Stuxnet - How the **** did it work?

swedeleaner

All of you are probably familiar with Stuxnet and what it did.

If you need a refresh, here is a presentation from Stanford:
https://www.youtube.com/watch?v=DDH4m6M-ZIU

What I would like to know/discuss is what the PLC code would have looked like and how it got injected.

Did it tamper with existing FCs/FBs? Or add new ones?
Some of the functions (like the emergency stops that got disabled) might have been written on a failsafe CPU. Changing safety programs changes checksums, needs passwords, etc.

Does any of you know more about this?
 
A couple of years ago, when the news was fresh, there was a large topic about Stuxnet on this forum; search for it.

My understanding is, those who created Stuxnet (which is assumed to be, although never officially admitted, a joint project of the US and Israeli intelligence) did have some significant help from Siemens and possibly other manufacturers regarding the inside knowledge of the systems involved. Which, in turn, has also never been admitted, of course.
 
My understanding is they added an extra FC at the beginning that overwrote the inputs and changed the set points. Nothing too complicated in the PLC.

The real trick was all on the engineer's PC. A whole bunch of Windows exploits to spread the virus, some exploit involving WinCC SCADA (not sure on the details there, just that it involved a hard-coded SQL password), and they modified/replaced the SIMATIC communications driver. Whenever S7 went to do a download, the modified communications driver checked for some very specific conditions, and if they were met then it downloaded the extra PLC code. When the engineers went to monitor or upload, it didn't show the "extra" code. As far as I know the actual S7 project was never modified, so they never noticed the differences. My understanding is that there weren't really any bugs exploited in S7, the virus basically just rewrote it.

From what I recall, the systems were well air-gapped and had decent security precautions in place (good passwords, etc). They did the right things, and they got 0wned anyway.
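The download/upload hook described in the post above, as an added toy model (not code from the thread or from any real driver): a "hooked driver" injects an extra FC and patches the entry block on download, then filters both out again on upload, so the engineer's view matches the project. The check that catches it reads the controller through an independent path that does not go through the workstation's driver. Block names, bodies, the trigger condition and the `trusted_read` path are all constructed assumptions.

```python
"""Toy model of an inject-on-download / hide-on-upload driver hook and the
out-of-band integrity check that detects it.  Constructed example; block
names, bodies and the trusted_read() path are assumptions, not Stuxnet
internals."""
import hashlib

# Constructed engineering project: block name -> block body (bytes).
PROJECT = {
    "MAIN": b"CALL FC10\nCALL FC20\n",   # constructed entry block
    "FC10": b"L I0.0\nT Q0.0\n",         # constructed user logic
    "FC20": b"L MW10\nT QW0\n",
}

# Constructed payload: an extra FC that overwrites inputs, called first.
EXTRA_FC = "FC_EXTRA"
EXTRA_BODY = b"L 0\nT IW0\n"             # placeholder body
EXTRA_CALL = b"CALL " + EXTRA_FC.encode() + b"\n"


class PLC:
    """Stand-in for the controller's block memory."""
    def __init__(self):
        self.blocks = {}


class CleanDriver:
    def download(self, plc, project):
        plc.blocks = dict(project)

    def upload(self, plc):
        return dict(plc.blocks)


class HookedDriver(CleanDriver):
    """Models the modified communications DLL the post describes."""
    def trigger(self, project):
        return "FC10" in project          # constructed trigger condition

    def download(self, plc, project):
        if not self.trigger(project):
            return super().download(plc, project)
        patched = dict(project)
        patched[EXTRA_FC] = EXTRA_BODY
        patched["MAIN"] = EXTRA_CALL + project["MAIN"]
        plc.blocks = patched

    def upload(self, plc):
        # Hide the extra block and show the entry block as the engineer wrote it.
        view = {k: v for k, v in plc.blocks.items() if k != EXTRA_FC}
        if "MAIN" in view:
            view["MAIN"] = view["MAIN"].replace(EXTRA_CALL, b"", 1)
        return view


def fingerprint(blocks):
    return {n: hashlib.sha256(b).hexdigest() for n, b in sorted(blocks.items())}


def trusted_read(plc):
    """Assumed independent read path (e.g. a second, known-good station)."""
    return dict(plc.blocks)


def audit(plc, driver, project):
    """Compare the project, the driver's upload and an independent read."""
    expected = fingerprint(project)
    via_driver = fingerprint(driver.upload(plc))
    independent = fingerprint(trusted_read(plc))
    findings = []
    if via_driver != expected:
        findings.append("driver upload differs from project")
    for name in sorted(set(independent) - set(expected)):
        findings.append(f"unexpected block on PLC: {name}")
    for name in sorted(set(expected) & set(independent)):
        if independent[name] != expected[name]:
            findings.append(f"block {name} differs from project on PLC")
    return findings


def demo():
    """Returns (findings on a clean PLC, findings on a hooked PLC)."""
    clean_plc, bad_plc = PLC(), PLC()
    CleanDriver().download(clean_plc, PROJECT)
    hooked = HookedDriver()
    hooked.download(bad_plc, PROJECT)
    return audit(clean_plc, CleanDriver(), PROJECT), audit(bad_plc, hooked, PROJECT)


if __name__ == "__main__":
    print(demo())
```

The point of the three-way comparison is that the "driver upload differs" check never fires in the hooked case, exactly as the post says; only the independent read exposes the extra block and the patched entry block, so the comparison is only as trustworthy as the path used for `trusted_read`.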
 
My understanding is, those who created Stuxnet (which is assumed to be, although never officially admitted, a joint project of the US and Israeli intelligence) did have some significant help from Siemens and possibly other manufacturers regarding the inside knowledge of the systems involved. Which, in turn, has also never been admitted, of course.

I hadn't heard that, but I had heard that a couple years before Stuxnet was found in the wild, the U.S. Government did a "security audit" of all the major automation vendors' systems.
 
You all know I have ranted about Step7 software in the past. One of the things I didn't like was that the code you see at the beginning of a FC or FB is not the same code that is actually running. It is like there are macros that stand for a sequence of code. LD [AR2,P#0.0] has pointed this out. It seems to me that if this header can be modified no one will know the difference unless they upload the code without symbols. Then you see what code is really there.

I doubt anybody needs help from Siemens to add these headers. Step7 is a huge program made of many DLLs. It isn't that hard to disassemble a key DLL, the communication DLL, and modify it to do what you want. The key is that anybody that wants to mess with Step7 doesn't need to disassemble the whole of Step7, just its Achilles heel.

For security purposes it would be best if the programming software was one program so the whole program would need to be disassembled, patched and bytes stuffed so that the CRC matches again.
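On the "bytes stuffed so that the CRC matches again" step: as an added example (not from the thread, and not about any particular product), the block below shows that for a standard CRC-32 the stuffing is just four bytes, computed directly, because a CRC is linear over GF(2). A CRC therefore only detects accidental corruption; a keyed MAC (or a signature) is what a patched binary cannot satisfy without the key. The byte strings are stand-ins.

```python
"""CRC-32 is not an integrity check: append four bytes to any patched
blob so its CRC-32 equals the original's.  Added example using the
standard reflected CRC-32 (the one zlib.crc32 computes)."""
import hmac
import hashlib
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The high byte of TABLE[i] is a permutation of 0..255, so one table step
# can be undone from the top byte of the register alone.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data + 4 bytes such that zlib.crc32(result) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # register state after 'data'
    want = target ^ 0xFFFFFFFF               # register state required at the end
    # Undo four zero-byte steps from 'want' ...
    for _ in range(4):
        i = REV[want >> 24]
        want = (((want ^ TABLE[i]) << 8) & 0xFFFFFFFF) | i
    # ... by linearity, the XOR difference (little-endian) is what to append.
    return data + (reg ^ want).to_bytes(4, "little")


def crc_matches(data: bytes, reference: bytes) -> bool:
    return zlib.crc32(data) == zlib.crc32(reference)


def mac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


def demo():
    """Returns (crc fooled?, mac fooled?) for a constructed patched blob."""
    original = b"constructed stand-in for a communication DLL, unmodified"
    patched = b"constructed stand-in for a communication DLL, BACKDOORED"
    forged = forge_crc32(patched, zlib.crc32(original))
    key = b"assumed signing key held by the vendor"   # constructed key
    tag = mac_tag(key, original)
    return crc_matches(forged, original), mac_ok(key, forged, tag)


if __name__ == "__main__":
    print(demo())    # CRC is fooled, the MAC is not
```

The forged blob keeps the whole patched content and differs from it only in the four trailing bytes, which is why a loader that checks CRC-32 and length alone gains nothing; the same construction works for any CRC width by changing the polynomial, table width and byte count.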
 
That video was interesting, but they never explained why they ramped the drives up and down briefly and then stopped for 27 days at a time. What purpose did that serve? Also it never explained what they finally did to damage the centrifuges? Ramped it up even higher?
 
That video was interesting, but they never explained why they ramped the drives up and down briefly and then stopped for 27 days at a time. What purpose did that serve? Also it never explained what they finally did to damage the centrifuges? Ramped it up even higher?


To me it seems it would have been better to just make the centrifuges run overspeed, destroying them. Unless the vibration caused by cycling the speed is faster than waiting for them to self-destruct under overspeed. But the centrifuge itself may have had overspeed protection...

From Wikipedia...

"The attacks seem designed to force a change in the centrifuge’s rotor speed, first raising the speed and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge. If its goal was to quickly destroy all the centrifuges in the FEP [Fuel Enrichment Plant], Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily.[93]"


Also.....most interesting...

"Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran.[62] Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or gas centrifuges.
Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[53] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[62] It also installs a rootkit – the first such documented case on this platform – that hides the malware on the system and masks the changes in rotational speed from monitoring systems."
 
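The quoted trigger and payload numbers above (a normal band of 807 to 1210 Hz, excursions to 1410 Hz and 2 Hz) are enough to write a simple detector for the behaviour. The block below is an added example, not from the thread: it runs two checks over constructed drive telemetry, a band check and a maximum-step-per-sample check. The log format, drive names, sample values and the 100 Hz step threshold are assumptions. The important caveat, also from the quoted text, is that the rootkit masked the speed changes from the monitoring systems, so telemetry like this is only useful if it comes from a path the compromised PLC and HMI do not control (an independent sensor on the drive or a separate historian).

```python
"""Speed-excursion detector over constructed VFD telemetry.  Added example;
log format, drive names, values and MAX_STEP_HZ are assumptions."""
import csv
import io
from dataclasses import dataclass

BAND = (807.0, 1210.0)   # operating band from the quoted text
MAX_STEP_HZ = 100.0      # assumed largest plausible change between samples

# Constructed telemetry (timestamp_s,drive,hz); not real plant data.
SAMPLE_LOG = """\
0,VFD-01,1064
10,VFD-01,1064
20,VFD-01,1410
30,VFD-01,1410
40,VFD-01,2
50,VFD-01,1064
0,VFD-02,1064
10,VFD-02,1070
20,VFD-02,1062
"""


@dataclass
class Finding:
    drive: str
    ts: float
    hz: float
    reason: str


def parse(text):
    """Parse 'ts,drive,hz' lines into (ts, drive, hz) tuples."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].startswith("#"):
            continue
        ts, drive, hz = rec
        rows.append((float(ts), drive, float(hz)))
    return rows


def detect(rows):
    """Flag out-of-band readings and implausibly large steps per drive."""
    lo, hi = BAND
    findings = []
    last = {}
    for ts, drive, hz in sorted(rows, key=lambda r: (r[1], r[0])):
        if not lo <= hz <= hi:
            findings.append(Finding(drive, ts, hz, f"outside {lo:.0f}-{hi:.0f} Hz band"))
        prev = last.get(drive)
        if prev is not None and abs(hz - prev) > MAX_STEP_HZ:
            findings.append(Finding(drive, ts, hz, f"step of {hz - prev:+.0f} Hz since previous sample"))
        last[drive] = hz
    return findings


def drives_flagged(findings):
    return sorted({f.drive for f in findings})


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f.drive} t={f.ts:.0f}s {f.hz:.0f} Hz: {f.reason}")
```

With the constructed log, VFD-01 is flagged for every sample of the 1410 Hz / 2 Hz excursion and for each large step, while VFD-02's small wobble around 1064 Hz produces nothing; tune `MAX_STEP_HZ` to the real ramp rate of the drives in use.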
The intent was to dramatically shorten the life of the centrifuges, and make it look like they had a quality issue. They hoped the virus would remain undetected for years.
 
