As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for SCADA programming software. SCADA systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. SCADA programmers use software (e.g., on a Windows PC) to create SCADA code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal SCADA code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own SCADA code to the PLC. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known SCADA rootkit that is able to hide injected SCADA code located on a PLC.

In particular, Stuxnet hooks the SCADA programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.
By writing code to the PLC, Stuxnet can potentially control or alter how the SCADA system operates. A previous historic example includes a reported case of stolen SCADA code that impacted a pipeline. SCADA code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their SCADA devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world SCADA systems.

Finally, we’ve reserved the in-depth technical details on how Stuxnet achieves this SCADA rootkit functionality for a future technical whitepaper, which will delve into other features of Stuxnet as well that we haven’t had a chance to blog about. For example, a couple of other interesting things include the fact that it uses an infection counter before deleting itself (it is set to ‘3’) and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.
So, please stay tuned.