Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (3 page)
The discovery of the second certificate led to more speculation about how the hackers had obtained these security documents. RealTek and JMicron were both headquartered just two blocks away from each other in the Hsinchu Science and Industrial Park in Hsinchu City, Taiwan. Given their geographic proximity, some speculated that the attackers may have physically broken into the two offices to steal the digital signing keys and certs. Others speculated that the People’s Republic of China was behind the Stuxnet attack and had hacked the two Taiwanese companies to get their digital signing keys and certificates.
Whatever the scenario, it meant the attackers likely had other stolen digital certificates in their arsenal. And if they had gone to this much trouble to make sure their attack would work, it likely meant they had a serious goal and considerable means at their disposal. Many in the security community were left feeling very uneasy and perplexed. “We rarely see such professional operations,” ESET researcher Pierre-Marc Bureau remarked online.
25
As antivirus firms examined the Stuxnet files pouring in from customers, they got another surprise. Based on dates in some of the files, it appeared that Stuxnet had been launched in the wild as early as June 2009, which meant it had been lurking on machines for at least a year before VirusBlokAda discovered it. It also appeared that the attackers had unleashed
their attack in three different waves—in June 2009, and in March and April 2010—changing the code slightly in each of these waves.
One thing that was still a mystery, though, was Stuxnet’s intention. Researchers could find no sign in any of the files that Stuxnet was stealing bank account passwords or other credentials the way so much other malware was designed to do. Neither could they find signs of any other obvious motive in the code. That is, until a researcher in Germany found one possible clue suggesting Stuxnet’s aim.
“Hi guys,” Frank Boldewin wrote to the online forum where Ulasen had first published his notice about Stuxnet, “has anyone … taken a deeper look at the malware?” Boldewin had unwrapped the first layer of covering on one of Stuxnet’s files and found unusual references inside to software made by the German firm Siemens. The attackers appeared to be searching for computers that had one of two Siemens proprietary software programs installed—either Siemens SIMATIC Step 7 software or its SIMATIC WinCC program. Both programs are part of an industrial control system (ICS) designed to work with Siemens programmable logic controllers (PLCs)—small computers, generally the size of a toaster, that are used in factories around the world to control things like the robot arms and conveyor belts on assembly lines.
Boldewin had never seen malware targeting an industrial control system before. There was no obvious financial gain to be made from hacking factory equipment like PLCs, at least not the kind of quick cash that could be made from hacking bank accounts and credit card systems. It could mean only one thing to him. “Looks like this malware was made for espionage,” he wrote.
26
The attackers must have been looking to steal a competitor’s factory design or their product blueprints.
It was an assessment that many in the tech community were all too happy to embrace. Stuxnet appeared to be targeting only systems with the Siemens software installed, which meant that any computer not using the Siemens programs was presumably safe, and their owners could
relax. The systems in Iran that were caught in the reboot loop didn’t have the Siemens software installed, Ulasen discovered, and aside from the system crashes they experienced, it appeared that Stuxnet had caused them no lingering harm.
So within a week or so after the mysterious worm’s brief brush with fame, it appeared that Stuxnet was on its way out the door to lasting obscurity. Microsoft was still working on a patch to fix the security hole the .LNK exploit breached, but as far as most security companies were concerned, once they added signatures to their scanners to detect the worm’s malicious files, Stuxnet held no further interest.
The story of the world’s first digital weapon might well have ended here, except that a few security researchers weren’t quite ready to let it go.
1
Ulasen and his team encountered the malware the week of June 24, 2010.
2
Ulasen has never disclosed the name of the reseller, but a link on VirusBlokAda’s website for its distributor in Iran points to
vba32-ir.com
, a site owned by the Deep Golden Recovery Corporation, a data-recovery firm in Iran.
3
Information about VirusBlokAda’s encounter with the malware comes from interviews with Sergey Ulasen and Oleg Kupreev, as well as from an account published by Kaspersky Lab in 2011, after the Russian antivirus firm hired Ulasen away from VirusBlokAda. That interview, “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” was published November 2, 2011, at
eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight
.
4
A module is a stand-alone component. It is often interchangeable and can be used with various programs.
5
Drivers are software programs that are used as interfaces between a device and a computer to make the device work with the machine. For example, a driver is required to allow a computer to communicate with a printer or digital camera that is connected to it—different drivers are available for different operating systems so that the same device will work with any computer. In this case the drivers were actually rootkits designed to install and conceal malicious files on the machine.
6
The reboot problem didn’t occur on other machines later found to be infected by the malware. So some researchers suspect the problem may have been an incompatibility between one of the malware’s drivers and VirusBlokAda’s antivirus software. The malware used the driver to install itself, and researchers at Kaspersky Lab in Russia suspected that when the driver injected the malware’s main file into the memory of the machines in Iran, this caused some machines to crash. Researchers at Kaspersky Lab later tried to reproduce the problem but got inconsistent results—sometimes a machine crashed, sometimes it didn’t. The irony is that the attackers had put a lot of effort into testing their malware against antivirus scanners from Kaspersky, Symantec, McAfee, and others, precisely to make sure their code wouldn’t be detected by the scanners or crash machines. But they apparently hadn’t tested it against VirusBlokAda’s scanning software. So if VBA’s scanner
was
the problem, it meant this tiny Belarusian firm had been their undoing in more ways than one.
7
Autorun is a convenience feature in Windows that allows programs on a USB flash drive, CD-ROM, or DVD, to automatically launch when the devices are inserted into a computer. It’s a known security risk, however, because any malicious program on the device will automatically launch as well.
8
If Autorun is disabled for security reasons, then the malicious code on the flash drive that exploits this feature will not be able to launch automatically but will launch only if users specifically click on the file to open it.
9
The exploit worked against seven versions of Windows: Windows 2000, WinXP, Windows 2003, Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
10
With Windows Vista and Windows 7, a driver that isn’t signed with a trusted digital certificate that Microsoft recognizes will have trouble installing on the machine. On 32-bit Windows machines that have Vista or Windows 7 installed, a warning will display, telling the user the file is not signed or is not signed with a trusted certificate, forcing the user to make a decision about whether to let it install. On 64-bit Windows machines using either operating system, a file not signed with a trusted certificate simply won’t install at all. The malware VirusBlokAda found only worked on 32-bit Windows machines.
11
Certificate authorities dole out the signing certificates that companies use to sign their code and websites. The CAs are supposed to verify that an entity requesting a certificate has the authority to do so—to prevent someone other than Microsoft from obtaining a code-signing certificate in Microsoft’s name, for example—and to ensure that if someone applies for a signing certificate for a company they claim is theirs, it’s a real company producing real code. Some certificate authorities don’t do due diligence, however, and certificates are sometimes issued to malicious actors. There are also companies that, for a fee, will use their key and certificate to sign code for others. Hackers have used these companies in the past to sign their malware.
12
In September 2012, this is exactly what happened to Adobe. The software giant, which distributes the popular Adobe Reader and Flash Player programs, announced that attackers had breached its code-signing server to sign two malicious files with an Adobe certificate. Adobe stored its private signing keys in a device called a hardware security module, which should have prevented the attackers from accessing the keys to sign their malicious files. But they compromised a build server—a server used for developing software—which had the ability to interact with the code-signing system and get it to sign their files.
13
Ironically, on July 12, 2010, the day Ulasen went public with news about the malware, a researcher with the Finnish security firm F-Secure published a conference presentation about digital certificates, stating that, as of then, malware using stolen certificates had yet to be discovered. He noted, however, that this would inevitably happen now that new versions of Windows treated unsigned drivers with suspicion, pushing hackers to steal legitimate certificates to sign their malware. (See Jarno Niemela, “It’s Signed, Therefore It’s Clean, Right?” presented at the CARO conference in Helsinki, Finland; available at
f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf
.) Indeed, not long after VirusBlokAda’s discovery of the RealTek certificate, other hackers were already attempting to use the same tactic. In September 2010, antivirus firms discovered Infostealer. Nimkey, a Trojan horse specifically designed to steal private key certificates from computers. This was followed over the next two years by a number of malicious programs signed with certificates apparently stolen from various trusted companies.
14
Ulasen contacted Microsoft through a general e-mail address used for its security team. But Microsoft’s security response team receives more than 100,000 e-mails a year, so it was understandable that an e-mail sent to its general mailbox from an obscure antivirus firm in Belarus got lost in the queue.
15
The malware, researchers would later discover, was a combination of a worm and virus. The worm portion allowed it to spread autonomously without user action, but once it was on a system, other components infected files, like a virus would, and required user action to spread.
16
Ulasen published his note on his company’s site at anti-virus.by/en/tempo/shtml and at the Wilders Security forum at
wilderssecurity.com/showthread.php?p=1712146
.
17
Krebs, a former
Washington Post
reporter, runs the
KrebsonSecurity.com
blog, which focuses on computer security and cybercrime. He published his post July 15, 2010, at
krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw
.
18
Lenny Zeltser, “Preempting a Major Issue Due to the .LNK Vulnerability—Raising Infocon to Yellow,” published July 19, 2010, at
isc.sans.edu/diary.html?storyid=9190
.
19
Andreas Marx, head of
AV-TEST.org
in Germany, brokered the introduction with his direct contacts at Microsoft.
20
Microsoft’s advisory appears at
technet.microsoft.com/en-us/security/advisory/2286198
.
21
Most antivirus companies have automated reporting systems that will notify them when a malicious file is detected on a customer’s machine if the customer has opted for this feature. In most cases all that gets sent to the company is a “hash” of the file—a cryptographic representation of the contents of the file composed of a string of letters and numbers produced by running the file through an algorithm—with no indication of who the victim is, other than the sender’s IP address. But in other cases companies can obtain the entire malicious file itself if the victim decides to send it or the antivirus firm determines through the IP address who the victim is and requests a copy of the file.
22
Researchers speculated that the driver might have been used with a new version of Stuxnet the attackers unleashed after tweaking the code to prevent antivirus signatures from detecting it. No later version of Stuxnet has ever been discovered, but see
footnote 41
, for further discussion about a later version of Stuxnet.
23
See Costin G. Raiu and Alex Gostev, “A Tale of Stolen Certificates,” published in
SecureView
, 2nd Quarter 2011, a quarterly newsletter from Kaspersky Lab. The mistakes appear in the digital signature block on the certificate, where a company provides information about itself. In this case, the attackers mistyped the URL for JMicron so that it returned a “server not found” error if someone tried to visit the website. They also failed to fill in several fields for the company’s name, copyright ownership, and other data. In eight of the fields, the words “change me” appeared instead of information.
24
The RealTek certificate was valid from March 15, 2007, to June 12, 2010. The JMicron certificate was valid until July 26, 2012, but once it was revoked by certificate authorities, the attackers couldn’t use it anymore.
25
Pierre-Marc Bureau, “Win32/Stuxnet Signed Binaries,” published August 9, 2010, at
blog.eset.com/2010/07/19/win32stuxnet-signed-binaries
.
26
Boldewin published his note at
wilderssecurity.com/showthread.php?p=1712146
.
500 KILOBYTES OF MYSTERY
