Sunday, October 17, 2010

Another Detailed View of Stuxnet

Thanks to Bob Radvanovsky at the SCADASEC List for pointing me at a new source of detailed information about Stuxnet. He recently posted a link to a blog at ESET.com that is covering Stuxnet in some detail, in fact they recently revised a major paper on the malware.

In many ways this paper is similar to the Symantec paper I recently discussed; it is a very technical discussion about the Stuxnet operation on MS Windows® systems. It does take a little bit different tack on the discussion so it complements that paper. More importantly it includes information on the recently patched escalation of privilege (EOP) vulnerability that previous papers had to dance around. It also has a brief and deliberately vague discussion about the second EOP that has yet to be patched. If for no other reason, this paper is worth downloading for the technically minded just for the discussion of the EOP vulnerability.

I was hoping that I would be able to give the SCADA users in the audience a reasonable explanation of the Key Board EOP that was patched this week by Microsoft (MS10-073). I read the portion of the paper dealing with that vulnerability and quickly got bogged down in the details. Fortunately, Randy Abrams had a really good explanation in his post on the ESET.com blog:

“A flaw in the software that translates what you type on the keyboard to letting the computer know what that was allowed Stuxnet to have more control over the infected computer than it was supposed to be allowed.”
In fact, he does even better in discussing the two latest Microsoft patches for vulnerabilities used by Stuxnet:

“For a normal user, all of the pictures of computer code don’t really matter. What is critical for you to understand is that if you do not apply the recent Microsoft security patches, anyone can hijack your computer using the print spooler attack and the privilege escalation attacks.”
That’s good advice, even if you have to shut down a process to get the patch installed. Of course there is still one other EOP vulnerability that Stuxnet used that is not patched, so many will want to wait for that patch before shutting stuff down to be all of the holes patched at one time. Of course, there will be other ‘zero day’ vulnerabilities coming down the road too with their associated patches.

That’s one of the problems with using standard IT type security measures on SCADA systems, they can be a lot more time-consuming, expensive and painful to implement.

No comments:

 
/* Use this with templates/template-twocol.html */