
Authors: Rahat Masood, Um-e-Ghazia, Zahid Anwar

National University of Sciences and Technology, Islamabad, Pakistan

Stuxnet is one of the most sophisticated recent worms; it hit Iranian nuclear facilities in June 2010. A senior director at Symantec reported that Iran was by far the hardest-hit country (about 60% of infections). Stuxnet mainly targets the uranium enrichment facility at Natanz, where it alters centrifuge speed. It targets the computer control systems commonly used to manage water supplies, oil rigs, power plants and other facilities.

It is assumed that about 10% of the centrifuges at Natanz were affected by this worm between 2009 and 2010. The rotational speed of the centrifuges is first increased and then dropped, introducing distortions that disturb their normal behaviour.

A complex piece of malware, intended to sabotage the normal functioning of certain critical systems. It has two main phases:

Propagation Phase: propagation of the worm, based on vulnerabilities inherent in the Windows platform.
Injection Phase: attack on Siemens SCADA systems, which control Programmable Logic Controllers (PLCs).

Stuxnet contains a user-level as well as a kernel-level rootkit that hides its presence and gains root-level privileges. It penetrates the target infrastructure through:
- Removable storage media such as USB drives
- Network (LAN)
  - Propagation via network shares
  - Propagation via the print spooler zero-day vulnerability (MS10-061)

When a target (WinCC) is discovered, the behaviour of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In other words, the normal function of certain critical systems is altered by manipulating their controllers.

The six Stuxnet files:
- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk
- ~WTR4141.TMP
- ~WTR4132.TMP

- The first four .lnk files control the display of the shortcut icons of all files on the system.
- The various .lnk files correspond to different versions of Windows.
- These .lnk files load the library "~WTR4141.tmp", which in turn loads the file "~WTR4132.tmp".


The worm is also capable of spreading over the network through shared folders. The malicious payload is copied and executed through shared credentials on the network. When a LAN user accesses the shared files, the file is copied into his system directories. Stuxnet scans the network shares of remote computers and installs a file (dropper) there with the name DEFRAG<GetTickCount>.TMP.

When a printer is shared on a system, a user is able to "print" (read and write) files into the "%System%" directory. This allows a remote user to copy files into the %SYSTEM% directory to which the user has no access. Exploitation in this case comprises two phases: an injection phase and an execution phase.

Injection Phase: copying winsta.exe and "sysnullevnt.mof" into the Windows %SYSTEM% directory.
Execution Phase: executing the script "sysnullevnt.mof". This file is used to trigger the previously copied files.

The vulnerability relates to the way the icon for a link is loaded. This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()". By forcing the CPL file to change through the "File Location Info" field of a LNK file, Stuxnet is able to force any Windows system to execute arbitrary code. The user is redirected to a malicious path by opening the shortcut file.


Backtrack 4 acts as the C&C server; the Metasploit Framework within Backtrack 4 is used. The Metasploit Framework acts as the USB drive used to exploit the vulnerabilities. Three Windows XP machines are used:
- 2 connected in a LAN (XP1, XP2)
- 1 XP machine (XP3) containing the Keil and Proteus software (in place of a PLC)

Components: VirtualBox, Linux Backtrack 4, Metasploit Framework.

MS08_067 and MS10_061 are exploited through the LAN. MS08_067 is exploited through a shared folder in the LAN. MS10_046 is exploited on the machine standing in for the PLC. No hardware printer is attached, but a print server is shared on the LAN, through which MS10_061 is exploited. We created Stuxnet.exe, which propagates in the LAN, and Plc.exe, which specifically targets the PLC machine and disturbs its normal behaviour.

Steps for MS08_067:
1. Connecting the C&C server and the PCs on the network
2. Enter commands for ms08_067
3. Through meterpreter, upload stuxnet.exe into the shared folder
4. After copying, it hides itself
5. Stuxnet.exe executes and copies itself to the C: drive
6. PC1 opens the shared folder and stuxnet.exe
7. When LAN PCs open this exe, Stuxnet.exe propagates

Steps for MS10_061:
1. Connecting the C&C, the PCs and the print server in the LAN
2. Enter commands for ms10_061
3. A print command is sent to the print server via Metasploit
4. Malicious exes are copied to PC5 and PC3
5. PC3 and PC5 on the LAN send a print command to the print server
6. Two malicious exes are inserted on the print server in the location windows/system32

Steps for MS10_046:
1. Connecting the C&C server and PC6 with each other
2. Enter commands for ms10_046
3. PC6 opens an Internet Explorer shortcut file
4. Upload plc.exe and execute it through meterpreter
5. A meterpreter session is opened
6. Two dll files are opened on PC6
7. The KEIL project file changes, i.e. the code changes
8. The Proteus circuit diagram output changes, i.e. the pressure sensor gives an alert

Exploit: MS08_067_netapi (Server Service)
Result: The server copies a malicious file, Stuxnet.exe, into a folder shared on the LAN. When any machine on the LAN uses this file, the exe automatically copies itself onto that machine.

Exploit: MS10_061_spoolss (Print Spooler)
Result: A print command containing two random files is sent to the print server. These files are copied into the Windows system directory; sending the print command to the server automatically copies the two files into the system directory.

Exploit: MS10_046_dllloader (.LNK Vulnerability)
Result: Opening the shortcut file results in session establishment with the attacker machine. The malicious plc.exe file is uploaded to the victim machine. Plc.exe specifically targets the PLC machine (Keil & Proteus) and disturbs the normal functioning of the pressure sensor: the value of the pressure sensor drops to 0 and an alert is generated.

This work shows simulations using dummy malicious Stuxnet exe files. It will be extended by analysing the original six Stuxnet files in the original PLC software, or by implementing the pure Stuxnet worm (writing its source code). The next version of Stuxnet, i.e. Duqu (Stuxnet 2.0), is under consideration; its payload differs from Stuxnet 1.0: it targets certificate authorities and redirects victims to rogue servers. AlienVault is a tool that can provide information about Stuxnet detection by analysing different event logs and writing specific rules related to it.
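As an added example (not part of the original slides or the authors' simulation), the following Python sketches the kind of event-log detection rule the conclusion refers to: it scans constructed file-creation log lines for the artifact names described earlier (the "Copy of ... Shortcut to.lnk" files, ~WTR4141/~WTR4132.tmp, DEFRAG<GetTickCount>.TMP on a share, and winsta.exe/sysnullevnt.mof written into %System%). The log-line format, host names and event names are assumptions made for the example.

```python
import re

# Detection rules built from the artifact names the slides describe; the
# third field says whether the hit must lie inside the %System% directory.
RULES = [
    ("lnk_shortcut", re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.I), False),
    ("lnk_dropper", re.compile(r"^~WTR41(41|32)\.TMP$", re.I), False),
    ("share_dropper", re.compile(r"^DEFRAG\d+\.TMP$", re.I), False),  # DEFRAG<GetTickCount>.TMP
    ("spooler_drop", re.compile(r"^(winsta\.exe|sysnullevnt\.mof)$", re.I), True),
]

# Assumed (constructed) log-line format: "<time> host=<h> event=<e> path=<p>"
LINE_RE = re.compile(r"host=(?P<host>\S+) event=(?P<event>\S+) path=(?P<path>.+)$")

def in_system_dir(path):
    # %System% is normally C:\WINDOWS\system32; compare case-insensitively
    return "\\windows\\system32\\" in path.replace("/", "\\").lower()

def check_event(host, event, path):
    """Return (rule, host, path) for a matching file-creation event, else None."""
    if event != "FileCreate":  # reads of the same names are not flagged
        return None
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    for rule, pattern, needs_system_dir in RULES:
        if pattern.search(name) and (not needs_system_dir or in_system_dir(path)):
            return (rule, host, path)
    return None

def scan_log(text):
    """Run every rule over each log line; return the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            alert = check_event(m["host"], m["event"], m["path"])
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample log: four true positives and three lines that must not fire
SAMPLE_LOG = r"""2010-06-12T10:01:02 host=XP1 event=FileCreate path=E:\Copy of Copy of Shortcut to.lnk
2010-06-12T10:01:03 host=XP1 event=FileCreate path=E:\~WTR4141.tmp
2010-06-12T10:02:10 host=XP2 event=FileCreate path=\\XP1\share\DEFRAG20481.TMP
2010-06-12T10:03:44 host=PRINTSRV event=FileCreate path=C:\WINDOWS\system32\sysnullevnt.mof
2010-06-12T10:04:00 host=XP3 event=FileCreate path=C:\Temp\winsta.exe
2010-06-12T10:04:01 host=XP3 event=FileRead path=E:\~WTR4132.tmp
2010-06-12T10:04:02 host=XP2 event=FileCreate path=C:\Temp\report.lnk"""

for rule, host, path in scan_log(SAMPLE_LOG):
    print(f"{rule:14} {host:9} {path}")
```

The spooler rule only fires when the file lands under \Windows\system32, which is what distinguishes the MS10-061 write from an ordinary copy of a file with the same name elsewhere.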

