Page 1

“Detecting and Stopping Malware & Exploit Packages on the Wire - Case Study: SCADA Environments”

21 September 2011

Righard J. Zwienenberg


Page 2

Detecting and Stopping Malware & Exploit Packages on the Wire

Case Study: SCADA Environments

The landscape of malware attacks is slowly changing. Ever since Stuxnet, there has been increased activity against production networks such as SCADA environments. By default, at the demand of the manufacturers, no anti-malware protection may be installed on the machines controlling the PLCs, as the manufacturers will otherwise not guarantee the proper working of these machines or their interaction with the controlled PLCs. Perfect for cybercriminals, who expect completely open and unprotected networks. But should they? Of course not. There are possibilities to protect even these networks: ways you can be alerted that something is happening in your network, and ways to prevent these attacks. Guided by the well-known Stuxnet attack, different attack vectors, solutions and countermeasures will be presented. Coming soon to an environment near you: SCADA Scareware... Like Ripley said: "Believe It or Not!"

Page 3

Agenda

•  SCADA

•  Recent History: Stuxnet

•  SCADA, the “old” and new environment

•  Attack Vectors

•  (Possible) Defense Vectors

•  Q&A

Page 4

SCADA

•  SCADA: Supervisory Control And Data Acquisition

Page 5

Recent History

•  Stuxnet

Page 6

What is Stuxnet?

Facts:

•  Specialized malware, mainly targeted at:
  –  SIMATIC WinCC
  –  SIMATIC Siemens Step7

•  Using several exploits

•  Uses a Rootkit component to hide itself on WinCC systems

•  A Rootkit component hides the files on the USB Flash Drives

•  Supports full “Remote Control” and P2P systems

Page 7

Our networks: reality

Page 8

Stuxnet

Production Environment

Page 9

How does malware enter the system?

Page 10

How does malware enter the system?

Page 11

How does malware enter the system?

Page 12

Stuxnet

Entry vectors into the SCADA Environment (diagram on the slide):

•  USB-FLASH: MS10-046 LNK Exploit

•  MS10-061 Spool Server Exploit

•  MS08-067 RPC Exploit

•  Open Shares

Page 13

What could happen?

Page 14

Stuxnet

P2P update mechanism

•  Infected computers communicate with each other via RPC. They serve both as server and client and supply other infected computers with information about the version of the malware. If the present Stuxnet version is older than the Stuxnet on the remote system, the new version is requested and installed.

•  Stuxnet tries to connect to 2 different sites:
  –  www.mypremierfutbol.com
  –  www.todaysfutbol.com

•  The connection is made via HTTP on port 80. Code is injected into the browser process (IEXPLORE.EXE).
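As an added illustration of spotting this traffic on the wire (example code written for this transcript, not part of the original slides), the Python below runs a small detector over constructed proxy log lines. It flags outbound HTTP to the two domains named on the slide and, separately, any port-80 egress from hosts in a constructed SCADA address range (10.50.0.0/16), since engineering workstations and HMIs normally have no business reaching the Internet at all. The log format, the addresses and every hostname other than the two Stuxnet domains are assumptions made for the example.

```python
import re

# Added example (not from the slides): a two-rule detector over proxy logs.
# Rule 1: destination host is one of the two domains named on the slide.
# Rule 2: a host in the SCADA segment talks HTTP (port 80) to anything at all.

STUXNET_C2_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}

# Constructed: address prefix of the engineering-workstation / HMI segment,
# which by policy must not have an Internet path.
SCADA_SEGMENT_PREFIX = "10.50."

# Constructed log format: "<timestamp> <src_ip> <method> <host>:<port> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one benign office request, two hits on the listed
# domains (one of them from the SCADA segment), one SCADA host fetching an
# arbitrary site, one TLS CONNECT, and one unparsable line.
SAMPLE_LOG = """\
2011-09-21T10:01:02Z 10.20.4.15 GET www.example.org:80 200
2011-09-21T10:01:05Z 10.50.1.7 GET www.mypremierfutbol.com:80 200
2011-09-21T10:01:09Z 10.20.4.15 GET www.todaysfutbol.com:80 200
2011-09-21T10:02:11Z 10.50.1.9 GET update.vendor.example:80 200
2011-09-21T10:02:30Z 10.20.4.16 CONNECT mail.example.org:443 200
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of alert reasons for one parsed entry (empty = benign)."""
    reasons = []
    if entry["host"].lower() in STUXNET_C2_DOMAINS:
        reasons.append("known-c2-domain")
    if entry["src"].startswith(SCADA_SEGMENT_PREFIX) and entry["port"] == "80":
        reasons.append("scada-host-http-egress")
    return reasons


def scan(log_text):
    """Run both rules over a whole log.

    Returns (alerts, unparsed) where alerts is a list of
    (timestamp, src_ip, host, reasons) tuples and unparsed counts lines the
    parser rejected; those are reported rather than silently dropped, since a
    detector that ignores what it cannot parse is easy to blind.
    """
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["ts"], entry["src"], entry["host"], reasons))
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for ts, src, host, reasons in found:
        print(f"{ts} {src} -> {host}: {', '.join(reasons)}")
    print(f"unparsable lines: {bad}")
```

On the constructed log the scan raises three alerts: the SCADA host reaching www.mypremierfutbol.com trips both rules, the office host reaching www.todaysfutbol.com trips only the domain rule, and the SCADA host fetching an unrelated site trips only the egress rule. The second rule is the one that keeps working after a sample's domains change: in a SCADA segment, any Internet-bound HTTP is the anomaly, whatever the destination.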

Page 15

Stuxnet

Spreading via Step7 projects

•  If a Step7 project is found and is within acceptable parameters, Stuxnet will add itself to the project. Stuxnet will do this in such a way that it will be started automatically when someone is looking at the project.

Page 16

Stuxnet

Page 17

Stuxnet

Page 18

Stuxnet

Spreading via WinCC

•  If Stuxnet finds a machine on the network with WinCC database software, Stuxnet connects to this machine using a known, hardcoded(!) password for WinCC servers. As soon as the connection is established, Stuxnet is capable of copying itself to the WinCC server and starting itself there.

•  2WSXcder

Page 19

Iran's Bushehr nuclear power plant in Bushehr Port

UPI Photo/Mohammad Kheirkhah

Page 20

Somewhat more complex

Page 21

First idea: Make it simpler….

Boeing 747-100 Boeing 787

But is it safer???

Page 22

Stuxnet

•  A buggy OS version check in one of the WinCC components that has to establish the spread of Stuxnet.

•  Larger or Equal to 5 OR Smaller or Equal to 6?
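The slide's question points at a classic range-check mistake: joining the two bounds with OR instead of AND. As an added illustration (example code written for this transcript, not code from the slides or from Stuxnet), the Python below puts the predicate as the slide phrases it next to the intended one and runs both over constructed version numbers; the assumption that the numbers are Windows NT major versions (5.x and 6.x) is mine, the slide does not say. The small tautology check at the end is the test a reviewer can run on any such predicate.

```python
# Added example (not from the slides): a range check written with OR versus
# the intended AND, applied to constructed major-version numbers.

def buggy_in_range(major: int) -> bool:
    """The check as the slide phrases it: >= 5 OR <= 6.

    Every integer satisfies at least one of the two sides, so the predicate
    never rejects anything; the version gate is silently disabled."""
    return major >= 5 or major <= 6


def correct_in_range(major: int) -> bool:
    """The intended check: the major version lies between 5 and 6 inclusive."""
    return 5 <= major <= 6


def compare(majors):
    """Map each constructed version to (buggy decision, correct decision)."""
    return {m: (buggy_in_range(m), correct_in_range(m)) for m in majors}


def is_tautology(pred, lo=0, hi=20):
    """Reviewer's check for a range predicate: if it accepts every value in a
    wide sample interval around the bounds, it is not gating anything."""
    return all(pred(m) for m in range(lo, hi + 1))


# Constructed sample: values just outside and inside the intended bounds
# (assumed to be NT major versions: 4 = NT4, 5 = 2000/XP/2003, 6 = Vista/7).
SAMPLE_MAJORS = [4, 5, 6, 7]

if __name__ == "__main__":
    for major, (buggy, correct) in compare(SAMPLE_MAJORS).items():
        print(f"major {major}: buggy={buggy} correct={correct}")
    print("buggy predicate is a tautology:", is_tautology(buggy_in_range))
```

The same mistake in a defensive product has the mirror-image effect: a filter written this way lets everything through while reporting that the version check passed. Any predicate whose two halves cover the whole number line deserves the tautology test before it ships.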

Page 23

Stuxnet – checking the correct target

•  We now know that Stuxnet checks whether the PLCs are from the following series:
  –  S7-300
  –  S7-400

•  And use one of the following CPUs:
  –  6ES7-315-2x
  –  6ES7-417x

•  Some additional checks exist with regard to the hardware and system configuration before Stuxnet will do anything with the PLC.

Page 24

Stuxnet – Stolen certificates

•  Stuxnet did something never seen before: it used valid digital certificates of legitimate companies. The OS sees the code as legitimate and authorizes it to execute.

•  First, Stuxnet used a valid certificate of Realtek, a Taiwanese chip manufacturer.

•  A later discovered version of Stuxnet carried a digital signature of JMicron Technology Corp, another chip manufacturer from Taiwan.

Page 25

Stuxnet – Stolen certificates

Page 26

Certificates

Page 27

Certificates

Page 28

Certificates: QuakeBot

Page 29

Certificates

Page 30

SCADA, the “old” and new environment

•  Non-proprietary protocols
  –  Profibus (Siemens)
  –  IEC 60870-5-101
  –  IEC 60870-5-104
  –  ModBus
  –  ModBus RTU (Square D)
  –  DNP3
  –  DF1 (Rockwell)
  –  Conitel
  –  NBus
  –  ...

•  How
  –  RS232 (DB9) (19.2kbps)
  –  RS422
  –  RS485 (25 pins) (10Mbps)
  –  ...