I (Nuke) Stuxnet 7


Transcript of I (Nuke) Stuxnet 7

  • 8/4/2019 I (Nuke) Stuxnet 7

    1/56

  • 2/56

    DISCLAIMER

    I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor do I know of its origins. Everything in this presentation is purely an analysis of documents written by Wikipedia, Symantec, ESET and professional security advisors.

  • 3/56

    My First Anti-Virus

  • 4/56

    What is Stuxnet?

    Most complicated computer worm ever discovered.

    Targets industrial control systems such as those in gas pipelines or power plants.

    An ongoing work, dating back to December 2008.

  • 5/56

    Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3

  • 6/56

    Bushehr Nuclear Power Plant

  • 7/56

    Agenda

    Introduction to Computer Virii

    Stuxnet's timeline

    Infection mechanism

    Targeted systems

    Whodunit?

  • 8/56

    Computer Virus

    Software that replicates itself onto other executable files.

  • 9/56

    Computer Worm

    Software that replicates itself onto other computers, usually via exploits.

  • 10/56

    Rootkit

    Enables continued access while actively hiding its presence.

  • 11/56

    CVE-2010-0049

    Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on the victim's machine.

    15 Dec 2009 Vendor notified

    15 Dec 2009 Vendor replied

    11 Mar 2010 Coordinated public disclosure

  • 12/56

    The List Never Ends

    Backdoor

    Worms

    Viruses

    Adware

    Spyware

    Trojan Horse

    Rootkit

    Botnet

    Phishing

    XSS

    Spoofing

    Man in the Middle

    D.o.S.

    CSRF

  • 13/56

    Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.

    Frank Rieger (GSMK)

  • 14/56

    Timeline

    2008.11 Trojan.Zlob found to be using LNK vulnerability

    2009.04 Hakin9 magazine publishes Printer Spooler vulnerability

    2009.06 First variant of Stuxnet found

    2010.01 Stuxnet variant found with Realtek certificate

    2010.03 Stuxnet variant found using LNK vulnerability

    2010.05 Stuxnet first detected, named RootkitTmphider

    2010.06 VeriSign revokes Realtek's certificate

    2010.06 Stuxnet variant found with JMicron certificate

    2010.07 Symantec monitors Stuxnet's C&C traffic

    2010.07 VeriSign revokes JMicron's certificate

    2010.08 Microsoft patches LNK vulnerability.

    2010.09 Microsoft patches Printer Spooler vulnerability.


  • 16/56

    Exploit #1: LNK Vulnerability (CVE-2010-2568)

    Affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows 7

  • 17/56

    Exploit #2: Print Spooler Vulnerability (MS10-061)

    Affects Windows XP and legacy Lexmark/Compaq printers.

  • 18/56

    Exploit #3: Windows Server Service (MS08-067)

    Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.

  • 19/56

    Metasploit: point. click. root.

  • 20/56

    Rootkitting Windows

  • 21/56

  • 22/56

  • 23/56

    Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

  • 24/56

    Taiwanese Ninjas?

  • 25/56

    Two More Zero-Day Exploits

  • 26/56

    WinCCConnect : 2WScder Yes!

  • 27/56

    Peer To Peer Upgrades

    Diagram (Infected A ↔ Infected B): get version number → #version# → compare with current version → request payload

  • 28/56

    Command and Control

    Diagram: Infected PC ↔ todaysfutbol.com / mypremierfutbol.com

    GET /  →  200 OK

    GET index.php?data=[XOR%31]  →  200 OK: Executable code
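As an added defender-side example (not from the talk), the two-step exchange on this slide turned into a check over proxy access-log lines; it assumes Squid-style log formatting and uses constructed sample lines, with only the two domains and the URL shape taken from the slide.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Domains named on the slide; any host under them is treated as the same family.
C2_DOMAINS = ("todaysfutbol.com", "mypremierfutbol.com")

# Squid-style access.log: ts elapsed client status/code bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+/(?P<code>\d{3})\s+\S+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return a finding for one log line, or None if it is not C&C-related."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        return None
    query = parse_qs(u.query)
    if u.path.endswith("/index.php") and "data" in query:
        stage = "beacon"            # second request on the slide: data sent, payload returned
    elif u.path in ("", "/"):
        stage = "connectivity"      # first request on the slide: plain GET /
    else:
        stage = "other"
    return {"ts": m["ts"], "client": m["client"], "host": host, "stage": stage,
            "code": m["code"], "data_len": len(query.get("data", [""])[0])}


def scan(lines):
    """All findings for an iterable of log lines, in order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = [
    "1280000000.101 12 10.0.0.5 TCP_MISS/200 512 GET http://todaysfutbol.com/ - DIRECT/203.0.113.9 text/html",
    "1280000000.354 40 10.0.0.5 TCP_MISS/200 4096 GET http://todaysfutbol.com/index.php?data=4a4b4c4d4e - DIRECT/203.0.113.9 text/html",
    "1280000001.010 8 10.0.0.7 TCP_HIT/200 300 GET http://www.example.com/index.php?data=abc - NONE/- text/html",
    "not a log line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A connectivity hit followed shortly by a beacon from the same client is the sequence drawn on the slide; a lone hit on a sinkholed domain is worth a look but is not on its own the full pattern.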

  • 29/56

    whois mypremierfutbol.com

  • 30/56

  • 31/56

    Siemens SIMATIC Step 7

  • 32/56

    Diagram components: Step 7 Editor, Developer Station, WinCC MS-SQL Database, PLC

  • 33/56

    Step7 Interception

    s7otbxdx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete

    All communication done through s7otbxdx library

    Diagram: Developer Station ↔ s7otbxdx.dll ↔ PLC

  • 34/56

    Step7 Interception

    s7otbxsx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete

    Man in the middle rootkit!

    Diagram: Developer Station ↔ s7otbxdx.dll (Stuxnet's replacement) ↔ s7otbxsx.dll (original library, renamed) ↔ PLC
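A defender-side integrity check for the DLL swap shown on this slide, added here as an example (not from the talk, Siemens or any vendor tool): it assumes a Step 7 install directory and a known-good SHA-256 of s7otbxdx.dll that the operator recorded from a clean install, and flags both a digest mismatch and the presence of s7otbxsx.dll.

```python
import hashlib
import os
import tempfile

ORIGINAL_DLL = "s7otbxdx.dll"  # library all Step 7 <-> PLC traffic passes through (slide 33)
RENAMED_DLL = "s7otbxsx.dll"   # name the displaced original is kept under (slide 34)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_step7_dir(step7_dir, baseline_sha256):
    """Compare one Step 7 directory with a known-good s7otbxdx.dll digest.

    baseline_sha256 is a digest the operator recorded from a clean install
    (hypothetical input; the slides give no hash)."""
    findings = []
    orig = os.path.join(step7_dir, ORIGINAL_DLL)
    renamed = os.path.join(step7_dir, RENAMED_DLL)
    if not os.path.isfile(orig):
        findings.append(f"{ORIGINAL_DLL} missing")
    elif sha256_file(orig) != baseline_sha256:
        findings.append(f"{ORIGINAL_DLL} does not match baseline")
    if os.path.isfile(renamed):
        findings.append(f"{RENAMED_DLL} present: original appears to have been renamed")
        if sha256_file(renamed) == baseline_sha256:
            findings.append(f"{RENAMED_DLL} is the baseline library: a wrapper sits in front of it")
    return findings


def demo():
    """Constructed layouts: a clean directory and one with a wrapper in front of the original."""
    genuine = b"constructed stand-in for the vendor-shipped s7otbxdx.dll"
    wrapper = b"constructed stand-in for a replacement DLL"
    baseline = hashlib.sha256(genuine).hexdigest()
    results = {}
    for name, layout in (("clean", {ORIGINAL_DLL: genuine}),
                         ("wrapped", {ORIGINAL_DLL: wrapper, RENAMED_DLL: genuine})):
        with tempfile.TemporaryDirectory() as d:
            for fname, data in layout.items():
                with open(os.path.join(d, fname), "wb") as f:
                    f.write(data)
            results[name] = audit_step7_dir(d, baseline)
    return results
```

A vendor update legitimately changes the digest, so the baseline has to be re-recorded after patching; the s7otbxsx.dll name, by contrast, has no legitimate reason to appear.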

  • 35/56

    OB1 Main Organization Block

    OB35 Watchdog Organization Block

  • 36/56

    What the hell does it do?

  • 37/56

    Vacon NX

  • 38/56

    Vacon NX

  • 39/56

    The End of Stuxnet?

  • 40/56

    So, whodunit?

  • 41/56

    The Americans?

  • 42/56

    The Russians?

  • 43/56

    The Israelis?

  • 44/56

    19790509

  • 45/56

    b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

  • 46/56

    Dan Hamizer

  • 47/56

  • 48/56

    WE MAY NEVER KNOW

  • 49/56

    Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code.

    The Atlantic

  • 50/56

    I Stuxnet

    LESS OF THIS

  • 51/56

    LESS OF THIS

  • 52/56

    AND MORE OF THIS

    NONE OF THIS

  • 53/56

    NONE OF THIS

  • 54/56

    AND LOTS OF THIS

  • 55/56

    THANK YOU

  • 56/56

    Links

    Symantec's Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf

    ESET: Stuxnet Under The Microscope: http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

    Siemens Step 7 Programmer's Handbook: http://www.plcdev.com/book/export/html/373
