Code complexity

The 417 code and data are much more complex than the 315 code. For example, FC 6063 contains 1400 lines of decrypted STL code, and FC 6065, which holds the main logic of the attack, contains about 900 lines of decrypted STL code.

State machine

Similar to the 315 attack code, the 417 attack code is structured as a state machine. However, the 417 code has eight states, numbered from zero to seven, with zero being the initial state. The states are passed through in order, with one exception: state four may be reached directly from state two, bypassing state three. State seven leads back to state zero for the next round.

State one is where input values are recorded: up to 984 inputs are recorded for up to 15 seconds.

The core attack is executed in states two to six. During the attack, the pre-recorded input is played back into the process image that the legitimate PLC code works on. States two, three, and four are executed quickly. The transition to state six takes place at the latest 2 minutes and 53 seconds after the attack begins; the transition from state six to state seven takes place at the latest 6 minutes and 58 seconds after the attack begins.

MITM, input values, output values

As we published earlier, the man-in-the-middle position is achieved by disabling the automatic process image update in the S7-400's execution environment. This is done by manipulating system data blocks (SDBs) at infection time, since it cannot be done at runtime. Thereafter, the input and output images are copied under the attack code's control by calling SFC 26 (update process image input table), SFC 27 (update process image output table), and SFC 20 (block move).

The up to 984 input values are structured as a multi-dimensional array of six records with up to 164 entries each. We have reason to believe that the number six has no relation to the six Profibus interfaces accessed by the 315 attack code. We will publish intelligence on the 417's input data structure soon. As mentioned above, these 6 x 164 inputs are recorded for up to 15 seconds.
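To make the control flow concrete, the following Python model (added here; it is not the decrypted STL of FC 6065 or any other code from the 417 attack) walks through the eight states, records inputs in state one and replays them into the input process image in states two to six, which is the man-in-the-middle effect the SDB manipulation makes possible. Everything beyond the figures quoted in the text is an assumption of the model: that recording starts as soon as state one is entered, that each of the six records is one snapshot of up to 164 inputs taken at an assumed sampling period, that the 2 -> 4 shortcut is driven by a flag, and that the two deadlines are the actual transition times rather than upper bounds. The plant inputs are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Figures from the text: six records of up to 164 entries (984 inputs),
# recorded for at most 15 seconds; state 6 is reached at the latest 2:53
# and state 7 at the latest 6:58 after the attack begins.
RECORDS = 6
ENTRIES_PER_RECORD = 164
RECORD_SECONDS = 15.0
STATE6_DEADLINE = 2 * 60 + 53.0
STATE7_DEADLINE = 6 * 60 + 58.0


@dataclass
class Attack417Model:
    """Eight-state machine, state 0 initial, 7 -> 0 for the next round.
    What triggers 0 -> 1, what triggers the 2 -> 4 shortcut, the sampling
    period, and treating the deadlines as the actual transition times are
    all assumptions of this model, not facts from the analysis."""
    skip_state_3: bool = False      # assumed trigger for the 2 -> 4 shortcut
    sample_period: float = 1.0      # assumed seconds between recorded snapshots
    state: int = 0
    records: List[List[int]] = field(default_factory=list)
    record_start: Optional[float] = None
    last_sample: Optional[float] = None
    attack_start: Optional[float] = None
    replay_index: int = 0
    trace: List[int] = field(default_factory=list)

    def cycle(self, now: float, live_inputs: List[int], process_image: List[int]) -> int:
        """One PLC scan. With the automatic process-image update disabled via
        the SDBs, the attack code alone decides what the legitimate program
        finds in the input process image: the live I/O values or the recording."""
        self.trace.append(self.state)
        if self.state == 0:
            process_image[:] = live_inputs
            self.record_start = now
            self.last_sample = None
            self.records = []
            self.state = 1                           # assumed: record immediately
        elif self.state == 1:
            process_image[:] = live_inputs           # legitimate code still sees the plant
            if self.last_sample is None or now - self.last_sample >= self.sample_period:
                self.records.append(list(live_inputs[:ENTRIES_PER_RECORD]))
                self.last_sample = now
            if len(self.records) >= RECORDS or now - self.record_start >= RECORD_SECONDS:
                self.attack_start = now
                self.replay_index = 0
                self.state = 2
        elif 2 <= self.state <= 6:
            # Core attack: the recording replaces the live values in the image.
            process_image[:] = self.records[self.replay_index % len(self.records)]
            self.replay_index += 1
            elapsed = now - self.attack_start
            if self.state == 2:
                self.state = 4 if self.skip_state_3 else 3
            elif self.state in (3, 4):
                self.state += 1
            elif self.state == 5 and elapsed >= STATE6_DEADLINE:
                self.state = 6
            elif self.state == 6 and elapsed >= STATE7_DEADLINE:
                self.state = 7
        else:                                        # state 7: back to the start
            process_image[:] = live_inputs
            self.state = 0
        return self.state


def simulate(model: Attack417Model, plant: Callable[[float], List[int]],
             cycle_time: float, duration: float) -> List[Tuple[float, int, List[int]]]:
    """Run scan cycles and return (time, state entered with, image seen) per cycle."""
    image: List[int] = []
    history = []
    for n in range(int(duration / cycle_time)):
        t = n * cycle_time
        state_before = model.state
        model.cycle(t, plant(t), image)
        history.append((t, state_before, list(image)))
    return history


def constructed_plant(t: float) -> List[int]:
    """Constructed sample input: 164 digital inputs, all low until t = 20 s, then high."""
    return [0 if t < 20.0 else 1] * ENTRIES_PER_RECORD


def visited_states(model: Attack417Model) -> List[int]:
    """Collapse the per-cycle trace to the sequence of distinct states entered."""
    return [s for i, s in enumerate(model.trace) if i == 0 or s != model.trace[i - 1]]


if __name__ == "__main__":
    m = Attack417Model()
    simulate(m, constructed_plant, cycle_time=0.5, duration=500.0)
    print(visited_states(m))
```

With a 0.5 s scan and the default 1 s sampling period, the six records fill in about six seconds, the legitimate code then sees the recorded low values for the whole attack window although the plant goes high at 20 s, and the machine cycles 0 through 7 and starts a second round. Setting `sample_period=4.0` shows the other limit: only four records exist when the 15 s recording window closes.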

The output manipulations identified so far primarily affect digital outputs, i.e. "on" and "off" values are manipulated.