Binary Operations: Stuxnet.exe

Published: Mon 12 November 2012

This project positions the highly sophisticated and controversial computer worm Stuxnet as a volatile material for experimentation and distribution.

0. Background

Discovered in June 2010, Stuxnet spreads initially via Microsoft Windows and targets Siemens industrial software and equipment. Stuxnet is the first discovered malware that spies on and subverts industrial systems. Its primary target is the Siemens Simatic S7-300 PLC CPU, commonly found in large-scale industrial sites, including nuclear facilities.

Stuxnet is considered a major cyber weapon: On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called “Operation Olympic Games”, started under President George W. Bush and expanded under President Barack Obama.

Because of its danger, Stuxnet is considered absolutely unsafe for distribution. Merely presenting Stuxnet in its original form risks infecting another machine. In this sense it is unique as an executable program, both undercover agent and tool.

Here I experiment with this highly volatile digital material, presenting Stuxnet in several ruined, encrypted or mutilated forms.

DISCLAIMER: I am not distributing Stuxnet here in its original form. Stuxnet has been made completely broken/dysfunctional, a harmless binary blob. Nonetheless I take no responsibility for any harm done to systems, people or equipment in the event researchers or the curious somehow (magically) manage to derive the original executable by a translation, cracking or re-manipulation of the binary data linked from this page.

1. Stuxnet held captive within the image of its target, then buried.

As mentioned above, Stuxnet is designed to target the Siemens S7-300 system. Here I have directly put Stuxnet inside the image of its target using a steganography program, embedding it with the encryption algorithm Rijndael at a key size of 256 bits. The Stuxnet worm I embedded is called ‘malware.exe’ and has md5sum 016169ebebf1cec2aad6c7f0d0ee9026. Here is a virus report on files with this md5sum.

Clicking on the below image will take you to a 9.7M JPEG image in which Stuxnet is embedded.

Whilst encoded inside the image (md5sum acefdc7f312df5af5c9de8e54a4764c6) Stuxnet is rendered completely harmless, entombed within a representation of its target.

The passphrase to unlock Stuxnet from its target is random, extremely long and I have no record of it. Nor can I remember it. I also altered a single pixel of the image after encoding, corrupting the index and thus making it impossible to extract.

            julian@x200:/tmp/stuxnet$ steghide -e rijndael-256 embed -ef malware.exe -cf
            s7300.jpg 
            Enter passphrase: 
            Re-Enter passphrase: 
            embedding "malware.exe" in "s7300.jpg"... done%

2. Stuxnet interpreted as an image, then broken.

HEX values are widely used to represent colours. Here I turn the 16-bit HEX values dumped from the binary into colour values that are placed, in order, pixel by pixel, into a PNG image. Here is the first part of Stuxnet (about 1/60th), as a PNG image:

The whole image is available here at 64 pixels wide and here at 32 pixels wide.

Here is how I derive colours from symbol values:

It is possible to reconstruct Stuxnet from such an image by reading out the HEX values (using an image editor or processor) into a file and then converting the HEX back into a binary. It is not possible with this image, however, as I have encoded “julian oliver 2012” into the image at a random location in its first half:

            julian@x200:~$ echo "julian oliver 2012" | xxd
            0000000: 6a75 6c69 616e 206f 6c69 7665 7220 3230  julian oliver 20
            0000010: 3132 0a                                  12.

The binary is thus polluted and fails to run. My tests with the unpolluted image do execute in my jailed, offline test environment.

Here is the code I wrote, executed on a Debian GNU/Linux workstation, that generates the image map of the Stuxnet malware.exe binary (md5sum 016169ebebf1cec2aad6c7f0d0ee9026).

            #!/bin/bash
            # Map each 16-bit word of malware.exe to one pixel: the four hex digits
            # become the red and green channels, '00' is appended as blue.

            # Declare vars: x,y is the pixel position inside a tile, t the tile number
            x=0 y=0 t=0

            # Create an empty (white) 64x64 image for the first tile
            convert -size 64x64 xc:white tile0.png

            # Dump the binary as 2-byte words, one per line, and add a '#' so each
            # word reads as an ImageMagick colour value
            for col in $(xxd -p -c 2 malware.exe | sed -e 's/^/#/')
            do
                # Draw one point per word, filling each 64-square tile left to right,
                # top to bottom. Pad with '00' for the blue channel.
                mogrify -fill "$col"00 -draw "point $x,$y" tile$t.png
                x=$((x+1))
                if [ $x -eq 64 ]; then
                    x=0
                    y=$((y+1))
                fi
                if [ $y -eq 64 ]; then
                    # Tile is full: start a fresh white tile
                    t=$((t+1))
                    convert -size 64x64 xc:white tile$t.png
                    y=0
                fi
                echo $x " " $y " " $col
            done
            # Append all tiles, top to bottom, into one image. 'ls -v' sorts the
            # names numerically so that tile10.png does not land before tile2.png.
            convert -append $(ls -v tile*.png) stuxnet.png
            # Remove the tiles
            rm -f tile*

One might recreate a polluted Stuxnet from the values stored in the above image like so:

            # -p: Stuxnet.txt holds plain hex digits as read out of the pixels, without xxd's offsets
            xxd -r -p Stuxnet.txt malware.exe

Again, it will not execute due to my name strategically polluting the source image. It is my name that breaks it.
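The mapping above (two bytes per pixel, 64 pixels per row, white fill for unused pixels) and its reversal, including the effect of a planted marker string, as an added example in pure Python. This is not code from the original post; it uses only the standard library, a constructed byte pattern in place of any real binary, and two assumptions the post does not state: an odd-length tail is padded with a zero byte, and the decoder is told the true file length, because trailing white fill would otherwise decode as `ff ff` bytes.

```python
"""Bytes <-> pixel mapping in the style of section 2 (added example, not the post's code)."""
import hashlib

TILE = 64                 # pixels per row, matching the post's 64-wide tiles (assumption)
WHITE = (255, 255, 255)   # ImageMagick's xc:white: what pixels the data never reaches hold


def words_to_pixels(data: bytes) -> list:
    """Map each 16-bit word to one RGB pixel, like `-fill "#hhll"00`:
    high byte -> red, low byte -> green, blue always 0."""
    if len(data) % 2:
        data += b"\x00"   # pad an odd-length tail (our choice; the post does not say)
    return [(data[i], data[i + 1], 0) for i in range(0, len(data), 2)]


def layout(pixels: list, width: int = TILE) -> list:
    """Rows of `width` pixels, left to right, top to bottom. Stacked 64x64 tiles
    joined with `convert -append` are just one tall image of such rows."""
    rows = [pixels[i:i + width] for i in range(0, len(pixels), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] = rows[-1] + [WHITE] * (width - len(rows[-1]))
    return rows


def recover(rows: list, nbytes: int) -> bytes:
    """Inverse mapping. `nbytes` is required: the white fill decodes as ff ff,
    so the image alone does not tell you where the original file ended."""
    flat = [px for row in rows for px in row]
    out = bytes(b for r, g, _b in flat for b in (r, g))
    return out[:nbytes]


def pollute(rows: list, marker: bytes, offset: int) -> list:
    """Overwrite pixels starting at word index `offset` with `marker`'s bytes,
    as the post does with the string 'julian oliver 2012'. Returns a copy."""
    new = [list(row) for row in rows]
    width = len(new[0])
    padded = marker + (b"\x00" if len(marker) % 2 else b"")
    for k in range(0, len(padded), 2):
        idx = offset + k // 2
        new[idx // width][idx % width] = (padded[k], padded[k + 1], 0)
    return new


def to_ppm(rows: list) -> bytes:
    """Binary PPM (P6), viewable with any image viewer or ImageMagick's display."""
    h, w = len(rows), len(rows[0])
    body = bytes(c for row in rows for px in row for c in px)
    return b"P6\n%d %d\n255\n" % (w, h) + body


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a binary: a deterministic byte pattern, nothing more.
SAMPLE = bytes((i * 7 + 3) % 256 for i in range(5000))


def demo() -> dict:
    """Round-trip the sample, then show that a planted marker breaks the round-trip."""
    rows = layout(words_to_pixels(SAMPLE))
    clean = recover(rows, len(SAMPLE))
    dirty = recover(pollute(rows, b"julian oliver 2012", offset=1000), len(SAMPLE))
    return {
        "roundtrip_ok": clean == SAMPLE,
        "polluted_ok": dirty == SAMPLE,
        "rows": len(rows),
        "clean_sha256": sha256(clean),
        "dirty_sha256": sha256(dirty),
        "ppm_size": len(to_ppm(rows)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    with open("sample.ppm", "wb") as fh:   # the clean layout, for viewing
        fh.write(to_ppm(layout(words_to_pixels(SAMPLE))))
```

The hash comparison is the check a reader should apply to anything recovered from such an image: a digest of the decoded bytes that does not match the digest of the file that went in means the image was altered, whether by a planted string or by a lossy re-save.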

3. xnet.exe: Stuxnet beheaded (or the 2nd half of Stuxnet).

Here I have opened up Stuxnet’s malware.exe in the VIM editor, switched to HEX view mode (with :%!xxd), found the middle line of Stuxnet and deleted the first half, leaving only the remainder. This renders Stuxnet completely dysfunctional. Clicking on the image below will allow you to download the beheaded corpse of Stuxnet.

Julian Oliver, 12.11.12

EOF