Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (14 page)

It was a Friday evening in late August, and Liam O’Murchu was celebrating his thirty-third birthday at a swanky rooftop lounge in Venice, California. He’d rented out a section of the open-air, U-shaped bar on top of the Hotel Erwin overlooking the Pacific Ocean, and was tipping back beer and cocktails with his girlfriend, his sister and brother-in-law visiting from Ireland, and a dozen good friends. This being Southern California, a reality-TV crew was filming a couple sitting nearby, going through the awkward motions of a “private” date.

O’Murchu’s group had already been at the bar for three hours when Eric Chien showed up around nine p.m. His mind wasn’t on partying, though. He was itching to show his friend and colleague an e-mail that had popped up on a security list earlier that day. But he was reluctant to bring it up because he knew once O’Murchu saw it, he wouldn’t be able to put it out of his mind. “I’ll show you this one thing,” Chien told O’Murchu. “But then we’re not going to talk about it the rest of the night, OK?” O’Murchu agreed.

Chien pulled out his BlackBerry and brought up the e-mail—a note from a researcher at another antivirus firm hinting that there might be additional
zero-day exploits hidden in Stuxnet. O’Murchu looked at Chien. They’d been working on Stuxnet for weeks trying to reverse-engineer its components and had seen a few clues that suggested there might be another zero-day embedded in it, but they hadn’t had time to pursue them. The clues were in the missile portion of the code responsible for spreading Stuxnet, but they had been focused on the payload, the part of the code that affected the Siemens software and PLCs.

The e-mail was vague on details, and it wasn’t clear from the message whether the other researcher had actually
found
more zero-days in Stuxnet or had simply seen the same clues they had seen. Either way, O’Murchu’s competitive spirit was sparked. “That’s it,” he told Chien. “I’m not drinking any more tonight.” The next morning, a Saturday, O’Murchu was back in the office digging through Stuxnet.

The office was deserted, so O’Murchu was left to work without distraction. The Symantec team had already mapped out most of Stuxnet’s missile portion before moving to the payload, so now it was just a matter of combing through the code carefully for signs of an exploit. This wasn’t as simple as it sounded. Zero-day exploits weren’t the sort of thing you found just by opening a malicious file and peering at the code. You had to track each reference the code made to the operating system or to other software applications on the machine to spot any suspicious ways it interacted with them. Was it forcing an application to do something it shouldn’t? Jumping security barriers or bypassing system privileges? The missile portion, when reverse-engineered, consisted of thousands of lines of code, each of which had to be examined for suspicious behavior.

Stuxnet’s structure wasn’t linear, so trying to track what it was doing was doubly difficult. The commands skipped and jumped around, and O’Murchu had to follow their movement at every step.

After about an hour, however, he was pretty sure he’d nailed a second exploit. He searched the archive for any sign that the vulnerability it attacked had been exploited before, but found none. Then he tested the exploit on a machine with the latest Windows software installed, to be
certain he wasn’t making a mistake. Sure enough, Stuxnet was using a zero-day vulnerability in a Windows keyboard file to gain escalated privileges on the machine.

Zero-day vulnerabilities were valuable commodities and to use two of them at once in a single attack, and risk having them both discovered, seemed an odd waste of resources, O’Murchu thought. But he didn’t stop to ponder it. He simply documented his findings and turned back to the code.

Hours later, he thought he spotted yet another exploit—signs that Stuxnet was using a vulnerability in the Windows print-spooler function to spread between machines that shared a printer. Once again, he tested it on a machine and searched the archive for any evidence that it had been exploited before, but found none. The feeling that had made his hair stand on end weeks earlier was beginning to return. He documented his findings and turned back to the code to continue foraging.

By midafternoon, when Chien came into the office to check on him, O’Murchu was bleary-eyed and needed a break. He handed his findings off to Chien, who continued working on the code until evening. They worked on it some more on Sunday and by the end of the weekend, they’d uncovered an astonishing three zero-day exploits. These, plus the .LNK exploit already discovered, made four zero-day exploits in a single attack.
¹

This was crazy, they thought. One zero day was bad enough. Two was overkill. But four? Who did that? And why? You were just burning through valuable zero days at that point. A top-notch zero-day bug and exploit could sell for $50,000 or more on the criminal black market, even twice that amount on the closed-door gray market that sold zero-day exploits to government cyber armies and spies. Either the attackers had an unlimited supply of zero days at their disposal and didn’t care if they lost a
handful or more, or they were really desperate and had a really good reason to topload their malware with spreading power to make certain it reached its target. Chien and O’Murchu suspected that both might be true.

Chien contacted Microsoft to report the new zero-day exploits they’d found, but discovered that Kaspersky Lab in Russia had already beat them to it. Right after news of Stuxnet had broken, Kaspersky assembled a team of ten analysts to examine the missile portion of the code and within days they had found a second zero-day exploit, followed a week later by the third and fourth. At the time, they had reported the vulnerabilities to Microsoft, which was now working on patches to fix them, but couldn’t go public with the news, under the rules of responsible disclosure, until Microsoft patched the software holes.
²

The four zero-day exploits in Stuxnet were remarkable, but this wasn’t the end of the story. During Chien and O’Murchu’s weekend marathon with the code, they also discovered four additional ways that Stuxnet spread, without the use of zero-day vulnerabilities, for a total of eight different propagation methods. The attack code had a virtual Swiss Army knife of tools to pry its way into a system and propagate.

The most important of these involved infecting the Step 7 project files that programmers used to program PLCs, and hijacking a username (winccconnect) and password (2WSXcder) that Siemens had hard-coded into its Step 7 software.
³
The Step 7 system used the name and password to gain automatic access to a backend database where they injected code to infect the machine on which the database was stored. The database is a shared system that all the programmers working on a Step 7 project can use. Stuxnet would then infect the machine of any programmer who accessed the database. Both of these infection methods increased the
likelihood that Stuxnet would reach a PLC the next time the programmer connected his laptop or a USB flash drive to one to program it. The attackers used a vulnerability in an obscure feature of the Step 7 system to infect the Step 7 project files, indicating they had deep knowledge of the system that few others possessed—another sign of the extensive skill that went into the attack.
⁴

In addition to these spreading mechanisms, Stuxnet had a peer-to-peer component that let it update old versions of itself when new ones were released. This let them update Stuxnet remotely on machines that weren’t directly connected to the internet but were connected to other machines on a local network. To spread an update, Stuxnet installed a file-sharing server and client on each infected machine, and machines that were on the same local network could then contact one another to compare notes about the version of Stuxnet they carried; if one machine had a newer version, it would update the others. To update all the machines on a local network, the attackers would have only had to introduce an update to one of them, and the others would grab it.

It was clear from all the methods Stuxnet used to propagate that the attackers were ruthlessly intent on getting their malware to spread. Yet unlike most malware that used e-mail or malicious websites to spread to thousands of machines at a time, none of Stuxnet’s exploits leveraged the internet.
⁵
Instead, they relied on someone carrying the infection from one
machine to another via a USB flash drive or, once on a machine, via local network connections. Based on this, it appeared the attackers were targeting systems they knew were not connected to the internet and, given the unprecedented number of zero-day exploits they used to do it, they must have been aiming for a high-value, high-security target.

But this roundabout way of reaching their goal was a messy and imprecise method of attack. It was a bit like infecting one of Osama bin Laden’s wives with a deadly virus in the hope that she would have passed it on to the former al-Qaeda leader. The virus was bound to infect others along the way and thereby increase the likelihood of exposing the plot. And, in the end, this is exactly what occurred with Stuxnet. It spread to so many collateral machines that it was only a matter of time before something went wrong and it was caught.

As Chien reviewed the long list of methods and exploits the attackers had used, he realized the collection was far from arbitrary. Each accomplished a different task and overcame different obstacles the attackers needed to achieve their goal. It was as if someone had drafted a shopping list of exploits needed for the attack—something to escalate privileges, something to spread inside a victim’s network, something to get the payload to a PLC—then gave someone the task of buying or building them. It was another indication of how much planning and organization had gone into the attack.

Of all the methods and exploits the hackers used, however, the most crucial to the attack were the .LNK exploit and the infection of the Step 7 project files, because these were the ones that were most likely to get Stuxnet
to its final target—the Siemens PLCs. PLC programmers often crafted their commands on workstations that were connected to the internet but not connected to the production network or to PLCs on a plant floor. To transfer commands to a PLC, someone had to transfer them via a laptop connected directly to a PLC with a cable or to carry them on a USB flash drive to a programming machine, called a Field PG—a Windows laptop used in industrial-control settings. The Field PG is not connected to the internet but is connected to the production network and the PLCs. By infecting Step 7 project files and investing Stuxnet with the power to jump the air gap as a USB stowaway, the attackers had essentially turned every engineer into a potential carrier for their weapon.

Once Chien and O’Murchu documented all of the exploits and vulnerabilities that Stuxnet used to spread, they realized there was something else that stood out about them. A number of them had actually been seen before. Although VirusBlokAda believed the .LNK vulnerability had never been exploited before, Microsoft discovered that another attack had used an .LNK exploit in November 2008. It had been used by criminal hackers to install a variant of the Zlob Trojan onto victim machines.
⁶
Although various antivirus scanners had caught the Trojan at the time it was used, they had failed to spot the zero-day exploit that came with it, leaving the vulnerability open to attack by Stuxnet. The print-spooler exploit had also made a prior appearance—in a Polish security magazine in April 2009. The magazine had published an article about the hole, along with source code for an exploit to attack it.
⁷
News of the vulnerability never reached Microsoft at the time, however, so that vulnerability also remained unpatched.
The hard-coded Siemens password also had been exposed before, when someone published it online to a Siemens user forum in April 2008.
⁸

Chien and O’Murchu wondered if a team of curators had scouted hacker forums and security sites to collect information about holes and exploits that the Stuxnet attackers could use in their assault or if they had simply purchased the exploits readymade from brokers.

Oddly, of all the exploits Stuxnet used, only the print-spooler exploit appeared in the first version of the attack, the one unleashed in 2009. The rest showed up for the first time in the March 2010 attack, which was the one that spread wildly out of control.
⁹
The 2009 version of Stuxnet did spread via USB flash drives, but it used a trick that took advantage of the Autorun feature of Windows to do this.
¹⁰
As noted previously, the Autorun feature could be turned off to thwart malware. So when the next version of Stuxnet was released in March 2010, the attackers swapped out the code for the Autorun feature and replaced it with the .LNK zero-day exploit.

The authors also added one other important feature to the 2010 versions of Stuxnet—the RealTek certificate used to sign the drivers.
¹¹

In looking at modifications the attackers made from 2009 to 2010, it appeared to Chien and O’Murchu that the attack had been deliberately
altered to become more aggressive over time, beginning conservatively in 2009, then amping it up in 2010 by adding more spreading mechanisms—perhaps in a desperate bid to reach their target more quickly or to reach different machines than they had hit in their first attack. The .LNK exploit used in 2010, for example, was a much more efficient spreading mechanism than the Autorun exploit they had used in 2009.
¹²
But while it increased the chance that Stuxnet would reach its target, it also increased the risk that it would spread to other machines. Indeed, with this and other exploits added to the March 2010 version, the malware spread to more than 100,000 machines in and outside Iran.
¹³
None of these collateral infections helped the attackers reach their goal; they only increased their chance of getting caught.
¹⁴
They had to have known the risk they were taking in super-sizing Stuxnet’s spreading power. But apparently it was a risk they were willing to take.