Spreading malware with worms
By: Brody Massecar, Olatubosun Aremu and Yifeng Xie
What is malware? Malware is software intentionally designed to cause damage to a computer, server, client, or computer network. The history of malware dates back to the late 1980s, before widespread access to the Internet, when viruses spread on personal computers by infecting executable programs or the boot sectors of floppy disks.
However, the worldwide spread of the Internet also increased the reach of malware and the damage it causes. Malware is delivered through a few infection techniques, such as worms, viruses and trojans, and the attacks range from spyware being installed on a computer to ransomware, where criminals hold a victim's hard drive hostage. We will look at two of the notable malware worm attacks that happened in this century.
Computers affected: 45 million in two days
Financial cost: $10 billion
ILOVEYOU is malware that uses social engineering to gain access to computer systems. Its creator was Onel de Guzman, a resident of Manila, Philippines. The “ILOVEYOU” worm took advantage of computer users looking for love: users would receive an email with an attached “love letter.” Instead of quotes from popular poets or love notes, the letter was in fact a Visual Basic script. When clicked, the script downloaded a program that overwrote files with the .JPEG, .DOC and .MP3 extensions, among other files on the system. The malware then forwarded the malicious letter to 50 of the user's email contacts. This self-replicating feature is the main reason its reach went so far.
Analyzing the malware at the system level, “ILOVEYOU” hinged on the assumption that the scripting engine setting which runs scripting-language files such as .vbs files would be enabled. It then exploited a Windows feature that hides file extensions by default, which the malware creators used in their exploit.
With the hide-extensions setting enabled, the attachment appears to be only a .txt file, but when the user clicks on it, the script sends itself to 50 people in the user's contact list and then deletes all the media (audio and image) files on the computer.
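The hidden-extension trick described above is something a mail gateway or endpoint can screen for by looking at the real final extension rather than the name Explorer displays. The following is an added example for this article, not code from the original page: it classifies attachment names, reports how the name would be displayed with extensions hidden, and flags a script extension hidden behind a document-looking one. The extension lists and the sample attachment names are constructed assumptions for the illustration.

```python
"""Screen attachment names for a script hidden behind a harmless-looking
extension, the trick the ILOVEYOU letter relied on when Windows hid known
extensions. Added illustration; not code from the original article.
The sample attachment names and the extension lists are constructed."""
import os
from typing import Dict, List

# Extensions the Windows shell or Windows Script Host executes directly.
# Assumed list for this example, not an exhaustive policy.
EXECUTABLE_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                         ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}

# Extensions a user would expect to be plain documents or media.
DECOY_EXTENSIONS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".pdf"}

# Constructed sample names, as they would arrive in mail headers.
SAMPLE_ATTACHMENTS = ["love-letter.txt.vbs", "quarterly-report.pdf",
                      "photo.jpg.scr", "notes.txt", "installer.exe"]


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with 'hide extensions for known file
    types' on: only the final extension is removed."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify_attachment(filename: str) -> Dict[str, object]:
    """Explain why an attachment name is suspicious, if it is."""
    root, last_ext = os.path.splitext(filename)
    last_ext = last_ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    reasons: List[str] = []
    if last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension {last_ext} is executable")
        if inner_ext in DECOY_EXTENSIONS:
            shown = displayed_name(filename)
            reasons.append(f"decoy {inner_ext}; Explorer would show it as {shown!r}")
    return {"name": filename, "displayed_as": displayed_name(filename),
            "suspicious": bool(reasons), "reasons": reasons}


def scan_attachments(names: List[str]) -> List[Dict[str, object]]:
    """Return only the entries a mail gateway should hold for review."""
    return [c for c in (classify_attachment(n) for n in names) if c["suspicious"]]


if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The check is deliberately case-insensitive, since the shell treats `.VBS` and `.vbs` alike; a filter that only looked at the visible name would pass `love-letter.txt.vbs` as a text file, which is exactly the gap the worm relied on.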
A screenshot showing a copy of the ILOVEYOU virus email and the program (Reference: CNN Business article on ILOVEYOU by James Griffiths)
Damage: Over 200,000 computers infected and 1,000 centrifuges degraded
Stuxnet is computer malware that was first discovered in 2010. It is speculated that its development dates as far back as 2005-2006. It is believed to have been a joint venture by the U.S. and Israel to halt the development of Iran's nuclear weapons program, and to do so stealthily so that Iran had no knowledge of it until the attack happened. An unsuccessful earlier version of the malware was deployed in 2007, but it later appeared that its only aim was to gather intelligence about the nuclear program.
Stuxnet was one of the first pieces of malware designed to cause damage in the physical world rather than just in the virtual world of computers. Stuxnet targets supervisory control and data acquisition (SCADA) systems, and researchers believe that Stuxnet was responsible for causing considerable damage to Iran's nuclear program.
Image from the real story of Stuxnet article on IEEE Spectrum website
The Stuxnet worm was an extraordinarily powerful and malicious piece of code that attacked, undetected, in three phases:
- Windows infection: it targeted Microsoft Windows machines and networks and continually replicated itself to spread across machines.
- Step 7 infection: it then located Siemens Step 7 software, Windows-based software used to control the special industrial control systems that operate equipment such as centrifuges.
- PLC infection: finally, it infected the programmable logic controllers (PLCs). The attackers could then spy on the industrial systems and even cause the fast-spinning centrifuges to spin out of control and self-destruct, unbeknownst to the human workers at the plant.
Below are the exploits of each phase explained in some detail.
Stuxnet was able to attack Windows operating systems by using four previously unknown and undetected exploits (zero-day attacks).
The four zero-day attacks used were:
- Remote code execution with Printer Sharing
- LNK/PIF vulnerability
- CPLINK vulnerability
- Conficker worm vulnerability
At first, the worm gained access to host computers and spread through infected removable disk drives. The infected drives contained Windows shortcut files that would execute code when viewed. The worm then used peer-to-peer remote procedure calls (RPC) to infect and update other computers inside private networks that don't have a direct connection to the Internet. The other exploits used were remote code execution on a computer with Printer Sharing enabled and the LNK/PIF vulnerability, in which file execution is triggered when an icon is viewed in Windows Explorer, removing the need for user interaction.
The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers were digitally signed with the private keys of two public-key certificates stolen from two prominent companies, JMicron and Realtek. The valid signatures allowed the worm to install kernel-mode rootkit drivers without users being notified, so it remained undetected for a very long time. The Windows component of the malware is powerful in that it spreads very quickly and erratically.
Step 7 Infection:
According to researcher Ralph Langner, once Stuxnet finds its way into a Windows system, it infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software (Step 7) and takes control of a key WinCC communication library, s7otbxdx.dll. By doing this, it commandeers the communications between the SCADA control software running under Windows and the target Siemens PLC devices that the software configures and programs when the two are connected through a data cable. In this way, Stuxnet can install itself on PLC devices without notifying the worker, and it hides its presence from the SCADA software if the control software tries to read an infected block of memory from the PLC.
Overview of normal communications between Step 7 and a Siemens PLC
Overview of Stuxnet hijacking communication between Step 7 software and a Siemens PLC
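Because the hijack described above works by replacing a library the engineering software loads, the defensive counterpart is file-integrity monitoring of those libraries against a baseline taken from a known-clean installation. The following is an added example for this article, not code from the original page or from Siemens: it hashes every DLL in a directory, stores the digests, and on re-check reports modified, missing and newly added files. The directory, file names other than s7otbxdx.dll, and file contents are constructed in a temporary folder for the illustration.

```python
"""Integrity baseline for the libraries an engineering workstation loads,
so that a swapped communication DLL (the text names s7otbxdx.dll) is noticed.
Added illustration, not code from the original article or from Siemens; the
folder and its file contents are constructed in a temporary directory."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream the file so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory: str, suffix: str = ".dll") -> Dict[str, str]:
    """Map each DLL name in the directory to its SHA-256 hex digest."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if name.lower().endswith(suffix)}


def verify(directory: str, baseline: Dict[str, str]) -> List[str]:
    """Report libraries that changed, disappeared, or appeared since baseline."""
    current = build_baseline(directory)
    findings: List[str] = []
    for name, expected in baseline.items():
        if name not in current:
            findings.append(f"MISSING  {name}")
        elif current[name] != expected:
            findings.append(f"MODIFIED {name}")
    findings.extend(f"NEW      {name}" for name in current if name not in baseline)
    return findings


def demo() -> List[str]:
    """Baseline a clean folder, then simulate a library swap and re-check."""
    with tempfile.TemporaryDirectory() as d:
        def write(name: str, data: bytes) -> None:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        write("s7otbxdx.dll", b"vendor communication library (constructed bytes)")
        write("other.dll", b"unrelated library (constructed bytes)")
        baseline = build_baseline(d)
        # A replacement of the same name, plus an extra file dropped beside it.
        write("s7otbxdx.dll", b"replacement with the same file name (constructed)")
        write("extra.dll", b"file that was not in the baseline (constructed)")
        return verify(d, baseline)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The baseline must be kept off the monitored host and the check run from trusted media: as the text notes, the malware carries a kernel-mode rootkit, and a rootkit on the same machine can serve the original bytes to any hash routine that asks for the file.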
Although the whole of the Stuxnet code has not been fully revealed, we know that it only targets SCADA configurations that meet certain requirements the worm is designed to recognize. Stuxnet requires specific variable-frequency drives, also called frequency converter drives, to be attached to the targeted Siemens S7-300 system and its associated modules. Stuxnet attacks PLC systems using the variable-frequency drives of two distinct vendors: Vacon, based in Finland, and Fararo Paya, based in Iran.
In addition, it monitors the frequency of the attached motors and only attacks systems that spin between 807 Hz and 1,210 Hz. This is a much higher frequency than motors in most industrial applications operate at. Stuxnet installs its malware into memory block DB890 of the PLC. From there, Stuxnet monitors the system's Profibus messaging to determine when it can start to control the system. Once Stuxnet has collected enough information and the conditions meet its requirements, it modifies the frequency of the motors to 1,410 Hz, then to 2 Hz, and then to 1,064 Hz. Changing the frequency of the motors drives their rotational speed to abnormal values, which can cause damage. Stuxnet also installs a rootkit on the PLC; this rootkit hides the malware and masks the changes in rotational speed from monitoring systems.
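Since the PLC rootkit masks the speed changes from the monitoring systems that read the PLC, the defensive lesson of this passage is that drive speed should also be measured by a sensor the PLC does not control, and the two readings compared. The following is an added example for this article, not code from the original page: it checks an independent telemetry series against the 807-1,210 Hz band given in the text, flags implausible jumps, and reports the moments where the PLC's reported speed disagrees with the sensor. The telemetry values, the flat PLC-reported series, and the 50 Hz step limit are constructed assumptions; the excursion pattern follows the 1,410 Hz / 2 Hz / 1,064 Hz sequence the text describes.

```python
"""Independent drive-speed monitoring as a defensive counterpart to the
behaviour described above: readings come from a separate sensor, not from the
PLC, because the PLC rootkit masks the speed changes from monitoring systems.
Added illustration, not code from the original article; the telemetry series
and the step limit are constructed assumptions."""
from typing import List, Tuple

# Operating band the article gives for the targeted drives.
BAND_LO_HZ, BAND_HI_HZ = 807.0, 1210.0
# Largest change between consecutive one-second samples treated as plausible
# for this process. Assumed value for the example, not a vendor figure.
MAX_STEP_HZ = 50.0

# Constructed telemetry: (seconds, Hz) from the independent sensor, with a
# sequence patterned on the 1,410 Hz / 2 Hz / 1,064 Hz changes in the text.
SENSOR = [(0, 1064), (1, 1065), (2, 1063), (3, 1064),
          (4, 1410), (5, 1410), (6, 2), (7, 2), (8, 1064), (9, 1064)]
# Constructed values the PLC reports over the same period: flat, because the
# rootkit returns the expected speed to the SCADA software.
PLC_REPORTED = [(t, 1064) for t in range(10)]


def detect_anomalies(samples: List[Tuple[int, float]]) -> List[str]:
    """Flag readings outside the band and implausible jumps between samples."""
    alerts: List[str] = []
    prev = None
    for t, hz in samples:
        if not BAND_LO_HZ <= hz <= BAND_HI_HZ:
            alerts.append(f"t={t}s: {hz} Hz outside {BAND_LO_HZ:g}-{BAND_HI_HZ:g} Hz band")
        if prev is not None and abs(hz - prev) > MAX_STEP_HZ:
            alerts.append(f"t={t}s: jump of {abs(hz - prev):g} Hz from previous sample")
        prev = hz
    return alerts


def disagreement_times(sensor: List[Tuple[int, float]],
                       reported: List[Tuple[int, float]],
                       tolerance_hz: float = 5.0) -> List[int]:
    """Timestamps where the PLC's reported speed disagrees with the sensor;
    a masked change shows up here even if the reported value looks normal."""
    reported_by_t = dict(reported)
    return [t for t, hz in sensor
            if t in reported_by_t and abs(hz - reported_by_t[t]) > tolerance_hz]


if __name__ == "__main__":
    for line in detect_anomalies(SENSOR):
        print(line)
    print("sensor/PLC disagreement at t =", disagreement_times(SENSOR, PLC_REPORTED))
```

The band check alone would miss an attacker who stayed inside 807-1,210 Hz, and the jump check depends on the assumed sampling rate; the sensor-versus-PLC comparison is the part that does not rely on trusting the PLC at all, which is why it is the check worth keeping on an independent device.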
In summary, we have looked at two different ways malware can propagate, in both the virtual and the real world. The ILOVEYOU worm exploited a weakness present in the Windows 90/2000 operating systems that allowed malicious files to have their file type hidden and then, when opened, overwrite personal files, resulting in significant data loss. Stuxnet was a more sophisticated worm that used a combination of several attacks and techniques to gain control of industrial centrifuges without the plant operators or monitoring tools ever detecting it, and then caused the centrifuges to run out of control.
The Real Story of Stuxnet: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet