stuxnet presentation fit

Upload: kashif-aziz-awan

Post on 06-Apr-2018

  • 8/3/2019 Stuxnet Presentation Fit

    1/21

    Authors: Rahat Masood, Um-e-Ghazia, Zahid Anwar

    National University of Sciences and Technology, Islamabad, Pakistan

    2/21

    Stuxnet is one of the most sophisticated recent worms; it hit Iranian nuclear facilities in June 2010.

    A senior director at Symantec reported that Iran is the only country that suffered heavily (about 60%) from this worm.

    Stuxnet mainly targets the uranium facility at Natanz, where it affects centrifuge speed.

    It targets computer control systems commonly used to manage water supplies, oil rigs, power plants and other facilities.

    3/21

    It is assumed that 10% of the centrifuges at Natanz were affected by this worm from 2009 to 2010.

    The rotational speed of the centrifuges first increases and then drops, introducing distortions and disturbing their normal behavior.

    4/21

    A complex piece of malware, intended to sabotage the normal functioning of certain critical systems.

    Two main phases:

    Propagation Phase: Propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform.

    Injection Phase: Attack on Siemens SCADA systems, which control programmable logic controllers (PLCs).

    5/21

    Stuxnet contains user-level as well as kernel-level rootkits that hide their existence to gain root-level privileges.

    It penetrates the target infrastructure through:

    Removable storage media such as USB drives.

    Network (LAN): propagation via network shares, and propagation via the print spooler zero-day vulnerability (MS10-061).

    6/21

    When a target (WinCC) is discovered, the behaviour of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system.

    This concerns modifying the normal function of certain critical systems by manipulating their controllers.

    8/21

    Copy of Shortcut to.lnk

    Copy of Copy of Shortcut to.lnk

    Copy of Copy of Copy of Shortcut to.lnk

    Copy of Copy of Copy of Copy of Shortcut to.lnk

    ~WTR4141.TMP

    ~WTR4132.TMP

    The first four .lnk files control the display of shortcut icons of all the files on the system.

    The various .lnk files correspond to different versions of Windows.

    These .lnk files load the library "~WTR4141.tmp", which in turn loads the file "~WTR4132.tmp".

    9/21

    The worm is also capable of distributing itself over the network through shared folders.

    The malicious payload is copied and executed through shared credentials on the network.

    Access to the shared files by a LAN user results in this file being copied into that user's system directories.

    It scans network shares on the remote computers and installs a file (dropper) there with the name DEFRAG.TMP.

    10/21

    When a printer is shared on a system, a user is able to "print" (read and write) files in the "%System%" directory.

    This allows a remote user to copy files into the %SYSTEM% directory, to which the user has no access.

    Exploitation in this case comprises two phases: injection and execution.

    Injection Phase: involves copying winsta.exe and "sysnullevnt.mof" into the Windows %SYSTEM% directory.

    Execution Phase: executing the script "sysnullevnt.mof". This file is used to trigger the aforementioned copied files.

    11/21

    The vulnerability relates to the way that the icon for the link is loaded.

    This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()".

    By changing the CPL file named in the "File Location Info" field of a LNK file, Stuxnet is therefore able to force any Windows system to execute arbitrary code.

    The user is redirected to the malicious path by opening the shortcut file.

    12/21

    BackTrack 4 acts as the C&C server.

    The Metasploit Framework within BackTrack 4 is used.

    The Metasploit Framework acts as the USB drive to exploit vulnerabilities.

    3 Windows XP machines: 2 connected in LAN, 1 XP containing Keil and Proteus software (in place of a PLC).

    [Diagram labels: VirtualBox; Linux BackTrack 4; XP1, XP2, XP3; Keil & Proteus; Metasploit Framework]

    13/21

    MS08_067 and MS10_061 are exploited over the LAN.

    MS08_067 is exploited through a shared folder on the LAN.

    MS10_046 is exploited on the machine assumed to be the PLC.

    No hardware printer is attached, but a print server is shared on the LAN, through which MS10_061 is exploited.

    We have created Stuxnet.exe, which propagates in the LAN, and Plc.exe, which specifically targets the PLC machine and affects its normal behaviour.

    14/21

    Connecting C&C server & PCs on network

    Enter commands for ms08_067

    Through meterpreter, upload stuxnet.exe in shared folder

    PC1 opens a shared folder & stuxnet.exe

    Stuxnet.exe executes & copies itself in C:/ drive

    After copying, it hides itself

    When LAN PCs open this exe, Stuxnet.exe propagates

    15/21

    Connecting C&C, PCs and print server in LAN

    Enter commands for ms10_061

    Print command is sent to print server via Metasploit

    Two malicious exes are inserted in print server in location windows/system32

    PC3 & PC5 on LAN send print command to print server

    Malicious exes are copied to PC5 & PC3

    16/21

    Connecting C&C server & PC6 with each other

    Enter commands for ms10_046

    PC6 opens an Internet Explorer shortcut file

    Two dll files are opened on PC6

    Meterpreter session is opened

    Upload plc.exe & execute it through meterpreter

    KEIL project file changes, i.e. code change

    Proteus circuit diagram output changed, i.e. pressure sensor gives alert

    18/21

    Exploits and Results

    Exploit: MS08_067_netapi (Server Service)

    Results: Copies a malicious file, Stuxnet.exe, into a folder shared on the LAN. When any machine on the LAN uses this file, the exe is automatically copied onto that machine.

    Exploit: MS10_061_spoolss (Print Spooler)

    Results: A print command containing two random files is sent to the print server. These files are copied to the Windows system directory. Sending a print command to the server automatically copies these two files into the system directory.

    Exploit: MS10_046_dllloader (.LNK Vulnerability)

    Results: Opening the shortcut file results in session establishment with the attacker machine. The malicious plc.exe file is uploaded to the victim machine. Plc.exe specifically targets the PLC machine (Keil & Proteus), disturbing the normal functioning of the pressure sensor. The value of the pressure sensor drops to 0 and an alert is generated.

    19/21

    This work shows simulations through dummy malicious Stuxnet exe files. This work will be extended by analyzing the original six Stuxnet files in original PLC software or by implementing a pure Stuxnet worm (writing source code).

    The next version of Stuxnet, i.e. Duqu (Stuxnet 2.0), is under consideration. Its payload is different from Stuxnet 1.0: it targets certificate authorities and redirects victims to rogue servers.

    AlienVault is a tool that can provide information about Stuxnet detection by analyzing different event logs and writing specific rules related to it.
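
    The kind of rule mentioned above can start from the file names listed on slides 8 to 10: the shortcut and .tmp files on removable media, DEFRAG.TMP on shares, and the two files dropped into the system directory. The sketch below is an added example, not code from the presentation or from AlienVault; the rule names, the per-directory grouping and the sample paths are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File names come from the slides; rule names and grouping are this example's own.
LNK_RE = re.compile(r"^(copy of )+shortcut to\.lnk$")
USB_TMP = {"~wtr4141.tmp", "~wtr4132.tmp"}
SPOOLER_DROP = {"winsta.exe", "sysnullevnt.mof"}
# Slides name DEFRAG.TMP; allowing extra characters before ".tmp" is an assumption.
DEFRAG_RE = re.compile(r"^defrag\w*\.tmp$")

# Constructed sample inventory (not real telemetry).
SAMPLE = [
    r"E:\Copy of Shortcut to.lnk",
    r"E:\Copy of Copy of Shortcut to.lnk",
    r"E:\~WTR4141.tmp",
    r"E:\~WTR4132.tmp",
    r"C:\Windows\System32\winsta.exe",
    r"C:\Windows\System32\sysnullevnt.mof",
    r"C:\Windows\System32\notepad.exe",
    r"\\fileserver\public\docs\DEFRAG.TMP",
    r"D:\docs\Shortcut to report.lnk",
]

def scan(paths):
    """Group paths by directory and return {directory: [matched rule names]}."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    hits = {}
    for directory, names in by_dir.items():
        rules = set()
        has_lnk = any(LNK_RE.match(n) for n in names)
        if has_lnk and USB_TMP <= names:
            rules.add("usb-lnk-loader")    # shortcuts plus both .tmp files together
        elif has_lnk or USB_TMP & names:
            rules.add("usb-lnk-partial")   # only part of the set is present
        if directory.endswith("\\system32") and SPOOLER_DROP <= names:
            rules.add("spooler-drop")      # both spooler-dropped files present
        if any(DEFRAG_RE.match(n) for n in names):
            rules.add("share-dropper")
        if rules:
            hits[directory] = sorted(rules)
    return hits

if __name__ == "__main__":
    for directory, rules in scan(SAMPLE).items():
        print(directory, rules)
```

    Requiring the files to appear together in one directory keeps a lone, coincidentally named file from raising the stronger rule.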
