Last-minute paper: An in-depth look into Stuxnet

Liam O'Murchu (Symantec)

Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like language used to program the PLCs (programmable logic controllers) that drive industrial processes, it also included the first known PLC rootkit, used to hide that STL code from anyone inspecting the controller. It further exploited a zero-day vulnerability to spread via USB drives, installed a Windows rootkit to hide its Windows binary components, and signed its files with certificates stolen from unrelated third-party companies. Each of these characteristics is noteworthy in its own right; when they all converge within one threat, it is clear that something out of the ordinary is at work. Any threat capable of taking control of a real-life physical system is worthy of a closer look, and here we present our analysis of such a threat.

We will report on the conclusions of our extensive analysis of Stuxnet, outlining the functionality of the vast array of components the threat uses and illuminating how each component is used. The analysis exposes the creators' true intention, to take over industrial control systems (ICS), and details exactly how this is performed. The threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date, and it is the aspect we find most concerning.

In addition to analysing the code, we also examine the data that compromised systems sent to the command and control servers. This data allows us to draw conclusions about who was the target of this threat and who may have been responsible for creating it.

During the presentation we will also show the code used and give demonstrations of the more malevolent and intriguing parts of the threat, namely the PLC/STL rootkit and the ability to control real-life physical systems. With this threat, the attackers are able to inject code into industrial control systems and hide that code from the designers and operators of the ICS, giving the attackers full control over the day-to-day functioning of the physical system under attack.

Many aspects of the threat have not been widely reported in public, but we believe they have significant repercussions for the security industry and will no doubt become more commonplace in the future threat landscape.
