since. As of the publication of this report, Antiy has captured a total of 13 variants and over 600 sample files with distinct hash values.
2. Typical Behavior Analysis of Samples
2.1 Operating Environment
The Stuxnet worm can be activated and run on the following operating systems:
Windows 2000 (Professional and Server)
Windows XP, Windows Server 2003
Windows Vista
Windows 7, Windows Server 2008
It will immediately quit if it discovers that it is running on a non-Windows NT operating system.
The attacked software systems include:
SIMATIC WinCC 7.0
SIMATIC WinCC 6.2
However, the possibility of other versions of WinCC being attacked cannot be ruled out.
2.2 Local Behavior
After the sample is activated, the typical operation process is shown in Figure 1.
The sample first determines the current operating system type. If it is Windows 9X/ME, it exits directly.
Next, a DLL module is loaded, containing most of the code to be executed later. To evade monitoring and detection by antivirus software, the sample does not release the DLL module as a disk file, but instead copies it directly into memory and then simulates the normal DLL loading process.
Specifically, the sample first allocates a memory space, and then hooks six system functions exported by ntdll.dll:
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
To do this, the sample first changes the memory protection of the PE header of the ntdll.dll image mapped in its own process, then overwrites the unused DOS stub that begins at offset 0x40 with a jump table that redirects the six functions above to its own code. With these hooks in place, the sample calls LoadLibraryW with a placeholder file name that does not exist on disk (the kernel32.dll.aslr.<random number>.dll name described in section 2.5). The hooked ZwOpenFile, ZwCreateSection and ZwMapViewOfSection recognise that name and, instead of opening a file, create a section backed by the DLL image already copied into memory, so LoadLibraryW completes normally and returns a module handle for a DLL that was never written to disk.

Figure 1. Typical Workflow for the Sample
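The hooking described above leaves a measurable trace: the DOS stub region of ntdll.dll (the bytes between the end of the 0x40-byte DOS header and the PE signature at e_lfanew) is never executed or relocated on NT, so on a healthy process it is byte-for-byte identical to the copy on disk. The following is an added example, not code from the original report or from Antiy, showing the integrity check a memory-forensics tool would run: diff that region of a mapped module against its file image and flag patched runs that begin with an x86 jump. The two images it operates on are constructed here (a fake MZ header with e_lfanew = 0x80 and a six-entry jump table written at 0x40, with arbitrary jump targets); on a real host the inputs would be the bytes read from the process memory and from %System32%\ntdll.dll.

```python
import struct

# Offsets from the DOS (MZ) header layout.
E_LFANEW_OFFSET = 0x3C   # dword: file offset of the "PE\0\0" signature
DOS_HEADER_SIZE = 0x40   # the stub region the worm overwrites starts here


def pe_header_offset(image: bytes) -> int:
    """Return e_lfanew, the offset of the PE signature, from an MZ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    return struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]


def looks_like_jmp(chunk: bytes) -> bool:
    """True if a patched run starts with x86 'jmp rel32' (E9) or 'jmp [abs32]' (FF 25)."""
    return chunk[:1] == b"\xe9" or chunk[:2] == b"\xff\x25"


def find_header_patches(mapped: bytes, ondisk: bytes):
    """Diff the DOS stub region (0x40 .. e_lfanew) of a mapped module against the
    same module's on-disk image.

    On NT the DOS stub is never executed and the loader never writes into it, so
    any byte that differs after mapping was written by something else.
    Returns a list of (offset, patched_bytes, looks_like_jmp) runs.
    """
    end = pe_header_offset(ondisk)
    if pe_header_offset(mapped) != end:
        # e_lfanew itself was altered: report it and treat the header as suspect.
        return [(E_LFANEW_OFFSET, bytes(mapped[E_LFANEW_OFFSET:DOS_HEADER_SIZE]), False)]
    runs = []
    off = DOS_HEADER_SIZE
    while off < end:
        if mapped[off] == ondisk[off]:
            off += 1
            continue
        start = off
        while off < end and mapped[off] != ondisk[off]:
            off += 1
        chunk = bytes(mapped[start:off])
        runs.append((start, chunk, looks_like_jmp(chunk)))
    return runs


# --- constructed sample (not a real ntdll.dll) --------------------------------

DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + b"This program cannot be run in DOS mode.\r\r\n$")


def sample_images():
    """Build an on-disk style header and a copy patched the way the text describes:
    a table of six 'jmp rel32' entries written at offset 0x40. Jump targets are
    arbitrary constructed values."""
    ondisk = bytearray(b"MZ" + b"\x90" * (E_LFANEW_OFFSET - 2))
    ondisk += struct.pack("<I", 0x80)                        # e_lfanew = 0x80
    ondisk += DOS_STUB.ljust(0x80 - DOS_HEADER_SIZE, b"\x00")  # stub fills 0x40..0x80
    ondisk += b"PE\x00\x00"
    mapped = bytearray(ondisk)
    for i in range(6):
        entry = b"\xe9" + bytes([0x11 + i, 0x22, 0x33, 0x44])
        mapped[DOS_HEADER_SIZE + 5 * i: DOS_HEADER_SIZE + 5 * (i + 1)] = entry
    return bytes(ondisk), bytes(mapped)


if __name__ == "__main__":
    disk, mem = sample_images()
    for off, chunk, jmp in find_header_patches(mem, disk):
        print(f"patched run at {off:#x}: {len(chunk)} bytes, jmp-like={jmp}")
```

The check deliberately compares against the on-disk file rather than looking for "code" in the stub, because a normal DOS stub does contain code (the "This program cannot be run in DOS mode" routine); only a difference between the two copies is evidence of tampering. A module whose on-disk copy has itself been replaced would pass, so the on-disk ntdll.dll should also be checked against a known-good hash.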
After this, the sample jumps into the loaded DLL, which drops the following files:
%System32%\drivers\mrxcls.sys
%System32%\drivers\mrxnet.sys
%Windir%\inf\oem7A.PNF
%Windir%\inf\mdmeric3.PNF
%Windir%\inf\mdmcpq3.PNF
%Windir%\inf\oem6C.PNF
Two of these, mrxcls.sys and mrxnet.sys, are drivers registered as system services named MRxCls and MRxNET so that they start automatically. Both drivers use rootkit techniques and carry a digital signature (see section 4.3).
mrxcls.sys is responsible for locating the WinCC installation on the host and launching the attack. Specifically, it watches image-load operations of system processes and injects the module stored in %Windir%\inf\oem7A.PNF into three processes: services.exe, S7tgtopx.exe and CCProjectMgr.exe. The latter two belong to the Siemens Step 7 and WinCC software respectively.
mrxnet.sys hides the .lnk and DLL files copied to the USB drive by hooking certain kernel calls (Figure 2).

Figure 2. The Driver Hides Certain .Lnk Files
2.3 Propagation Mode
The Stuxnet worm targets the SIMATIC WinCC software. The latter is primarily used for data acquisition and monitoring in industrial control systems, typically deployed within a dedicated internal LAN and physically isolated from the external internet. To carry out its attack, the Stuxnet worm employs various methods for penetration and propagation, as shown in Figure 3.

Figure 3. Multiple Propagation Modes of the Sample
The overall propagation strategy is as follows: First, infect external hosts; then infect USB drives, exploiting shortcut file parsing vulnerabilities to spread to the internal network; within the internal network, propagation between networked hosts is achieved through shortcut parsing vulnerabilities, RPC remote execution vulnerabilities, and printer spooler service vulnerabilities; finally, it reaches the host with WinCC software installed and launches an attack.
Shortcut file parsing vulnerability (MS10-046)
This vulnerability is a flaw in the way the Windows shell parses shortcut (.lnk) files: a crafted shortcut can cause the shell to load an attacker-specified DLL. When it displays a shortcut, Windows reads the shortcut's structure to locate the icon to show for it. If the shortcut points at a Control Panel item, the shell loads the referenced module (a DLL) to obtain that icon, so an attacker can craft a shortcut naming a malicious DLL and have the code in it executed. Displaying the shortcut happens automatically whenever the folder is viewed, in Explorer or in any application that renders shortcut icons, with no user interaction and no dependence on AutoPlay, which is what makes the vulnerability so effective. The Stuxnet worm searches the computer for removable storage devices (Figure 4); once it finds one, it copies the shortcut files and DLL files onto it (Figure 5). If a user then plugs that device into a computer on the internal network, the vulnerability is triggered there, enabling a so-called "ferry" attack: infiltration of a physically isolated network via removable media.

Figure 4. Locating the USB Drive

Figure 5. Copying Files to USB Drive
Two DLL files are copied to the USB drive, ~wtr4132.tmp and ~wtr4141.tmp. The latter hooks the following functions exported by kernel32.dll and ntdll.dll:
FindFirstFileW
FindNextFileW
FindFirstFileExW
NtQueryDirectoryFile
ZwQueryDirectoryFile
Through these hooks, any directory enumeration performed by a process that has loaded ~wtr4141.tmp omits the worm's .lnk and .tmp files. Stuxnet therefore hides its files on the drive in two ways, with the kernel-mode driver (mrxnet.sys) and with user-mode API hooking, so the user sees nothing unusual and on-access scanners that rely on the same enumeration APIs may also miss them. A practical check is to list the drive from a known-clean host, or to compare a listing taken through the Win32 API with one taken from the raw volume: on an infected host the two disagree.
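Scanning removable media for the propagation files described in this section means two things: recognising the ~wtr*.tmp payload DLLs by name, and recognising shortcuts whose target list has the shape that triggers the icon-loading flaw. The following is an added example, not code from the original report or from Antiy: a minimal parser for the Shell Link header and LinkTargetIDList, a heuristic that flags shortcuts which pass through the Control Panel folder or embed a path to a loadable module, and a scan over a drive-root listing. The listing is constructed in the block (file names follow the text, contents are made up; the .lnk layouts are minimal, not copies of real Stuxnet shortcuts), and the Control Panel CLSID used as an indicator is an assumption of this example. Because an infected host hides these files from the enumeration APIs, the listing must be taken on a clean host.

```python
import fnmatch
import struct
import uuid

SHELL_LINK_HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x1
# Shell folder CLSID of the Control Panel; a target list that passes through it can
# make the shell load a module for its icon (indicator assumed for this example).
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
LOADABLE_EXTENSIONS = (".dll", ".cpl", ".tmp")
DROPPER_NAME_PATTERN = "~wtr*.tmp"      # ~wtr4132.tmp / ~wtr4141.tmp in the text


def parse_lnk(data: bytes):
    """Return (LinkFlags, [ItemID payloads]) from a Shell Link file. Only the header
    and the LinkTargetIDList are parsed; that is where the trigger lives."""
    if (len(data) < SHELL_LINK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != SHELL_LINK_HEADER_SIZE
            or uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        off = SHELL_LINK_HEADER_SIZE
        end = off + 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize
        off += 2
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size == 0:              # TerminalID ends the list
                break
            items.append(data[off + 2:off + item_size])
            off += item_size
    return flags, items


def utf16_strings(blob: bytes, min_len: int = 4):
    """Printable UTF-16LE runs in blob, tried at both byte alignments."""
    found = []
    for parity in (0, 1):
        run = []
        for i in range(parity, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
            else:
                if len(run) >= min_len:
                    found.append("".join(run))
                run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def assess_lnk(data: bytes):
    """Flag a shortcut whose target list walks through the Control Panel folder or
    names a loadable module: the shape of the MS10-046 trigger."""
    _, items = parse_lnk(data)
    control_panel = any(CONTROL_PANEL_CLSID.bytes_le in item for item in items)
    module_paths = [s for item in items for s in utf16_strings(item)
                    if s.lower().endswith(LOADABLE_EXTENSIONS)]
    return {"control_panel_item": control_panel, "module_paths": module_paths,
            "suspicious": control_panel or bool(module_paths)}


def scan_removable_root(listing: dict):
    """listing maps file names in the drive root to their contents, read on a clean
    host (an infected host's hooked directory APIs hide these files)."""
    findings = []
    for name, content in listing.items():
        if fnmatch.fnmatch(name.lower(), DROPPER_NAME_PATTERN):
            findings.append((name, "dropper-style temp DLL"))
        elif name.lower().endswith(".lnk"):
            try:
                verdict = assess_lnk(content)
            except ValueError as exc:
                findings.append((name, f"unparseable shortcut ({exc})"))
                continue
            if verdict["suspicious"]:
                detail = ", ".join(verdict["module_paths"]) or "control panel item"
                findings.append((name, "shortcut that loads a module: " + detail))
    return findings


# --- constructed samples (minimal layouts, not copies of real Stuxnet files) -----

def build_lnk(items) -> bytes:
    header = bytearray(SHELL_LINK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, SHELL_LINK_HEADER_SIZE)
    header[4:20] = SHELL_LINK_CLSID.bytes_le
    struct.pack_into("<I", header, 20, HAS_LINK_TARGET_IDLIST)
    idlist = b"".join(struct.pack("<H", len(item) + 2) + item for item in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(idlist)) + idlist


def sample_listing():
    evil = build_lnk([b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le,
                      b"\x00\x00" + "E:\\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00"])
    benign = build_lnk([b"\x2f" + "C:\\Tools\\notepad.exe".encode("utf-16-le") + b"\x00\x00"])
    return {"shortcut1.lnk": evil, "~WTR4141.tmp": b"MZ" + b"\x00" * 62,
            "~WTR4132.tmp": b"MZ" + b"\x00" * 62, "readme.lnk": benign}


if __name__ == "__main__":
    for name, why in scan_removable_root(sample_listing()):
        print(f"{name}: {why}")
```

The string scan is intentionally loose (any printable UTF-16 run ending in .dll, .cpl or .tmp), which is the right trade-off for a triage tool: a shortcut on removable media that references a bare DLL is worth a look regardless of the exact ItemID encoding the worm used.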
RPC remote execution vulnerability (MS08-067) and privilege escalation vulnerability
This was the most serious Windows vulnerability disclosed in 2008, characterised by ease of exploitation, wide impact and severe consequences.

Figure 6. Launching an RPC Attack
Specifically, a system with this vulnerability could allow remote code execution when it receives a carefully crafted RPC request. On Windows 2000, Windows XP, and Windows Server 2003 systems, this vulnerability allows attackers to launch attacks directly by sending maliciously crafted network packets, executing arbitrary code without authentication and gaining full privileges. Therefore, this vulnerability is often used by worms for large-scale propagation and attacks.
The Stuxnet worm exploits this vulnerability to spread within an internal local area network (Figure 6). When exploiting this vulnerability, if insufficient privileges cause the attack to fail, it will use an undisclosed vulnerability to escalate its own privileges (Figure 1) and then attempt the attack again. As of the time of this report, Microsoft has not provided a solution to this privilege escalation vulnerability.
Printer spooler service vulnerability (MS10-061)
This is a zero-day vulnerability first seen in the Stuxnet worm.
The print spooler service does not adequately validate the permissions of the user submitting a print job. An attacker can send a crafted print request to a host that exposes the print spooler interface (in practice, one with a shared printer) and have a file of the attacker's choosing written into that host's %System32% directory. Successful exploitation allows arbitrary code execution with SYSTEM privileges, and thereby further propagation and attack.

Figure 7. Exploiting a Print Service Vulnerability
The Stuxnet worm exploits this vulnerability to spread within an internal local area network. As shown in Figure 7, it sends two files to the target host: winsta.exe, which is the worm itself, and sysnullevnt.mof. The latter is a Managed Object Format (MOF) file; it lands in the wbem\mof subdirectory, which the WMI service compiles automatically, and the event-driven action it defines then executes winsta.exe. An unexpected .mof file in that directory, or an unexpected winsta.exe in %System32%, is therefore a useful indicator on hosts that share printers.
2.4 Attack Behavior
The Stuxnet worm queries two registry keys to determine whether the WinCC system is installed on the host (Figure 8):
HKLM\SOFTWARE\SIEMENS\WinCC\Setup
HKLM\SOFTWARE\SIEMENS\STEP7

Figure 8. Check the Registry to Determine Whether WinCC Is Installed
Once the WinCC system is discovered, two vulnerabilities within it will be exploited to launch an attack:
First, WinCC contains hard-coded credentials: the username and password it uses to access its back-end database are fixed in the software. Stuxnet uses these credentials to connect to the WinCC project's SQL Server database (Figure 9).
Second, when a Step 7 project (which WinCC depends on) is opened, the DLL loading strategy is flawed, allowing an attack similar to "DLL preloading". Stuxnet renames the original s7otbxdx.dll in the Step 7 installation to s7otbxsx.dll and drops its own s7otbxdx.dll in its place. The replacement exports the same functions as the original, forwarding most of them unchanged to the renamed library and hooking the ones used to query and read blocks, so that what the engineering software reads from the controller passes through Stuxnet's code.

Figure 9. Querying the WinCC Database
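The DLL substitution just described has a structural fingerprint: a proxy that wraps the original library keeps the original's export names but implements only the hooked ones itself, and resolves the rest as export forwarders ("s7otbxsx.name") to the renamed copy. A genuine library never forwards exports to a renamed copy of itself. The following is an added example, not code from the original report or from Antiy, showing the check a responder would run on the s7otbxdx.dll in a Step 7 installation: parse the PE export directory, separate forwarded exports from locally implemented ones, and report a proxy when anything is forwarded to s7otbxsx. The two DLLs it examines are constructed in the block (minimal PE32 images with one export section; the export names are illustrative, not a list of the real library's exports), so it runs offline; on a real host the input is the bytes of the installed s7otbxdx.dll, and the result should be combined with a signature check of that file.

```python
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200      # layout of the constructed sample DLLs


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(pe: bytes):
    """Map each named export to its forwarder string ('dll.func'), or None when
    the export is implemented inside this module. Handles PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    is_pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B
    exp_rva, exp_size = struct.unpack_from("<II", pe, opt + (96 if is_pe32 else 112))
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return {}
    ed = _rva_to_offset(exp_rva, sections)
    nfunc, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", pe, ed + 20)
    funcs = struct.unpack_from(f"<{nfunc}I", pe, _rva_to_offset(funcs_rva, sections))
    names = struct.unpack_from(f"<{nnames}I", pe, _rva_to_offset(names_rva, sections))
    ords = struct.unpack_from(f"<{nnames}H", pe, _rva_to_offset(ords_rva, sections))
    exports = {}
    for name_rva, ordinal in zip(names, ords):
        rva = funcs[ordinal]
        # A function RVA that points back inside the export directory is a forwarder string.
        is_fwd = exp_rva <= rva < exp_rva + exp_size
        exports[_cstr(pe, _rva_to_offset(name_rva, sections))] = (
            _cstr(pe, _rva_to_offset(rva, sections)) if is_fwd else None)
    return exports


def proxy_check(pe: bytes, renamed_original: str):
    """Split exports into those forwarded to `renamed_original` (passed through
    untouched) and those implemented locally (the ones a proxy hooks)."""
    exports = parse_exports(pe)
    forwarded = sorted(n for n, f in exports.items()
                       if f and f.split(".", 1)[0].lower() == renamed_original.lower())
    local = sorted(n for n, f in exports.items() if f is None)
    return {"is_proxy": bool(forwarded), "forwarded": forwarded, "local": local}


# --- constructed sample DLLs; the real s7otbxdx.dll has many more exports --------

def build_dll(dll_name: str, exports: dict) -> bytes:
    """Minimal PE32 with one .edata section. exports maps name -> forwarder or None."""
    n = len(exports)
    sec = bytearray(40 + 10 * n)             # directory, funcs(4n), names(4n), ordinals(2n)

    def add_str(s):
        sec.extend(s.encode() + b"\0")
        return SECTION_RVA + len(sec) - len(s) - 1

    name_rva = add_str(dll_name)
    funcs, names = [], []
    for i, (name, fwd) in enumerate(exports.items()):
        names.append(add_str(name))
        funcs.append(add_str(fwd) if fwd else 0x2000 + 0x10 * i)   # 0x2000+: pretend code
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, name_rva, 1, n, n,
                     SECTION_RVA + 40, SECTION_RVA + 40 + 4 * n, SECTION_RVA + 40 + 8 * n)
    struct.pack_into(f"<{n}I", sec, 40, *funcs)
    struct.pack_into(f"<{n}I", sec, 40 + 4 * n, *names)
    struct.pack_into(f"<{n}H", sec, 40 + 8 * n, *range(n))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96, SECTION_RVA, len(sec))          # export data directory
    sh = struct.pack("<8sIIIIIIHHI", b".edata", len(sec), SECTION_RVA, len(sec), SECTION_RAW,
                     0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sh).ljust(SECTION_RAW, b"\0") + bytes(sec)


def sample_dlls():
    """A clean library, and a proxy that forwards most exports to the renamed
    original while implementing the block read/enumerate ones itself."""
    names = ["s7blk_read", "s7blk_write", "s7blk_findfirst", "s7ag_read_szl"]
    clean = {n: None for n in names}
    proxy = {n: (None if n in ("s7blk_read", "s7blk_findfirst") else f"s7otbxsx.{n}")
             for n in names}
    return build_dll("s7otbxdx.dll", clean), build_dll("s7otbxdx.dll", proxy)
```

The locally implemented exports in a proxy are exactly the ones the attacker chose to intercept, so the "local" list doubles as a map of what was hooked; for a result of is_proxy, the presence of s7otbxsx.dll next to the checked file is the corroborating indicator from the text.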
2.5 Derivational Relationships of Sample Files
This section provides a comprehensive overview of the derivative relationships among the various files during the aforementioned copying, propagation, and attack processes of the sample.
As shown in Figure 10, the sample may come from various sources.
The original sample, as well as the samples delivered through the RPC vulnerability and the print service vulnerability, are all .exe files. Each carries, in its own .stub section, a module that it loads as "kernel32.dll.aslr.<random number>.dll" using the in-memory loading described in section 2.2.
The sample distributed via USB flash drive triggers the vulnerability when the system displays the shortcut file, loading the ~wtr4141.tmp file. The latter loads a module named “shell32.dll.aslr.<random number>.dll”, which loads another file, ~wtr4132.tmp, as “kernel32.dll.aslr.<random number>.dll”.
The module “kernel32.dll.aslr.<random number>.dll” is responsible for implementing most of the subsequent attack behavior. It exports 22 functions to complete the main functions of the malicious code; in its resource section, it contains some derivative files, which are saved in encrypted form.
Among them, exported function number 16 is used to derive some local files, including two drivers, mrxcls.sys (resource number 201) and mrxnet.sys (resource number 242), as well as four .pnf files.

Figure 10. Relationships Derived from Sample Files
Export function number 17 is used to exploit the second vulnerability in the WinCC system; it releases an s7otbxdx.dll.
Export function number 19 is responsible for propagating the shortcut parsing vulnerability. It releases multiple .lnk files and two DLL files with the .tmp extension.
Export function number 22 is responsible for propagating by exploiting RPC and print service vulnerabilities. Among the files it releases, resource number 221 is used for RPC attacks, resource number 222 for print service attacks, and resource number 250 for privilege escalation.
3. Solutions and Security Recommendations
3.1 Defend Against This Attack
Siemens has provided a solution to this attack, the link of which is in the appendix. Below, based on our analysis, we present more specific measures.
Remove the Stuxnet worm using specialized removal tools or manually.
The steps for manual removal are as follows:
Use Antiy ATool to terminate every lsass.exe process whose parent is not the legitimate one (winlogon.exe on Windows 2000/XP/2003; on Windows Vista/7/2008 the genuine lsass.exe is started by wininit.exe), since Stuxnet hosts its code in additional lsass.exe processes that it spawns itself;
Forcefully delete the following derived files:
%System32%\drivers\mrxcls.sys
%System32%\drivers\mrxnet.sys
%Windir%\inf\oem7A.PNF
%Windir%\inf\mdmeric3.PNF
%Windir%\inf\mdmcpq3.PNF
%Windir%\inf\oem6C.PNF
Delete the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNET
Install system patches for exploited vulnerabilities.
Install the following patch files provided by Microsoft:
RPC remote execution vulnerability (MS08-067)
Shortcut file parsing vulnerability (MS10-046)
Printer spooler service vulnerability (MS10-061)
In addition, note that the privilege escalation (EoP) vulnerability used by the worm remains unpatched, as does a second, similar EoP vulnerability that Microsoft subsequently identified. Users should track the patch status of both.
Install software patches
Install the WinCC system security update patch released by Siemens. The download address is in the appendix.
3.2 Security Recommendations
This attack highlights two issues:
Even physically isolated dedicated local area networks are not unbreakable;
Specialized software systems, including industrial control systems, can also be attacked.
Therefore, we offer the following security recommendations to the relevant departments and enterprises:
Strengthen the security of hosts (especially intranet hosts). Even physically isolated computers should have their operating system patches updated in a timely manner and a comprehensive security strategy established.
Install security software, including antivirus software and firewalls, and update the virus database in a timely manner;
Establish software security awareness, continuously monitor the security issues of the software used on the core computers in the enterprise, and promptly update any software with vulnerabilities.
Further strengthen the security of the enterprise intranet, with particular emphasis on the security of network services, and close unnecessary network service ports on the host;
Do not leave weak or default passwords enabled in any software or network service;
Strengthen management of removable storage devices: disable AutoPlay, scan removable media for viruses before use, apply autorun immunisation to removable drives, and use hardware-based USB scanning tools. Note that the shortcut vulnerability fires without AutoPlay, so disabling AutoPlay alone does not stop Stuxnet; the MS10-046 patch is the essential control.
4. Characteristics of the Attack
Compared to previous security incidents, this attack exhibits many new methods and characteristics, which warrant special attention.
4.1 Targeting Industrial Systems Specifically
The Stuxnet worm targeted Siemens’ SIMATIC WinCC system. This is a Supervisory Control and Data Acquisition (SCADA) system widely used in core industrial sectors such as steel, automotive, power, transportation, water conservancy, chemical, and petroleum, especially in national infrastructure projects. It runs on the Windows platform and is often deployed in a dedicated local area network isolated from the outside world.
Typically, the value of a worm attack lies in its wide reach and the universality of its targets. This attack, however, is entirely different. Its ultimate target is neither an open host nor general-purpose software. Whether it’s penetrating an internal network or exploiting vulnerabilities in large, specialized software, these are beyond the capabilities of ordinary attacks. This indicates that the attack’s intent was very clear, making it a meticulously planned attack.
4.2 Exploiting Multiple Zero-Day Vulnerabilities
The Stuxnet worm exploited the following vulnerabilities in Microsoft operating systems:
RPC remote execution vulnerability (MS08-067)
Shortcut file parsing vulnerability (MS10-046)
Printer spooler service vulnerability (MS10-061)
An undisclosed privilege escalation vulnerability
The latter three vulnerabilities were all first used in Stuxnet and are true zero-day vulnerabilities. Such a large-scale use of multiple zero-day vulnerabilities is rare.
These vulnerabilities were not chosen randomly. Each vulnerability played a unique role in the worm’s propagation method. For example, given that most antivirus software defends against USB viruses based on autoplay functionality, the shortcut vulnerability was used to spread the virus via USB drives.
On the other hand, some of the samples captured by Antiy carry compile timestamps from March of this year. The zero-day vulnerabilities were therefore already in the attackers' hands by March at the latest, yet none of them became public until the large-scale outbreak in July. Keeping them from leaking for that long is itself remarkable.
4.3 Use Valid Digital Signatures
After running, Stuxnet releases two driver files:
%System32%\drivers\mrxcls.sys
%System32%\drivers\mrxnet.sys
These two driver files carry a digital signature issued to Realtek (Figure 11) to evade antivirus detection. The certificate has since been revoked by the issuing CA and no longer validates online. However, most antivirus products currently determine whether an executable is signed by static inspection alone, without checking the chain or its revocation status, so a revoked signature can still deceive them. Revocation also gives no protection to isolated hosts that cannot fetch the CA's revocation list, which is exactly the situation of the industrial networks this worm targets.

Figure 11. Digital Signatures Used by Stuxnet
4.4 Specific Attack Targets
According to Symantec's statistics, in July only 25% of the infected hosts were located in Iran; by late September that proportion had reached 60%.
WinCC is widely used in Iran's basic and defense infrastructure. On September 27, the Iranian state news agency confirmed that the country's first nuclear power plant, the Bushehr plant, had been attacked. The plant was originally scheduled to begin operation in August of this year. Stuxnet was compiled in March and only reached large scale in July, which coincides with that schedule. There is therefore ample reason to believe that the attack had a clear geographical and organisational target.
5. Overall Evaluation
5.1 Industrial System Security Will Face Serious Challenges
In China, the WinCC system is widely used in many important industries. If attacked, the infrastructure of the enterprises and engineering projects concerned may operate abnormally, and serious incidents such as theft of secrets and production stoppages may follow.
The emergence of the Stuxnet worm did not come as a complete surprise to us. More than a year ago, a customer commissioned Antiy to carry out a similar analysis of the security of instrumentation in the chemical industry, and the conclusion was not optimistic.
Industrial control networks, including Industrial Ethernet and fieldbus control systems, have been used in industrial enterprises for many years. Currently, in large heavy industrial enterprises such as power, steel, and chemical industries, technologies such as Industrial Ethernet, DCS (Distributed Control System), and fieldbus have permeated all aspects of control systems. The core of industrial control networks is now industrial PCs, most of which are based on the Windows-Intel platform; there is no fundamental technical difference between industrial Ethernet and civilian Ethernet; and fieldbus technology has applied microcontrollers and embedded systems to every control instrument. Besides being vulnerable to attacks similar to those used on civilian or commercial networks, such as malicious code spread through local area networks, industrial control networks are also susceptible to attacks specifically targeting fieldbuses.
Attacks targeting civilian or commercial computers and networks are currently primarily aimed at gaining economic benefits; however, attacks on industrial control networks and fieldbuses can disrupt the normal monitoring and control of critical equipment and devices, with potentially catastrophic consequences. Taking the chemical industry as an example, attacks on industrial control networks can disrupt the normal temperature and pressure monitoring of reactors, leading to overheating or overpressure, ultimately resulting in catastrophic accidents such as material overflow, fires, or even explosions, and potentially causing secondary disasters and humanitarian catastrophes. Therefore, malicious code attacking industrial networks generally possesses the characteristics of information weapons, targeting the disruption or even severe damage to the normal production of important industrial enterprises, and its instigators are generally not individuals or ordinary underground hacker groups.
Currently, both Industrial Ethernet and Fieldbus standards are open standards, and programmers familiar with industrial control systems do not face a high technical barrier to developing targeted malicious attack code. Therefore, it is essential to strengthen and protect against the following potential vulnerabilities in industrial network security:
Industrial control PCs and industrial Ethernet networks based on the Windows-Intel platform are susceptible to attacks using the same methods employed against civilian or commercial PCs and networks, such as the spread of malicious code and network worms via USB drives.
Configuration software (the core of measurement and control software) is crucial in DCS and fieldbus control systems. Attacks on configuration software can fundamentally disrupt the measurement and control system. Currently, these products, especially industry-specific products, are monopolized by a few companies, such as Siemens SIMATIC WinCC commonly used in the power industry and Zhejiang University Control System Co., Ltd. commonly used in the petrochemical industry.
With the further widespread application of fieldbuses, fieldbuses based on digital communication will become new targets for attack, and the harm caused by an attack on a fieldbus is no less than that of an attack on industrial Ethernet. Fieldbuses on RS-485 or fibre-optic physical layers, such as PROFIBUS and MODBUS (the serial-link variant), have relatively good security in the sense that an attacker needs physical access to the bus; neither protocol authenticates its peers or protects its traffic, so once an attacker is on the bus or on a gateway host, nothing stops crafted frames. Short-range wireless networks are worse: measurement and control instruments that do not use a common short-range wireless protocol such as ZigBee (which has some security) but instead use custom proprietary protocols have poor security. In particular, some "wireless sensors" produced by small domestic enterprises build their radio on general-purpose 2.4 GHz short-range chips without even basic encryption of the link, which can be said to have no security whatsoever. They are extremely vulnerable to eavesdropping and attack, and wherever they are used they become the weakest point of the fieldbus.
Compared to information networks, the security of traditional industrial networks has relied on internal network isolation, resulting in a lack of robust safeguards. Therefore, security checks and hardening of industrial systems are urgently needed.
5.2 Outlook and Reflections
Against the backdrop of the deepening integration of traditional industry and information technology, and the shift of the core security of traditional industrial systems from physical security to information security, the Stuxnet worm attack is particularly worthy of our in-depth consideration.
This was an extremely unusual attack, specifically manifested in the following ways:
Traditional malicious attacks aim for a wide range of impact, while this attack was highly targeted.
Traditional attacks mostly exploit vulnerabilities in general-purpose software, but this attack targets industry-specific software.
This attack used multiple new zero-day vulnerabilities to launch a comprehensive attack, which is difficult for traditional attacks to achieve.
This attack successfully penetrated an isolated internal network by exploiting a carefully chosen vulnerability, something traditional attacks rarely achieve.
Considering the timing, technology, methods, purpose, and attack behavior, it is entirely reasonable to conclude that the attack was not launched by an individual or an ordinary underground hacker group.
Therefore, the numerous new vulnerabilities and propagation methods employed in this attack will provide the most direct impetus for new attacks for a considerable period of time to come. At least two new attack trends are worth noting:
1. Vulnerability discovery and attacks targeting industry-specific software, particularly those targeting software in critical and sensitive industries that have risen to the level of national strategy. Antiy, in its report “Analysis of Commonly Originating Trojan Samples in Multiple Enterprise Network Intrusion Incidents” released earlier this year, explicitly pointed out that “current vulnerability analysis and discovery focus is no longer concentrated on mainstream vendors, but has begun to spread widely.” On the other hand, while these attacks target software, they do not necessarily exploit inherent software flaws; security is a comprehensive issue, and attacks can come from any angle.
2. Attacks targeting enterprise internal networks, especially physically isolated private networks. These networks have higher security requirements and are therefore more valuable for attack. Common methods and techniques for infiltrating these networks via removable storage devices such as USB drives include infection, spoofing, and autoplay. The shortcut file parsing vulnerability discovered in this incident provides a more effective method for such attacks. Furthermore, these internal networks will likely attract attackers’ attention and research due to this incident, and the possibility of new attack methods emerging cannot be ruled out.
Of all the predictions about the future development of viruses, the most frightening is not their impact on the data of computer nodes themselves, but rather their potential cascading effects on related processes, such as the unauthorized control of weapon systems. Unfortunately, the Stuxnet worm attack proves that without effective preventative measures, these predictions will inevitably come true.
The first advancement in industrial electronics was the integration of analog electronics with mechanical manufacturing technology. Subsequently, with the continuous introduction of digital technologies, relying on microcontrollers, embedded programs, and early digital industrial control protocols, it achieved its second leap. At this stage, industrial control systems were heterogeneous and separate from office information networks, and their security considerations primarily focused on physical security.
As the cost of PC environments and the internet gradually decreases, more and more industrial systems and other information systems are moving towards standard x86 environments. An increasing number of control signals and data acquisition transmissions are adopting TCP/IP protocols or even using public networks for transmission. This has provided the vast x86 virus population with new targets that could pose even more lethal threats. Therefore, even data exchange based on traditional physical isolation cannot absolutely guarantee security. In this incident, the threat posed by non-real-time propagation methods such as USB drives has once again become prominent. On the other hand, due to considerations of internal network isolation and stability, industrial systems often use older versions of operating systems without effective patches, further exacerbating security vulnerabilities.
Designers and users of traditional industrial systems have already given considerable thought to physical security, ensuring their normal operation through sufficient sensors, extensive processes, documentation, and proactive human effort. However, in this incident, the system developers hard-coded the database username and password instead of making them configurable and independent of the program. This is a basic software development error, yet it may be prevalent in current dedicated software systems. We can see that almost every pitfall in traditional PC development will be repeated in industrial control systems in terms of security. It can also be concluded that in the next 20 years, the core security issue for industrial systems will no longer be isolated physical security problems, but rather the security of the information systems that are the soul of their operation. This problem is even more pronounced in the Internet of Things (IoT), which humanity sees as the future direction of development.
Security vendors were not considered part of the traditional industrial security system. Therefore, in the early stages of this incident, security vendors and attackers were in a position of information asymmetry. Attackers conducted long-term analysis and preparation against the target industrial system before launching the attack; however, when faced with a sudden incident, security vendors could not reproduce the problem and follow up with analysis immediately, unlike when vulnerabilities appear in common operating systems or internet software. They needed the cooperation of the relevant software developers. From this perspective, exploiting the universality of the PC environment to spread attacks against relatively closed industrial systems or other specialized systems, and taking advantage of the information asymmetry between manufacturers and security vendors to gain effective attack time, will become a new, highly challenging, and ironic attack method. Therefore, the misconception that proprietary systems are independent of security threats, leading to the exclusion of security vendors, is actually opening the door to attackers. As professional security engineers, we will proactively assume greater responsibility. The future will prove that our work is not only protecting a virtual world, but also the real world we depend on for survival.
Appendix 1: References
1. Siemens’ solution to this attack:
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&objid=43876783
2. The download address for the patch files provided by Microsoft is as follows:
RPC remote execution vulnerability (MS08-067)
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
Shortcut file parsing vulnerability (MS10-046)
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
Printer spooler service vulnerability (MS10-061)
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
3. Download link for the WinCC system security update patch provided by Siemens:
4. Download address for Antiy ATool:
