Symantec yesterday posted the definitive analysis of Stuxnet to date. It’s long, detailed, easily understood and overall a fantastic piece of work. Evidently they were holding this detail back for a conference on the 29th, and even more detail will be available in a white paper.
Here is what I found to be the key paragraph:
Stuxnet’s modified s7otbxdx.dll file contains all potential exports of the original DLL – a maximum of 109 – which allows it to handle all the same requests. The majority of these exports are simply forwarded to the real DLL, now called s7otbxsx.dll, and nothing untoward happens; in fact, 93 of the original 109 exports are dealt with in this manner. The trick, however, lies in the 16 exports that are not simply forwarded but are instead intercepted by the custom DLL. The intercepted exports are the routines to read, write, and locate code blocks on the PLC. By intercepting these requests Stuxnet is able to modify the data sent to or returned from the PLC without the operator of the PLC ever realizing it. It is also through these routines that Stuxnet is able to hide the malicious code that is on the PLC.
The post covers how Stuxnet decides which PLCs to infect, the method of infection, the infection code, and the rootkit. A must-read if you want the technical meat on Stuxnet. I’m looking forward to the white paper.