Bit9

We’ve been hearing a lot lately about Advanced Persistent Threats (APTs). What are they? Are they really anything different than the malware and viruses we’ve seen for decades? They are, and the Stuxnet worm flooding the news is a perfect example why.

First off, Stuxnet is advanced. Very advanced. It takes advantage of four zero-day vulnerabilities, uses two different valid (stolen) digital certificates, and contains dozens of encrypted code blocks. It uses a rootkit to hide itself, peer-to-peer capabilities for remote command and control, and alters its behavior based on the systems on which it is infecting. Utilizing a nasty vulnerability within the Windows Shell, the attack occurs upon simply viewing files within Explorer.

Secondly, it is a targeted attack. Unlike common worms and malware, its goal is not to spread everywhere or to anyone. It was designed specifically to target SCADA (supervisory control and data acquisition) systems, or industrial control systems like those used in power plants and other critical infrastructure locations. Among other behaviors, it is designed to reprogram the PLCs (programmable logic controllers) used in these systems. The advanced nature of the worm, along with its very specific targets, helped Stuxnet elude detection for months, perhaps even a year. Targeted attacks often fly below the radar of the major antivirus security vendors.

Lastly, most experts agree, the Stuxnet worm is the work of organized, and quite likely state-sponsored, professionals. Its creation required detailed knowledge of the SCADA systems being targeted, it was written using multiple languages, and it rivals many commercial applications in both complexity and stability (it’s hard to perform all of the work Stuxnet does without crashing or destabilizing a system, risking detection). At nearly 500KB in size, it is notably larger than most malicious worms we’ve seen. These observations suggest that a team of engineers developed Stuxnet over a significant period of time – something that requires commitment and more importantly, money.

Aside from being more advanced than traditional attacks, it is different in motivation (purpose and target) and generation (who created it). Kudos to the army of security researchers that have, and are continuing to, dissect this worm. But the most notable attribute of Stuxnet is, in my opinion, its initial entry point. The attack initiated from a simple USB stick, just like the one in Operation Buckshot (which I discussed a month ago). All the sophisticated techniques in its arsenal, and Stuxnet still needed to be physically inserted into “patient zero.”

And therein lies two important lessons: Number one is that the host computer is still the most vulnerable point of an infrastructure. All the perimeter defenses in the world (IPS, IDS, firewalls, …) would not have stopped Stuxnet (or the DoD attack involved in Operation Buckshot). It was delivered directly to an endpoint. It’s like a building with motion sensors in every hallway with office doors that open directly to the outside world. Why bother navigating the hallways when you can walk right into a room?

Number two, as I’ve harped on many times before, traditional reactive and signature based technologies will continue to fail at detecting these new and unknown attacks. Don’t you think there were antivirus products on at least some of the estimated 45,000 computers infected by Stuxnet?

Bit9 Parity’s advanced threat protection would have stopped Stuxnet from ever executing in the first place – with or without the Windows Shell Explorer flaw. If a file is not approved, it cannot execute, whether or not the execution is explicit or via some unknown vulnerability. Moreover, even if the stolen certificates were approved, Parity application whitelisting would have stopped the attack with its simple “block all executes from removable devices” policy. Beyond the initial entry point, if a Parity-protected system were attacked by an infected computer, it would remain clean. For example, Stuxnet uses a Print Spooler vulnerability among its techniques to spread. The print spooler is hardly an approved software distribution system, therefore any attempt to write and execute content would be blocked.

A number of articles have commented that Stuxnet marks a new era in cyber-warfare.  I agree. Advanced threats like Stuxnet are the new weapons of mass destruction. Just as the attackers and their methods have evolved, the defenders and our methods must as well.

Leave a Reply