W32.Stuxnet Dossier
Available from www.privacywonk.net
Page 1
W32.Stuxnet Dossier
Security Response
Contents
Introduction (page 1)
Executive Summary (page 2)
Attack Scenario (page 3)
Timeline (page 4)
Infection Statistics (page 5)
Stuxnet Architecture (page 8)
Installation (page 12)
Load Point (page 16)
Command and Control (page 17)
Windows Rootkit Functionality (page 20)
Stuxnet Propagation Methods (page 21)
Modifying PLCs (page 32)
Payload Exports (page 44)
Payload Resources (page 45)
Variants (page 47)
Summary (page 50)
Appendix A (page 51)
Appendix B (page 53)
Appendix C (page 54)
Revision History (page 63)
Nicolas Falliere, Liam O Murchu, and Eric Chien
W32.Stuxnet Dossier
Version 1.3 (November 2010)
While the bulk of the analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months, well beyond the cited authors. Without their assistance, this paper would not be possible.
Introduction
W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities. We have already covered some of these components in our blog series on the topic. While some of the information from those blogs is included here, this paper is a more comprehensive and in-depth look at the threat.
Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion
Page 2
techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. We take a look at each of the different components of Stuxnet to understand how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting and relevant part of the threat.
Executive Summary
Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.
Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
• Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732).
• Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four unpatched Microsoft vulnerabilities: two are the previously mentioned vulnerabilities used for self-replication, and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
• Contains a Windows rootkit that hides its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for PLCs.