Bekker's Blog

Unpacked Stuxnet Is Ugly for the Microsoft Channel

Over the last week, security researchers have revealed progress in untangling the fiendishly complex encryption and massive code base of the Stuxnet malware -- and what they say they've found is one of the most interesting developments in the computer security landscape in years.

The Christian Science Monitor online newspaper last week reported, "Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world -- to destroy something."

The Monitor article was primarily based on interviews with German cyber-security researcher Ralph Langner, ahead of a speech Langner gave on Stuxnet in Rockville, Md. last week. Langner and his Hamburg-based team have been reverse engineering Stuxnet, which emerged in June, but is only now yielding some of its secrets.

"With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," Langner wrote on his Web site.

Although thousands of systems have been infected by the worm, which combined four zero-day Windows flaws, the picture that is emerging now is that all but one of those systems may be collateral damage.

According to Langner's analysis, Stuxnet was one piece in a military/intelligence operation conducted by a technically sophisticated nation state to target and destroy one specific real-world facility by compromising industrial process control software via a contractor's infected USB memory stick. Langner speculated that the target may have been Iran's Bushehr nuclear power plant. Other reports suggest that the target was one of the other Iranian facilities involved in nuclear weapons production.

Over the weekend, an Iranian official was quoted as saying the worm was "part of the electronic warfare against Iran." An article in The New York Times on Sunday quoted James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington, saying that the United States is "one of four or five places that could have done it -- the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can't rule out the Russians and the Chinese."

The nation-state perpetrator theory isn't unanimous, however. John Pescatore, vice president for internet security at Gartner, told The Guardian newspaper in the United Kingdom that it was "definitely not the case" that Stuxnet would have required state sponsorship.

A Headache for Partners

Microsoft appears to be in full panic mode about Stuxnet. Witness RCPU Editor Lee Pender's innocuous recent link to a Stuxnet item that prompted an immediate reply from Microsoft. The Microsoft response to Stuxnet is justifiably alarmist because the case threatens to reinvigorate a host of thorny, but largely dormant, issues about Windows security, proprietary source code, state security and even possible Microsoft collusion with United States' government intelligence agencies. As Microsoft's front line for sales and end user services, Microsoft partners will be the ones taking fire.

At a base level, all Microsoft partners involved with supporting customers on Windows need to understand the basics of the Microsoft Stuxnet bulletins and patches, and it's a good time to re-evaluate security policies and protections around USB sticks.

A Manufacturing Problem

Manufacturing integrators and ISVs, meanwhile, have a new set of concerns. Stuxnet provides a step-by-step guide for taking over a programmable logic controller (PLC) on an industrial control system. Anybody involved in installing or programming control systems will need to be ready to address and explain the threat.

According to Langner, it's not technically difficult to inject what he calls "rogue ladder logic" into PLC programs. (The rogue ladder logic affects the industrial control software, in this case Siemens, not Windows.)

"It is important to understand that this vulnerability cannot be considered a bug, either technically or legally, so it should not be expected that vendors would be able to release a 'patch,'" Langner said on his site.

Langner predicted that exploit code based on vulnerabilities used by Stuxnet will make its way into known frameworks like Metasploit within a few months. "The Stuxnet story will raise a lot of attention in the hacker community where people may now start to try using the attack vector for much more trivial motivations than we must assume for the Stuxnet writers," he warned.

Langner also listed a number of basic security procedures that manufacturing integrators can re-emphasize with customers that would help prevent a Stuxnet-style attack from reaching critical control systems. They included defining and enforcing a high security level for engineering stations, especially mobile ones; prohibiting staff from using the stations for private purposes; securing the systems with whitelisting solutions; defining and enforcing a high security level for contractors; removing shared folders; removing critical systems from the network; reviewing policies for remote access; implementing a zoning concept for the network; and using PLC version control systems.

Reviving Political Questions

The biggest Stuxnet problems for Microsoft, however, are what we'll call the political issues. And these will be problems for Microsoft's global systems integrators, global ISVs and Microsoft partners in the international subsidiaries, although U.S.-based partners with highly security-conscious customers can expect to be dragged into these conversations, as well.

Microsoft faces four intertwined political issues. Two of them arise from being a multinational corporation headquartered within the world's most powerful nation state. Several years ago, Microsoft faced pushback from China about whether it was appropriate for Chinese government, military and business computers to run on an operating system created in another country. Related to that issue is the persistent rumor that Microsoft has either voluntarily or under duress created a backdoor for the U.S. National Security Agency to gain access to Windows-based computers. This rumor comes up at every OS release, including with Windows 7, and Microsoft takes it seriously enough to issue formal statements denying any backdoor.

While much of the early speculation points to Israel as the source of the worm, NSA involvement is a close second. The New York Times reported that former President George W. Bush had authorized efforts to undermine electrical systems, computer networks and other networks that serve Iran's nuclear programs, and the paper reported that the efforts have been ramped up under the Obama Administration. The combination of NSA suspicion and Windows flaws should give new life to international conspiracy theories about collusion. (When it comes to taking a strong stand against government encroachment, Microsoft didn't help its case any here with the recent revelations that Russian authorities piggybacked on Microsoft's software piracy campaign to crack down on dissident groups.)

The other political issues involve the technology fights within the IT community. The whole Stuxnet incident will be another data point in reviving arguments that Windows is less secure than other operating systems. Meanwhile, the issue is new grist for open source advocates, who will use the case to argue that Microsoft's proprietary approach to its code is a problem.

Let's all keep our fingers crossed that Microsoft wasn't short-sighted enough to cooperate in any way with a national authority in keeping zero-day exploits open. It would have been colossally stupid, and there's no need -- smaller actors than nation states find zero-day exploits in Windows software often enough. Put some dedicated resources and talent behind an effort, and success in finding new zero-day exploits is a matter of time.

Probably the best line of defense for partners in all of the above circumstances is to be familiar with the string of Stuxnet-specific security responses from the Microsoft Security Response Center, and be ready to point to the generally positive notices that Microsoft has been receiving lately about the speed and thoroughness of their security responses.

In any case, Microsoft partners will need to pull those Microsoft-provided security playbooks off the shelves where they've been collecting dust for the last couple of years. Thanks to Stuxnet, the political disputes around Microsoft software are about to get hot again.

Posted by Scott Bekker on September 27, 2010 at 11:58 AM