
In-depth Analysis of Stuxnet Virus

In October 2010, a number of domestic and foreign media successively reported the attack of the Stuxnet worm on SIMATIC WinCC, Siemens' data acquisition and monitoring system, calling it a "super virus" and "super factory virus" and describing it as a "super weapon" and a "Pandora's Box".

The Stuxnet worm (commonly known as "Shocknet" and "Twin") began to break out in July 2010. It exploits at least four vulnerabilities in Microsoft's operating system, including three brand new zero-day vulnerabilities; forges digital signatures of drivers; breaks through the physical constraints of industrial private local area networks (LANs) through a complete set of intrusion and propagation processes; and exploits two vulnerabilities in the WinCC system to carry out a destructive attack on it. It is the first malicious code to directly damage real-world industrial infrastructure. According to Symantec's statistics, as of September 2010, about 45,000 networks around the world have been infected by the worm, of which 60% of the victim hosts are located in Iran. The Iranian government has confirmed that the country's Bushehr nuclear power plant was attacked by the Stuxnet worm.

Anthem Labs captured the first variant of the Stuxnet worm on July 15, analyzed it immediately, released an analysis report and preventive measures, and has continued to track it. As of the release of this report, Anthem has captured 13 variants and more than 600 sample entities with different hash values.

2.1 Operating Environment

The Stuxnet worm can be activated and run on the following operating systems:

Windows 2000, Windows Server 2000

Windows XP, Windows Server 2003

Windows Vista

Windows 7, Windows Server 2008

When it finds itself running on an operating system outside the Windows NT family, it exits immediately.

The software systems attacked include SIMATIC WinCC 7.0 and SIMATIC WinCC 6.2; the possibility that other versions have the same problem cannot be ruled out.

2.2 Local Behavior

A typical runtime flow after the sample is activated is shown in Figure 1.

The sample first determines the current operating system type, and if it is Windows 9X/ME, it simply exits.

Next, a major DLL module is loaded, and all subsequent actions are performed in this DLL. To avoid detection, the sample does not release the DLL module as a disk file and then load it, but copies it directly into memory and then simulates the DLL loading process.

Specifically, the sample first requests enough memory space and then hooks six system functions exported by ntdll.dll:

ZwMapViewOfSection

ZwCreateSection

ZwOpenFile

ZwClose

ZwQueryAttributesFile

ZwQuerySection

To do this, the sample first modifies the protection attributes of the PE header in the memory image of ntdll.dll, and then overwrites the unused data at offset 0x40 with jump code that implements the hook.

With the hooks in place, the sample can use ZwCreateSection to create a new PE section in its memory space, copy the DLL module to be loaded into it, and finally obtain the module handle with LoadLibraryW.

Figure 1 Typical runtime of the sample

After that, the sample jumps to the loaded DLL and executes it, deriving the following files:

%System32%\drivers\mrxcls.sys

%System32%\drivers\mrxnet.sys

%Windir%\inf\oem7A.PNF

%Windir%\inf\mdmeric3.PNF

%Windir%\inf\mdmcpq3.PNF

%Windir%\inf\oem6C.PNF

Two of these, the drivers mrxcls.sys and mrxnet.sys, are registered as system services under the names MRXCLS and MRXNET respectively so that they start at boot. Both drivers use rootkit techniques and carry digital signatures.

mrxcls.sys is responsible for finding WinCC systems installed in the host computer and attacking them. Specifically, it monitors the image loading operations of system processes and injects a module stored in %Windir%\inf\oem7A.PNF into the services.exe, S7tgtopx.exe, and CCProjectMgr.exe processes, the latter two being WinCC system runtime processes.

mrxnet.sys hides the lnk and DLL files copied to the USB flash drive by modifying some kernel calls (Figure 2).

Figure 2 Driver hides some lnk files

Figure 3 Multiple propagation modes of the sample

2.3 Propagation modes

The Stuxnet worm targets the SIMATIC WinCC software. The latter is mainly used for data acquisition and monitoring of industrial control systems, and is usually deployed in a dedicated internal LAN that is physically isolated from the external Internet. In order to carry out the attack, the Stuxnet worm adopts a variety of means to infiltrate and spread, as shown in Figure 3.

The overall propagation idea is: first infect an external host; then infect a USB flash drive and, using the shortcut file parsing vulnerability, spread into the internal network; within the intranet, spread between networked hosts through the shortcut parsing vulnerability, the RPC remote execution vulnerability and the printer backend program service vulnerability; and finally reach a host with WinCC software installed and carry out the attack.

2.3.1. Shortcut File Parsing Vulnerability (MS10-046)

This vulnerability is a flaw in the mechanism Windows uses to parse shortcut files (.lnk files), which allows the system to load a DLL file specified by the attacker and thus trigger the attack. Specifically, when Windows displays a shortcut file, it looks up the icon resource it needs based on the information in the file and presents it to the user as the file's icon. If the icon resource is in a DLL file, the system loads that DLL. An attacker can construct such a shortcut file so that the system loads the specified DLL and executes the malicious code in it. The display of the shortcut file is performed automatically by the system without user interaction, making the vulnerability highly exploitable.
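As an added, defender-side example (not code from the original report), the following Python parses the fixed ShellLinkHeader and the StringData fields of a .lnk file as laid out in Microsoft's MS-SHLLINK format, then flags shortcuts whose icon is served from a loadable module outside the system directories or from a relative path beside the shortcut itself, which is how a triage script would sift the .lnk files found on a removable drive. The flag values and header offsets follow the published format; `build_lnk` and the sample icon paths are constructed test input, and the heuristics in `triage_lnk` are mine.

```python
import struct

# LinkFlags bits and header layout follow the MS-SHLLINK format.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C                      # fixed ShellLinkHeader size
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MODULE_EXTS = (".dll", ".cpl", ".tmp")  # files Windows would map as code to draw an icon
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\", "c:\\program files")


def _read_string(data, pos, unicode):
    """Read one StringData entry: a 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + width * count]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + width * count


def parse_lnk(data):
    """Validate the header, skip IDList/LinkInfo, and collect the StringData fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    icon_index = struct.unpack_from("<i", data, 0x38)[0]
    unicode = bool(flags & IS_UNICODE)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:     # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "icon_index": icon_index}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[name], pos = _read_string(data, pos, unicode)
    return info


def triage_lnk(data):
    """Return (verdict, icon_location); anything other than 'ok' deserves a closer look."""
    loc = parse_lnk(data).get("icon_location", "")
    low = loc.lower()
    if not low:
        return "ok", loc
    if low.endswith(MODULE_EXTS) and not low.startswith(SYSTEM_PREFIXES):
        return "module_icon_outside_system_dirs", loc
    if not (low.startswith("%") or low.startswith("\\\\") or low[1:3] == ":\\"):
        return "relative_icon_path", loc    # resolves next to the .lnk, i.e. on the drive itself
    return "ok", loc


def build_lnk(icon_location, icon_index=0):
    """Constructed test input: a minimal Unicode shell link carrying only an ICON_LOCATION."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


if __name__ == "__main__":
    for sample in ("%SystemRoot%\\system32\\shell32.dll", "~wtr4141.tmp", "E:\\icons\\pack.dll"):
        print(triage_lnk(build_lnk(sample)))
```

The parser skips the LinkTargetIDList rather than inspecting it, so a full triage tool would also need to decode that structure.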

The Stuxnet worm searches the computer for removable storage devices (Figure 4). Once found, it copies shortcut files and DLL files to it (Figure 5). If the user then plugs the device into a computer on the internal network, the vulnerability is triggered, enabling what is known as a "ferrying" attack, which uses the removable storage device to infiltrate a physically isolated network.

Figure 4 Finding a USB flash drive

There are two DLL files copied to the USB flash drive: ~wtr4132.tmp and ~wtr4141.tmp. The latter hooks the following functions exported by kernel32.dll and ntdll.dll:

FindFirstFileW

FindNextFileW

FindFirstFileExW

NtQueryDirectoryFile

ZwQueryDirectoryFile

This hides the lnk files and DLL files on the USB flash drive. The Stuxnet worm therefore uses two measures (a kernel driver and user-mode API hooks) to hide the files on the USB flash drive, so that the attack process is hard for the user to detect and, to a certain extent, evades scanning by antivirus software.

Figure 5 Copying files to a USB flash drive

2.3.2. RPC Remote Execution Vulnerability (MS08-067) and Elevation of Privilege Vulnerability

This is the most serious vulnerability in Microsoft operating systems in 2008, and it is characterized by simple exploitation, wide reach, and high level of harm.

Figure 6 Launching an RPC attack

Specifically, a system with this vulnerability could allow remote code execution when receiving a carefully constructed RPC request. On Windows 2000, Windows XP, and Windows Server 2003 systems, exploitation of this vulnerability allows an attacker to launch an attack directly from a maliciously constructed network packet, run arbitrary code without authentication, and gain full privileges. As a result, this vulnerability is often used by worms for large-scale propagation and attacks.

The Stuxnet worm exploits this vulnerability to propagate across internal LANs (Figure 6). When exploiting this vulnerability, if insufficient privileges result in failure, it will also use an as-yet-undisclosed vulnerability to elevate its own privileges (Figure 1) and then attempt the attack again. As of the publication of this report, Microsoft has not yet given a solution for this elevation of privilege vulnerability.

2.3.3. Printer Backend Program Services Vulnerability (MS10-061)

This is a zero-day vulnerability first discovered in the Stuxnet worm.

The Windows Printing Backend Program does not set user privileges appropriately. An attacker could send files to the %System32% directory of a host that exposes the interface to the printing backend program by submitting a carefully constructed print request. Successful exploitation of this vulnerability could allow the execution of arbitrary code with system privileges, allowing for propagation and attack.

Figure 7 Exploitation of Print Services Vulnerability

The Stuxnet worm exploits this vulnerability to achieve propagation across an internal LAN. As shown in Figure 7, it sends two files to the target host: winsta.exe, sysnullevnt.mof. The latter is a Microsoft Managed Object Format (MOF) file that drives winsta.exe to be executed under some specific event-driven circumstances.

2.3.4. Kernel Mode Driver (MS10-073)

2.3.5. Task Scheduler Vulnerability (MS10-092)

2.4 Attacks

The Stuxnet worm queries two registry keys to determine whether WinCC is installed in the host (Figure 8):

HKLM\SOFTWARE\SIEMENS\WinCC\Setup

HKLM\SOFTWARE\SIEMENS\STEP7

Figure 8 Querying the registry to determine whether WinCC is installed

Once the WinCC system is found, two of the vulnerabilities are exploited to launch the attack:

First, the WinCC system has a hard-coded credential vulnerability: the default account name and password for accessing the database are stored in the software, and Stuxnet uses them to try to access the system's SQL database (Figure 9).

Second, there is a flaw in the DLL loading policy when opening project files in the Step7 software that WinCC relies on, leading to an exploit similar to a "DLL preloading attack". Ultimately, Stuxnet replaces s7otbxdx.dll in the Step7 software to hook some of its query and read functions.

Figure 9 Querying WinCC database

2.5 Derivative Relationships of the Sample Files

This section summarizes the derivative relationships of the sample files across the copying, spreading and attacking processes described above.

As shown in Figure 10, there are multiple possibilities for the origin of the sample.

The original sample, that is, the sample propagated through the RPC vulnerability or the print service vulnerability, is an exe file that invisibly loads a module named "kernel32.dll.aslr.<randomnumber>.dll" from its own .stu section.

For the sample propagated by USB flash drive, the vulnerability is triggered when the system displays the shortcut file, loading ~wtr4141.tmp, which in turn loads a module named "shell32.dll.aslr.<randomnumber>.dll"; this module then loads the other file, ~wtr4132.tmp, as "kernel32.dll.aslr.<randomnumber>.dll".

Figure 10 Relationships between sample file derivatives

The module "kernel32.dll.aslr.<randomnumber>.dll", which initiates most of the subsequent operations, exports 22 functions that perform the main functions of the malicious code; its resource section contains some of the files to be derived, saved in encrypted form.

Of these, export function #16 derives the local files, including the two drivers, mrxcls.sys (resource #201) and mrxnet.sys (resource #242), as well as the four .pnf files.

Export function #17 attacks the second WinCC vulnerability: it releases its own s7otbxdx.dll while renaming the file of the same name in the WinCC system to s7otbxsx.dll, and wraps each export of that file once to implement the hook.

Export function #19 is responsible for exploiting the Shortcut Parsing vulnerability to propagate. It releases multiple lnk files and two files with the extension tmp.

Export function #22 is responsible for propagation through the RPC vulnerability and the print service vulnerability. It releases the file with resource #221 for RPC attacks, #222 for print service attacks, and #250 for privilege escalation.

3.1 Defending against this attack

Siemens has published a solution for this attack; the link is given in the appendix. More specific measures based on our analysis are given below.

1. Remove the Stuxnet worm by using the relevant antivirus tools or manually

The steps to remove the worm manually are as follows. Use the Atool management tool to terminate all lsass.exe processes in the system whose parent process is not winlogon.exe; then forcibly delete the following derived files:

%System32%\drivers\mrxcls.sys

%System32%\drivers\mrxnet.sys

%Windir%\inf\oem7A.PNF

%Windir%\inf\mdmeric3.PNF

%Windir%\inf\mdmcpq3.PNF

%Windir%\inf\oem6C.PNF

Delete the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNET

2. Installation of system patches for exploited vulnerabilities

Install the following patches provided by Microsoft:

RPC Remote Execution Vulnerability (MS08-067)

Shortcut File Parsing Vulnerability (MS10-046)

Printer Backend Program Service Vulnerability (MS10-061)

Kernel Mode Driver Vulnerability (MS10-073)

Task Scheduler Program Vulnerability (MS10-092)

3. Installing Software Patches

Install the security update patch for WinCC system released by Siemens at the address in the appendix.

3.2 Security Recommendations

This attack highlights two issues: even physically isolated private LANs are not unbreakable; and dedicated software systems, including industrial control systems, can be attacked. Therefore, we put forward the following security recommendations to the relevant departments and enterprises:

Strengthen the security of host computers (especially intranet hosts): even physically isolated computers should have their operating system patches applied in a timely manner, and a sound security policy should be established;

Install security protection software, including anti-virus software and firewalls, and update the virus database;

Establish awareness of software security: for the core computers in the enterprise, keep track of the security status of the software in use, and promptly update software with known vulnerabilities;

Further strengthen the security of the enterprise's intranet, with special emphasis on the security of network services, and close unnecessary network service ports in the host computer;

Do not enable weak passwords or default passwords for any software or network service;

Strengthen the security management of removable storage devices: disable the autoplay function of computers, perform virus scanning before using removable devices, build virus immunity for mobile devices, and use hardware-based USB flash drive virus checking tools.

Compared to previous security incidents, this attack presents many new tactics and features that deserve special attention.

4.1 Specialized Attacks on Industrial Systems

The Stuxnet worm targeted Siemens' SIMATIC WinCC system. This is a data acquisition and supervisory control (SCADA) system that is widely used in core industries such as steel, automotive, power, transportation, water conservancy, chemical, petroleum, and especially in national infrastructure projects; it runs on the Windows platform and is often deployed in a dedicated LAN isolated from the outside world.

In general, the value of a worm to its author lies in the breadth of its propagation and the generality of its targets. This attack was the polar opposite: its ultimate target was neither publicly reachable hosts nor general-purpose software. Neither penetrating an internal network nor exploiting vulnerabilities in large-scale specialized software is an ordinary attack. This suggests that the intent of the attack was very clear and that it was well planned.

4.2 Exploitation of Multiple Zero-Day Vulnerabilities

The Stuxnet worm exploits the following vulnerabilities in the Microsoft operating system:

RPC Remote Execution Vulnerability (MS08-067)

Shortcut File Parsing Vulnerability (MS10-046)

Printer Backend Program Services Vulnerability (MS10-061)

Kernel Mode Driver Vulnerability (MS10-073)

Task Scheduler Program Vulnerability (MS10-092)

The last four vulnerabilities were all first used in Stuxnet and are true zero-day vulnerabilities. It is not often that multiple zero-day vulnerabilities are used on such a large scale.

These vulnerabilities were not picked at random; each plays a distinct role in how the worm spreads. For example, because USB flash drive viruses that rely on autoplay are now blocked by the vast majority of antivirus software, the shortcut vulnerability is used instead to achieve propagation via USB flash drives.

On the other hand, some of the entities in the samples captured by Anthem carry a March 2013 timestamp. This means that at least as early as March, the aforementioned zero-day vulnerabilities were already in the attackers' hands. However, the vulnerabilities were not disclosed until the massive outbreak in July. It was difficult during this period to keep the vulnerabilities from being disclosed.

4.3 Using digital signatures

Stuxnet releases two driver files after running:

%System32%\drivers\mrxcls.sys

%System32%\drivers\mrxnet.sys

These two driver files carry a forged RealTek digital signature (Figure 7) to evade antivirus detection. The digital certificate used for this signature has since been revoked by its issuer and can no longer be verified online, but most current antivirus products use static methods to decide whether an executable file is digitally signed, so they can still be spoofed.

Figure 11 Stuxnet's forged digital signatures

4.4 Clear targets

According to Symantec, only 25 percent of hosts in Iran were infected with the Stuxnet worm in July, and by late September, that percentage had reached 60 percent.

WinCC is widely used in Iran's defense infrastructure, and on Sept. 27 Iran's state-run news agency confirmed that the country's first nuclear power plant, the Bushehr Nuclear Power Plant, had been attacked. It is understood that the plant was scheduled to begin official operation in August 2013. The attack therefore has a clear geographical focus and a clear purpose.

5.1 Industrial system security will face serious challenges

In China, WinCC has been widely used in many important industries, and once attacked, it may cause abnormal operation of the facilities of the relevant enterprises, and even lead to serious accidents such as the theft of business information and shutdown of production.

We are not surprised by the emergence of the Stuxnet worm. As early as last year, Antenna was commissioned by users to conduct a study on the security of instrumentation in the chemical industry, and the situation was not optimistic.

Industrial control networks, including industrial Ethernet and fieldbus control systems, have been used in industrial enterprises for many years, and in large-scale heavy industries such as electric power, iron and steel, and chemicals, industrial Ethernet, DCS (Distributed Control System) and fieldbus technologies have long penetrated every part of the control system. The core of today's industrial control network is the industrial control PC, most of which run on the same Windows-Intel platform as office machines; industrial Ethernet is not essentially different from civilian Ethernet in technology; and fieldbus technology is a microcontroller/embedded system applied to each control instrument. In addition to the same attacks seen on residential/commercial networks, such as malicious code propagated over LANs, industrial control networks may also be subject to fieldbus-specific attacks, which should not be taken lightly.

Attacks on civilian/commercial computers and networks are mostly aimed at obtaining economic benefits, but attacks on industrial control networks and fieldbuses may damage the normal measurement and control of important devices and equipment, and the consequences may be disastrous. Taking the chemical industry as an example, attacks against industrial control networks may damage the normal temperature/pressure measurement and control of the reactor, leading to over-temperature/over-pressure of the reactor, which will ultimately lead to catastrophic accidents such as flushing, fire or even explosion, and may also cause secondary disasters and humanitarian disasters. Therefore, this kind of malicious code attacking the industrial network generally carries the nature of information weapons, and the goal is to interfere with or even seriously damage the normal production of important industrial enterprises, whose background is generally not an individual or an ordinary underground hacker organization.

Currently, industrial Ethernet and fieldbus standards are open standards, and there is no high technical threshold for programmers familiar with industrial control systems to develop targeted malicious attack code. It is therefore essential to strengthen and protect the following potential weak points of industrial network security:

Industrial PCs and industrial Ethernet based on Windows-Intel platforms may be subject to the same attack methods used against civilian/commercial PCs and networks, such as malicious code and network worms spreading via USB flash drives, of which the Stuxnet virus is a typical example.

DCS and fieldbus control system configuration software (the core of measurement and control software) is monopolized by a small number of companies, especially for industry-specific products, such as Siemens SIMATIC WinCC, commonly used in the electric power industry, and ZDZC, commonly used in the petrochemical industry. Attacks against the configuration software fundamentally damage the measurement and control system; the target of the Stuxnet virus is the WinCC system.

Fieldbuses based on an RS-485 or fiber-optic physical layer, such as PROFIBUS and MODBUS (serial link protocol), have relatively good security. Short-range wireless networks are another matter: in particular, measurement and control instruments that do not use Zigbee or other general short-range wireless protocols (which offer a certain degree of security) but instead use customized proprietary protocols for short-range wireless communication have poor security. In particular, some small domestic enterprises produce "wireless sensors" and other measurement and control instruments whose wireless communication part is a generic 2.4 GHz short-range wireless chip without even basic encrypted communication; such devices have no security to speak of, are very easy to eavesdrop on and attack, and if used become a very easily attacked weak point in the fieldbus.

Industrial control networks are usually standalone networks with relatively low data volumes compared to civilian/commercial networks, but their requirements for real-time behavior and reliability are very high, so the consequences of problems are quite serious.

The security of traditional industrial networks has long been neglected on the assumption that intranet isolation protects them, relative to information networks. Security checks and preventive hardening of industrial systems are therefore urgently needed.