Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities. Our research has also uncovered another method of propagation that targets Step7 project folders: a user who opens an infected project folder, possibly received from a third party, becomes infected without realising it.
The structure of a Step7 project folder is as follows:
Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.
The infection process consists of several distinct steps:
First, Stuxnet creates the following files:
- xutils\listen\xr000000.mdx: an encrypted copy of the main Stuxnet DLL
- xutils\links\s7p00001.dbf: a copy of a Stuxnet data file (90 bytes in length)
- xutils\listen\s7000001.mdx: an encoded, updated version of the Stuxnet configuration data block
The threat then scans subfolders under the hOmSave7 folder. In each of them, Stuxnet drops a copy of a DLL it carries within its resources. This DLL has a particular name (we’ll refer to it as “xyz.dll”).
Stuxnet then modifies a Step7 data file located within the project folder structure. In the interests of responsible disclosure, we will not be providing details of this modification. Following this final step, the infection process is complete.
When an infected project is opened with Simatic manager, the modified data file will trigger a search for the previously mentioned xyz.dll file. The following folders are searched, in this order:
- The S7BIN folder of the Step7 installation folder
- The %System% folder
- The %Windir%\system folder
- The %Windir% folder
- Subfolders of the project’s hOmSave7 folder
If no xyz.dll file is found in any of the first four locations above, the malicious DLL from the project's hOmSave7 subfolder will be loaded and executed by the manager. This DLL acts as a decryptor and loader for the copy of the main DLL located in xutils\listen\xr000000.mdx. This strategy is very similar to the DLL preloading attacks that emerged in August.
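The dropped files listed above and the search order just described lend themselves to two defensive checks: a scan of a project folder (or of a Zip archive holding one, since the post notes those are infected too) for the artifacts named in the post, and a model of the search order that shows which copy of the named DLL Simatic manager would pick up. The script below is an added example written for this post; it is not code from Symantec, Siemens or Stuxnet itself. File names come from the post, "xyz.dll" is the post's own placeholder for the loader DLL's real name, and the S7BIN, System32 and Windows paths used in the demo are constructed stand-ins rather than a real installation.

```python
# Added example (not from the post or from Siemens/Symantec): flag the project
# artifacts the post lists and model the DLL search order it describes.
# "xyz.dll" is the post's placeholder name; demo paths are constructed.
import os
import tempfile
import zipfile

# Project-relative files the post says Stuxnet creates inside a project folder.
INDICATOR_FILES = (
    "xutils/listen/xr000000.mdx",  # encrypted copy of the main Stuxnet DLL
    "xutils/links/s7p00001.dbf",   # 90-byte copy of a Stuxnet data file
    "xutils/listen/s7000001.mdx",  # encoded, updated configuration data block
)
LOADER_DLL = "xyz.dll"  # placeholder used by the post, not the real file name
HOMSAVE = "hOmSave7"    # the loader DLL is dropped into each subfolder of this

def _normalize(rel):
    """Forward slashes, lower case, so Windows and Zip paths compare equally."""
    return rel.replace("\\", "/").lower()

def _classify(rel_paths):
    """Sorted project-relative matches; suffix matching also finds a project
    nested under an extra directory, as inside a Zip archive."""
    findings = set()
    for rel in rel_paths:
        norm = _normalize(rel)
        for wanted in (w.lower() for w in INDICATOR_FILES):
            if norm == wanted or norm.endswith("/" + wanted):
                findings.add(wanted)
        parts = norm.split("/")
        # hOmSave7/<subfolder>/xyz.dll: exactly one level below hOmSave7
        if len(parts) >= 3 and parts[-3] == HOMSAVE.lower() and parts[-1] == LOADER_DLL:
            findings.add("/".join(parts[-3:]))
    return sorted(findings)

def scan_project_dir(root):
    """Scan an on-disk project folder."""
    rels = [os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files]
    return _classify(rels)

def scan_project_zip(zip_path):
    """Scan a Zip archive; the post notes archived projects are infected too."""
    with zipfile.ZipFile(zip_path) as zf:
        return _classify(n for n in zf.namelist() if not n.endswith("/"))

def search_candidates(step7_bin, system_dir, windir, project_root):
    """Locations in the order the post gives: S7BIN, %System%, %Windir%\\system,
    %Windir%, then each subfolder of the project's hOmSave7."""
    candidates = [os.path.join(step7_bin, LOADER_DLL),
                  os.path.join(system_dir, LOADER_DLL),
                  os.path.join(windir, "system", LOADER_DLL),
                  os.path.join(windir, LOADER_DLL)]
    homsave = os.path.join(project_root, HOMSAVE)
    if os.path.isdir(homsave):
        for sub in sorted(os.listdir(homsave)):
            candidates.append(os.path.join(homsave, sub, LOADER_DLL))
    return candidates

def resolve_loader_dll(candidates, exists=os.path.exists):
    """First candidate that exists, or None; `exists` is injectable so the
    order can be shown without touching real system folders."""
    for path in candidates:
        if exists(path):
            return path
    return None

def build_sample_project(base):
    """Construct a sample project tree plus a Zip of it (not a real capture)."""
    root = os.path.join(base, "sample_project")
    for rel in INDICATOR_FILES + (HOMSAVE + "/abc/" + LOADER_DLL, "clean/other.dbf"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 90)  # constructed filler content
    zip_path = os.path.join(base, "sample_project.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        for d, _, files in os.walk(root):
            for f in files:
                zf.write(os.path.join(d, f), os.path.relpath(os.path.join(d, f), base))
    return root, zip_path

def run_demo():
    """Build the sample, scan it, and show which DLL copy would be loaded."""
    with tempfile.TemporaryDirectory() as tmp:
        root, zip_path = build_sample_project(tmp)
        cands = search_candidates(os.path.join(tmp, "S7BIN"), os.path.join(tmp, "System32"),
                                  os.path.join(tmp, "Windows"), root)
        # Nothing in the four system-level locations: the project copy is loaded.
        plain = resolve_loader_dll(cands)
        # Simulate a copy already in S7BIN: it is found first, shadowing the project's.
        shadowed = resolve_loader_dll(cands, exists=lambda p: p == cands[0] or os.path.exists(p))
        return {"folder": scan_project_dir(root),
                "zip": scan_project_zip(zip_path),
                "candidates": len(cands),
                "loaded": _normalize(os.path.relpath(plain, tmp)),
                "loaded_with_s7bin_copy": _normalize(os.path.relpath(shadowed, tmp))}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the script builds the constructed sample in a temporary directory, reports the four artifacts from both the folder and the Zip scan, and then resolves the loader DLL twice: once with nothing in the system-level locations (the project's hOmSave7 copy is chosen) and once with a copy simulated in S7BIN (that copy is chosen first). The second case is exactly why the post's "not found in one of the first four locations" condition matters: the project folder is the last place searched, so the outcome depends on what the installation already has in the earlier locations. Point `scan_project_dir` at a real project folder or `scan_project_zip` at an archive to check files received from a third party or restored from backup.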
We tested the threat and its ability to infect projects using two versions of the Simatic manager. Versions 5.3 and 5.4 SP4 are impacted; it appears that Step7 Lite v3 is not. As yet we are unsure whether the latest versions of the manager (v5.4 SP5, v5.5, released in August this year) are affected.
Stuxnet’s ability to infect project files and run when they are opened is yet another propagation vector to add to the list. While we advise operators and programmers to be wary of project files from untrusted sources – Internet forums, for instance – the most likely source of infection is a trusted party whose systems have been compromised by the threat. Infected projects restored from backups may reintroduce the infection to previously cleaned machines, so administrators should exercise caution when restoring files in this manner.
We will be presenting our Stuxnet-related findings to date during the Virus Bulletin conference on September 29th.