Stuxnet worm in PLCs

Here’s the short summary; this post is just too long, sorry.
Stuxnet is a worm spread by just inserting a thumb drive; you don’t need to do anything to infect the computer. It installs itself in the SCADA computer, that’s a computer like the display screens of the Cyber Chair that show WOB, SPMs, Pit Gain etc. that run Factory Link.
Here’s the thing: after that the worm looks for ANY Siemens PLCs and infects those systems, and no one thought it was possible to infect a PLC with anything. We all knew the SCADA systems on Drilling Rigs were vulnerable to infections, blue-screens-of-death, freezing and a bunch of other stuff. That’s why there is an old-fashioned WOB outside the window and we ran the drives through the PLC so the Joy Stick would work when the Driller lost his screens.
Everyone thinks the Stuxnet worm was made to disable Iran’s nuclear plants; one of the codes it inserts would wreck a high speed device controlled by the PLC, like a centrifuge.
No damage has been reported ANYWHERE in the world; we think Iran is keeping it secret and the worm was responsible for damage reported only by Wikileaks months ago. Everyone thinks the worm has been in the wild for over a year.
There are ‘many’ reports all saying the worm hasn’t spread out of Iran; Siemens says they have only seen 14 cases of infections. We all find this very hard to believe, and there is little information about how to detect the worm or clean it out of a PLC.
What if most of the Siemens PLCs in the world are infected and no one knows how to check for it until it’s triggered to send information or do damage?

Now it’s one thing for your refrigerator to go online to get the latest prices for stuff you’re running out of, get infected and shut down. It’s quite another for your LNG processing plant to accept valve operating instructions from the internet when there are millions of cubic feet of natural gas on site. No controls engineer in his/her right mind would let critical control infrastructure even connect to the internet directly. (Yes, yes, yes, it’s fine to report conditions over some VPN webpage, but CONTROL??) Now this troubles me because:

  1. the internet is not required,
  2. it infects PLCs, which, although simpler than personal computers, vastly outnumber them in machine control applications worldwide,
  3. it may be exploiting several zero day vulns in WinCE, which is a very common OS for control systems that has never been exploited before,
  4. it is a sophisticated worm capable of hiding itself from the PLC programmer,
  5. it might be propagating via PLC OS updates without anyone knowing,
  6. it probably has bugs which could wreak all kinds of havoc,
  7. an oncologist uses a 12 MeV Siemens LINAC to give radiation treatments to a dozen people daily; the PLC controls beam intensity and duration and angle and linear position. How many of the safety interlocks are coded into the PLC, me wonders, as the HV supply contactor kicks in?…channelsections…n-targets .html…t-scada-devices

German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware that appeared to be a miracle. Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss’ conference in Rockville.

Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).

From here he’s shy a fry for his happy meal on some other things but good on this, Langner is the one on top who’s talking. Go here
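Langner’s three fingerprints above (DB 890 and DB 8062 present in the project; OB 35 carrying a call to FC 1874 guarded by the return code DEADF007) are concrete enough to check for. The script below is an added example written for this post, not Langner’s code and not anything from Siemens or Stuxnet itself. It assumes the Step 7 project has already been exported to plain-text STL source held as a dict of block name to source text (a hypothetical representation; real Step 7 exports differ, so adapt the loader, not the checks), and the sample projects inside it are constructed for illustration. It separates "this project matches the application Stuxnet looks for" (both fingerprint DBs exist) from "the OB 35 injection itself is visible" (FC 1874 exists, OB 35 calls it, or OB 35 contains DEADF007), because the two mean different things to a defender.

```python
import re

# Indicators from Langner's logbook as quoted on this page.
FINGERPRINT_DBS = ("DB 890", "DB 8062")  # data blocks Stuxnet checks for in the target
TIMER_OB = "OB 35"                       # 100 ms cyclic interrupt OB that gets the injected code
INJECTED_FC = "FC 1874"                  # function called by the injected Step7 code
MAGIC_RETURN = "DEADF007"                # return-code value the injected condition tests

# STL call forms "CALL FC 1874", "UC FC1874", "CC  FC 1874" (assumed export spelling).
_CALL_FC1874 = re.compile(r"\b(?:CALL|UC|CC)\s+FC\s*1874\b", re.IGNORECASE)
_MAGIC = re.compile(re.escape(MAGIC_RETURN) + r"\b", re.IGNORECASE)


def normalize(name):
    """Canonicalise block names: 'db890', 'DB  890', ' Db 890 ' -> 'DB 890'."""
    m = re.fullmatch(r"\s*([A-Za-z]{2})\s*(\d+)\s*", name)
    return f"{m.group(1).upper()} {m.group(2)}" if m else name.strip().upper()


def scan_project(blocks):
    """Check an exported project {block_name: STL text} for the page's fingerprints.

    Returns a dict with:
      fingerprint_dbs            - which of DB 890 / DB 8062 exist in the project
      matches_target_fingerprint - True when both exist, i.e. the project looks like
                                   the kind of application Stuxnet is looking for
      injection_indicators       - evidence of the OB 35 / FC 1874 injection itself
    """
    inventory = {normalize(n): src for n, src in blocks.items()}
    present_dbs = [db for db in FINGERPRINT_DBS if db in inventory]
    ob35 = inventory.get(TIMER_OB, "")

    indicators = []
    if INJECTED_FC in inventory:
        indicators.append("FC 1874 exists")
    if _CALL_FC1874.search(ob35):
        indicators.append("OB 35 calls FC 1874")
    if _MAGIC.search(ob35):
        indicators.append("OB 35 contains DEADF007")

    return {
        "fingerprint_dbs": present_dbs,
        "matches_target_fingerprint": len(present_dbs) == len(FINGERPRINT_DBS),
        "injection_indicators": indicators,
    }


# Constructed sample projects (not real Step 7 exports and not Stuxnet's code).
CLEAN_PROJECT = {
    "OB 1":  "      CALL  FC    10\n      BE",
    "OB 35": "      L     MW   20\n      T     QW   4\n      BE",
    "DB 1":  "DATA_BLOCK DB 1\n  STRUCT\n    setpoint : INT ;\n  END_STRUCT\nEND_DATA_BLOCK",
}

SUSPECT_PROJECT = {
    "OB 1":    "      CALL  FC    10\n      BE",
    "db890":   "DATA_BLOCK DB 890\n  STRUCT\n    flags : DWORD ;\n    pv_ptr : DWORD ;\n  END_STRUCT\nEND_DATA_BLOCK",
    "DB 8062": "DATA_BLOCK DB 8062\n  STRUCT\n    cfg : WORD ;\n  END_STRUCT\nEND_DATA_BLOCK",
    "FC 1874": "FUNCTION FC 1874 : VOID\n      L     DW#16#DEADF007\n      T     MD   100\n      BE",
    # Constructed illustration of the pattern the logbook describes: call FC 1874,
    # compare its result with DEADF007, and skip the original timer code on a match.
    "OB 35":   ("      CALL  FC  1874\n"
                "      L     MD   100\n"
                "      L     DW#16#DEADF007\n"
                "      ==D\n"
                "      JC    skip\n"
                "      L     MW   20\n"
                "      T     QW   4\n"
                "skip: BE"),
}

if __name__ == "__main__":
    for label, project in (("clean", CLEAN_PROJECT), ("suspect", SUSPECT_PROJECT)):
        print(label, scan_project(project))
```

A project that only reports matches_target_fingerprint is not infected; it is the shape of application Stuxnet is hunting for, which is a reason to compare the PLC’s running code against the project rather than trusting the Simatic Manager view, since the logbook says the manipulation happens during transmission to the PLC.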

Everyone is saying that the cleaning instructions from Siemens won’t work, EVEN if you re-write and re-compile all the code; it’s a root-kit that stays on the EPROM and RAM in the PLC.…783&caller=view Changing the processor might work IF you have it all cleaned out of your Factory Link or WonderWare or Simatic Manager, because it can’t be cleaned from WinCC.

This may be a BIG DEAL later, or it’s all over and the worm did its job a year ago when the Iranians had all the failures. The big deal is it waiting to do more havoc later on command. Could be the DWORD of 890 and DB8062 are specific enough to limit the damage to the Middle East; otherwise it’s like acoustic weapons, as likely to damage you as the target.

So far no verifiable damage has been done, and who REALLY knows what’s going on in Iran? Siemens could also be hiding what’s going on with the systems that have legal Step 7 licenses and the support they are involved in. Nothing has blown up yet, but they say “we know of 15 systems infected worldwide”; I think there is more to come.
My wife posted in her blog about the Stuxnet worm, and got this comment from what ‘looks’ like a non government computer in Virginia:

Anonymous said… The Pentagon is probably just envious :P
And you know the attack was really, really bad when the Iranians try to downplay the Israeli aggression. They must have gotten whacked hard.
They will try to save some space (think Anonymous meant Face here) by using the rest of their bomb fuel to get the plant up and running, but they are set back many years and their reputation of invincibility severely damaged.

Has anyone else heard about them having to use the fuel from the centrifuges to fuel the reactor?

If the centrifuges are scrap now (as the 100ms delay would cause) this is big news and a real delay to when they can nuke someone.

That would be reassuring: Stuxnet did its job over a year ago and there is no need to use it again for another attack that might affect a lot of other PLCs, considering how far it’s spread now.

90 days till ‘other’ hackers exploit Stuxnet check…ner=rss&emc=rss from Langner