Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

by Kim Zetter

  33 Iran released the details of its nuclear history piecemeal over a number of years, and they were relayed in IAEA reports as the agency received them, beginning in 2004. The details from Iran, however, did not always jibe with information the IAEA and reporters received from other sources.

  34 Albright, Peddling Peril, 185.

  CHAPTER 4

  STUXNET DECONSTRUCTED

  In the first days after the news of Stuxnet broke, nearly a dozen Symantec researchers on three continents were involved in the company’s initial analysis of the code. But very quickly that dropped down to just three—Chien, O’Murchu, and Falliere—as other analysts fell away to focus on new threats that were coming in. Now, nearly a week after Stuxnet had been exposed, the three analysts were still picking apart the “missile” portion of the attack and hadn’t even begun to examine the payload yet.

  Like conventional weapons, most digital weapons have two parts—the missile, or delivery system, responsible for spreading the malicious payload and installing it onto machines, and the payload itself, which performs the actual attack, such as stealing data or doing other things to infected machines. In this case, the payload was the malicious code that targeted the Siemens software and PLCs.

  With so much work on Stuxnet still to be done, Chien had the task of convincing his managers that he and his team should continue digging through the code, even though it was already becoming yesterday’s news. Every Wednesday, he had a video conference call with the company’s threat managers around the world to review all of the major infections they were investigating at the time and to talk about strategy. The first Wednesday after Stuxnet was exposed, the puzzling attack was at the top of their agenda.

  Symantec’s offices in Culver City occupy a large and airy building on a nine-acre business campus dotted with palm trees and desert shrubs. The modern, five-story structure is a stark contrast to VirusBlokAda’s cramped Communist-era office, with a spacious, high-ceilinged atrium and large cement-tile floors that clink like hollow glass when visitors walk on them, due to tunnels beneath that house the building’s power and ventilation systems. The Symantec office complex is LEED–gold certified for its environment-friendly architecture, with solar-reflecting roof to ward off the relentless Southern California sun and a glass façade designed to give every occupant a view, or at least what passes for one in this uninspired neighborhood of shopping malls and freeways near the Los Angeles airport.

  The videoconference room was a small, windowless space tucked into a forgotten neighborhood of the building’s third floor that was reached via a circuitous route from the malware lab. Inside the room, three large video screens, mounted at eye level on a wall in front of a row of tables, made it appear as if the virtual visitors were seated directly across from Chien.

  Chien laid out a summary of O’Murchu’s early findings for his managers—the code’s abnormally large size, its sophisticated method for loading and hiding its files, and the mysterious payload that seemed to target only Siemens PLCs. He also revealed the bizarre geographic pattern of the infection data pouring into their sinkhole. The possible political implications of the attack, however, remained unspoken.

  “We want to put Nico on this full-time,” Chien then told his managers, referring to Falliere in France. “And I think Liam and I should continue working on it as well.” There was one catch, however. He had no idea how long it would take them to finish analyzing the code.

  Typically, the company’s research teams analyzed about twenty malicious files a day, so devoting three top analysts to a single threat indefinitely didn’t make any business sense. They’d done this only once before, with the Conficker worm in 2008. But Conficker was a shape-shifting worm that infected millions of machines around the world and left a lot of still-unanswered questions in its wake, including why the worm had been created in the first place.1 Stuxnet, by contrast, infected only a fraction of Conficker’s numbers and had a targeted focus on an even smaller subset—the Siemens PLCs. Yet something about the mysterious code cried out for further investigation, and Chien’s managers agreed they shouldn’t drop it just yet. “But keep us posted on what you find,” they said, with little idea that their weekly meetings would be dominated by talk of Stuxnet for months to come.

  Chien and his colleagues seized the opportunity to dive into the code, taking it on as a personal obsession. But no sooner had they begun the operation than they realized they were headed into uncharted territory with little help to guide them.

  SYMANTEC IS A large, international corporation, but Chien and O’Murchu worked out of a small satellite office, going at it primarily alone with little input. They worked in Symantec’s Threat Intelligence Lab in Culver City, the cyber equivalent of a biodefense lab, where researchers could unleash malevolent code on a “red” network—a sandboxed system air-gapped from Symantec’s business network—to observe its hostile behavior in a controlled environment. To reach the ground-floor lab, workers passed through several sets of security doors, each with progressively more restrictive rules. The final gateway kept all but a handful of workers out and physically isolated the red network from computers connected to the outside internet. Portable media were prohibited here—no DVDs, CD-ROMs, or USB flash drives were allowed—to prevent workers from mindlessly slipping one into an infested machine and inadvertently carrying it out of the lab with a malicious specimen stowed away on it.

  The term “threat intelligence lab” conjures a sterile workshop with scientists in white coats bent over microscopes and Petri dishes. But Symantec’s lab was just a nondescript office space filled with mostly empty cubicles and a handful of workers who stared intently at their monitors all day, mostly in silence, doing methodical and seemingly tedious work. There were no pictures on the walls; no Nerf guns or other goofy office games that workers sometimes play to blow off steam; no plants, fake or otherwise, to give the space a homey feel. The only greenery came courtesy of a wall of windows overlooking a grassy, tree-covered hill—the kind that business parks manufactured to simulate nature for shut-in workers.

  O’Murchu’s cubicle was barren of any personal touch, aside from a lone panoramic shot of the Grand Canyon, bathed in pink and mauve sunset hues, that commemorated a road trip he took with his father the previous year. He had two research computers on his desk that were attached to the red network and a third, for reading e-mail and surfing the web, that consisted of just peripherals—a keyboard, monitor, and mouse—connected via snaking cables to a hard drive secreted outside the lab in a server closet, safely quarantined from the hostile network.

  Chien’s cubicle, which shared a wall with O’Murchu’s, was only slightly more personal, with an odd assortment of art postcards and pirate flags next to an enamel-coated door sign that read CHIEN LUNATIQUE—a pun on his name. Translated loosely from the French it meant “Beware of Dog,” but Chien preferred the more literal translation, “Mad Dog.”

  Chien was thirty-nine years old but looked a decade younger. Tall, with a lanky frame and wire-rimmed glasses, he had a wide, engaging grin with cavernous dimples that sank deep into his cheeks whenever he laughed, and he talked in rapid-fire bursts whenever he got excited about a topic he was discussing. Chien had enjoyed a long and successful career in security, but in a highly competitive field where professionals often hyped their skills and experience to stand out among competitors, he was the opposite, modest and understated, preferring to focus on the forensics instead of the flash.

  Of the three of them, he had worked at Symantec the longest. It was his first job out of college, but he fell into it completely by chance. In the early ’90s at UCLA, he studied a mix of genetics, molecular biology, and electrical engineering, and like O’Murchu was well on his way to a career in science. But after graduating in 1996, he followed a few friends to Symantec, intending to stay just a couple of years to earn money for grad school. But he never left.

  Cybersecurity was still a nascent field and it was easy to get a job without training or experience. Chien knew nothing about viruses at the time, but had taught himself x86 assembly, the programming language most malware is written in, and that was enough. The best analysts weren’t trained computer engineers anyway. Engineers built things, but virus wranglers tore them apart. Even with computer security an established profession built on training courses and certifications, Chien favored job candidates who had no experience but had an unquenchable curiosity and a nagging need to solve puzzles and tear things apart. It was easy to teach someone how to code virus signatures, but you couldn’t teach curiosity or instill in someone a passion for knowing how things worked. The best researchers had an obsessive streak that made them dog a piece of code until it relinquished its secrets.

  When Chien joined Symantec, antivirus researchers were like the Maytag repairman in those iconic ads—they had a lot of downtime. Viruses were still rare and tended to spread slowly via floppy disks and the “sneaker net”—carried from one computer to another by hand. Customers who thought they were infected with a virus would mail the suspicious file on a floppy disk to Symantec, where it might sit in a desk tray for a week or more before Chien or one of his colleagues wandered by and picked it up. Most of the time, the files turned out to be benign. But occasionally, they found a malicious specimen. When that occurred, they dashed off some signatures to detect it, then threw them onto another floppy disk and mailed it back to the customer along with instructions for updating their virus scanner.

  It wasn’t long, though, before malware evolved and the landscape changed. The introduction of Microsoft Windows 98 and Office, along with the expanding internet and proliferation of e-mail, spawned rapid-spreading viruses and network worms that propagated to millions of machines in a matter of minutes. The Melissa virus in 1999 was one of the most notorious.2 Launched by a thirty-one-year-old New Jersey programmer named David Smith, it came embedded in a Word document that Smith posted to the alt.sex.usenet newsgroup. Smith knew his target audience well—he enticed them to open the file by claiming it contained usernames and passwords to access porn sites. Once opened, Melissa exploited a vulnerability in the macro function of Microsoft Word and e-mailed itself to the first fifty contacts in the victim’s Outlook address book. Within three days the world’s first mass-mailing virus had spread to more than 100,000 machines, a spectacular record at the time, but quaint by today’s standards. In addition to spreading via Outlook, it slipped a nerdy Scrabble reference into documents on infected machines: “twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.” Melissa was relatively benign, but it opened the way to other fast-moving viruses and worms that would dominate headlines for years.3

  As the threat landscape expanded, Symantec realized it needed to halt infections faster, before they began to spread. When the company first entered the antivirus business, it was considered a good response time to turn a threat around—from discovery to delivery of signatures—within a week. But Symantec aimed to reduce this to less than a day. To accomplish this, the company needed analysts in multiple time zones to spot viruses in the wild when they first appeared and get signatures out to US customers before they woke up and began clicking on malicious e-mail attachments.

  Chien had already surpassed his two-year plan with Symantec by then. He’d saved enough money for grad school and planned to move to Colorado to snowboard and cycle before applying to science programs. But Symantec dangled an enticing offer—a post in the Netherlands instead. The company had a tech support and sales office outside Amsterdam but wanted a team of malware analysts too. Chien couldn’t say no. He landed in the Netherlands days before the Love Letter worm crippled the internet in May 2000. The worm began as a college student’s mischievous class project in the Philippines but then spread rapidly to millions of machines worldwide. It was the perfect test for Symantec’s new European rapid-response team, even if that team consisted of just one. Within a record twenty minutes Chien had analyzed the code and crafted signatures to detect it. (Sadly, the achievement was all for naught, since Love Letter sucked up so much internet bandwidth that customers couldn’t reach Symantec’s servers to download the signatures.) As soon as the crisis passed, Chien hired four more researchers to complete his Amsterdam team, and they were all in place when the next big threat—the Code Red worm—hit the following year.

  He moved to Tokyo for a brief period to open another research office. Then, in 2004, Symantec moved its European headquarters from Amsterdam to Dublin, and Chien went with it. Shortly after, he bulked up the research team with more than a dozen new hires, including O’Murchu. In 2008 he returned to the United States, along with his new wife, a Frenchwoman who had worked in Symantec’s Netherlands office. He was later joined in California by O’Murchu.

  Now in Culver City, the two of them and Falliere faced a daunting task in deconstructing Stuxnet.

  THE FIRST OBSTACLE the researchers encountered occurred when they tried to decrypt all of Stuxnet’s code. As O’Murchu had already discovered, the core of Stuxnet was a large .DLL file that got deposited onto machines. This came packaged with dozens of smaller .DLLs and components inside of it, all wrapped together in layers of encryption that had to be cracked and removed before they could decipher the code. Luckily, the keys for unlocking them were in the code itself; every time Stuxnet landed on a Windows machine, it used the keys to decrypt and extract each .DLL and component as needed, depending on the conditions it found on the machine. At least this was how it was supposed to work. Some of the keys weren’t getting activated on their test machine—the final ones needed to unlock the payload.

  O’Murchu dug through the code, trying to find the reason, and that’s when he discovered references to specific brands of Siemens PLCs. Stuxnet wasn’t just hunting for systems with Siemens Step 7 or WinCC software installed; they also had to be using a specific line of Siemens PLCs—the company’s S7-315 and S7-417 programmable logic controllers. Only this combination of software and hardware triggered Stuxnet’s keys to unlock and release the payload.

  The only problem was, Chien and O’Murchu had neither—the Siemens software nor the PLCs. Without them, they had to use a debugger to poke and prod the code to find the keys and manually unlock the payload.

  The debugging program, a mainstay for reverse engineers, let them walk through the code step-by-step—like a stop-motion camera—to isolate each function and document its activity. Using this, they singled out each section of code that contained commands for decrypting the malware and followed the commands to find the keys. But locating the keys was only half the trick. Once they had all the keys, they had to find the encryption algorithm that each key unlocked. It took several days of digging, but when they had all the parts unlocked, they could finally see every step that Stuxnet took during its initial stages of infection.4

  One of the first things Stuxnet did was determine if the computer was a 32-bit or 64-bit Windows machine; Stuxnet only worked with 32-bit Windows machines. It also determined if the machine was already infected with Stuxnet. If it was, Stuxnet made sure the resident malware was up to date and simply swapped out any old files for the latest ones. But if Stuxnet found itself on a new machine, it began an elaborate infection dance, racing rapidly through a succession of steps to scope out the landscape of the machine and determine the best way to proceed.

  During this process, one of its rootkits quickly took up position on the machine to blind the system to Stuxnet’s files on the USB flash drive. It did this by hooking the system so the file names couldn’t be seen by virus scanners—the equivalent of hiding them in a scanner’s shadow. If the scanner tried to read the contents of the flash drive, the rootkit intercepted the commands and served back a modified list that didn’t include Stuxnet’s files. But some scanners couldn’t be bypassed in this way. Stuxnet knew which scanners were trouble and modified its methods accordingly if it found one of these on a machine. If Stuxnet determined it couldn’t bypass a scanner at all, it halted the infection and shut itself down.

  But if Stuxnet decided to proceed, the second driver then got activated. This one had two tasks—the first was to infect any USB flash drive that got inserted into the machine, which it would do for only twenty-one days after Stuxnet infected the machine.5 The second, and most important, task was to decrypt and load the large .DLL, and its various components, into the machine’s memory using the novel techniques O’Murchu had documented. First it unwrapped and decompressed the .DLL to release the smaller .DLLs inside, then it loaded them into memory. Because the files were running in memory, any time the machine rebooted, the files got wiped away, so the driver also had to reload them in memory after each reboot.

  Once the large .DLL and its contents were all unpacked and loaded into memory, Stuxnet searched for new machines to infect and called home to the command-and-control servers to report its new conquest—but unless it found the Siemens Step 7 or WinCC software installed on the machine, Stuxnet would go dormant on the machine once these steps were done.

  So now the Symantec researchers knew how Stuxnet propagated and loaded its files, but they still didn’t know why it was created or what it was designed to do. The answers to these questions were still buried within its payload.

  As O’Murchu reflected on what they had uncovered so far in the missile portion of the code, he couldn’t help but admire the artful handiwork the attackers had put into their attack—the clever ways they solved problems they expected to encounter, and the numerous scenarios they had to test before releasing their code. Not all of Stuxnet’s features were impressive on their own, but as a whole the attack posed a formidable threat.
