i heart stuxnet
Post on 11-May-2015
I ♥ Stuxnet
or: How I Learned to Stop Worrying and Love The Worm
Gil Megidish, gil@megidish.net
DISCLAIMER
I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor
do I know of its origins. Everything in this presentation is purely an analysis of
documents written by Wikipedia, Symantec, ESET and professional security advisors.
My First Anti-Virus
What is Stuxnet ?
• The most complicated computer worm discovered so far.
• Targets industrial control systems, such as those in gas pipelines or power plants.
• An ongoing effort: the earliest traces date back to Dec 2008.
Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3
Bushehr Nuclear Power Plant
Agenda
• Introduction to computer viruses
• Stuxnet's timeline
• Infection mechanism
• Targeted systems
• Whodunit?
Computer Virus
• Software that replicates itself by copying into other executable files.
Computer Worm
• Software that replicates itself onto other computers, usually via exploits.
Rootkit
• Software that keeps access to a compromised machine while actively hiding its presence.
CVE-2010-0049
• Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on the victim's machine.
• 15 Dec 2009 – Vendor notified
• 15 Dec 2009 – Vendor replied
• 11 Mar 2010 – Coordinated public disclosure
The List Never Ends
Backdoor
Worms
Viruses
Adware
Spyware
Trojan Horse
Rootkit
Botnet
Phishing
XSS
Spoofing
Man in the Middle
D.o.S.
CSRF
“Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months. “
Frank Rieger (GSMK)
Timeline
• 2008.11 – Trojan.Zlob found to be using the LNK vulnerability
• 2009.04 – Hakin9 magazine publishes the Printer Spooler vulnerability
• 2009.06 – First variant of Stuxnet found
• 2010.01 – Stuxnet variant found with Realtek certificate
• 2010.03 – Stuxnet variant found using the LNK vulnerability
• 2010.05 – Stuxnet first detected, named RootkitTmphider
• 2010.06 – VeriSign revokes Realtek's certificate
• 2010.06 – Stuxnet variant found with JMicron certificate
• 2010.07 – Symantec monitors Stuxnet's C&C traffic
• 2010.07 – VeriSign revokes JMicron's certificate
• 2010.08 – Microsoft patches the LNK vulnerability
• 2010.09 – Microsoft patches the Printer Spooler vulnerability
Exploit #1: LNK Vulnerability (CVE-2010-2568, MS10-046)
Affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows 7. Explorer loads a DLL named by a Control Panel shell item just to render the shortcut's icon, so browsing an infected USB stick is enough.
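The slide gives no detection logic, so the following is an added example (mine, not from the talk or from any vendor tool): a heuristic triage parser for CVE-2010-2568-style shortcuts. It walks the Shell Link header and LinkTargetIDList and flags two things together: a Control Panel folder CLSID inside the IDList, and a UTF-16 path ending in `.dll` or `.cpl` inside the same list. The two sample files are constructed here with deliberately simplified shell items (a bare `0x1F` root item followed by a CLSID, then a raw UTF-16 path); they are not real Stuxnet samples and the item encoding is not byte-exact to what Explorer writes. Treat hits as "open in a sandbox", not as proof: the real fix is the MS10-046 patch.

```python
"""Heuristic triage for CVE-2010-2568-style shortcut files.

A Stuxnet .lnk carries no normal target: its LinkTargetIDList points at a
Control Panel item whose applet is a DLL path, which Explorer loaded just
to render the icon. This parser walks the Shell Link header and IDList and
flags (a) a Control Panel CLSID and (b) a DLL/CPL path inside the IDList.
Sample files below are constructed (simplified shell items, not real samples).
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST = 0x00000001
# Well-known shell folder CLSIDs, documented by Microsoft.
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
MODULE_RE = re.compile(r"[\w\\:.\- ]*\.(?:dll|cpl)\b", re.IGNORECASE)


def parse_idlist(buf: bytes, offset: int) -> tuple[list[bytes], int]:
    """Return the ItemID payloads of an IDList and the offset just past it."""
    (size,) = struct.unpack_from("<H", buf, offset)
    end = offset + 2 + size
    if end > len(buf):
        raise ValueError("IDListSize exceeds file")
    pos = offset + 2
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", buf, pos)
        if item_size == 0:          # TERMINALID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(buf[pos + 2:pos + item_size])
        pos += item_size
    return items, end


def utf16_strings(data: bytes):
    """Decode at both byte alignments so unaligned UTF-16 text is not missed."""
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[:len(chunk) - len(chunk) % 2]
        yield chunk.decode("utf-16-le", errors="ignore")


def analyze_lnk(buf: bytes) -> list[tuple[int, str]]:
    """Return (item index, reason) findings; an empty list means nothing odd."""
    if len(buf) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    findings = []
    if not flags & HAS_LINK_TARGET_IDLIST:
        return findings
    items, _ = parse_idlist(buf, LNK_HEADER_SIZE)
    for idx, item in enumerate(items):
        if CONTROL_PANEL_CLSID in item:
            findings.append((idx, "control-panel-clsid"))
        for text in utf16_strings(item):
            for path in MODULE_RE.findall(text):
                findings.append((idx, "module-path:" + path))
    return findings


def is_suspicious(buf: bytes) -> bool:
    """Both signals together: a Control Panel item that names a code module."""
    reasons = {r.split(":", 1)[0] for _, r in analyze_lnk(buf)}
    return {"control-panel-clsid", "module-path"} <= reasons


def build_lnk(items: list[bytes]) -> bytes:
    """Constructed test data: minimal 76-byte header + IDList, no other sections."""
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_TARGET_IDLIST, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(idlist)) + idlist


# Simplified shell items: 0x1F = root folder item carrying a CLSID.
MALICIOUS_LNK = build_lnk([
    b"\x1f\x00" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    "C:\\evil\\payload.dll".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_LNK = build_lnk([
    b"\x1f\x00" + MY_COMPUTER_CLSID,
    "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, is_suspicious(sample), analyze_lnk(sample))
```

Run it over a directory of `.lnk` files from a removable drive and look at the `module-path` values: a shortcut whose Control Panel item points at a DLL on the same stick (or at a UNC path) is the pattern the worm used.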
Exploit #2: Print Spooler Vulnerability (MS10-061, CVE-2010-2729)
Affects Windows XP and legacy Lexmark/Compaq printers; exploitable over the network against a machine that shares a printer.
Exploit #3: Windows Server Service (MS08-067, CVE-2008-4250)
Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.
Metasploit: point. click. root.
Rootkitting Windows
Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Taiwanese Ninjas?
Two More Zero-Day Exploits (both local privilege escalation, used to get from a user account to SYSTEM)
WinCCConnect : 2WSXcder… Yes! (a hard-coded credential for the WinCC MS-SQL database)
Peer To Peer Upgrades
Infected A → Infected B: get version number
Infected B → Infected A: current version (#version#)
Infected A → Infected B: request payload (only if B reports a newer version)
Infected B → Infected A: payload
Command and Control
C&C domains: todaysfutbol.com, mypremierfutbol.com
Infected PC → C&C: GET /
C&C → Infected PC: 200 OK
Infected PC → C&C: GET index.php?data=[XOR%31] (host information, XOR-obfuscated)
C&C → Infected PC: 200 OK: executable code
whois mypremierfutbol.com
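Two practical consequences of the exchange above: XOR is not encryption, so anyone holding the key and a proxy log can read the host profile in the clear, and the request shape (a known domain, `index.php` with a long hex `data=` parameter) is easy to hunt for. The block below is an added example written for this page, not code from the talk or from any vendor. The single-byte key, the hex encoding of the parameter and the field layout of the host profile are assumptions for illustration; the two domains are those named on the slide, and the proxy log lines are constructed.

```python
"""Stuxnet-style HTTP beacon: XOR obfuscation is reversible, so a proxy log
plus the key yields the host profile in the clear. Key, hex encoding and
profile layout are assumptions; the domains are the ones from the talk;
the log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_C2 = {"todaysfutbol.com", "mypremierfutbol.com"}
ASSUMED_KEY = b"\x31"          # assumption, not the real Stuxnet key
MIN_DATA_HEX = 32              # ignore short, probably benign ?data= values
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HEX_RE = re.compile(r"[0-9a-fA-F]{%d,}" % MIN_DATA_HEX)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_beacon_path(host_info: bytes, key: bytes = ASSUMED_KEY) -> str:
    """What the infected PC would request (hex encoding is an assumption)."""
    return "/index.php?data=" + xor_bytes(host_info, key).hex()


def is_known_c2(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_C2)


def scan_proxy_log(lines, key: bytes = ASSUMED_KEY) -> list[dict]:
    """Flag known C&C hosts and beacon-shaped requests; decode the latter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        data = parse_qs(url.query).get("data", [""])[0]
        reasons = []
        if is_known_c2(host):
            reasons.append("known-c2-domain")
        beacon = url.path.endswith("/index.php") and HEX_RE.fullmatch(data) is not None
        if beacon:
            reasons.append("beacon-shaped-request")
        if reasons:
            alerts.append({
                "ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons,
                "decoded": xor_bytes(bytes.fromhex(data), key).decode("latin-1") if beacon else None,
            })
    return alerts


# Constructed host profile, mimicking the kind of fields a beacon carries.
HOST_INFO = b"ver=1;os=5.1.2600;host=ENG-WS01;ip=10.0.0.7;step7=1"
# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = f"""
1277000000.123 10.0.0.7 GET http://www.msn.com/ 200
1277000001.456 10.0.0.7 GET http://www.mypremierfutbol.com/ 200
1277000002.789 10.0.0.7 GET http://www.mypremierfutbol.com{build_beacon_path(HOST_INFO)} 200
1277000003.001 10.0.0.9 GET http://example.org/index.php?data=deadbeef 200
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The fourth log line is deliberately not flagged: a short `data=` value on an unrelated host would drown the rule in false positives, which is why the hex-length threshold exists. Once the domains were sinkholed, the same log query also tells you which internal hosts were infected and when they first called home.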
Siemens SIMATIC Step 7
• Step 7 editor, running on the developer station
• WinCC, backed by an MS-SQL database
• PLC
Step7 Interception
Normal path: Developer Station → s7otbxdx.dll → PLC
Block-handling exports: s7blk_read, s7blk_write, s7blk_findfirst, s7blk_delete
All communication with the PLC goes through the s7otbxdx library.
Infected path: Developer Station → s7otbxdx.dll (Stuxnet's replacement) → s7otbxsx.dll (the original, renamed) → PLC
Hooked exports include s7blk_read, s7blk_write, s7blk_findfirst and s7blk_delete; everything else is forwarded unchanged to the original library.
Man in the middle rootkit!
OB1 – Main Organization Block (runs every PLC scan cycle)
OB35 – Watchdog Organization Block (cyclic interrupt, 100 ms by default)
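To make the "man in the middle rootkit" concrete, here is an added model of the DLL swap, written for this page rather than taken from the talk, from Symantec or from ESET. The replacement library exports the same names, forwards most calls to the renamed original, and rewrites the block-handling ones so that injected blocks are invisible to `s7blk_findfirst`, cannot be removed with `s7blk_delete`, and reads of OB1/OB35 return the engineer's own clean code while the PLC runs the modified version. The block names `FC_inj`/`DB_inj` and the `CALL FC_inj` line are placeholders, not the real block numbers or MC7 bytecode. The `integrity_check` at the end is the check a practitioner wants: compare what Step 7 reports with the PLC contents obtained by an independent path (a second workstation, or a known-good project export), never through the same DLL.

```python
"""Model of a proxy s7otbxdx.dll sitting between Step 7 and the PLC.

GenuineS7otbx stands in for the original library (renamed s7otbxsx.dll);
HookedS7otbx stands in for the replacement. Block names and the injected
CALL line are placeholders, not Stuxnet's real blocks or MC7 code.
"""
from dataclasses import dataclass, field

INFECTED_OBS = ("OB1", "OB35")
INJECTED_BLOCKS = {                      # hypothetical names
    "FC_inj": b"; hypothetical injected logic\n",
    "DB_inj": b"; hypothetical injected data\n",
}
INJECTED_CALL = b"CALL FC_inj\n"         # placeholder for the prepended call


@dataclass
class Plc:
    """What is actually stored on the controller."""
    blocks: dict[str, bytes] = field(default_factory=dict)


class GenuineS7otbx:
    """Honest library: every call goes straight to the PLC."""
    def __init__(self, plc: Plc):
        self.plc = plc

    def s7blk_findfirst(self) -> list[str]:
        return sorted(self.plc.blocks)

    def s7blk_read(self, name: str) -> bytes:
        return self.plc.blocks[name]

    def s7blk_write(self, name: str, code: bytes) -> None:
        self.plc.blocks[name] = code

    def s7blk_delete(self, name: str) -> None:
        self.plc.blocks.pop(name, None)


class HookedS7otbx:
    """Replacement library: same export names, forwards to the renamed original."""
    def __init__(self, original: GenuineS7otbx):
        self.original = original
        self.clean_copies: dict[str, bytes] = {}
        for name, code in INJECTED_BLOCKS.items():      # infect the PLC on first load
            original.s7blk_write(name, code)

    def s7blk_findfirst(self) -> list[str]:
        # Injected blocks never show up in the block list the editor sees.
        return [n for n in self.original.s7blk_findfirst() if n not in INJECTED_BLOCKS]

    def s7blk_read(self, name: str) -> bytes:
        # Engineer uploading OB1/OB35 gets the clean version, not what runs.
        if name in self.clean_copies:
            return self.clean_copies[name]
        code = self.original.s7blk_read(name)
        if name in INFECTED_OBS and code.startswith(INJECTED_CALL):
            return code[len(INJECTED_CALL):]
        return code

    def s7blk_write(self, name: str, code: bytes) -> None:
        # Every download of OB1/OB35 is re-infected on the way to the PLC.
        if name in INFECTED_OBS:
            self.clean_copies[name] = code
            code = INJECTED_CALL + code
        self.original.s7blk_write(name, code)

    def s7blk_delete(self, name: str) -> None:
        if name in INJECTED_BLOCKS:       # silently refuse to remove the implant
            return
        self.original.s7blk_delete(name)


def integrity_check(station_api, plc: Plc) -> list[str]:
    """Compare what the engineering station is told with what the PLC holds.

    `plc` must come from an independent path (another workstation, a
    known-good export); asking the hooked DLL twice proves nothing.
    """
    listed = set(station_api.s7blk_findfirst())
    findings = []
    for name in sorted(plc.blocks):
        if name not in listed:
            findings.append(f"{name}: present on PLC but hidden from Step 7")
        elif station_api.s7blk_read(name) != plc.blocks[name]:
            findings.append(f"{name}: Step 7 shows different code than the PLC runs")
    return findings


if __name__ == "__main__":
    plc = Plc()
    station = HookedS7otbx(GenuineS7otbx(plc))
    station.s7blk_write("OB1", b"; plant logic\nL 1\nT MW0\n")
    print(station.s7blk_findfirst())      # the engineer's view: no FC_inj/DB_inj
    print(integrity_check(station, plc))  # the independent view: three findings
```

Note what the check does not catch: if the "independent" reference is itself produced by a Step 7 installation carrying the same replaced DLL, both sides lie consistently and the diff is empty. Comparing against a hash of the project files taken before the engineering station was ever connected, or reading the PLC from a clean live-boot machine, closes that gap.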
What the hell does it do?
Vacon NX (frequency converter drive)
The End of Stuxnet ?
So, whodunit ?
The Americans ?
The Russians ?
The Israelis ?
19790509
b:\myrtus\src\objfre_w2k_x86\i386 \guava.pdb
Dan Hamizer
WE MAY NEVER KNOW
Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than
30 programmers have been found in source code.
The Atlantic
I ♥ Stuxnet
LESS OF THIS
AND MORE OF THIS
NONE OF THIS
AND LOTS OF THIS
THANK YOU
Links
• Symantec’s Stuxnet Dossier http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
• ESET: Stuxnet Under The Microscope http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
• Siemens Step 7 Programmer’s Handbook http://www.plcdev.com/book/export/html/373
Gil Megidish, gil@megidish.net