W32.Stuxnet


In my last page, about encryption, I posted comments about the possible fundamental insecurity in the use of Digital Certificates and the PKI to ensure we are talking to the server we want to talk to, and I raised some weaknesses of Digital Certificates and the PKI as a security mechanism.

So there is perhaps a certain amount of irony in the fact that, just a week after I posted that page on my website, the existence of a new piece of malware was announced on various webpages.

Whether it is a high risk or a low risk depends on which website you read: some of them reckon that the end of the world is nigh, and others suggest it is low risk and easily removed.

It is getting quite a lot of attention from the technical press because it exploits a previously unknown weakness in MS Windows: the way the Windows user shell handles shortcuts. The malware is now known as W32.Stuxnet; it has sometimes been referred to as W32.Temphis or W32.Temphidlink.

The malware appears as a .lnk file, and has been carried on external drives like USB memory sticks. Some websites refer to it as a trojan, some refer to it as a worm. It does not need user activity to allow it to run; it is self-running. It installs rootkits on the infected computers. Some websites say it can be prevented from running by disabling autoplay; some say that that doesn't stop it.

Most modern versions of MS Windows are vulnerable, including XP, Vista, 7 and Server 2008; earlier versions may also be vulnerable. Some of the anti-virus/anti-malware providers now have signatures for its detection and removal.

The general interest in it revolves around the fact that it is a new exploit using a previously unknown characteristic of MS Windows, and that it opens a new platform for a host of new malware. However, my interest in it revolves around two characteristics which haven't had nearly as much publicity.


W32.Stuxnet and Digital Certificates

The first of these is that W32.Stuxnet uses a Digital Certificate that belongs to a legitimate company, i.e. it is a stolen certificate, although it appears as a legitimate certificate. It uses the certificate to avoid any kind of user interaction.

I believe that Veritas has now revoked the certificate; however, revocation is itself a somewhat unreliable mechanism for cancelling certificates, as it is open loop. There is no guarantee that all operating systems/browsers holding certificates will receive the revocation notice.

It is a bit concerning that very little of the technical press is raising the use of a stolen certificate as an issue; it is, after all, the exact same mechanism that is used in SSL to "guarantee" the security of a connection for internet-based commerce, internet banking, secure e-mail, etc.

The success of W32.Stuxnet does rather illustrate the weaknesses of certificates being stored within operating systems/browsers, and the weaknesses of the PKI system as a whole.
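As an added example (not code from the original page), here is what "open loop" revocation looks like in practice: a small Go program (assumes Go 1.21 or newer for the CRL APIs) builds a constructed CA, a code-signing certificate it issued, and a CRL revoking that certificate, then shows that standard chain verification still passes unless the verifier explicitly obtains and consults the CRL. The CA and vendor names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// BuildPKI constructs a demo CA, a code-signing leaf it issued, and a CRL revoking that leaf.
// Nothing here is a real company's certificate; errors are ignored because the inputs are fixed.
func BuildPKI() (ca, leaf *x509.Certificate, crlDER []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: isCA,
			KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	}
	caTmpl := tmpl(1, "Demo Signing CA", true)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl(4242, "Demo Hardware Vendor", false), ca, leafPub, caPriv)
	leaf, _ = x509.ParseCertificate(leafDER)
	// The CA learns the vendor's signing key was stolen and publishes a CRL listing the leaf's serial.
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caPriv)
	return ca, leaf, crlDER
}

// ChainValid is what a verifier that never received the CRL sees: a perfectly good chain.
// Go's Verify checks signatures, dates and usages; it does no revocation checking at all.
func ChainValid(leaf, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// RevokedPerCRL closes the loop: only a verifier that fetched and checked the CRL rejects the leaf.
func RevokedPerCRL(leaf, ca *x509.Certificate, crlDER []byte) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return false // an unverifiable CRL tells the verifier nothing
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(leaf.SerialNumber) == 0
	})
}
```

A real verifier would also have to fetch the CRL (or an OCSP response) from the CA's distribution point, and an attacker who blocks that fetch leaves the verifier exactly where ChainValid is.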

The fact that it is a zero-day exploit is getting all the attention, but sadly MS Windows has many different security weaknesses: some have been exploited, and others may still be waiting to be found. This is nothing new: Microsoft will go away, scratch their heads, and produce a patch; the anti-virus/anti-malware software providers are already producing signatures for it, so in that respect it is all in hand.

However, the fundamental weaknesses in certificates and the PKI are getting little attention, and they are probably more important than another weakness in MS Windows.


W32.Stuxnet and SCADA

The second thing of interest about W32.Stuxnet is that it is targeted specifically at MS Windows machines within SCADA environments. It is designed to interrogate databases associated with Siemens WinCC-based SCADA systems, and it knows the default administrator password for these systems.

It is believed to be a mechanism for some form of industrial espionage. Now okay, in this case it is looking for data. It could just as easily have been looking for the ability to control the SCADA system.

My understanding is that although W32.Stuxnet is designed to run from a USB memory stick, it will propagate via network shares. Running from a USB memory stick is designed so that it catches SCADA systems that aren't in fact connected to public networks, so they are caught as well.

However, it still somewhat confirms the view I presented in one of my earlier webpages about SCADA: the security risk of moving a SCADA system out of a secure private network environment and putting it onto a corporate network, or even the internet.

This isn't the first malicious attack on SCADA systems, and it won't be the last. Security is an absolute must for SCADA systems on corporate networks or the internet, and it has to be designed in from the very start.

© 2024   Ron Turner