Follow-up Analysis Report on the Stuxnet Worm

1.Overview


This report supplements Antiy Labs’ “Comprehensive Report on the Stuxnet Worm Attack on Industrial Control Systems”.

In subsequent analysis we found that the Stuxnet worm sends host information, including the IP address, operating system details and installed software versions, to two URLs and retrieves updates of itself from them. This gives the attackers fine-grained control over the scope, targets and methods of the attack.

Whether Stuxnet spreads via USB drives is governed by fields in its configuration data. It attempts to connect to the Internet to determine whether it is on an isolated internal network, and decides on that basis whether to infect USB drives.

Within the local area network, Stuxnet propagates and updates itself by means of its own RPC service, network shares, and remote access to the WinCC system database.

Finally, Stuxnet attacks Siemens PLCs (Programmable Logic Controllers) by replacing a DLL. The injected PLC code runs correctly only on specific hardware, further demonstrating how narrowly the attack is targeted. However, because the worm can update itself, an attacker could readily retarget it against other systems.

2.Configuration Data


When Stuxnet runs, it drops two driver files and four .PNF files on the local disk. Among them, %Windir%\inf\mdmcpq3.PNF holds the runtime configuration data and the collected host information.

The first 1860 bytes of this file are configuration data, including:

• URL address of the Stuxnet upgrade server

• Stuxnet version

• Activation time and expiration time

• Markers that determine propagation behavior

• Other fields

These 1860 bytes are stored in the file obfuscated by XORing every byte with 0xff. At run time Stuxnet decodes them into memory and chooses its behaviour based on their contents. Note that XOR with a constant is not encryption: the block can be recovered from a disk image with no key, which makes the file an easy forensic artifact.

3.Version Update


The Stuxnet configuration data contains four URLs:

• www.windowsupdate.com

• www.msn.com

• www.mypremierfutbol.com

• www.todaysfutbol.com

The first two are used only to test whether the host has Internet connectivity; the latter two are Stuxnet’s update servers. Stuxnet collects the following information about the local host:

• IP address and network interface card information

• Operating system version, username, and other information

• WinCC system and Step7 software versions

It encrypts this information and appends it to the end of the configuration file mdmcpq3.PNF.

It then attempts to connect to the first two URLs. If that succeeds, it sends the collected information as parameters of HTTP GET requests to the two update servers, which return data selected according to that information.
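The beacon sequence just described (a reachability probe to windowsupdate.com or msn.com, followed by an HTTP GET carrying parameters to one of the two update servers) is something a defender can look for in proxy logs. The following is an added example written for this page, not code from the Antiy report or from Stuxnet itself. The log format (`<epoch> <client_ip> <method> <host> <path>`, one request per line), the 300-second pairing window and the `/?q=...` query shape are assumptions made for the example; the sample lines are constructed.

```python
"""Flag the Stuxnet update beacon in proxy logs: a connectivity probe to
windowsupdate.com / msn.com followed shortly by a parameterised GET to one of
the two update servers named in the report.

Added example, not the report's or the worm's own code. Log format, window
length and query shape are assumptions; the sample log is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

CONNECTIVITY_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
UPDATE_HOSTS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}
PROBE_WINDOW_SECONDS = 300  # assumed: how soon after the probe the beacon must follow

# Constructed sample log: three clients, only the first shows the full sequence.
SAMPLE_LOG = """\
1278000000 10.1.2.3 GET www.msn.com /
1278000002 10.1.2.3 GET www.windowsupdate.com /
1278000005 10.1.2.3 GET www.mypremierfutbol.com /?q=0a1b2c3d4e5f
1278000100 10.1.2.9 GET www.msn.com /
1278003000 10.1.2.9 GET www.todaysfutbol.com /?q=ffee
1278000200 10.1.2.7 GET www.todaysfutbol.com /
"""


def parse_line(line: str) -> dict:
    """Split one constructed-format log line into its fields."""
    ts, client, method, host, path = line.split(maxsplit=4)
    return {"ts": int(ts), "client": client, "method": method, "host": host, "path": path}


def detect(lines) -> list:
    """Return one alert per GET to an update server, rated by how closely it matches the sequence."""
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    probes = defaultdict(list)  # client -> timestamps of connectivity probes seen so far
    alerts = []
    for r in records:
        if r["host"] in CONNECTIVITY_HOSTS:
            probes[r["client"]].append(r["ts"])
            continue
        if r["host"] not in UPDATE_HOSTS or r["method"] != "GET":
            continue
        has_params = bool(urlsplit(r["path"]).query)
        preceded = any(0 <= r["ts"] - t <= PROBE_WINDOW_SECONDS for t in probes[r["client"]])
        alerts.append({
            "client": r["client"], "ts": r["ts"], "host": r["host"],
            "has_params": has_params, "preceded_by_probe": preceded,
            # Any contact with the update servers is worth a look; the full
            # probe-then-parameterised-GET pattern is rated higher.
            "severity": "high" if has_params and preceded else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Any request to the two update domains deserves an alert on its own; the probe pairing only raises confidence that the request came from the worm rather than from a user typing the name.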

The returned data can contain a complete, newer version of the worm together with more specific configuration data. On receipt, Stuxnet loads it into memory as a new executable module and transfers execution to it, updating the attack code on the fly. It also copies the new configuration data into the main DLL module in memory and recalculates that DLL’s checksum, so that the configuration can be switched at run time.

If the connection fails, Stuxnet continues to run from its local files. Internet connectivity therefore does not determine whether it operates, only some of the details of how.

Furthermore, the Stuxnet worm implements its own RPC service, forming a peer-to-peer network among infected hosts on a local area network (LAN) to exchange version information and update to the newest version available. Even a host with no direct Internet connection can therefore still be updated.

We believe the update mechanism gives the attackers the following capabilities:

• From the received information (IP address, operating system version, etc.) they can determine a host’s geographical location and decide whether to proceed to the next stage, making the attack precise;

• From the returned industrial control system information they can choose which technique to use or launch a different type of attack, making the attack both targeted and varied.

4.Spread via USB Drives


To reach isolated industrial networks, Stuxnet spreads via USB drives. To execute from the drive, it exploits the Windows shortcut (.lnk) parsing vulnerability MS10-046. According to Symantec, earlier variants used a conventional autorun.inf file for this purpose.

Whether Stuxnet infects the USB drive depends on several fields in the configuration data, including:

• Flag bits at offsets 0x6c, 0x70, and 0xc8;

• The timestamps at offsets 0x78 and 0x7c;

• Values at offsets 0x80 and 0x84.

The USB drive is infected only if the condition on each of these fields is met. By default, the flag at offset 0xc8 is set so that drives are not infected.

Stuxnet does not modify its own configuration data; configuration changes arrive only through version updates. We therefore believe that its Internet connection attempt serves to determine whether it is on an isolated internal network: if so, it spreads only by other means, and it infects USB drives only after it has obtained an update from a server or from another infected host.
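The XOR-0xff encoding of section 2 and the field offsets listed above are enough to write a small triage parser for an mdmcpq3.PNF-style file. The following is an added example written for this page, not code from the Antiy report or from Stuxnet. Beyond what the report states it assumes that the flags and values are 32-bit little-endian integers, that a non-zero flag counts as “set”, and that the two timestamps at 0x78 and 0x7c are Unix epoch seconds forming an activation/expiry window; the sample block it builds is constructed, not a real artifact.

```python
"""Decode an mdmcpq3.PNF-style configuration block (first 1860 bytes, each
XORed with 0xff) and pull out the fields the report names.

Added example, not the report's or the worm's own code. Field width, byte
order, flag semantics and timestamp interpretation are assumptions; the
sample block is constructed.
"""
import struct

CONFIG_LEN = 1860  # size of the configuration block stated in the report
CONNECTIVITY_HOSTS = (b"www.windowsupdate.com", b"www.msn.com")
UPDATE_HOSTS = (b"www.mypremierfutbol.com", b"www.todaysfutbol.com")

# Offsets the report lists as the USB-propagation conditions.
FIELD_OFFSETS = {
    "flag_6c": 0x6C, "flag_70": 0x70, "flag_c8": 0xC8,
    "ts_78": 0x78, "ts_7c": 0x7C,
    "val_80": 0x80, "val_84": 0x84,
}


def xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xff. The operation is its own inverse."""
    return bytes(b ^ 0xFF for b in data)


def decode_config(pnf: bytes) -> bytes:
    """Return the decoded 1860-byte block; anything after it is the appended host info."""
    if len(pnf) < CONFIG_LEN:
        raise ValueError("file is shorter than the 1860-byte configuration block")
    return xor_ff(pnf[:CONFIG_LEN])


def parse_fields(cfg: bytes) -> dict:
    """Read the named fields as little-endian uint32 (assumed width and byte order)."""
    return {name: struct.unpack_from("<I", cfg, off)[0] for name, off in FIELD_OFFSETS.items()}


def find_hosts(cfg: bytes) -> list:
    """Hostnames from the report's URL list that appear in the decoded block."""
    return [h.decode() for h in CONNECTIVITY_HOSTS + UPDATE_HOSTS if h in cfg]


def looks_like_stuxnet_config(pnf: bytes) -> bool:
    """Triage check: the update-server names appear only after XOR-0xff decoding."""
    if len(pnf) < CONFIG_LEN:
        return False
    cfg = decode_config(pnf)
    return any(h in cfg for h in UPDATE_HOSTS) and not any(h in pnf for h in UPDATE_HOSTS)


def usb_disabled_by_flag(fields: dict) -> bool:
    """The report says the 0xc8 flag is set by default so that USB drives are
    not infected; treating non-zero as 'set' is an assumption."""
    return fields["flag_c8"] != 0


def in_time_window(fields: dict, now: int) -> bool:
    """Treat 0x78/0x7c as an activation/expiry pair of epoch timestamps (assumption)."""
    return fields["ts_78"] <= now <= fields["ts_7c"]


def build_sample_pnf() -> bytes:
    """Constructed sample: an encoded block followed by a stand-in for the appended host info."""
    cfg = bytearray(CONFIG_LEN)
    struct.pack_into("<I", cfg, 0x6C, 1)
    struct.pack_into("<I", cfg, 0x70, 1)
    struct.pack_into("<I", cfg, 0x78, 1_250_000_000)  # constructed window start
    struct.pack_into("<I", cfg, 0x7C, 1_340_000_000)  # constructed window end
    struct.pack_into("<I", cfg, 0xC8, 1)              # USB propagation off (report's default)
    names = b"\0".join(CONNECTIVITY_HOSTS + UPDATE_HOSTS) + b"\0"
    cfg[0x200:0x200 + len(names)] = names             # position within the block is arbitrary here
    return xor_ff(bytes(cfg)) + b"<encrypted host info would follow>"


if __name__ == "__main__":
    pnf = build_sample_pnf()
    cfg = decode_config(pnf)
    fields = parse_fields(cfg)
    print("Stuxnet-like config block:", looks_like_stuxnet_config(pnf))
    print("hosts:", find_hosts(cfg))
    print("USB disabled by 0xc8 flag:", usb_disabled_by_flag(fields))
    for name, value in fields.items():
        print(f"  {name:8s} = {value:#010x}")
```

Because the encoding is a constant XOR, `looks_like_stuxnet_config` also doubles as a negative check: a file that already contains the hostnames in the clear is not this artifact, and a file whose first 1860 bytes decode to nothing recognisable is not either.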

When Stuxnet infects a USB drive, it copies several .lnk shortcut files and two .tmp files to the root directory. One of the .tmp files is digitally signed and serves to conceal the worm’s own components, including its driver; the other contains the worm itself and its loader, with the configuration data already embedded.

5.Other modes of communication


In addition to the RPC-based peer-to-peer updating, Stuxnet uses the following methods to propagate within the intranet:

• Weak passwords on LAN file shares

• The MS10-061 Print Spooler service zero-day vulnerability

• The MS08-067 Server service vulnerability

• The hard-coded password of the WinCC database

The last of these is the WinCC method mentioned above: using a hard-coded default account, Stuxnet connects remotely to the database of a host with WinCC installed, writes a binary blob into the database, dumps it to a file on that host and executes it.

6.Attacks on PLCs


Because the attack on the WinCC system depends on a specific industrial environment, we were unable to build a simulation environment for it. This section is compiled from Symantec’s report on the subject.

Stuxnet inserts its own code into the Step 7 project by replacing a DLL of the WinCC/Step 7 software. Step 7 runs on an ordinary PC and programs and controls PLC (Programmable Logic Controller) devices. The replacement DLL carries executable PLC code for specific PLC models (the Siemens 6ES7-315-2 and 6ES7-417 series), which is what makes the attack possible.

This hard-coded attack code is not portable across PLC series, which further confirms how precisely the target was chosen.

However, we cannot let our guard down. Stuxnet has two update mechanisms, one via the Internet and one via the local area network. It is entirely possible to replace this part of the code with code for other PLC series through an update, and so attack other systems.