Free Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter Page B

people worked on the team, and all of them had been on the job for years. “Nobody really leaves,” Chien said. “Everyone loves their work.”
    O’Murchu was undeterred. He taught himself the tools the analysts used to decipher malicious code and write signatures, and when an explosion of spyware and adware burst onto the scene several months later, he was ready when Symantec needed to expand its team. He worked the next four years in Symantec’s Dublin office—where the company still maintains its largest research group—before transferring to Culver City in 2008.
    Over the years, O’Murchu and the Symantec team had worked on a number of high-profile and complex threats. But none was as fascinating or as challenging as Stuxnet would turn out to be.
    WHEN O’MURCHU EXAMINED Stuxnet’s main file, he immediately came up against several layers of encryption masking its many parts and inner core. Luckily the first layer was a simple “packer” that was easily cracked.
    Packers are digital tools that compress and mangle code to make it slightly harder for antivirus engines to spot the signatures inside and for forensic examiners to quickly determine what a code is doing. Malware run through a packer morphs a little differently on its surface each time it’s packed, so the same code run through a packer a thousand times will create a thousand different versions of the code, though beneath the packer layer they will all be the same at their core. Antivirus engines can tell when a malicious file has been run through a known packer and can then unpack it on the fly to hunt for the signatures beneath. To thwart this, smart attackers design custom packers that aren’t easily recognized or removed. But Stuxnet’s creators hadn’t bothered to do this. Instead they used an off-the-shelf packer called UPX—short for “Ultimate Packer for eXecutables”—that was easily identified and eliminated. Given the sophisticated nature of the rest of the threat—the zero-day exploit and the stolen digital certificates—it seemed an odd choice for Stuxnet’s creators to make. So O’Murchu assumed their primary reason for using the packer must have been to simply compress the files and reduce Stuxnet’sfootprint. Once unpacked and decompressed, the main module expanded to 1.18 megabytes in size.
    With the packer now removed, O’Murchu was able to easily spot the Siemens strings Frank Boldewin had seen. But more important, he also spotted an encrypted block of code that turned out to be Stuxnet’s mother lode—a large .DLL file (dynamic link library) that contained about three dozen other .DLLs and components inside, all wrapped together in layers of encryption like Russian nesting dolls. He also found a massive configuration file containing a menu of more than four hundred settings the attackers could tweak to change everything from the URL for the command-and-control servers Stuxnet contacted to the number of machines Stuxnet would infect via a USB flash drive before the USB exploit would shut down. 1 Curiously, O’Murchu also found an infection stop date in the file—June 24, 2012. Every time Stuxnet encountered a new machine, it checked the computer’s calendar to see if the June date had passed. If it had, Stuxnet would halt and not infect it. Any payload already installed on other machines would continue to work, but Stuxnet wouldn’t infect any new machines. The stop date had been set for three years after Stuxnet infected its first machines in Iran and was presumably the date by which the attackers expected to achieve their goal. 2
    What most stood out to O’Murchu, however, was the complex way that Stuxnet concealed its files on infected machines and hijacked normal functions to perform its nefarious deeds. It took O’Murchu nearly a day to work out the details, and when he finally did, he was astounded.
    Normally, the code for performing common tasks on a Windows machine, such as opening and reading a file or