Software Programs, Technology Security

Next@Norton: The Dangers of Stuxnet Analyzed

Kaboom! That?s what can happen when Stuxnet-type threats are unleashed. A new breed of hacker is afoot. Their creation is insidious, destructive, and a harbinger of the future.

Pat Gardner of Symantec explained that malware authors have switched tactics from a macro distribution model that harms many to a micro distribution using a unique model that infects less than 50 users, or just a single facility. Therein lies the danger.

From many to one ? why being aware of Stuxnet is important
From many to one ? why being aware of Stuxnet is important

In the case of Stuxnet, the target was one Iranian enrichment facility. The intended result was not simply a messed up computer, but physical damage to the plant, essentially putting it out of commission. This was a cold, calculated project that took years of effort.

Espionage, complicity, and probably naivety combined to pull off a James Bond scenario with potential geopolitical effect. It required knowing the physical layout of the nuclear enrichment facility, determining which programmable logic controller (PLC) was there, in this case a Siemens model with SCADA (supervisory control and data acquisition) software, and the design specs of that specific PLC.

The targeted configuration was made up of Windows PCs, the Siemens PLC, communications processors/routers, frequency converters, and finally the target ? centrifuges ? which the perpetrators wanted to run at excessive speeds to destroy them from inside. The Next@Norton audience gasped when shown the results of a similar configuration on a much smaller scale that caused a balloon to inflate and explode on stage.

Symantec says it takes more than one approach to foil hackers
Symantec says it takes more than one approach to foil hackers

Symantec emphasized that not all security products are created equal. Their company comes at threats from four directions, going beyond virus protection. Norton?s products also strive to pick up problems through recognition and behavior analysis. Bad behavior is what foiled Stuxnet. Sonar is what pinpointed it.

The catalyst for the invasion of the Iranian plant was a bug that came in on an infected USB taking advantage of a zero-day Windows vulnerability. Subcontractors were the conduit. To make Stuxnet look credible, its creators stole and installed drivers with legitimate digital signatures by RealTek Semiconductor and JMicron Technology, both IC companies in Taiwan. Ben Greenbaum, senior research manager for Symantec Security Response explains that "It involves getting inside an organization and stealing their private PGP key that is used for actually signing files."

Additionally, the culprits were able to hide by essentially copying the plant?s normal operation, than playing a recording of it while their program was in the background doing its dirty work. The malware therefore could run unnoticed.

Symantec released a PDF dossier on Stuxnet

 Symantec released a PDF dossier on Stuxnet

Those computers known as controllers run all kinds of industrial machinery. A widely used Siemens controller, Process Control System 7, was the focal point of Stuxnet. Its complex software, called Step 7, can run multiple industrial instruments, sensors and machines. Therein lies the danger to many environments including power grids, hospitals, and banking systems.

Norton?s Sonar isolated Stuxnet using behavior tracking methods. In July 2010, an official Semantec blog emphasized the complexity and sophistication of Stuxnet indicating that "the zero-day vulnerability, rootkit, main binaries, stolen digital certificates and in-depth knowledge of SCADA software are all high quality attack assets."

The Next@Norton presentation indicated that Stuxnet was comprised of 15 different modules, used two different rootkit techniques, one for the PC, one for the PLC. Two stolen digital certificates were used to sign its files to make them look legitimate. There were many man hours involved in its development. Stuxnet reprograms industrial PLC?s running on a proprietary microchip with 10,000 lines of code.

Ralph Langner, a control system security expert, claimed in a May Cnet interview that he had correctly hypothesized that Stuxnet was specifically targeting the Iranian nuclear program.

Langner runs a consulting company in Hamburg, Germany. He says that although it took "more than one genius to design Stuxnet, understanding and copying the design can be achieved by average engineers." What makes it more frightening is that "the design and production process can be packaged into a software tool, enabling immoral idiots and geniuses alike to configure highly aggressive cyber weapons."

Ralph Langner discusses cracking Stuxnet on TED – 10 minutes that could change the way you look at digital security

Beyond nuclear plants, a country?s infrastructure is at risk from a Stuxnet look alike. The company that delivers your gas and electricity is concerned, your bank is concerned, your telephone service and your internet provider are all concerned
. You should be too.

These things, Stuxnet, nuclear plants, and defense contractors seem far removed from most people?s everyday lives. However, what happened should give us pause as we interface more and more with our personal electronics. Don?t let your computer become a link in the chain that propagates malware.

Protecting your computer, your mobile phone, watching what websites you go to, what links you open, what you copy to a USB and transfer to another computer should be a priority. Similar to health risks such as AIDS or swine flu, you never know who you might unknowingly infect.

If you are concerned about the political implications of the Stuxnet saga, you can click here and glean ideas for great water-cooler topics.