by Kim Zetter
Once Chien and O’Murchu documented all of the exploits and vulnerabilities that Stuxnet used to spread, they realized there was something else that stood out about them. A number of them had actually been seen before. Although VirusBlokAda believed the .LNK vulnerability had never been exploited before, Microsoft discovered that another attack had used an .LNK exploit in November 2008. It had been used by criminal hackers to install a variant of the Zlob Trojan onto victim machines.6 Although various antivirus scanners had caught the Trojan at the time it was used, they had failed to spot the zero-day exploit that came with it, leaving the vulnerability open to attack by Stuxnet. The print-spooler exploit had also made a prior appearance—in a Polish security magazine in April 2009. The magazine had published an article about the hole, along with source code for an exploit to attack it.7 News of the vulnerability never reached Microsoft at the time, however, so that vulnerability also remained unpatched. The hard-coded Siemens password also had been exposed before, when someone published it online to a Siemens user forum in April 2008.8
Chien and O’Murchu wondered if a team of curators had scouted hacker forums and security sites to collect information about holes and exploits that the Stuxnet attackers could use in their assault or if they had simply purchased the exploits readymade from brokers.
Oddly, of all the exploits Stuxnet used, only the print-spooler exploit appeared in the first version of the attack, the one unleashed in 2009. The rest showed up for the first time in the March 2010 attack, which was the one that spread wildly out of control.9 The 2009 version of Stuxnet did spread via USB flash drives, but it used a trick that took advantage of the Autorun feature of Windows to do this.10 As noted previously, the Autorun feature could be turned off to thwart malware. So when the next version of Stuxnet was released in March 2010, the attackers swapped out the code for the Autorun feature and replaced it with the .LNK zero-day exploit.
The authors also added one other important feature to the 2010 versions of Stuxnet—the RealTek certificate used to sign the drivers.11
In looking at modifications the attackers made from 2009 to 2010, it appeared to Chien and O’Murchu that the attack had been deliberately altered to become more aggressive over time, beginning conservatively in 2009, then amping it up in 2010 by adding more spreading mechanisms—perhaps in a desperate bid to reach their target more quickly or to reach different machines than they had hit in their first attack. The .LNK exploit used in 2010, for example, was a much more efficient spreading mechanism than the Autorun exploit they had used in 2009.12 But while it increased the chance that Stuxnet would reach its target, it also increased the risk that it would spread to other machines. Indeed, with this and other exploits added to the March 2010 version, the malware spread to more than 100,000 machines in and outside Iran.13 None of these collateral infections helped the attackers reach their goal; they only increased their chance of getting caught.14 They had to have known the risk they were taking in super-sizing Stuxnet’s spreading power. But apparently it was a risk they were willing to take.
It was easy, in fact, for the researchers to track the exact paths that Stuxnet took in spreading. Tucked inside every copy of Stuxnet, the researchers found a little gem that helped them trace the course the malware had traveled in trying to reach its goal—a small log file containing data about every machine that it had infected. As the worm slithered its way through machines in search of its target, it logged the IP address and domain name of each of its victims, as well as a timestamp of when the infection occurred based on the machine’s internal clock. It stored the data, about 100 bytes in size, in the log file, which grew as the worm passed from machine to machine. Thus, every copy of Stuxnet collected from infected machines contained a history of every computer it had infected up to that point, leaving a trail of digital breadcrumbs that Chien and O’Murchu could trace back to the initial victims. The log had been designed to help the attackers track the path Stuxnet took, but they likely hadn’t counted on someone else using it for the same purpose.15
Chien and O’Murchu examined 3,280 copies of Stuxnet collected from infected machines by various antivirus firms, and based on the data in the log files, it appeared the attackers had launched their offensive against a cluster of five companies in Iran, likely chosen for their ability to provide a gateway for Stuxnet to reach its target. Each of the companies was hit by one or more versions of the malware launched in June 2009 and in March and April 2010. Symantec counted 12,000 infections at these five targets, and from these initial victims Stuxnet then spread to more than 100,000 machines in more than 100 countries.
Symantec has never publicly identified the companies, due to its policy of not naming victims, and has only referred to them as Domain A, B, C, D, and E in public documents. But the names of the victims are in the log files for others to see. They were Foolad Technique, Behpajooh, Kala, Neda Industrial Group, and a company only identified in the file as CGJ, believed to be Control Gostar Jahed. Kala was believed to refer to the same Kala Electric, or Kalaye Electric, that the Iranian opposition group, NCRI, had mentioned in their 2002 press conference as a front company for Iran’s uranium enrichment program.
Although the attack struck some of the companies multiple times, the same machines were not always hit each time, suggesting the attackers may have been looking for better-placed machines each time they unleashed their attack or for ones that offered different routes to the targets to increase the likelihood that they would succeed. Only one of the companies, Behpajooh, was hit in all three attacks, suggesting it may have provided the best route to the targeted machines. This company was also, however, the victim that caused the most collateral damage. It was the only target hit in the March 2010 attack, which was the one that spread out of control. Of the 12,000 infections that occurred at these five companies, 69 percent could be traced to this single victim.
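The tracing work described above, reduced to its core, is a chain-merging problem: each collected sample carries an ordered history of the hosts it passed through, and overlapping histories can be merged into one propagation tree whose roots are the initial victims. The following is an added illustration, not Symantec's or the book's own code; the record layout (ip, domain, timestamp), the host identity rule and every sample value are constructed assumptions, since the real on-disk format is not described here.

```python
"""Reconstruct propagation chains from per-sample infection logs (added example).

Each sample's log is ordered: log[0] is the initial victim, log[-1] is the
host the sample was collected from. Record layout and all values below are
constructed assumptions, not the real Stuxnet log format.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

HostKey = Tuple[str, str]


class Hop(NamedTuple):
    ip: str
    domain: str
    ts: int  # infection time per the victim's own clock, so not trustworthy


# Constructed logs from four "collected" copies. Domains are placeholders.
SAMPLES: List[List[Hop]] = [
    [Hop("10.1.0.5", "domain-b.test", 100), Hop("10.1.0.9", "domain-b.test", 160),
     Hop("192.0.2.7", "contractor.test", 400)],
    [Hop("10.1.0.5", "domain-b.test", 100), Hop("10.1.0.22", "domain-b.test", 150),
     Hop("198.51.100.3", "client-abroad.test", 90)],  # this machine's clock runs behind
    [Hop("10.1.0.5", "domain-b.test", 100), Hop("10.1.0.9", "domain-b.test", 160)],
    [Hop("10.2.0.1", "domain-a.test", 120), Hop("10.2.0.3", "domain-a.test", 300)],
]


def host_key(h: Hop) -> HostKey:
    """Private IP ranges collide across sites, so identify a host by (ip, domain)."""
    return (h.ip, h.domain)


def build_tree(samples: List[List[Hop]]) -> Tuple[Dict[HostKey, Set[HostKey]], Set[str]]:
    """Merge overlapping chains into a parent->children map; also return root domains."""
    children: Dict[HostKey, Set[HostKey]] = defaultdict(set)
    roots: Set[str] = set()
    for log in samples:
        if not log:
            continue
        roots.add(log[0].domain)  # first entry of every chain is an initial victim
        for parent, child in zip(log, log[1:]):
            children[host_key(parent)].add(host_key(child))
    return children, roots


def share_by_root(samples: List[List[Hop]]) -> Dict[str, float]:
    """Fraction of all distinct infected hosts traceable to each initial victim domain."""
    hosts_by_root: Dict[str, Set[HostKey]] = defaultdict(set)
    for log in samples:
        if log:
            hosts_by_root[log[0].domain].update(host_key(h) for h in log)
    total = len(set().union(*hosts_by_root.values())) if hosts_by_root else 0
    return {r: len(hs) / total for r, hs in hosts_by_root.items()} if total else {}


def clock_anomalies(samples: List[List[Hop]]) -> List[HostKey]:
    """Hops stamped earlier than their parent: a reminder that each timestamp is local."""
    return [host_key(c) for log in samples for p, c in zip(log, log[1:]) if c.ts < p.ts]
```

Because the timestamps come from each victim's own clock, ordering should be taken from chain position, and `clock_anomalies` only flags entries whose clocks disagree with that order.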
* * *
1 The fourth exploit they uncovered attacked a vulnerability in the Windows task scheduler. This and the Windows keyboard exploits were used to gain Stuxnet higher privileges on a machine. If the user account on a machine had limited privileges that prevented Stuxnet from installing itself or performing any other functions, the two exploits escalated these to system-level or “administrative” privileges that gave Stuxnet permission to do what it wanted without displaying any warnings or asking for an actual administrator’s approval.
2 Microsoft and Kaspersky Lab began publishing information about the three other zero-day vulnerabilities in mid-September.
3 A hard-coded password is one that the software maker embeds in their code so that the system can do certain things automatically, without the user needing to enter a password. Often, the passwords can’t be changed without creating problems for the system. But hard-coded passwords are a security hazard because it means that every system has the same password, and someone can discover the password by reading the code.
4 Chien and O’Murchu learned about the obscure nature of the vulnerability in the Step 7 system after consulting with control system experts like Eric Byres of Tofino Security, who had deep knowledge of the Siemens software. The vulnerability lay in the fact that the files were designed so that programmers could add more than simple data to a Siemens project file. It wasn’t a vulnerability per se, but a feature, since Siemens had intentionally included this in the design of its files. But Stuxnet exploited it to slip its .DLL into the files. This alone wasn’t sufficient to get Stuxnet to infect a system when a project file was opened, however. Stuxnet also had to modify critical portions of the project file, including configuration data, to make sure the .DLL got loaded to any machine that opened the file.
5 The seventh method Stuxnet used to spread was via network shares—by infecting resources and files that were shared by multiple computers on a local network. The eighth method involved an exploit that targeted a two-year-old Windows vulnerability that Microsoft had already patched. It was a vulnerability that Conficker had used previously in November 2008. Microsoft patched the vulnerability in October 2008 after hackers in China had used it first to spread a Trojan horse. Microsoft issued a rare out-of-band patch for the hole—out-of-band patches are ones released ahead of a company’s regular patch schedule when a security hole is serious—after realizing the hole could be easily used to spread a worm. Unfortunately, the makers of Conficker realized this too, and didn’t waste time using it to spread their worm the next month. Even though Microsoft had released a patch by then, the Conficker team gambled on the fact that many computer users don’t keep current with patches. They won the bet. An estimated one-third of Windows machines remained unpatched, and by April 2009 Conficker had infected millions of them. When Stuxnet was released two months later, its attackers gambled on the same bet. But Stuxnet only used this exploit to spread under certain conditions; it wasn’t a primary method of propagation.
6 Zlob generated pop-up windows on infected machines that looked like legitimate Microsoft alerts, warning users that their machines were infected and urging them to click a link to download an antivirus program. The antivirus program that got downloaded, however, was a malicious backdoor that allowed the attacker to do various things on infected machines. The .LNK exploit was an ingenious attack, but it wouldn’t have been much use to the Zlob gang and other cybercriminals, whose goal was to infect as many machines as possible in a short amount of time. The .LNK exploit spread malware at a slow rate since it was reliant on a USB flash drive being hand-carried from machine to machine. The Zlob gang was better off using an exploit that could infect thousands of machines over the internet.
7 Carsten Kohler, “Print Your Shell,” Hakin9, April 1, 2009, available at hakin9.org/print-your-shell.
8 The password was posted in April 2008 by someone named “Cyber” after another user complained that his Siemens system had stopped working after he changed the hard-coded default password. He couldn’t remember the original password to restore it, so “Cyber” posted it online to help him out. The passwords were subsequently deleted from the Siemens forum after someone chastised Cyber for posting them online. But the same passwords were also posted to a Russian-language Siemens forum by someone named “Cyber” and were still there when Stuxnet was discovered, though the page where they were posted has since moved or been deleted. The English-language forum where the password was posted is available at: automation.siemens.com/forum/guests/PostShow.aspx?PostID=16127&16127&Language=en&PageIndex=3.
9 In all three versions of Stuxnet—June 2009 and March and April 2010—the only part of the attack that changed was the missile portion of the code with the spreading mechanisms; the payload targeting the PLCs remained the same.
10 The Autorun trick doesn’t count as a zero-day vulnerability since it’s a feature of the Windows system, which attackers simply have found to be advantageous for spreading their malware. See footnotes 7 and 8 for previous discussion of Autorun.
11 The attackers had to add the certificate to the 2010 version of Stuxnet because in late 2009, Microsoft released a new version of its operating system, Windows 7, which, as previously noted on this page, included a new security feature that prevented drivers from installing unless they were digitally signed with a valid certificate.
12 As previously noted, many companies disable Autorun because it’s a security risk. The .LNK feature couldn’t be disabled in the same way, and because the vulnerability affected every version of Windows since Windows 2000, it made more machines vulnerable to it.
13 There’s a caveat regarding the extensive spread of the 2010 version compared to the 2009 version. Chien and O’Murchu examined 3,280 copies of Stuxnet collected from infected machines by various antivirus firms. The June 2009 version of Stuxnet accounted for only 2 percent of these; the rest were from the March and April 2010 versions. The limited number of 2009 samples found is presumed to be due to the fact that this version spread less and infected fewer machines outside of Iran. But it could also be that the 2009 version got replaced on machines by the March 2010 version when it was released. Anytime Stuxnet encountered a machine, it looked to see if an older version of itself was already on the machine and replaced it with the new version. This could have resulted in fewer 2009 samples in the wild for researchers to find. It’s just as likely, however, that the limited number of 2009 copies was due to the limited ways in which it could spread.
14 The fact that Stuxnet spread via USB flash drives and local networks instead of through the internet should have made it less likely to spread so widely, yet it did. This probably occurred because some of the companies infected in Iran had satellite offices outside Iran or used contractors who had clients in other countries and spread the infection each time they connected an infected laptop to another client’s network or used an infected USB flash drive at multiple sites. After Stuxnet was discovered, the Symantec researchers sifted through their archive for any copies of Stuxnet that might have been caught and flagged as suspicious by their automated reporting system before VirusBlokAda discovered it in June 2010. They found one copy of the March 2010 version of the code on a customer’s machine in Australia that had been flagged by their reporting system the month that version of Stuxnet was released. This showed just how far the malware traveled in a short time and how inevitable it was that it was going to eventually get caught.
15 The attackers could have retrieved the log remotely from an infected system that contacted their command servers.
CHAPTER 7
ZERO-DAY PAYDAYS
Stuxnet’s zero-day exploits raised a lot of troubling questions about the burgeoning role of governments in the secret sale and use of such exploits—questions that have yet to be considered by Congress or resolved in public debate, despite evidence that the practice is creating dangerous vulnerabilities for corporations, critical infrastructure, and individual computer users alike.
Although the market for zero-day vulnerabilities and exploits has been around for more than a decade, until recently it was fairly small and lurked in the closed, underground world of hackers and criminals. In the last few years, however, it has gone commercial and exploded as the number of buyers and sellers has ballooned, along with prices, and the once murky trade has become legitimized with the entry of government dollars into the arena to create an unregulated cyberweapons bazaar.
One of the first hints of the free-market commercialization of zero days appeared in December 2005, when a seller named “fearwall” posted a zero-day vulnerability for sale on eBay and sparked fears that legitimate security researchers and bug hunters would soon go the way of mercenaries and sell their skills and wares to the highest bidder instead of handing information about software holes over to vendors to be fixed. Before putting his Windows Excel zero day on the auction block, fearwall did disclose information about the vulnerability to Microsoft, as “responsible” researchers were expected to do, but the software giant was noncommittal about fixing it, and Microsoft didn’t have a bounty program at the time that paid researchers for the bugs they disclosed. So fearwall decided to offer his bug to the open market to embarrass the software giant and force it to fix the hole faster. The bidding reached only $60 before eBay yanked the listing. But the aborted sale was a foreshadowing of things to come.
Today the markets for zero-day vulnerabilities and exploits are legion—from the white-market bug bounty programs offered by software makers and website owners themselves to the thriving underground black markets run by criminal hackers to the clandestine gray markets that feed the bottomless demand of law enforcement and intelligence agencies around the world.
The white-market bounty programs offered by Google, Microsoft, and other companies now pay for information about security holes in their software, and have made the companies more responsive about fixing them. Third-party security firms like HP TippingPoint also pay for zero days, which they use to test the security of customer networks and protect them against attacks. TippingPoint discloses the vulnerabilities privately to software vendors so they can be fixed, but patches can take weeks or months to produce, and during that time TippingPoint gets a leg up on competitors by being able to protect customers from attacks that they don’t know about yet.
The thriving underground black market that caters to crooks and corporate spies sells not just zero-day vulnerabilities and exploits but also the payloads to weaponize the exploits—Trojan horses, spy kits, and other malicious tools designed to steal online banking credentials and company secrets or amass armies of zombie computers for a botnet. Vulnerabilities sold on this market become known to the public and vendors only after attacks that use them are discovered, something that can take years to occur, as evidenced by the length of time it took researchers to discover the .LNK exploit that Stuxnet, and the Zlob Trojan before it, used.
But the underground criminal sales—troubling as they are—are rapidly being eclipsed by the newest market for zero-day vulnerabilities and exploits, one that critics predict will soon have a more serious effect on security than the criminal market. This is the flourishing gray market of digital arms dealers—defense contractors and private marketeers—whose government customers have driven up the price of zero days and enticed sellers away from the vendor bounty programs where the holes will be fixed and into the arms of people who only want to exploit them.