Saturday, February 12, 2011

Symantec Updates Stuxnet Dossier

Yesterday Symantec published version 1.4 of their “W32 Stuxnet Dossier”. A blog entry explains that there were essentially two new items in the updated version (and Symantec intends to keep updating the report as they come up with new data on the attack). First, they were able to reconstruct the timeline of the infection and trace it back to five specific initial attack vectors. Second, they confirmed much of the work that Ralph Langner has reported on the 417 attack code (without reaching any conclusions about the specific target, because that code was ‘disabled’).

Tracking the Infection

Certainly the most valuable part of this new information is what Symantec was able to show about how the worm was physically spread from the initial attack vectors. They are in a unique position to conduct this portion of the research because they possess 3,280 distinct copies of the virus from the wild, representing 3 separate variants of the worm. Combined with the fact that Stuxnet records system data (including a time stamp and IP address) every time it infects a new host, this lets Symantec provide a good picture of how the attack proceeded.

Symantec has been able to show that there were five separate organizations that were used as initial attack vectors, what Symantec misleadingly calls targets. All five of these initial vector organizations, Symantec reports, have a presence in Iran. Apparently an infected USB drive was introduced into these organizations as a way of pointing the worm at its intended target without risking the actual presence of the author’s agents in Iran.

In its discussion of the spread of the worm the Dossier authors make a point of noting that the worm had a designed-in self-limiter: after infecting three separate computers, the infection from that particular device shut down. Looking at the cluster diagrams on page 9 of the Dossier, it does not seem as if any single attack-vector organization was infected more than twice by the initial device on each attack wave.

While this may simply be a data anomaly due to the small sample size, it seems unlikely with ten separate infections. It seems more likely that the agents carrying the infected USB drive were under instructions to limit their infection to just two computers to reduce the likelihood of their being detected.

The other interesting thing from these diagrams is that there does not appear to be any cross-linking between the infection trees. We can clearly see from the diagrams that within an infected zone there are a number of places where a single computer is linked to multiple sources, as we would expect in an increasingly networked world. It is not clear whether Symantec simply failed to note cross infections between the initial attack vectors, or whether these infections were actually isolated from each other.
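The three observations above (which devices were the initial vectors, whether any device exceeded the three-infection limit, and whether any host was infected from more than one source) can all be read off a reconstructed infection tree once the per-host infection records are collected. The following Python is an added example, not code from this post or from Symantec; the one-line-per-hop record layout (timestamp, source host or drive, victim host, victim's organisation) is an assumption made for the example, and the sample log is constructed, including one deliberately inconsistent entry: `usb-2` is credited with four victims, one more than the worm's limit, so the consistency check flags it as a record that needs a second look.

```python
"""Reconstruct an infection tree from per-host infection records.

Added example. The record layout is assumed and the sample log is constructed;
neither comes from the Symantec Dossier or from the worm's real on-disk format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Hop:
    ts: datetime
    source: str   # host, or removable-drive id, the infection came from
    victim: str   # host that was infected
    org: str      # organisation the victim belongs to


# Constructed sample log. usb-2 has four victims, one more than the worm's
# three-infection limit, so over_limit() flags it below.
SAMPLE_LOG = """\
2009-06-22T10:15:00Z,usb-1,orgA-pc1,OrgA
2009-06-22T11:02:00Z,usb-1,orgA-pc2,OrgA
2009-06-23T08:30:00Z,orgA-pc1,orgA-pc3,OrgA
2009-06-23T09:45:00Z,orgA-pc2,orgA-pc3,OrgA
2009-06-24T14:00:00Z,orgA-pc3,orgA-pc4,OrgA
2009-07-07T09:00:00Z,usb-2,orgB-pc1,OrgB
2009-07-07T09:20:00Z,usb-2,orgB-pc2,OrgB
2009-07-07T09:40:00Z,usb-2,orgB-pc3,OrgB
2009-07-07T10:00:00Z,usb-2,orgB-pc4,OrgB
2009-07-08T12:00:00Z,orgB-pc1,orgB-pc5,OrgB
"""


def parse_log(text: str) -> List[Hop]:
    """Parse the assumed CSV layout into Hops, oldest first; '#' starts a comment."""
    hops = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, source, victim, org = (f.strip() for f in line.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hops.append(Hop(when, source, victim, org))
    return sorted(hops, key=lambda h: h.ts)


def initial_vectors(hops: List[Hop]) -> Set[str]:
    """Sources that were never themselves infected: the roots of the trees."""
    victims = {h.victim for h in hops}
    return {h.source for h in hops if h.source not in victims}


def infection_tree(hops: List[Hop]) -> Dict[str, List[str]]:
    """Adjacency list: each source mapped to the hosts it infected."""
    tree = defaultdict(list)
    for h in hops:
        tree[h.source].append(h.victim)
    return {s: sorted(v) for s, v in tree.items()}


def over_limit(hops: List[Hop], limit: int = 3) -> Dict[str, int]:
    """Sources credited with more victims than the self-limiter allows.

    A hit means the records disagree with the documented behaviour, so the
    attribution of those hops deserves a second look."""
    counts = Counter(h.source for h in hops)
    return {s: n for s, n in counts.items() if n > limit}


def cross_links(hops: List[Hop]) -> Dict[str, Set[str]]:
    """Victims with more than one distinct source (joins between tree branches)."""
    parents = defaultdict(set)
    for h in hops:
        parents[h.victim].add(h.source)
    return {v: p for v, p in parents.items() if len(p) > 1}


def direct_hits_per_org(hops: List[Hop]) -> Dict[Tuple[str, str], int]:
    """How many hosts in each organisation each initial vector infected directly."""
    roots = initial_vectors(hops)
    return dict(Counter((h.source, h.org) for h in hops if h.source in roots))


def chain_to(hops: List[Hop], host: str) -> List[str]:
    """Path from the initial vector to `host`, taking each host's earliest
    recorded infection as its parent."""
    earliest: Dict[str, str] = {}
    for h in sorted(hops, key=lambda h: h.ts):
        earliest.setdefault(h.victim, h.source)
    path, seen = [host], {host}
    while path[-1] in earliest:
        parent = earliest[path[-1]]
        if parent in seen:   # a mis-timed record would otherwise loop forever
            break
        seen.add(parent)
        path.append(parent)
    return list(reversed(path))


if __name__ == "__main__":
    hops = parse_log(SAMPLE_LOG)
    print("initial vectors:", sorted(initial_vectors(hops)))
    print("direct hits per org:", direct_hits_per_org(hops))
    print("over limit:", over_limit(hops))
    print("cross links:", cross_links(hops))
    print("chain to orgA-pc4:", " -> ".join(chain_to(hops, "orgA-pc4")))
```

`direct_hits_per_org` is the figure the post reads off the page 9 cluster diagrams (how many machines in each organisation the initial device touched), and `cross_links` is the check for the missing links between trees; on real data the victim identifiers would be the IP addresses and host names the worm records rather than the constructed labels used here.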

The Reason for the Tracking Data

While Symantec is to be commended for putting this data together, it seems obvious that the virus designers put this tracking tool into the worm for a reason. If they were able to collect this data from infected computers (which they certainly were until the identified command and control link was shut down) they were able to paint a very complete picture of how their attack spread. This would certainly be valuable information to design subsequent attacks.

With that in mind I would like to suggest that the clearly identified C&C computer that was shut down relatively soon after Stuxnet was identified was not the only method by which the originators planned to get information back from Stuxnet-infected computers. If I were designing this system I would have seeded the operational area with a network of communications nodes.

Given the information sharing design of the Stuxnet worm, each time an infected computer talked with another computer on its network it would drop an updated copy of its infection history into the new computer. If a separate virus were designed to set up a very specific bot network, one designed to ‘listen for’ a new set of Stuxnet infection histories and report that history back to a separate command and control computer, the Stuxnet authors could keep receiving updated information on the progress of the spread of the virus. It would also allow them to map the optimal path to link to any particular infected computer.

If the infection on a targeted computer (or attached PLCs) were not completely cleared, then a subsequent Stuxnet-like virus would be more easily targeted at those systems. Such an attack could be very directed without the collateral exposure that led to the discovery of Stuxnet. And with the spread of Stuxnet far and wide across the world, the attack would not necessarily have to be limited to Iranian nuclear facilities or even to targets in Iran.

This bot network would be very hard to detect since it would be operationally limited to a very small set of instructions. Unless one knew exactly what to look for, this network could exist for years before it was discovered. In fact, if the designers were particularly devious, they would set up at least a couple of separate bot networks to allow for one or more to be detected and remediated without losing contact with their tools.

Identifying Stuxnet Source

With the source tracking data that Symantec has, it would seem to be a relatively simple investigation to determine who carried the infected USB drive into the attack vectors. Symantec obviously does not list the real identity of these initial targets, but they must certainly have that data. An intelligence or law enforcement organization should be able to take that data, conduct the appropriate investigation and determine who was likely to have carried the USB drive. Will this happen? I doubt it.
