Stuxnet
Lee VanGundy
Background
• Discovered in June/July 2010
• Targeted Siemens software and equipment running Microsoft Windows
• First malware for SCADA systems to spy on and subvert those systems
• Also the first to include a rootkit for a programmable logic controller (PLC)
• Exploited 4 zero-day vulnerabilities
• Multiple methods of propagation
• Slowly over-spun the centrifuges
SCADA System Attacks
• Nothing new
• Many are web accessible
• Default passwords still set
• Examples:
  • Polish trains
  • Harrisburg, PA water facility
  • L.A. traffic light system
  • Many others
Control System Security Assessments – 2008 Siemens Automation Summit
http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf
Affected Countries
• September 2010 study by Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Media Frenzy
• Who created Stuxnet?
  • Lots of time put into it
  • USA, Israel, multi-country agency collaboration
  • INL influence?
    • Study back in 2008 with Siemens
• Was it specifically targeted at Iran?
  • Maybe
Classification
• Discovered: July 13, 2010
• Type: Worm
• Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
• CVE references: CVE-2010-2568
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Creation/Variants
• Estimated 8 to 10 developers over ~6 months
• First variant June 2009
  • Wasn’t spreading fast enough?
• Second variant March 2010
• Third variant April 2010
  • Minor improvements
• Several different languages
• About 15,000 lines of code
• Around 0.5 MB in size
Targeted
• Spread like a normal worm, but only targeted Siemens systems
• An infected computer could only spread to a maximum of three other computers
• Scheduled to erase itself on June 24, 2012
Zero-Day Vulnerabilities
• Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
  • BID 41732
  • CVE-2010-2568
  • First malware to use this
  • Classified as a design error (binary planting)
Zero-Day Vulnerabilities
• Microsoft Print Spooler Remote Code Execution Vulnerability
  • CVE-2010-2729
  • Patch released September 2010
• Could not find the other 2 listed
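As an added illustration of the LNK slide above (not code from the presentation or from Symantec), a small defender-side checker in Python: it parses the public Shell Link header and target ID list of a .lnk file and flags shortcuts whose item list names a .dll or .cpl module while carrying no LinkInfo, which is the shape of the icon-loading trick behind CVE-2010-2568 rather than an ordinary file link. The heuristic and the sample bytes are assumptions constructed here, not a vendor signature.

```python
import struct

# Constants from the public MS-SHLLINK format: header size, LinkCLSID, LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02

def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and, if present, the LinkTargetIDList;
    return the LinkFlags value and the raw payload of each ItemID."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        pos = LNK_HEADER_SIZE + 2
        end = pos + struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size == 0:  # TerminalID closes the list
                break
            items.append(data[pos + 2:pos + size])
            pos += size
    return {"flags": flags, "items": items}

def is_suspicious(data: bytes) -> bool:
    """Heuristic (an assumption, not a vendor signature): a shortcut whose ID list
    names a DLL/CPL module but carries no LinkInfo resembles the icon-loading
    trick of CVE-2010-2568 rather than an ordinary link to a file."""
    info = parse_lnk(data)
    blob = b"".join(info["items"])
    text = (blob.decode("utf-16-le", errors="ignore") + blob.decode("latin-1")).lower()
    names_module = any(ext in text for ext in (".dll", ".cpl"))
    return names_module and not (info["flags"] & HAS_LINK_INFO)

def build_lnk(flags: int, item_payloads: list) -> bytes:
    """Construct only the parts the checker reads: a header plus an ID list."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed samples: an ordinary link to a document, and one that only points
# the shell at a module to load (the shape to flag, not a working exploit).
BENIGN_LNK = build_lnk(HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO, ["notes.txt".encode("utf-16-le")])
SUSPECT_LNK = build_lnk(HAS_LINK_TARGET_IDLIST, [b"\x1f\x50", "some_module.dll".encode("utf-16-le")])
```

Run `is_suspicious()` over the .lnk files found on a removable drive or in a share to triage them; a hit is a prompt for analysis, not proof of infection.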
Another Notable Vulnerability
• Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
  • BID 31874
  • CVE-2008-4250
  • Used by Conficker
Propagation
• Self-replicates through removable drives
• Spreads via the Windows Print Spooler on a LAN
• Copies and executes itself on remote computers through network shares
• 2 compromised digital driver certificates
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Propagation
• Copies and executes itself on remote computers running the WinCC database server
• Copies itself into Step 7 projects, and executes when the project is loaded
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Software Infection Process
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Update and Control
• Updates through P2P within a LAN
• Contacts a command and control server, which allows the attacker to download and execute code
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Note on PLC Modification
• s7otbxd.dll replaced by Stuxnet
• Allowed for:
  • Monitoring of PLC blocks being written to and read from the PLC
  • Infection of a PLC by inserting or modifying selected blocks
  • Masking of the infection of the PLC
This Just in…Stuxnet Has a Kid
• Named ‘Duqu’
• Shares source code with Stuxnet
• Possibly the same authors, or someone who has access to the source code
• Uses a command and control server like Stuxnet
• Designed to capture information, not to attack control systems or self-replicate
• Reconnaissance
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
Notable Information Source
• Stuxnet Dossier by Symantec, 69 pages
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
References
• http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects
• http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities
• http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
• http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
• http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf
• http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html
• http://www.stuxnet.net/
• http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1
• http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&pagewanted=all
• http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/