Sam Skalicky Biru Cui. Discovery Architecture Evaluation Conclusion.

Post on 14-Dec-2015


STUXNET

Sam Skalicky

Biru Cui

Outline

Discovery Architecture Evaluation Conclusion

Discovery

VirusBlokAda Zero-day Microsoft

Stuxnet <= .stub + MrxNet.sys Symantec

Architecture

Organization Installation Propagation Target & Process

Architecture

Organization

Exports Resources Configuration

Architecture

Installation

E15: environment scan, escalation

E16: copy, hide, autorun (certificate)

Architecture

Propagation

WinCC SQL, P2P, RPC, Printer spooler, Removable disk

.lnk, ~WTR4141.tmp, ~WTR4132.tmp Autorun.inf
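As an added example (not part of the slides), a small defender-side check for the removable-disk artifacts this slide names: the two ~WTR*.tmp droppers beside .lnk shortcuts, and Autorun.inf. The case-insensitive match and the root-only scan are assumptions; the sample directory is constructed in the script.

```python
import os
import tempfile

# Filenames taken from the slide; lower-cased so the match is case-insensitive.
DROPPER_FILES = {"~wtr4141.tmp", "~wtr4132.tmp"}
AUTORUN = "autorun.inf"


def scan_volume_root(root):
    """Inspect the root of a mounted volume and report the slide's indicators."""
    names = [n.lower() for n in os.listdir(root)]
    lnk_files = sorted(n for n in names if n.endswith(".lnk"))
    tmp_files = sorted(n for n in names if n in DROPPER_FILES)
    findings = {
        "lnk_files": lnk_files,
        "wtr_tmp_files": tmp_files,
        "autorun": AUTORUN in names,
    }
    # Strongest signal: both droppers present next to at least one shortcut.
    findings["suspect"] = bool(lnk_files) and len(tmp_files) == len(DROPPER_FILES)
    return findings


def build_constructed_volume(infected=True):
    """Constructed sample directory standing in for a removable disk."""
    root = tempfile.mkdtemp(prefix="stuxnet_demo_")
    files = ["photos.jpg", "notes.txt"]
    if infected:
        files += ["Copy of Shortcut to.lnk", "~WTR4141.tmp", "~WTR4132.tmp"]
    for name in files:
        open(os.path.join(root, name), "wb").close()  # empty placeholder files
    return root


if __name__ == "__main__":
    print(scan_volume_root(build_constructed_volume(infected=True)))
    print(scan_volume_root(build_constructed_volume(infected=False)))
```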

Architecture

Target Step 7 (E2/E14) PLC

Data Blocks (DB) System Data Blocks (SDB) Organization Blocks (OB) Function Blocks (FC)

Architecture

Process Broker FC: RECV OB1/OB35

Architecture

Process Profibus ID CP Frequency converter

Architecture

Process

1.41kHz 1.064kHz 2Hz

Evaluation

Complex: code size, propagation methods, zero-day exploit, certificate steal

Specific target: Step/PLC/FC

Speculation

Where

Speculation

What

Risk

Very small risk to the majority of users; the worm was targeted so specifically

Modifying large spinning motors to fail: shorting out, overheating, disengaging from their mounting

Consumes disk space (500KB)

New type of worm detected

What’s next?

W32.Duqu, a new beginning?
