Security

Stuxnet Analysis (0-day edition)

Leave a comment

This is becoming a point of curiosity for me. A 0-day attack is one that no one is ready for because they have not seen it before. No countermeasures are prepared, no detection is known. This begs the question, what do you really know about your environment?

I know it’s uber sexy to talk 0-day, but is that really what makes Stuxnet dangerous? It looks like a symptom to me, but not the problem.

First, the Windows Print Spooler exploit was from 2009. Stuxnet spread using this known flaw that had not been patched. That makes it three 0-day at best, not the reported four. Microsoft claimed it only heard about it in late 2010 and fixed it 13 days later. I’ll spare you the rant, but guess who really argues the case to call things a 0-day?

See “Print Your Shell” in the September 2009 edition of hakin9 magazine.

Second, not all the Stuxnet vulnerabilities were 0-day. It made use of more than just four infamous vulnerabilities; the RPC vulnerability, for example, was from 2008.

Third, even on a perfect day we expect malware detection to get less than 80%. What does a 0-day really represent (assuming you still believe the three are truly 0-day)? We have messed around with the 0-day attacks for ages (depending on your definition, of course), and yet the known vulnerabilities (non-0-day) also have a very high probability of working. A 0-day may not be as serious as other vulnerabilities. I believe they play a secondary, or even a supporting role.

What I mean is the Stuxnet authors knew an awful lot about their target environment. We can talk all day about the probability of a 0-day relative to known vulnerabilities, but what really defines this Stuxnet attack vector as dangerous is knowledge specific to operations. The danger is that the attack is able to get insider knowledge…trusted access and detailed information. The ability of an attacker to conceal themselves after the breach thus is also a symptom, rather than a primary characteristic of the threat.

A good defensive posture will focus on this as a development of insider-based risk, which requires security information at least as good as an attacker’s, as I tried to explain in my presentation at RSA 2010 in London. Know your environment.

Here is a classic targeted attack example from this past weekend in Australia

The University of Sydney (USyd)…website was last defaced Friday night with a message claiming that Jie Gao, the university’s UNIX systems administrator, is incapable of securing the web server.

That message obviously is not meant to say it is theoretically impossible to secure a web server — the inevitability of 0-day flaws. It is to accuse an administrator of not knowing their environment. Major differences from Stuxnet can be found in this attackers means, motive and opportunity, but probably not methods.

It might seem like a tangent, but the TED presentations by Hans Rosling make an insightful and powerful observation on this topic. He went to fix the equivalent of 0-day health risks in Africa using modern medicine, but realized that the greatest threat was not an unknown virus or from lack of sophisticated technology. Once he began to study the environment he found that the prevention of common malnutrition is more effective to improve child survival rates.

What risks are you running in your environment?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.