by Kim Zetter
16 Ulasen published his note on his company’s site at anti-virus.by/en/tempo/shtml and at the Wilders Security forum at wilderssecurity.com/showthread.php?p=1712146.
17 Krebs, a former Washington Post reporter, runs the KrebsonSecurity.com blog, which focuses on computer security and cybercrime. He published his post July 15, 2010, at krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw.
18 Lenny Zeltser, “Preempting a Major Issue Due to the .LNK Vulnerability—Raising Infocon to Yellow,” published July 19, 2010, at isc.sans.edu/diary.html?storyid=9190.
19 Andreas Marx, head of AV-TEST.org in Germany, brokered the introduction with his direct contacts at Microsoft.
20 Microsoft’s advisory appears at technet.microsoft.com/en-us/security/advisory/2286198.
21 Most antivirus companies have automated reporting systems that will notify them when a malicious file is detected on a customer’s machine if the customer has opted for this feature. In most cases all that gets sent to the company is a “hash” of the file—a cryptographic representation of the contents of the file composed of a string of letters and numbers produced by running the file through an algorithm—with no indication of who the victim is, other than the sender’s IP address. But in other cases companies can obtain the entire malicious file itself if the victim decides to send it or the antivirus firm determines through the IP address who the victim is and requests a copy of the file.
22 Researchers speculated that the driver might have been used with a new version of Stuxnet the attackers unleashed after tweaking the code to prevent antivirus signatures from detecting it. No later version of Stuxnet has ever been discovered, but see footnote 41 for further discussion about a later version of Stuxnet.
23 See Costin G. Raiu and Alex Gostev, “A Tale of Stolen Certificates,” published in SecureView, 2nd Quarter 2011, a quarterly newsletter from Kaspersky Lab. The mistakes appear in the digital signature block on the certificate, where a company provides information about itself. In this case, the attackers mistyped the URL for JMicron so that it returned a “server not found” error if someone tried to visit the website. They also failed to fill in several fields for the company’s name, copyright ownership, and other data. In eight of the fields, the words “change me” appeared instead of information.
24 The RealTek certificate was valid from March 15, 2007, to June 12, 2010. The JMicron certificate was valid until July 26, 2012, but once it was revoked by certificate authorities, the attackers couldn’t use it anymore.
25 Pierre-Marc Bureau, “Win32/Stuxnet Signed Binaries,” published August 9, 2010, at blog.eset.com/2010/07/19/win32stuxnet-signed-binaries.
26 Boldewin published his note at wilderssecurity.com/showthread.php?p=1712146.
CHAPTER 2
500 KILOBYTES OF MYSTERY
In the six years Liam O’Murchu had been analyzing viruses and worms, he’d never seen anything like the code he was looking at now. It was using techniques that went way beyond anything he’d ever seen other malware do. This wasn’t at all what he’d expected when he sat down at his computer in Symantec’s Southern California office and pulled up the Stuxnet files that had arrived overnight from his colleagues in Europe.
It was Friday, July 16, the day after the news of Stuxnet had broken in the tech community, and O’Murchu was in the midst of what he thought would be a routine and perfunctory review of the code. The thirty-three-year-old Irishman was manager of operations for the Security Response team in Symantec’s Culver City office, and it was his job to review new malware that came in to determine if it merited closer scrutiny.
Analysts in the company’s office in Dublin, Ireland, had got hold of the Stuxnet files late in their afternoon but only had a couple of hours with the code before it was time to hand it off to O’Murchu’s team in California, who were just waking up. Symantec’s threat-analysis team is spread across multiple continents so that anytime an important threat pops up, someone somewhere is awake to jump on it. Then as the sun sets on one office and rises on another, workers in one time zone hand off their notes, like tag-team wrestlers, to those in the next zone.
Not all malware gets this follow-the-sun coverage. Of the more than 1 million malicious files Symantec and other security firms find each month, most are copycats of known tools that hackers simply tweak to alter their fingerprints and try to outrun antivirus scanners. These standard threats get piped through algorithms that tear through the code looking for signatures or behavior that matches known malware. Code gets kicked out of the queue for researchers to examine manually only if the algorithms find something they can’t reconcile. Malware containing, or suspected of containing, a zero-day exploit always gets examined by hand, which is the only reason Stuxnet landed on O’Murchu’s desk.
O’Murchu is an avid snowboarder with a lyrical accent and closely cropped brown hair sculpted vertically in front like the lip of a small half-pipe. A fairly recent transplant to the United States from Dublin, he’d only been in Symantec’s California office about two years before Stuxnet struck, but he’d worked for the company since 2004. He led a team of highly skilled malware analysts and reverse engineers who were engaged in a constant battle against an onslaught of digital threats, each one often more advanced than the last. None of them, however, prepared him for what he found in Stuxnet.
O’Murchu expected their examination of the code would be merely routine, just to confirm the presence of the zero-day exploit that Ulasen and Kupreev had already found. So he passed the code off to a junior engineer, thinking it would be a good opportunity to train him on zero days, and only examined the code himself to backstop his colleague and make sure he didn’t miss anything. But as soon as he opened the files, it was immediately clear there was something strange going on with the code.
The main Stuxnet file was incredibly large—500 kilobytes, as opposed to the 10 to 15 KB they usually saw. Even Conficker, the monster worm that had infected more than 6 million machines over the previous two years, was only 35 kilobytes in size. Any malware larger than this usually just contained a space-hogging image file that accounted for its bloat—such as a fake online banking page that popped up in the browser of infected machines to trick victims into relinquishing their banking credentials. But there was no image file in Stuxnet, and no extraneous fat, either. And, as O’Murchu began to take the files apart, he realized the code was also much more complex than he or anyone else had previously believed.
When you’ve seen as much malware as O’Murchu has, you can glance at a virus or Trojan horse and know immediately what it does—this one is a keystroke logger that records everything a victim types; that one is a banking Trojan that steals login credentials to online banking accounts. It’s also easy to see whether a piece of code was slapped together sloppily or crafted skillfully with care. Stuxnet was obviously the latter. It appeared to be a dense and well-orchestrated collection of data and commands that contained an enormous amount of functionality. What those functions were was still a mystery, but O’Murchu’s interest was immediately piqued.
O’MURCHU’S FIRST ENCOUNTER with malware occurred in 1996 when he was studying computer science at University College Dublin and a fellow student unleashed a homemade virus that infected all the machines in the school’s computer labs. On the Ides of March, the virus seized control of the terminals and locked everyone out. Users could only log in after answering a series of ten questions that flashed on the screens. Most were annoyed by the interruption, but O’Murchu just wanted to get his hands on a copy of the virus to take it apart. It was part of his DNA to deconstruct things. Growing up in the country outside the small town of Athy in County Kildare, he was the kind of kid who was less interested in playing with toy cars than in tearing them apart to see how they worked.
O’Murchu didn’t set out to become a virus wrangler. He began his college career dutifully taking physics and chemistry classes for the science degree he planned to pursue, but then enrolled in a computer science course and became obsessed. He quickly abandoned the chemist’s lab for the computer lab. Hacking was a growing problem at the university, but O’Murchu never considered computer security a possible career path until intruders began breaking into servers belonging to the school’s computer club, and a team of students was tasked with patching the servers to kick them out. O’Murchu was fascinated by the cat-and-mouse game that ensued, as he watched the intruders repeatedly outmaneuver the defenders to get back in.
That lesson in breaking digital barriers came in handy when he and a group of friends traveled to the United States after college and briefly got jobs testing internet kiosks for a San Diego start-up. They were hired to see if they could bypass the kiosk’s paywall in order to steal internet access. But instead of getting the normal computer users the company thought it was getting, it had inadvertently hired a team of skilled hackers. After half a dozen kiosks were set up in the warehouse where the systems were being assembled, O’Murchu and his friends were told to go at them. They were only supposed to test the system for two weeks before the company planned to ship the kiosks out to customers, but O’Murchu and his friends kept finding new ways to break the paywall. After two months passed and they were still finding holes, the company canceled the testing and just shipped the kiosks out.
O’Murchu spent the next couple of years traveling the world and snowboarding with a vague desire to get into security but without any plan for doing it. Then in 2002, he got a job with the anti-spam company Brightmail in Dublin. He only took it to earn money to support his traveling, but when Symantec bought the firm in 2004, he saw it as a chance to leap into security. During a tour of Symantec’s Dublin office given to the Brightmail employees, O’Murchu could barely contain his impatience at being shown around the various departments. All he wanted to see was the virus research team that he hoped to join. But when he finally met Eric Chien, the American who managed the team, his dream of being hired was dashed. O’Murchu thought Symantec had hundreds of analysts stationed around the world and that it would therefore be easy to get a job. But Chien told him only half a dozen people worked on the team, and all of them had been on the job for years. “Nobody really leaves,” Chien said. “Everyone loves their work.”
O’Murchu was undeterred. He taught himself the tools the analysts used to decipher malicious code and write signatures, and when an explosion of spyware and adware burst onto the scene several months later, he was ready when Symantec needed to expand its team. He worked the next four years in Symantec’s Dublin office—where the company still maintains its largest research group—before transferring to Culver City in 2008.
Over the years, O’Murchu and the Symantec team had worked on a number of high-profile and complex threats. But none was as fascinating or as challenging as Stuxnet would turn out to be.
WHEN O’MURCHU EXAMINED Stuxnet’s main file, he immediately came up against several layers of encryption masking its many parts and inner core. Luckily the first layer was a simple “packer” that was easily cracked.
Packers are digital tools that compress and mangle code to make it slightly harder for antivirus engines to spot the signatures inside and for forensic examiners to quickly determine what a piece of code is doing. Malware run through a packer morphs a little differently on its surface each time it’s packed, so the same code run through a packer a thousand times will create a thousand different versions of the code, though beneath the packer layer they will all be the same at their core. Antivirus engines can tell when a malicious file has been run through a known packer and can then unpack it on the fly to hunt for the signatures beneath. To thwart this, smart attackers design custom packers that aren’t easily recognized or removed. But Stuxnet’s creators hadn’t bothered to do this. Instead they used an off-the-shelf packer called UPX—short for “Ultimate Packer for eXecutables”—that was easily identified and eliminated. Given the sophisticated nature of the rest of the threat—the zero-day exploit and the stolen digital certificates—it seemed an odd choice for Stuxnet’s creators to make. So O’Murchu assumed their primary reason for using the packer must have been simply to compress the files and reduce Stuxnet’s footprint. Once unpacked and decompressed, the main module expanded to 1.18 megabytes in size.
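To show what “easily identified” means in practice, here is an added example (not from the book and not Symantec’s tooling) of the cheap triage an analyst or scanner can run on a Windows executable: walk the PE section table for the UPX0/UPX1 names that stock UPX leaves behind, look for its “UPX!” marker, and measure byte entropy, since compressed code sits near 8 bits per byte. The PE bytes are constructed in the script itself so it runs offline; a custom or renamed packer defeats the name check, which is exactly why attackers build their own.

```python
import math
import struct

def build_fake_pe(section_names):
    """Constructed sample: a minimal PE header with the given section names.
    Not a real executable; it exists only so the parser below can run offline."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\0" * (0x3C - 2)
                  + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_of_optional = 224                                   # PE32 optional header
    coff_header = struct.pack("<HHIIIHH", 0x14C,             # Machine: i386
                              len(section_names), 0, 0, 0,
                              size_of_optional, 0x0102)      # Characteristics
    optional_header = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")
    section_table = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * 32    # 40-byte section header
        for name in section_names)
    return dos_header + b"PE\0\0" + coff_header + optional_header + section_table

def pe_section_names(data):
    """Walk the PE section table and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(number_of_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def shannon_entropy(blob):
    """Bits per byte: packed or encrypted data approaches 8.0, plain code is far lower."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)

def looks_upx_packed(data):
    """Stock UPX leaves UPX0/UPX1 section names and a 'UPX!' marker in the file.
    Renamed sections or a custom packer defeat this check; entropy still flags them."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data

if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(sample), looks_upx_packed(sample))
```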
With the packer now removed, O’Murchu was able to easily spot the Siemens strings Frank Boldewin had seen. But more important, he also spotted an encrypted block of code that turned out to be Stuxnet’s mother lode—a large .DLL file (dynamic link library) that contained about three dozen other .DLLs and components inside, all wrapped together in layers of encryption like Russian nesting dolls. He also found a massive configuration file containing a menu of more than four hundred settings the attackers could tweak to change everything from the URL for the command-and-control servers Stuxnet contacted to the number of machines Stuxnet would infect via a USB flash drive before the USB exploit would shut down.1 Curiously, O’Murchu also found an infection stop date in the file—June 24, 2012. Every time Stuxnet encountered a new machine, it checked the computer’s calendar to see if the June date had passed. If it had, Stuxnet would halt and not infect it. Any payload already installed on other machines would continue to work, but Stuxnet wouldn’t infect any new machines. The stop date had been set for three years after Stuxnet infected its first machines in Iran and was presumably the date by which the attackers expected to achieve their goal.2
What most stood out to O’Murchu, however, was the complex way that Stuxnet concealed its files on infected machines and hijacked normal functions to perform its nefarious deeds. It took O’Murchu nearly a day to work out the details, and when he finally did, he was astounded.
Normally, the code for performing common tasks on a Windows machine, such as opening and reading a file or saving its contents to disk, is stored in .DLLs in the operating system. When the operating system or another application needs to perform one of these tasks, it calls up the relevant code from the .DLL—like a library patron checking out a book—and runs it in the machine’s memory. Conventional hackers would try to store code for their malicious activities in the Windows .DLLs too, but antivirus scanners can spot code in a library that shouldn’t be there, so Stuxnet placed its malicious code in the machine’s memory instead, where antivirus programs were less likely to detect it. That alone wasn’t remarkable, since a lot of smart hackers stored their malicious code in memory. But the way Stuxnet got its code to run was.
Usually, malicious code that lurks in memory will still need to ask the system to load additional code from files that it stores on the computer’s disk. But antivirus engines will spot this behavior as well, so Stuxnet did it one better. Stuxnet kept all of the code it needed to operate inside itself, stored as virtual files with specially crafted names. Ordinarily this wouldn’t work because when Stuxnet tried to call up this code, the operating system wouldn’t recognize the names or would look for the oddly named files on disk and not be able to find them. But Stuxnet “hooked” or reprogrammed part of the Windows API—the interface between the operating system and the programs that run on top of it—so that anytime it called on these oddly named files, the operating system would simply go to Stuxnet, sitting in memory, to obtain the code instead. If an antivirus engine grew suspicious of the files in memory and tried to examine them, Stuxnet was prepared for this as well. Because it controlled parts of the Windows API responsible for displaying the attributes of files, it simply tricked the scanner into thinking the files were empty, essentially telling it, “Nothing to see here, move along.”3
But this wasn’t the end of it. Normal malware executes its code in a straightforward manner by simply calling up the code and launching it. But this was too easy for Stuxnet. Instead, Stuxnet was built like a Rube Goldberg machine so that rather than calling and executing its code directly, it planted the code inside another block of code that was already running in a process on the machine, then took the code that was running in that process and slipped it inside a block of code running in another process to further obscure it.
O’Murchu was astounded by the amount of work the attackers had invested in their heist. Even the most complex threats he’d seen in recent years didn’t go to such lengths. The average malware writer did just the minimum of what he needed to do to make his attack work and avoid detection; there was little to be gained from investing a lot of time in code that was just meant to do a quick smash-and-grab of passwords or other data. Even the advanced espionage tools that appeared to come from China didn’t bother with the kinds of tricks he was seeing in Stuxnet. Red flags were popping up all over the code, and O’Murchu had only examined the first 5 KB of the 1 MB threat.
It was clear this wasn’t a standard attack, and it needed to be examined more closely. But the size and complexity of the code meant it was going to take a team of people to reverse-engineer and decipher it. So the question running through O’Murchu’s mind was whether they should even bother. No one would blame Symantec if the researchers dropped the code and moved on to other things. After all, the primary task of any antivirus firm was to halt infections before they began or to rid infected systems of malware that was already on them. What malicious code did to computers once it was on them was secondary.
But even though their primary work stopped at the point of detection, any customer infected with Stuxnet would still want to know what the malware had done to their system, even if Symantec had already detected and deleted its malicious files. Had it pilfered credentials or important documents? Altered or deleted crucial data? O’Murchu felt it was their duty to find out.