2010-10-05

Symantec Stuxnet Dossier

Symantec has published their long-awaited W32.Stuxnet Dossier. The dossier details high-level topics already introduced in the Stuxnet thread in the Symantec blog, and provides a couple of surprises as well.

Propagation

One of the surprises is a new propagation method: WinCC SQLServer database connections. One of the first behaviors identified for the Stuxnet worm back in July was that it used a default password to connect to SQLServer databases hosted on Siemens S7 WinCC hosts. However, little was published about how the worm interacts with those databases, beyond that the worm seemed to be pulling from the databases the IP addresses of other WinCC hosts in a network of such hosts. The dossier explains in some detail how the worm contacts the SQLServer databases on other WinCC machines and how the worm sends copies of itself to those machines, ultimately compromising those other WinCC hosts.

This brings to six the number of propagation techniques the Stuxnet worm uses:
  • the MS10-046 Windows Shell LNK vulnerability used to propagate between sites via USB flash sticks,
  • the MS10-061 Print Spooler vulnerability and the older MS08-067 RPC vulnerability, both of which are used to propagate within a compromised network,
  • writing to accessible filesystem shares and remotely scheduling execution on those file servers, also used to propagate within a compromised network, and
  • embedding itself in S7 project files, as well as sending copies of itself into connected database servers, used to propagate within a project of S7 WinCC hosts.

Malware Software Updates

The dossier describes in detail how the Stuxnet worm contacts command and control (C&C) servers for instructions and software updates, and some important parts of that description are new. Earlier Symantec blog posts described how the worm contacts C&C servers on port 80, the HTTP port, and how the worm has an additional peer-to-peer networking capability. Earlier posts also described how the worm propagates by embedding itself in S7 project data files.

One important detail on the peer-to-peer networking is that the transport used for the networking is not one that is generally available over the internet. The peer-to-peer networking only works to propagate software updates for the Stuxnet worm within a compromised site or enterprise, not to maintain control of the worm even after the C&C servers have been disabled.

That was one of the few pieces of "good news" in the dossier. A related piece of "bad news" is that the worm not only propagates via S7 project files, it can be updated through such files as well. If the worm finds an S7 project file with a copy of itself in the file, and that copy is newer than the copy on the compromised machine, the worm updates itself from the copy.

There are two lessons here - the first is that if any compromised machine in a network of such machines has contact with a C&C server, the Stuxnet worm can propagate new versions to any machine in the network. All of the propagation techniques the worm uses, in addition to the peer-to-peer networking, will serve to propagate new versions. Preventing your critical assets from contacting random addresses on the internet is not enough to prevent compromised assets from being controlled remotely. To prevent remote control of malware as sophisticated as the Stuxnet worm, security managers must think much harder about what kind of communications are allowed between machines with access to the internet, and machines without such access.

The second lesson has to do with remediation. If your site has been compromised by Stuxnet, it is not enough to rebuild all your affected machines from original media, and reprogram your PLCs from backed-up configurations. You need to examine the S7 project files that are your back-up configurations and ensure that they do not contain copies of older versions of the Stuxnet worm. S7 project file "data" can in fact contain copies of the worm.
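One way to start that examination of back-up project files is to compare the backup tree against a hash manifest taken from a copy known to predate the compromise. The sketch below is an added example, not code from the dossier or from this post; it assumes such a trusted manifest exists, all file names are constructed, and it only flags added, missing, or changed files for review rather than identifying the worm itself.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_backup(trusted: dict, backup_root: Path) -> dict:
    """Compare a backup tree with a manifest taken from a trusted copy."""
    current = build_manifest(backup_root)
    return {
        "added": sorted(set(current) - set(trusted)),
        "missing": sorted(set(trusted) - set(current)),
        "modified": sorted(n for n in trusted.keys() & current.keys()
                           if trusted[n] != current[n]),
    }


def demo() -> dict:
    """Constructed sample: a toy project tree, then a backup with changes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, backup = Path(tmp, "clean"), Path(tmp, "backup")
        for root in (clean, backup):
            (root / "sub").mkdir(parents=True)
            (root / "project.cfg").write_bytes(b"station=1\n")
            (root / "sub" / "blocks.dat").write_bytes(b"\x00\x01\x02")
        # Simulate a backup taken after compromise: one extra file, one altered.
        (backup / "sub" / "extra.bin").write_bytes(b"unexpected payload")
        (backup / "project.cfg").write_bytes(b"station=1\nloader=on\n")
        return audit_backup(build_manifest(clean), backup)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Anything reported as added or modified should be explained before the backup is used to restore a machine or reprogram a PLC.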

Looking Forward

Investigations are still proceeding on a number of fronts and Symantec suggests that an update to the dossier at some future date is likely. For example, the dossier contains no details of the two still-unpatched escalation-of-privilege vulnerabilities the Stuxnet worm uses. Presumably those details will be forthcoming when Microsoft has a patch published. Details of the behavior of PLC function blocks in the worm are still being investigated as well. The dossier describes the overall structure of the function blocks, but gives little detail as to what the function blocks do.

Nothing at all has been published regarding investigations into the command and control servers in Malaysia and Denmark. I do assume that someone is carrying out such investigations, but again nothing has been published. If military or intelligence officials are involved in those investigations, it may be that the investigations have been flagged as state secrets and nothing further will ever be published about those servers.
