I Stuxnet

or: How I Learned to Stop Worrying and Love The Worm

Gil Megidishgil@megidish.net

DISCLAIMER

I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor

do I know of its origins. Everything in this presentation is purely an analysis of

documents written by Wikipedia, Symantec, ESET and professional security advisors.

My First Anti-Virus

What is Stuxnet ?

• Most complicated computer-worm ever discovered.

• Targets industrial control systems such as in gas pipelines or power plants.

• An on-going work, dates back to Dec, 2008.

Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3

Bushehr Nuclear Power Plant

Agenda

Introduction to Computer ViriiStuxnet’s timelineInfection mechanismTargeted systemsWhodunit ?

Computer Virus

• A software that replicated itself onto other executable files.

Computer Worm

• A software that replicates itself onto other computers; usually via exploits.

Rootkit

• Enable continued access while actively hiding presence.

CVE-2010-0049

• Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on victim’s machine.

15 Dec 2009 Vendor notified15 Dec 2009 Vendor replied11 Mar 2010 Coordinated public disclosure

The List Never Ends

Backdoor

Worms

Viruses

Adware

Spyware

Trojan Horse

Rootkit

BotnetPhishing

XSS

Spoofing

Man in the Middle

D.o.S.

CSRF

“Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months. “

Frank Rieger (GSMK)

Timeline• 2008.11 – Trojan.Zlob found to be using LNK vulnerability• 2009.04 – Hakin9 magazine publishers Printer Spooler vulnerability• • 2010.01 – Stuxnet variant found with Realtek certificate• 2010.03 – Stuxnet variant found using LNK vulnerability• • 2010.06 – VeriSign revokes Realtek’s certificate• 2010.06 – Stuxnet variant found with JMicron certificate• 2010.07 – Symantec monitors Stuxnet’s C&C traffic• 2010.07 – VeriSign revokes JMicron’s certificate• 2010.08 – Microsoft patches LNK vulnerability.• 2010.09 – Microsoft patches Printer Spooler vulnerability.

2009.06 – First variant of Stuxnet found

2010.05 – Stuxnet first detected, named RootkitTmphider

Timeline• 2008.11 – Trojan.Zlob found to be using LNK vulnerability• 2009.04 – Hakin9 magazine publishers Printer Spooler vulnerability• • 2010.01 – Stuxnet variant found with Realtek certificate• 2010.03 – Stuxnet variant found using LNK vulnerability• • 2010.06 – VeriSign revokes Realtek’s certificate• 2010.06 – Stuxnet variant found with JMicron certificate• 2010.07 – Symantec monitors Stuxnet’s C&C traffic• 2010.07 – VeriSign revokes JMicron’s certificate• 2010.08 – Microsoft patches LNK vulnerability.• 2010.09 – Microsoft patches Printer Spooler vulnerability.

2009.06 – First variant of Stuxnet found

2010.05 – Stuxnet first detected, named RootkitTmphider

Exploit #1: LNK VulnerabilityCVE-2010-2568

Affects Windows 2000, Windows XP, WindowsServer 2003, Windows Vista and Windows 7

Exploit #2: Print Spooler VulnerabilityMS10-061

Affects Windows XP and legacy Lexmark/Compaqprinters.

Exploit #3:Windows Server ServiceMS08-067

Affects unpatched operating systems, withKernel32.dll earlier than Oct 12, 2008.

Metasploit: point. click. root.

Rootkitting Windows

Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

Taiwanese Ninjas?

Two More Zero-Day Exploits

WinCCConnect : 2WSXcder… Yes!

Peer To Peer Upgrades

Get version number

Request payload

#version#

Current version

Infected A Infected B

Command and Control

todaysfutbol.commypremierfutbol.com

GET /

200 OK

GET index.php?data=[XOR%31]

200 OK: Executable codeInfected PC

whois mypremierfutbol.com

Siemens SIMATIC Step 7

Step 7 Editor

Developer Station

WinCC MS-SQL Database

PLC

Step7 Interception

s7otbxdx.dll

s7blk_reads7blk_write

s7_blk_findfirsts7_blk_delete

All communication done through s7otbxdx library

Developer StationPLC

Step7 Interception

s7otbxsx.dll

s7blk_reads7blk_write

s7_blk_findfirsts7_blk_delete

Man in the middle rootkit!

Developer StationPLC

s7otbxdx.dll

OB1 Main Organization Block

OB35 Watchdog Organization Block

What the hell does it do?

Vacon NX

Vacon NX

The End of Stuxnet ?

v

So, whodunit ?

The Americans ?

The Russians ?

The Israelis ?

19790509

b:\myrtus\src\objfre_w2k_x86\i386 \guava.pdb

Dan Hamizer

WE MAY NEVER KNOW

Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than

30 programmers have been found in source code.

The Atlantic

I Stuxnet

LESS OF THIS

AND MORE OF THIS

NONE OF THIS

AND LOTS OF THIS

THANK YOU

Links

• Symantec’s Stuxnet Dossier http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf

• ESET: Stuxnet Under The Microscope http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

• Siemens Step 7 Programmer’s Handbook http://www.plcdev.com/book/export/html/373

Gil Megidishgil@megidish.net