A look back at one of the industry's most complex attacks -- and the lessons it teaches

Dark Reading Staff, Dark Reading

May 17, 2011

[Excerpted from "Stuxnet Reality Check: Are You Prepared For A Similar Attack," a new report posted this week on the Dark Reading Advanced Threats Tech Center.]

Iranian nuclear facilities, zero-day exploits, secret operatives and nation-state government involvement sound more like the backstory to a spy novel than a piece of malware. Yet Stuxnet, the most researched and analyzed malware ever, is still being studied and discussed in security circles around the world -- even though it was discovered more than a year ago.

You probably don’t operate a nuclear facility, so why should you care about a piece of software that targeted specific centrifuge models in particular nuclear plants in another part of the world? Simply put, Stuxnet made cybernightmares reality and changed the security world forever -- while simultaneously bringing to light the high risks associated with the supervisory control and data acquisition (SCADA) networks that control operations within many energy and utility companies.

How would a Stuxnet-like attack affect your enterprise -- and what can you do to stop it? Let's take a look.

First, why should you be concerned? A recent Ponemon Institute report, "State of IT Security: Study of Utilities and Energy Companies," shows that protecting SCADA systems is clearly the highest security objective within these companies, and the most difficult to achieve. For companies that run SCADA networks, Stuxnet shows the harm a determined, highly skilled attacker with ample resources might do.

For the rest of us, while there are comparisons that could be made between private networks and SCADA networks, the risks are not the same. So your best bet is to understand how Stuxnet works, what it was intended to do and, most importantly, why it was able to be somewhat successful, so that you understand the potential next generation of malware that will attack your network.

Stuxnet was used in a targeted attack on five organizations in June and July 2009 and March, April, and May 2010, all five of which have a presence in Iran. The targeting of specific companies is what sets Stuxnet apart from the traditional advanced persistent threat.

What we generally think of as APTs -- notably, the Aurora attacks on Google, Adobe, Juniper, Rackspace and others -- exploit the same zero-day IE vulnerability, employing the same techniques against multiple companies in an attempt to steal source code.

Stuxnet, on the other hand, was a highly sophisticated, well-financed, custom-designed attack created, apparently, for the single purpose of disrupting the production of enriched uranium in Iran. Think of a conventional APT as a machine gun, aimed at multiple targets within a certain field of fire, vs. Stuxnet, a heat-seeking, GPS-guided missile.

A team of security researchers studied possible defenses against Stuxnet by creating a simulated nuclear plant network configured with all the best IT security practices known at the time of the Stuxnet attacks in 2009 and early 2010. Then the researchers, from Tofino Security, Abterra Technologies and ScadaHacker.com, analyzed each infection, propagation and stealth entry point Stuxnet had used, to determine if those best practices would have prevented the malware infections.

Their conclusion, reported in "How Stuxnet Spreads -- A Study of Infection Paths in Best Practice Systems": "No, you currently cannot really prevent this type of attack." But the researchers provided guidance you will recognize: Don’t focus on the threats; focus on your company’s vulnerability.

USB drives are the first lesson. Removable drive infections are common. Malware is placed on a USB drive or an external hard drive and moved from PC to PC. What makes the Stuxnet version of this kind of attack much deadlier is the use of the zero-day shortcut vulnerability, which does not require any user interaction beyond inserting the drive into the computer.

The best defense is removable storage device security software, available from numerous security vendors, that prevents unknown or unauthorized USB drives, CDs/DVDs, external drives, digital music players and so on from being mounted and loaded by a computer. These tools should be reinforced with policies that specify which, if any, removable storage devices can be used on a particular computer and by whom.

Lesson No. 2 is propagation. Stuxnet relied on network exploits and buried itself in WinCC project files to ensure it would be executed at designated times. This type of propagation requires peer-to-peer communication between workstations.

You can prevent this type of propagation by using host firewalls to filter out potentially dangerous traffic, such as services that let one PC communicate directly with another. Stuxnet used an exploit to send a crafted RPC message from workstation A to workstation B and caused it to execute code that downloaded the malware. If workstation B had had a firewall enabled that prevented inbound connections, the exploit would have failed.
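One way to check where host firewalls are not yet blocking this workstation-to-workstation path, as an added example that is not part of the original article. The log format (`src dst dport action`), the addresses and the workstation subnet are constructed for illustration; the ports are the standard Windows RPC and SMB service ports.

```python
import ipaddress

# Windows services that let one PC talk directly to another:
# 135 = RPC endpoint mapper, 139 = NetBIOS session, 445 = SMB (also carries RPC over named pipes).
PEER_PORTS = {135, 139, 445}

# Constructed sample flow log: "src dst dport action" (not from the article).
SAMPLE_LOG = """\
10.10.20.11 10.10.1.5   445 ALLOW
10.10.20.11 10.10.20.12 135 ALLOW
10.10.20.11 10.10.20.13 445 DROP
10.10.20.14 10.10.20.12 445 ALLOW
10.10.20.11 10.10.20.12 443 ALLOW
this line is malformed
""".splitlines()

def peer_to_peer_flows(log_lines, workstation_net):
    """Return {destination workstation: [(source workstation, port), ...]}
    for allowed RPC/SMB connections where both ends are workstations."""
    net = ipaddress.ip_network(workstation_net)
    exposed = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of failing the audit
        src, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if action != "ALLOW" or port not in PEER_PORTS:
            continue  # dropped by a firewall, or not a peer-to-peer service
        if src_ip in net and dst_ip in net and src_ip != dst_ip:
            exposed.setdefault(dst, set()).add((src, port))
    return {dst: sorted(peers) for dst, peers in exposed.items()}

if __name__ == "__main__":
    for dst, peers in peer_to_peer_flows(SAMPLE_LOG, "10.10.20.0/24").items():
        for src, port in peers:
            print(f"{dst} accepted inbound port {port} from peer {src}")
```

Traffic from a workstation to the file server on 10.10.1.5 is ignored, and so is the connection that a host firewall already dropped; only workstations that still accept inbound RPC or SMB from their peers are reported.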

Lesson No. 3 is authentication. Stuxnet provided a Windows rootkit that did something the security industry hadn’t seen before. It used a legitimate certificate from a legitimate company that makes Windows drivers to mask its identity.

Hiding in plain sight, Stuxnet didn’t have to worry about bloating its code with all the complicated obfuscation techniques that other malware has to use. If you were an administrator, would you question a file in the Windows\System32 folder named MrxNet.sys, written by RealTek and verified with a legitimate certificate?

What you can do today is use file hash and change management tools from companies such as Tripwire to detect these "hide-in-plain-sight" techniques. A change management tool monitoring critical Windows driver folders issues an alert when a new driver is installed. If this install was not on your schedule, it might be someone operating without following change management procedures, or it might be something nasty, like Stuxnet.
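The driver-folder check described above, sketched as an added example that is not from the article or from any vendor's product. The function names, the `approved` change record and the sample files are assumptions made for illustration; a temporary directory stands in for the real drivers folder.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(driver_dir):
    """Map each .sys file name (lower-cased) to the SHA-256 of its contents."""
    digests = {}
    for path in sorted(Path(driver_dir).iterdir()):
        if path.is_file() and path.suffix.lower() == ".sys":
            digests[path.name.lower()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def unscheduled_changes(baseline, current, approved):
    """Return driver changes that have no matching change record.

    approved maps a file name to the digest change management expects after
    a scheduled install. Signature status is deliberately not consulted: a
    validly signed driver that nobody scheduled is still an alert.
    """
    alerts = []
    for name, digest in sorted(current.items()):
        if baseline.get(name) == digest:
            continue  # unchanged since the baseline
        if approved.get(name) == digest:
            continue  # scheduled, and the file is exactly what was approved
        alerts.append(("new" if name not in baseline else "modified", name))
    for name in sorted(set(baseline) - set(current)):
        alerts.append(("removed", name))
    return alerts

def demo():
    """Constructed scenario: one scheduled update and one unscheduled driver."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "disk.sys").write_bytes(b"constructed driver A")
        (folder / "net.sys").write_bytes(b"constructed driver B v1")
        baseline = snapshot(folder)
        (folder / "net.sys").write_bytes(b"constructed driver B v2")
        (folder / "unexpected.sys").write_bytes(b"constructed unscheduled driver")
        approved = {"net.sys": hashlib.sha256(b"constructed driver B v2").hexdigest()}
        return unscheduled_changes(baseline, snapshot(folder), approved)

if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT {kind} driver: {name}")
```

Because the comparison is against the approved digest rather than the signer, a driver carrying a legitimate certificate is reported the same way as any other file that appears without a change record.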

To learn more about how Stuxnet works, and the lessons it teaches for enterprises, download the free report.
