Page 1 21 September 2011
“Detecting and Stopping Malware & Exploit Packages on the Wire - Case
Study: SCADA Environments”
21 September 2011
Righard J. Zwienenberg
Page 2
Detecting and Stopping Malware & Exploit Packages on the Wire
Case Study: SCADA Environments

The landscape of malware attacks is slowly changing. Ever since Stuxnet, there has been increased activity against production networks such as SCADA environments. By default, at the demand of the manufacturers, no anti-malware protection may be installed on the machines controlling the PLCs, as the manufacturers will otherwise not guarantee the proper working of these machines and/or their interaction with the controlled PLCs. Perfect for the cybercriminals, who expect completely open and unprotected networks. But should they? Of course not. There are possibilities to protect even these networks: ways you can be alerted that something is happening in your network, and ways to prevent these attacks. Guided by the well-known Stuxnet attack, different attack vectors, solutions and countermeasures will be presented. Coming soon to an environment near you: SCADA Scareware... Like Ripley said: "Believe It or Not!"
Page 3
Agenda
• SCADA
• Recent History: Stuxnet
• SCADA, the “old” and new environment
• Attack Vectors
• (Possible) Defense Vectors
• Q&A
Page 4
SCADA
• SCADA: Supervisory Control And Data Acquisition
Page 5
Recent History
• Stuxnet
Page 6
What is Stuxnet?
Facts:
• Specialized malware, mainly targeted at:
– SIMATIC WinCC
– SIMATIC Siemens Step7
• Using several exploits
• Uses a rootkit component to hide itself on WinCC systems
• A rootkit component hides the files on the USB flash drives
• Supports full “Remote Control” and P2P systems
Page 7
Our networks: reality
Page 8
Stuxnet
Production Environment
Page 9
How does malware enter the system?
Page 10
How does malware enter the system?
Page 11
How does malware enter the system?
Page 12
Stuxnet
[Diagram: how Stuxnet reaches the SCADA environment. Entry via USB flash (MS10-046 LNK exploit); spreading via the MS10-061 Spool Server exploit, the MS08-067 RPC exploit and open shares.]
Page 13
What could happen?
Page 14
Stuxnet
P2P update mechanism
• Infected computers communicate with each other via RPC. They serve both as server and client and supply other infected computers with information about the version of the malware. If the present Stuxnet version is older than the Stuxnet on the remote system, the new version is requested and installed.
• Stuxnet tries to connect to 2 different sites:
– www.mypremierfutbol.com
– www.todaysfutbol.com
• The connection happens via HTTP on port 80. Code is injected into the browser process (IEXPLORE.EXE).
Page 15
Stuxnet
Spreading via Step7 projects
• If a Step7 project is found and is within acceptable parameters, Stuxnet will add itself to the project. Stuxnet will do this in such a way that it will be started automatically when someone is looking at the project.
Page 16
Stuxnet
Page 17
Stuxnet
Page 18
Stuxnet
Spreading via WinCC
• If Stuxnet finds a machine on the network with WinCC database software, Stuxnet will connect to this machine using a known hardcoded(!) password for WinCC servers. As soon as the connection is established, Stuxnet is capable of copying itself to the WinCC server and starting itself.
• 2WSXcder
Page 19
Iran's Bushehr nuclear power plant in Bushehr Port
UPI Photo/Mohammad Kheirkhah
Page 20
Somewhat more complex
Page 21
First idea: Make it simpler….
Boeing 747-100 Boeing 787
But is it safer???
Page 22
Stuxnet
• A buggy OS version check in one of the WinCC components that has to establish the spread of Stuxnet.
• Larger or equal to 5 OR smaller or equal to 6?
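The question mark on the slide points at a classic range-check mistake: joining the two bounds with OR instead of AND. The snippet below is an added illustration of that bug class and is not Stuxnet's code; it assumes (as the slide's wording suggests) that the intended range was major version 5 through 6, and shows that the OR form accepts every version number, so the check never restricts anything. The version values and helper names are constructed for the example.

```python
"""Added illustration of the OR-instead-of-AND range bug named on the slide.

Not code from the presentation or from Stuxnet. 'buggy_in_range' is the
predicate as the slide phrases it; 'intended_in_range' is the assumed
intent (Windows NT major 5 = 2000/XP/2003, major 6 = Vista/7).
"""


def buggy_in_range(major):
    """'Larger or equal to 5 OR smaller or equal to 6': every integer satisfies this."""
    return major >= 5 or major <= 6


def intended_in_range(major):
    """Assumed intent: accept only major versions 5 and 6."""
    return 5 <= major <= 6


def is_tautology(predicate, candidates):
    """True if the predicate accepts every candidate, i.e. it filters nothing."""
    return all(predicate(v) for v in candidates)


def compare_checks(candidates):
    """Map each candidate version to (buggy result, intended result) for review."""
    return {v: (buggy_in_range(v), intended_in_range(v)) for v in candidates}


# Constructed test range: exercise the boundaries and values well outside them.
VERSIONS = range(0, 11)

if __name__ == "__main__":
    for v, (buggy, intended) in compare_checks(VERSIONS).items():
        flag = "" if buggy == intended else "  <-- diverges"
        print("major=%2d buggy=%-5s intended=%-5s%s" % (v, buggy, intended, flag))
    print("buggy check is a tautology:", is_tautology(buggy_in_range, VERSIONS))
```

Testing a range check with values on both sides of each boundary, as this does, is what exposes the bug; any test set confined to the intended range would pass both versions.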
Page 23
Stuxnet – checking the correct target
• We now know that Stuxnet checks whether the PLCs are from the following series:
– S7-300
– S7-400
• and use one of the following CPUs:
– 6ES7-315-2x
– 6ES7-417x
• Some additional checks exist with regard to the hardware and system configuration before Stuxnet will do anything with the PLC.
Page 24
Stuxnet – Stolen certificates
• Stuxnet did something never seen before: it used valid digital certificates of valid companies. The OS will see the code as legitimate and authorize it to execute.
• First, Stuxnet used a valid certificate of Realtek, a Taiwanese chip manufacturer.
• A later discovered version of Stuxnet had a digital signature of JMicron Technology Corp, another chip manufacturer from Taiwan.
Page 25
Stuxnet – Stolen certificates
Page 26
Certificates
Page 27
Certificates
Page 28
Certificates: QuakeBot
Page 29
Certificates
Page 30
SCADA, the “old” and new environment
• Non-proprietary protocols
– Profibus (Siemens)
– IEC 60870-5-101
– IEC 60870-5-104
– ModBus
– ModBus RTU (Square D)
– DNP3
– DF1 (Rockwell)
– Conitel
– NBus
– ...
• How
– RS232 (DB9) (19.2 kbps)
– RS422
– RS485 (25 pins) (10 Mbps)
– ...