
Stuxnet Vulnerabilities Analysis of SCADA Systems*

Yong Wang¹, Dawu Gu², DaoGang Peng¹, Shuai Chen¹, and Heng Yang¹

¹ Department of Computer Science and Technology, Shanghai University of Electric Power, 2103 Pingliang Road, Shanghai 200090, Yangpu District, China
² Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dongchuan Road, Shanghai 200240, Minhang District, China
wy616@126.com

Abstract. Stuxnet is the first discovered malware built to damage a nuclear power station; it was found in June 2010 and targets only the Siemens supervisory control and data acquisition (SCADA) system via vulnerabilities. Through static reverse engineering and dynamic analysis of the Stuxnet malware files, we researched the MS10-046 (CVE-2010-2772) shortcut vulnerability, the MS10-061 (CVE-2010-2729) print spooler service vulnerability and the MS10-073 (CVE-2010-2743) keyboard layout elevation-of-privilege vulnerability. The paper illustrates the internal details and the methods Stuxnet implemented.

Keywords: Stuxnet, Vulnerability, CVE, SCADA.

1 Introduction

Stuxnet is widely suspected to have been used to damage uranium enrichment infrastructure in Iran; it was discovered in June 2010. According to widespread reports, the Iranian nuclear program, which uses Siemens equipment, has been damaged by Stuxnet. Stuxnet targets only Siemens supervisory control and data acquisition (SCADA) systems, reaching the PLCs by subverting Siemens Step-7.
Stuxnet self-propagates via several Windows vulnerabilities. The MS10-046 (CVE-2010-2772) shortcut vulnerability in the Windows shell could allow remote code execution. MS10-061 (CVE-2010-2729) in the print spooler service could allow remote code execution. The MS10-073 (CVE-2010-2743) keyboard layout vulnerability allows elevation of privilege.

* This work is supported by the State Key Laboratory of Information Security (Institute of Software, Chinese Academy of Sciences) (04-02-1), the Shanghai Education Commission Innovation Foundation (11YZ192), the Shanghai Science and Technology Commission Key Program (11511504400), the National Natural Science Foundation of China under Grant (60903188), and the Natural Science Foundation of Shanghai City (No. 12ZR1411900).

J. Lei et al. (Eds.): NCIS 2012, CCIS 345, pp. 640–646, 2012.
© Springer-Verlag Berlin Heidelberg 2012

2 Stuxnet Files

The Stuxnet sample from tuts4you.com has 7 files and 2 subdirectories in its root directory, totalling 1,129,027 bytes:
2010/09/14 16:52 26,616 A0055521.sys
2010/08/25 20:15 4,171 Copy of Shortcut to.lnk
2010/07/18 01:07 40,960 dll.dll
2010/09/27 17:46 513,536 malware.exe
2010/07/22 09:03 <DIR> signed drivers
2010/10/02 02:02 <DIR> stuxnet core
2010/07/18 00:37 392 suckme.lnk_
2010/08/25 20:15 517,632 ~WTR4132.tmp
2010/08/25 20:15 25,720 ~WTR4141.tmp
Besides the files listed, the stuxnet core directory contains dropper.exe_ and maindll.decrypted.unpacked.dll_. The signed drivers directory contains the files
“0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198”,
“1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c”,
“63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802” and
“70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b”.

3 Stuxnet Analysis

3.1 Dll.dll

Dll.dll is the main module; its size is 40,960 bytes. The section header of .text consists of a virtual size of 00006354h, a virtual address of 10001000h, a raw data size of 0006400h and a pointer to raw data of 0000400h.
_text_1000285C in .text, 96h bytes long, is the main program in dll.dll; it calls procedures such as _text_1000288E, _text_100028D4, _text_100028DF and _text_100028EE. The strings in the dll.dll file are shown in Table 1.

Table 1. Strings in Dll.dll by PE Explorer

Virtual Address   String
10008838          'Microsoft Visual C++ Runtime Library',0
10008120          'SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!',0Ah,0
7783ADC1          'R6032',0Dh,0Ah,'- not enough space for locale information',0Dh,0Ah,0
1000830C          'DOMAIN error',0Dh,0Ah,0
100091D8          'GetProcessWindowStation',0
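The following Python script is an added example for this edit, not code from the paper or from PE Explorer. It shows how the .text section header fields named above (virtual size, virtual address, raw data size, pointer to raw data) are read out of a PE file, how a virtual address is mapped back to a file offset, and how a string listing of the kind shown in Table 1 (virtual address plus the string) is produced. Because no sample binary can be shipped with the text, the script first builds a small constructed PE32 image in memory: the image base 10000000h and the .text RVA 1000h are chosen so that its section virtual address matches the paper's 10001000h, and the embedded strings are a constructed subset of those in Table 1, but the addresses it prints belong to the constructed sample, not to the real dll.dll. Only the standard library is used.

```python
import struct

# Constructed sample values (not from the paper's dll.dll).
IMAGE_BASE = 0x10000000
TEXT_RVA = 0x1000
TEXT_RAW_PTR = 0x400


def build_sample_pe():
    """Assemble a minimal PE32 image with one .text section (constructed sample)."""
    text = bytearray(0x200)                                # raw section data, file-aligned
    payload = (b"Microsoft Visual C++ Runtime Library\x00"
               b"DOMAIN error\r\n\x00"
               b"GetProcessWindowStation\x00")
    text[0x20:0x20 + len(payload)] = payload              # strings start 0x20 bytes into .text

    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE signature follows DOS header

    # COFF file header: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, DLL|32-bit|executable
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)           # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment

    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x20 + len(payload), TEXT_RVA,
                          len(text), TEXT_RAW_PTR, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + section
    return headers.ljust(TEXT_RAW_PTR, b"\x00") + bytes(text)


def parse_pe(pe):
    """Return (image_base, [section dicts]) by walking DOS -> COFF -> optional -> section headers."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)     # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                          # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                        # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": flags})
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address (as shown by a disassembler) to the byte offset in the file."""
    rva = va - image_base
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["raw_ptr"] + (rva - s["virtual_address"])
    return None


def extract_strings(pe, image_base, sections, min_len=5):
    """List (virtual address, string) for printable-ASCII runs in every section, Table 1 style."""
    found = []
    for s in sections:
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        start = None
        for i in range(len(data) + 1):                 # one extra step flushes a trailing run
            printable = i < len(data) and 0x20 <= data[i] < 0x7F
            if printable and start is None:
                start = i
            elif not printable and start is not None:
                if i - start >= min_len:
                    found.append((image_base + s["virtual_address"] + start,
                                  data[start:i].decode("ascii")))
                start = None
    return found


if __name__ == "__main__":
    pe = build_sample_pe()
    base, secs = parse_pe(pe)
    for s in secs:
        print("%-8s vsize=%08X va=%08X rawsize=%08X rawptr=%08X"
              % (s["name"], s["virtual_size"], base + s["virtual_address"], s["raw_size"], s["raw_ptr"]))
    for va, text in extract_strings(pe, base, secs):
        print("%08X  '%s'" % (va, text))
```

To run the same listing over a file on disk, replace build_sample_pe() with the bytes read from that file; the parser follows the documented PE32/PE32+ header layout, so it reads real section tables, and extract_strings scans every section rather than only .text, which is what makes .rdata and .data string constants show up alongside code.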
