Liam O'Murchu (Symantec)
Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like programming language used to program industrial controllers, it also included the first ever PLC (programmable logic controller) rootkit, which hides that STL code. It further included a zero-day vulnerability to spread via USB drives, a Windows rootkit to hide its Windows binary components, and it signed its files with certificates stolen from unrelated third-party companies. Each of these characteristics is noteworthy in its own right; however, when they all converge within one threat, it is clear that a special force is at work. Any threat capable of taking control of a real-life physical system is worthy of a closer look, and here we present our analysis of such a threat.
We will report on the conclusions from our extensive analysis of the Stuxnet threat, outlining the functionality of the vast array of components used by the threat and illuminating how each component is used. The analysis exposes the true intention of the creators, to take over industrial control systems (ICS), and details exactly how this is performed. The threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date, and it is the aspect of the threat that we find most concerning.
In addition to analysing the code, we also examine the data we received from compromised systems via the command and control servers. Using this data allows us to draw conclusions about who was the target of this threat and who may have been responsible for creating it.
During the presentation we will also show the code used and give demonstrations of the more malevolent and intriguing parts of the threat, namely the PLC/STL rootkit and the ability to control real-life physical systems. With this threat, the attackers are capable of injecting code into industrial control systems and hiding that code from the designers and operators of the ICS, giving the attackers full control over the day-to-day functionality of the physical system under attack.
Many aspects of the threat have not been widely reported in public, but we believe they have significant repercussions for the security industry, and they will no doubt become more commonplace in the future threat landscape.