
Stuxnet Deep Dive into the Stuxnet virus: The first virus to attack real-world infrastructure

Author: HUAWEI CLOUD Developer Alliance

This article is shared from HUAWEI CLOUD Community's "[Security Technology] Stuxnet Virus In-Depth Analysis: The First Virus to Attack Real-World Infrastructure (1) [Original Analysis]-Cloud Community-HUAWEI CLOUD", author: Cloud Storage Developer Support Team.

Chapter 1: Stuxnet Virus Background [From the Internet]

In 2006, Iran restarted its nuclear program, building a nuclear plant in Natanz and installing a large number of centrifuges to produce enriched uranium. In January 2010, the United Nations' International Atomic Energy Agency (IAEA), which verifies Iran's nuclear facilities, found a problem at the Natanz plant: a massive failure of IR-1 centrifuges, which have an expected lifespan of 10 years, but no one could say what had caused it.

Iranian Natanz Nuclear Plant

In June 2010, Sergey Ulasen, technical director of VirusBlockAda, a small anti-virus company in Belarus, found while analyzing a malicious file from the Iranian plant that it was extremely complex: it not only used a kernel-level backdoor effectively to evade anti-virus engine scans, but also exploited multiple zero-day vulnerabilities to break into Windows systems. He was unable to fully decipher the malicious code. On July 12, 2010, Ulasen posted his findings on an English-language security forum.


Sergey Ulasen

The global security community began to analyze and decipher the virus, and Microsoft named it Stuxnet. The analysis showed that the stealth, sophistication and complexity of the virus far exceeded what anyone had imagined.

According to some foreign reports, the virus was written jointly by programmers in the United States and Israel; the technical specifications of the targeted Siemens industrial control system were provided by Germany, and Siemens industrial control systems were widely used in Iranian nuclear facilities. A test system with the Siemens controller and IR-1 centrifuges was built in Dimona, Israel, where the virus was tested; the British government also participated. After the tests, a Dutch intelligence officer, acting as a technical consulting engineer for the centrifuges, implanted the virus into the nuclear facility.

Stuxnet destroys centrifuges primarily by changing their rotation speed, which also affects the quality of the enriched uranium produced.


The centrifuge is faulty

Stuxnet was originally designed as a targeted attack, was used as a cyber weapon, and is regarded as the originator of APT attacks. It was discovered because the programmers who developed it made a mistake when programming, which resulted in the virus infecting any version of Windows; it was finally captured in June 2010.

Chapter 2 Stuxnet Virus Reverse In-depth Analysis [Personal Original Analysis, Please Do Not Reprint Without Authorization]


Stuxnet virus structure and operation process

Stuxnet mainly consists of 6 files: 4 shortcut (LNK) icon files, which use the LNK vulnerability to infect computers automatically from a USB disk, and two .tmp files that initialize and install Stuxnet.

Stuxnet exploits a total of 7 vulnerabilities, 4 of which were 0-day vulnerabilities at the time:

  • CVE-2008-4250 (MS08-067) - Windows Server Service NetPathCanonicalize()
  • CVE-2010-2772 - WinCC default password
  • CVE-2012-3015 - Step 7 insecure library loading
  • CVE-2010-2568 (MS10-046) - Windows Shell LNK vulnerability (0-day)
  • CVE-2010-2743 (MS10-073) - Win32k.sys local privilege escalation (0-day)
  • CVE-2010-3888 (MS10-092) - Task Scheduler vulnerability (0-day)
  • CVE-2010-2729 (MS10-061) - Windows Print Spooler Service remote code execution (0-day)

Stuxnet hides on the USB disk. When the disk is inserted into a computer, the LNK vulnerability automatically infects the Windows system. After infection, execution proceeds as follows:

  • A Ring3 hook on Ntdll loads the ~WTR4141.tmp file in memory; Ring3 hooks on Kernel32 and Ntdll hide the *.tmp and *.lnk files.
  • ~WTR4132.tmp is then loaded from memory via LoadLibrary, and the core Main.dll is extracted, decrypted, unpacked and loaded in memory.
  • Main.dll initializes and installs Stuxnet: it injects into a process, registers a service and drops its resource files, after which Stuxnet runs as a service.
  • When the service runs, it attacks the Siemens WinCC industrial control software and, through it, the PLC, causing the centrifuges to operate abnormally and fail rapidly.

Call #15 initializes the installation of Stuxnet

When Main.dll is loaded, export #15 is called first. #15 is mainly responsible for checking whether Stuxnet is running on a suitable system, detecting whether the current system is already infected, elevating the current process to SYSTEM privileges, detecting the version of any antivirus software installed on the system, and selecting which process to inject the DLL into; it then injects the DLL into the selected process and calls #16.

The first task of #15 is to check whether the configuration data is up to date. Configuration data can be stored in two locations; Stuxnet selects the most recent copy and uses it. Then Stuxnet checks whether it is running on a 32-bit system and exits if the system is 64-bit. It also checks the operating system version; Stuxnet only runs on the following versions:

  • Win2K
  • WinXP
  • Windows 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2

Then it checks whether the current process has Administrator privileges; if not, it uses a 0-day vulnerability to elevate its privileges. If the operating system is Windows Vista, Windows 7 or Windows Server 2008 R2, the Task Scheduler privilege escalation vulnerability is used; if the operating system is Windows XP or Win2K, the Win32k.sys local privilege escalation vulnerability (MS10-073) is exploited.

If the exploit succeeds, the way the main DLL continues depends on which vulnerability was used: with the Win32k.sys vulnerability the main DLL is run as a new process, whereas with the Task Scheduler vulnerability the main DLL runs inside the csrss.exe process.

The Win32k.sys exploit code is stored in resource file #250. Once the checks run by export #15 pass, #16 is run. #16 is Stuxnet's main installer: it checks the date and the operating system version; decrypts, creates and installs the rootkit files and registry entries; injects itself into services.exe in order to infect removable storage devices; injects itself into the Step7 process to infect all Step7 projects; establishes global mutexes for communication between the different components; and connects to the RPC server.

Call #16 installs Stuxnet

#16 first checks whether the configuration data is valid, then checks whether the NTVDM TRACE value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation is 19790509 and, if so, exits. This entry acts as an indicator of whether infection is allowed. It then reads the date stored in the configuration data (at offset 0x8c) and compares it with the current system date, exiting if the current date is later than the date in the configuration data; the date in the configuration data is 2012-6-24.

Communication between the various components of Stuxnet uses global mutexes. On Windows XP they are created with a call to SetSecurityDescriptorDacl; on Windows Vista, Windows 7 and Windows Server 2008, SetSecurityDescriptorSacl is called as well, to lower the integrity level of the objects so that write access is not rejected.

Stuxnet then creates 3 encrypted files from the .stub section and saves them to disk:

  • Stuxnet's main attack payload is saved as Oem7a.pnf;
  • 90 bytes of data are saved to %SystemDrive%\inf\mdmeric3.PNF;
  • The configuration data is copied to %SystemDrive%\inf\mdmcpq3.PNF;
  • A log file is copied to %SystemDrive%\inf\oem6C.PNF.

Stuxnet then checks the system time to make sure it is before June 24, 2012. Next it checks whether the encrypted copy of itself saved to disk is up to date, by reading and decrypting the version information stored on the hard disk. This is done through export #6.

After the version check passes, Stuxnet extracts, decodes and writes the contents of resource files #201 and #242 into two files, Mrxnet.sys and Mrxcls.sys. These are two driver files: one is Stuxnet's load point and the other hides the malicious files on disk. The timestamps of these two files are set to match those of other files in the system directory so as not to arouse suspicion. Registry keys pointing to the two driver files are then created and they are registered as service entries so that both services start at boot. Once this rootkit created by Stuxnet is properly installed, it creates some global mutexes indicating that the installation was successful.

Stuxnet then uses two additional export functions to continue the installation and infection process:

(1) It injects the payload .dll into services.exe and calls #32 (infects removable storage devices and starts the RPC service);

(2) It injects the payload .dll into the Step 7 process S7tgtopx.exe and calls #2 (infects Step7 project files); for this step to succeed, Stuxnet may need to kill the explorer.exe and S7tgtopx.exe processes if they are running.

Stuxnet runs through the two .dll injections described above and through the service and driver files it created.

Stuxnet waits a short time before attempting to connect to the RPC service (started by #32); it calls function 0 to check whether the connection succeeded and function 9 to receive some data stored in oem6c.pnf.

At this point, all default propagation methods and attack payloads have been activated.

Stuxnet attacks Siemens PLC processes

PLC attack process:

(1) The malicious DLL renames s7otbxdx.dll to s7otbxsx.dll and replaces s7otbxdx.dll with a custom DLL. The custom DLL reimplements 16 of the 109 export functions, those involved in reading, writing and enumerating code blocks; the remaining export functions are passed through to the original DLL;

(2) Stuxnet selects different code to infect PLCs according to the characteristics of the target system. An infection sequence contains the code blocks and data blocks injected into the PLC to change its behavior. There are three infection sequences, two of which are similar and functionally identical, labeled sequence A and B; the third is labeled sequence C;

(3) If s7otbxdx.dll is running inside ccrtsloader.exe, the replacement s7otbxdx.dll starts two threads to infect specific PLCs:

Thread 1 (runs every 15 minutes; infects 6ES7-315-2 PLCs with specific SDB characteristics):

(a) The PLC type detected by s7ag_read must be 6ES7-315-2;

(b) Inspect the SDB blocks to determine whether the PLC is already infected and to select which sequence to write (A or B):

  • Enumerate and parse the SDBs (system data blocks), looking for an SDB whose DWORD at offset 50h equals 0100CB2Ch (this indicates that the Profibus communications processor module CP 342-5 is in use);

  • Search the SDBs for the specific values 7050h and 9500h; the infection requirements are met only when these two values occur a combined total of 33 or more times (7050h identifies the KFC750V3 variable-frequency drive and 9500h the Vacon NX frequency converter drive);

(c) Infect according to sequence A or B:

  • Copy the DP_RECV block to FC1869 and replace DP_RECV with a customized block (DP_RECV is the name of the standard code block used by the network coprocessor to receive network frames on Profibus; each time a packet is received, the custom block invokes the original DP_RECV, now in FC1869, to process it and then post-processes the packet data);

  • Write the custom blocks (20 in total) to the PLC;

  • Infect OB1 so that the malicious code runs first at the beginning of each cycle (first the size of the original block is increased; then the custom code is written to the beginning of the block; finally the original OB1 code is inserted after the custom code);

  • Infect OB35 in the same way as OB1, using the code-prepending infection technique.

Thread 2 (queries every 5 minutes; ensures simultaneous attacks):

(a) Monitor and query the block DB890 that thread 1 successfully injected into each specific PLC (e.g. S7-315) on the bus;

(b) When a certain condition is met and the sabotage routine starts, the thread writes data to DB890 in all monitored PLCs, causing the PLCs on the same bus to launch the sabotage attack at the same time.

(4) Under certain conditions, sequence C is written to the PLC; it targets the 6ES7-417 and is more complex;

(5) Sabotage (reduce or increase the motor frequency at different times):

(a) Determination of normal operating frequency: 807-1210Hz;

(b) Setting the frequency to 1410 Hz;

(c) Resumption of normal operations;

(d) After approximately 27 days, set the frequency first to 2 Hz and then to 1064 Hz;

(e) Resumption of normal operations;

Repeat the above process.
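The two PLC-side observations above, the SDB fingerprint Thread 1 uses to decide whether a controller is a target (step (b)) and the code-prepending infection of OB1/OB35 (step (c)), can both be turned into checks a plant engineer runs over blocks exported from the engineering station. The following is an added example and is not code from the article or from any Siemens or Stuxnet analysis tool; the block layout, the big-endian word order, the 2-byte alignment of the drive identifiers and all sample blocks are assumptions or constructed data.

```python
# Added example, not code from the original article or from any Siemens/Stuxnet tool.
# Two defender-side checks over S7 blocks exported from an engineering station:
#   1. does the hardware configuration (SDBs) match the targeting fingerprint the
#      article describes (CP 342-5 marker plus >= 33 drive identifier words)?
#   2. has an organisation block (OB1/OB35) grown by code prepended in front of
#      the engineering baseline?
# Block layout, byte order and the sample blocks are assumptions/constructed data.
import struct
from typing import Dict, Iterable

CP_342_5_MARKER = 0x0100CB2C        # DWORD at SDB offset 50h (CP 342-5 present)
DRIVE_WORDS = (0x7050, 0x9500)      # KFC750V3 and Vacon NX drive identifiers
DRIVE_WORD_THRESHOLD = 33           # combined count the article gives as the bar


def sdb_has_cp342_5_marker(sdb: bytes) -> bool:
    """True when the DWORD at offset 0x50 equals 0100CB2Ch.
    Assumption: S7 data is stored big-endian."""
    if len(sdb) < 0x54:
        return False
    return struct.unpack_from(">I", sdb, 0x50)[0] == CP_342_5_MARKER


def count_drive_words(sdbs: Iterable[bytes]) -> int:
    """Count 16-bit words equal to 7050h or 9500h across all SDBs.
    Assumption: values sit on 2-byte boundaries and are big-endian."""
    total = 0
    for sdb in sdbs:
        for off in range(0, len(sdb) - 1, 2):
            if struct.unpack_from(">H", sdb, off)[0] in DRIVE_WORDS:
                total += 1
    return total


def matches_targeting_profile(sdbs: Dict[str, bytes]) -> bool:
    """Both conditions from Thread 1 step (b) must hold."""
    has_marker = any(sdb_has_cp342_5_marker(b) for b in sdbs.values())
    return has_marker and count_drive_words(sdbs.values()) >= DRIVE_WORD_THRESHOLD


def classify_ob(current: bytes, baseline: bytes) -> str:
    """Compare an OB read back from the PLC with the engineering baseline.
    'prepended' means the baseline survives verbatim as the tail of a larger
    block, which is the code-prepending pattern the article describes."""
    if current == baseline:
        return "unchanged"
    if len(current) > len(baseline) and current.endswith(baseline):
        return "prepended"
    return "modified"


def build_sample_sdbs(drive_word_count: int = DRIVE_WORD_THRESHOLD) -> Dict[str, bytes]:
    """Constructed sample: one SDB carrying the CP 342-5 marker, one SDB that
    lists drive_word_count drive identifiers (alternating 7050h / 9500h)."""
    sdb0 = bytearray(0x60)
    struct.pack_into(">I", sdb0, 0x50, CP_342_5_MARKER)
    words = [DRIVE_WORDS[i % 2] for i in range(drive_word_count)]
    sdb7 = b"".join(struct.pack(">H", w) for w in words)
    return {"SDB0": bytes(sdb0), "SDB7": sdb7}


def audit(sdbs: Dict[str, bytes], ob1_current: bytes, ob1_baseline: bytes) -> Dict[str, object]:
    """One report a plant engineer would look at."""
    return {
        "cp342_5_marker": any(sdb_has_cp342_5_marker(b) for b in sdbs.values()),
        "drive_words": count_drive_words(sdbs.values()),
        "targeting_profile_match": matches_targeting_profile(sdbs),
        "ob1": classify_ob(ob1_current, ob1_baseline),
    }


if __name__ == "__main__":
    baseline_ob1 = bytes.fromhex("70 0e 00 01 ff ff 70 0b")    # constructed MC7 bytes
    infected_ob1 = bytes.fromhex("ca fe ba be") + baseline_ob1  # code in front of it
    print(audit(build_sample_sdbs(), infected_ob1, baseline_ob1))
```

A positive `targeting_profile_match` only says that a configuration looks like what the article describes as the target; it is a prioritisation signal for baselining, not evidence of infection. The `classify_ob` comparison is the actionable part: an OB that has grown while still ending in the known-good bytes is exactly the prepend pattern, and it is only detectable if the baseline was captured from the engineering project rather than read back through the same s7otbxdx.dll path the malware replaces.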
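The sabotage sequence in step (5) is defined entirely in terms of drive frequency leaving the 807-1210 Hz band the article gives as normal, so the simplest monitoring-side detection is a band check over drive telemetry. The block below is an added example, not code from the article; the telemetry format (seconds, Hz) and the time-compressed sample series are constructed.

```python
# Added example, not code from the original article. A monitoring-side check that
# flags drive frequency samples leaving the 807-1210 Hz band the article gives as
# normal, and groups consecutive out-of-band samples into episodes. The telemetry
# format (timestamp seconds, Hz) and the sample series are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NORMAL_BAND_HZ = (807.0, 1210.0)


@dataclass
class Excursion:
    start_s: float
    end_s: float
    direction: str     # "above" or "below" the normal band
    peak_hz: float     # highest value when above, lowest when below


def find_excursions(readings: List[Tuple[float, float]],
                    band: Tuple[float, float] = NORMAL_BAND_HZ) -> List[Excursion]:
    """Walk the series in time order and merge runs of out-of-band samples
    in the same direction into one Excursion episode."""
    lo, hi = band
    episodes: List[Excursion] = []
    current: Optional[Excursion] = None
    for t, hz in readings:
        if hz > hi:
            direction = "above"
        elif hz < lo:
            direction = "below"
        else:
            direction = None
        if direction is None:
            if current is not None:       # back in band: close the open episode
                episodes.append(current)
                current = None
            continue
        if current is not None and current.direction == direction:
            current.end_s = t             # extend the running episode
            current.peak_hz = (max(current.peak_hz, hz) if direction == "above"
                               else min(current.peak_hz, hz))
        else:
            if current is not None:       # direction flipped: close and reopen
                episodes.append(current)
            current = Excursion(t, t, direction, hz)
    if current is not None:
        episodes.append(current)
    return episodes


def build_sample_telemetry() -> List[Tuple[float, float]]:
    """Constructed, time-compressed version of the article's sequence:
    normal 1064 Hz, 1410 Hz, back to normal, 2 Hz, then 1064 Hz again."""
    series = [1064.0] * 5 + [1410.0] * 3 + [1064.0] * 5 + [2.0] * 2 + [1064.0] * 4
    return [(float(i), hz) for i, hz in enumerate(series)]


def summarize(readings: List[Tuple[float, float]]) -> List[str]:
    """Human-readable one-liners, one per episode."""
    return [f"{e.direction} band from t={e.start_s:.0f}s to t={e.end_s:.0f}s, "
            f"peak {e.peak_hz:.0f} Hz"
            for e in find_excursions(readings)]


if __name__ == "__main__":
    for line in summarize(build_sample_telemetry()):
        print(line)
```

On the constructed series this reports one "above" episode (1410 Hz) and one "below" episode (2 Hz); the final 1064 Hz step lies inside the normal band and is invisible to a pure band check, so a real deployment would add a rate-of-change threshold. Because the article describes the replaced s7otbxdx.dll sitting between Step7/WinCC and the PLC, frequency readings taken through that path are not trustworthy; the check is only meaningful on values from an independent measurement.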

Chapter 3: The Stuxnet virus reappears

[For reasons of length, please pay attention to subsequent articles]
