Inside Stuxnet: Why it Works and Why the U.S. Shouldn't Worry
Stuxnet is one of the most dangerous worms of all time, but there is a defense and the U.S. may already have it.
The Stuxnet worm is a new type of security threat that represents a potential risk to critical infrastructure. To date, Stuxnet has reportedly hit Iran the hardest, while speculation abounds as to who is actually behind it.
Tom Parker, director of Security Consulting Services at security vendor Securicon, is taking a deeper look at the technology behind Stuxnet and is detailing his technical analysis of Stuxnet this week at the Black Hat security conference in Washington, D.C. Parker also has some suggestions as to the actual risks that Stuxnet poses and how to mitigate and defend against them.
Parker has analyzed Stuxnet's code complexity, which has led him to several conclusions. Parker has written a plug-in for the IDA Pro debugger that looks for markings within code that might provide an indication of a coder's skills.
"One of the analysis mechanisms I've written looks for amateurish mistakes in code like heavily nested conditional statements," Parker told InternetNews.com. "Typically, a more advanced programmer will be aware of efficiency issues in code and heavily nested statements is a fairly typical mistake among people that are just learning how to program."
Parker analyzed professionally written software, including Microsoft Internet Explorer (IE) and Mozilla Firefox, and compared it against malicious code including Conficker and Stuxnet. Parker noted that Conficker was well written and scored fairly similarly to professionally written software. The Stuxnet dropper that delivers the malicious payload, however, did not score as well.
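The nesting heuristic Parker describes is simple enough to show in code. The following is an added example, not Parker's IDA Pro plug-in: it scans C-like source (the kind of pseudocode a decompiler emits) and reports the deepest chain of nested if/else blocks, skipping braces that appear inside string literals and comments. The two sample functions are constructed for illustration; the threshold of three levels is an assumed cut-off, not a figure from the article.

```python
import re

# Constructed sample: the "heavily nested conditional" pattern the heuristic flags.
AMATEUR_SAMPLE = """
int check(int a, int b, int c) {
    if (a > 0) {
        if (b > 0) {
            if (c > 0) {
                if (a + b > c) {   /* four levels deep */
                    return 1;
                }
            }
        }
    }
    return 0;
}
"""

# Constructed sample: the same logic written with guard clauses.
PROFESSIONAL_SAMPLE = """
int check(int a, int b, int c) {
    if (a <= 0 || b <= 0 || c <= 0) {
        return 0;   // "{" inside a string or comment must not count
    }
    if (a + b > c) {
        return 1;
    }
    return 0;
}
"""

# Tokens we care about: string/char literals and comments (skipped), the
# keywords if/else, braces, and semicolons (which end a brace-less if body).
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'      # string literal
    r"|'(?:\\.|[^'\\])*'"     # char literal
    r'|//[^\n]*'              # line comment
    r'|/\*.*?\*/'             # block comment
    r'|\b(?:if|else)\b'       # conditional keywords
    r'|[{};]',
    re.S,
)


def max_conditional_nesting(src):
    """Return the maximum depth of nested if/else blocks in C-like source.

    Assumes braced blocks, as decompiler output normally is; a brace-less
    'if (x) stmt;' is ignored because the ';' clears the pending keyword.
    """
    block_is_conditional = []  # one entry per open brace
    pending_conditional = False  # saw if/else, waiting for its '{'
    depth = 0
    max_depth = 0
    for match in _TOKEN.finditer(src):
        tok = match.group(0)
        if tok[0] in '"\'/':
            continue  # literal or comment: braces inside do not count
        if tok in ("if", "else"):
            pending_conditional = True
        elif tok == ";":
            pending_conditional = False
        elif tok == "{":
            block_is_conditional.append(pending_conditional)
            if pending_conditional:
                depth += 1
                max_depth = max(max_depth, depth)
            pending_conditional = False
        elif tok == "}":
            if block_is_conditional and block_is_conditional.pop():
                depth -= 1
    return max_depth


def is_heavily_nested(src, threshold=3):
    """Flag source whose conditional nesting reaches the (assumed) threshold."""
    return max_conditional_nesting(src) >= threshold


if __name__ == "__main__":
    for name, sample in (("amateur", AMATEUR_SAMPLE), ("professional", PROFESSIONAL_SAMPLE)):
        print(name, max_conditional_nesting(sample), is_heavily_nested(sample))
```

Run against the two samples, the guard-clause version scores a nesting depth of 1 and the other scores 4; only the latter crosses the assumed threshold. A real triage plug-in would compute this per function over the whole binary and compare the distribution against a baseline of known professional software, which is what Parker's comparison with IE, Firefox and Conficker amounts to.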
"That got me thinking that maybe someone else wrote the advanced components of Stuxnet, then either sold it or gave it to another group that put a wrapper around it," Parker said.
He added that outside of the dropper, Stuxnet has some very advanced components. Stuxnet itself is not entirely uniform either as there are at least four versions, according to Parker.
"Two of them have significant differences from one another," Parker said. "To begin with, Stuxnet didn't have a lot of the Microsoft vulnerabilities in it that later versions exploited."
One such vulnerability involves Windows link shortcut files: the worm places a crafted shortcut file on a removable USB drive, and when a user plugs that drive into a PC, the PC becomes infected.
"This is something that has been added to and improved upon over a period of two to three years," Parker said.
Defending Against Stuxnet
Stuxnet is a worm with its crosshairs targeted on SCADA (Supervisory Control and Data Acquisition) control systems for infrastructure like power plants.
"Control systems are designed around having the minimum required functionality; they're designed to be efficient and reliable," Parker said. "A lot of these systems are reliant on other infrastructure to protect them, and many don't even have password access as they've been operating in closed environments."
Parker noted that SCADA systems are not accustomed to being exposed to the types of threats that are common on the Internet. He therefore expects it will take a long time before SCADA systems can stand on their own against modern Internet attacks.
"It's important that people realize that fixing these systems won't happen overnight," Parker said. "Because of that, we have to put compensating measures in place, like additional layers of firewalls."
Parker added that in the case of Stuxnet, it was cleverly written so someone could take an infected USB key, walk it into a controlled environment, and cause an infection of the SCADA system.
"There really isn't a lot you can do about that from a technological standpoint," Parker said. "That's more of a process issue."
Parker suggested that regulations and process are required to make sure that people make good decisions.
"In the case of Stuxnet it's important that the devices that are being used to program critical SCADA devices are never contaminated by lesser networks like a corporate LAN," Parker said.
From a regulation perspective, the U.S. already has standards in place to help mitigate Stuxnet types of risk. Parker explained that the NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) standards include specifications to reduce risk.
"The aim of those standards is to have good change control, patch management and so forth," Parker said. "Those standards are where PCI was three or four years ago, there are definitely improvements that need to be done."
PCI-DSS is a set of standards for the Payment Card Industry to secure transaction systems. PCI-DSS was recently updated to version 2.0.
"One of the things that CIP does is it very clearly states that you have to have a controlled electronic and physical perimeter around critical assets, to protect against threats that you might experience in the corporate environment," Parker said. "If people adhere to those standards, we're at least raising the bar to help protect against threats like Stuxnet."
That said, Parker noted that the chances are that Stuxnet wasn't targeting the U.S. and was focused mostly on Iran. He added that Iran doesn't have the equivalent of the CIP standards in place.
"It's very unlikely that a lesser developed country like Iran would ever stand a chance against an advanced threat like Stuxnet," Parker said.
October 29, 2010