Stuxnet

Presentation Transcript


  1. Stuxnet Lee VanGundy

  2. Background
  • Discovered in June/July 2010
  • Targeted Siemens software and equipment running Microsoft Windows
  • First malware for SCADA systems to spy on and subvert the systems
  • Also first to include a rootkit for a programmable logic controller (PLC)
  • Exploited 4 zero-day vulnerabilities
  • Multiple methods of propagation
  • Slowly over-spun centrifuges

  3. SCADA System Attacks
  • Nothing new
  • Many web accessible
  • Default passwords still set
  • Examples
    • Polish trains
    • Harrisburg, PA water facility
    • L.A. traffic light system
    • Many others
  Source: Control System Security Assessments – 2008 Siemens Automation Summit, http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf

  4. Affected Countries
  • September 2010 study by Symantec
  Source: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

  5. Media Frenzy
  • Who created Stuxnet?
    • Lots of time put into it
    • USA, Israel, multi-country agency collaboration
  • INL influence?
    • Study back in 2008 with Siemens
  • Was it specifically targeted at Iran?
    • Maybe

  6. Classification
  • Discovered: July 13, 2010
  • Type: Worm
  • Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
  • CVE references: CVE-2010-2568
  Source: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

  7. Creation/Variants
  • Estimated 8 to 10 developers over ~6 months
  • First variant June 2009
    • Wasn’t spreading fast enough?
  • Second variant March 2010
  • Third variant April 2010
    • Minor improvements
  • Several different languages
  • About 15,000 lines of code
  • Around 0.5 MB in size

  8. Targeted
  • Spread like a normal worm, but only targeted Siemens systems
  • An infected computer could only spread to a maximum of three other computers
  • Scheduled to erase itself on June 24, 2012

  9. Zero-Day Vulnerabilities
  • Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
    • BID 41732
    • CVE-2010-2568
    • First malware to use this
    • Classified as a design error (binary planting)

  10. Zero-Day Vulnerabilities
  • Microsoft Print Spooler Remote Code Execution Vulnerability
    • CVE-2010-2729
    • Patch released September 2010
  • Could not find the other 2 listed

  11. Another Notable Vulnerability
  • Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
    • BID 31874
    • CVE-2008-4250
    • Used by Conficker

  12. Propagation
  • Self-replicates through removable drives
  • Spreads via Windows Print Spooler on a LAN
  • Copies and executes itself on remote computers through network shares
  • 2 compromised digital driver certificates
  Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  13. Propagation
  • Copies and executes itself on remote computers running the WinCC database server
  • Copies itself into Step 7 projects, and executes when the project is loaded
  Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  14. Software Infection Process
  Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  15. Update and Control
  • Updates through P2P within a LAN
  • Contacts a command and control server, which allows the attacker to download and execute code
  Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  16. Note on PLC Modification
  • s7otbxd.dll replaced by Stuxnet
  • Allowed for:
    • Monitoring of PLC blocks being written to and read from the PLC
    • Infection of a PLC by inserting or modifying chosen blocks
    • Masking of the infection of the PLC
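Slides 13 and 16 describe two file-level footholds: a copy of the worm dropped into Step 7 project folders, and the Step 7 communication DLL (named s7otbxd.dll on the slides) swapped for a proxy that hides the PLC modification from anything that reads the PLC through it. Because checks routed through the replaced DLL are blind, a defender verifies the files themselves against a baseline taken from a clean installation. The following baseline-and-verify script is an added example, not code from the presentation or from Siemens; the directory layout, file names and contents are constructed stand-ins.

```python
"""Baseline-and-verify integrity check for Step 7 installation files.

Added example (not from the presentation or Siemens). The DLL name follows
the slides; real paths and file contents are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every file under root; run this on a known-clean system."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline, bypassing any DLL.

    'modified' catches a replaced DLL, 'added' catches files dropped into
    project folders, 'missing' catches an original that was renamed away.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean install, baseline, then tampering."""
    tmp = Path(tempfile.mkdtemp())
    dll = tmp / "Siemens/Step7/S7BIN/s7otbxd.dll"
    proj = tmp / "Siemens/Step7/S7Proj/plant/plant.s7p"
    for p in (dll, proj):
        p.parent.mkdir(parents=True, exist_ok=True)
    dll.write_bytes(b"ORIGINAL-DLL")   # stand-in for the vendor DLL
    proj.write_bytes(b"project")       # stand-in for a Step 7 project
    baseline = build_baseline(tmp)
    dll.write_bytes(b"REPLACED-DLL")   # simulated DLL swap
    (proj.parent / "extra.dll").write_bytes(b"dropped")  # simulated drop
    return verify(tmp, baseline)
```

Ship the baseline off the machine being checked (for example on read-only media), since a baseline stored beside the files can be replaced along with them.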

  17. This Just in…Stuxnet has a kid
  • Named ‘Duqu’
  • Shares source code with Stuxnet
  • Possibly the same authors, or someone who has access to the source code
  • Uses a command and control server like Stuxnet
  • Designed to capture information, not to attack control systems or self-replicate
  • Reconnaissance
  Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

  18. Notable Information Source
  • Stuxnet Dossier by Symantec (69 pages)
  • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  19. References
  • http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects
  • http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2
  • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
  • http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities
  • http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
  • http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
  • http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf
  • http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html
  • http://www.stuxnet.net/
  • http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1
  • http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&pagewanted=all
  • http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/