W32.Stuxnet Dossier, Installation and Propagation
Ensimag 4MMSR Network Security, Student Seminar (1)
[email protected], [email protected], [email protected]
2012-04-18
(1) https://ensiwiki.ensimag.fr/index.php/4MMSR-Network_Security-2011-2012
Nicolas Falliere, Liam O Murchu, Eric Chien, W32.Stuxnet Dossier, 2012-04-18, slide 1 / 28
Authors
Nicolas Falliere (Senior Software Engineer), Liam O Murchu (Development Manager), Eric Chien (Technical Director), part of Symantec Security Response (antivirus and computer security research group, over 400 full-time employees)
Symantec: founded 1982; headquarters: Mountain View, California; providing security, storage and systems management solutions, e.g. Norton products
Outline
1 Introduction
2 Architecture
3 Injection
4 Preparation
5 Propagation
6 Counter measures
7 Conclusion
Introduction: Stuxnet
- computer worm
- first discovered in June 2010
- first infected systems June 2009
- targets industrial control systems with PLCs (Programmable Logic Controllers) made by Siemens
- for Windows XP, ME, 2000, 2003, Vista, 7, Server 2008
Introduction: Distribution
Measured Sept. 29, 2010 (by monitoring traffic to the Command & Control server)
Introduction: Attack Scenario
Architecture
DLL file
Injection
- there is no Stuxnet process; Stuxnet hides in trusted processes
- injection is performed on every call of an export
- injects into a trusted process
- goal: hide from antimalware
Trusted processes (product: process name)
Kaspersky KAV: avp.exe
McAfee: Mcshield.exe
AntiVir: avguard.exe
BitDefender: bdagent.exe
Etrust: UmxCfg.exe
F-Secure: fsdfwd.exe
Symantec: rtvscan.exe
Symantec Common Client: ccSvcHst.exe
Eset NOD32: ekrn.exe
Trend Pc-Cillin: tmpproxy.exe
Windows: Lsass.exe
Windows: Winlogon.exe
Windows: Svchost.exe
Preparation: Export 15
Preparation: Zero-day exploit
- exploits vulnerabilities in computer applications that are unknown to others or to the software developer beforehand
- vulnerability window: the time period between the first exploitation and the development of counter measures
- attack vector: a concrete way to exploit a vulnerability
Preparation: MS10-092, 0-day Task Scheduler
- target platform: Windows Vista and higher (introduction of the new Task Scheduler)
- goal: escalate privileges to SYSTEM
- task information stored as an XML file, readable and writable by the user
- integrity protected only by a weak CRC32 checksum
MS10-092: 0-day Task Scheduler, attack
1 create a task with low privileges
2 read the task configuration file from %SystemRoot%\system32\Tasks
3 modify the task configuration file (change privileges)
4 calculate the CRC32 of the original file and adapt the altered file to match it
5 run the task
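The security point of steps 3 and 4 is that a CRC32 detects accidental corruption but gives no protection against deliberate modification: the function is keyless and invertible, so any edit can be followed by four fix-up bytes that restore whatever CRC value the checker expects. The following Python is an added example written for this page, not code from the slides, from the Symantec dossier or from Windows; the task file, the comment marker used to hide the fix-up bytes, and the key are constructed for the demonstration, and the fix-up is the general form (it reaches any target value, not only the original file's CRC). It contrasts a CRC32 check with an HMAC-SHA256 tag under a key the unprivileged user cannot read, which is the kind of binding the Task Scheduler lacked.

```python
"""Added example: why a keyless CRC-32 is not an integrity control.

Toy model of the MS10-092 weakness described on the slide. Nothing here is
Stuxnet's or Microsoft's code; the task file, the key and the helpers are
constructed for the demonstration.
"""
import hashlib
import hmac
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), identical to the
# one zlib.crc32 uses.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

# The high byte of each table entry is unique, so a CRC step can be undone
# one byte at a time. That invertibility is the whole weakness.
INDEX_BY_HIGH_BYTE = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}
assert len(INDEX_BY_HIGH_BYTE) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return four bytes p such that crc32(data + p) == target.

    Walk backwards from the target register through four table steps to
    learn which table index each patch byte must select, then walk forwards
    from the real register state to choose the bytes that select them.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF    # internal register after `data`
    want = target ^ 0xFFFFFFFF             # internal register we must reach
    indices = []
    for _ in range(4):
        idx = INDEX_BY_HIGH_BYTE[want >> 24]
        indices.append(idx)
        want = ((want ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for idx in reversed(indices):
        patch.append((reg ^ idx) & 0xFF)   # byte that selects this table entry
        reg = (reg >> 8) ^ CRC_TABLE[idx]
    return bytes(patch)


# Constructed stand-in for a user-writable task definition.
ORIGINAL_TASK = (
    b"[task]\n"
    b"command = C:\\tools\\backup.exe\n"
    b"runlevel = limited\n"
)


def tamper_preserving_crc(original: bytes, old: bytes, new: bytes) -> bytes:
    """Swap `old` for `new`, then hide four fix-up bytes behind a comment
    marker so the CRC-32 of the result equals that of the original."""
    modified = original.replace(old, new) + b"# "
    return modified + crc32_fixup(modified, crc32(original))


# Two ways a privileged service could validate the file before trusting it.
def crc_check(stored_crc: int, data: bytes) -> bool:
    return crc32(data) == stored_crc


def hmac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_check(key: bytes, stored_tag: bytes, data: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), stored_tag)


def demo() -> dict:
    """Validate a privilege-raising edit under both schemes."""
    key = b"constructed key, readable only by the privileged service"
    stored_crc = crc32(ORIGINAL_TASK)          # what a CRC-only scheme records
    stored_tag = hmac_tag(key, ORIGINAL_TASK)  # what a keyed scheme records
    forged = tamper_preserving_crc(ORIGINAL_TASK, b"runlevel = limited", b"runlevel = highest")
    return {
        "crc_accepts_forgery": crc_check(stored_crc, forged),
        "hmac_accepts_forgery": hmac_check(key, stored_tag, forged),
        "hmac_accepts_original": hmac_check(key, stored_tag, ORIGINAL_TASK),
    }


if __name__ == "__main__":
    print(demo())  # {'crc_accepts_forgery': True, 'hmac_accepts_forgery': False, 'hmac_accepts_original': True}
```

The lesson for a design review is that "integrity protected" must mean a keyed MAC or a signature checked by a party the writer cannot impersonate; a checksum that the writer can recompute, or that a user-writable file can be padded to satisfy, is only a corruption detector.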
Propagation: Peer-to-peer
- implements a Microsoft RPC server and client
- automatic updates in the LAN
Propagation: WinCC
- WinCC (Windows Control Center): for supervision and control of Siemens' industrial systems
- Microsoft SQL Server used for logging
- vulnerability: hardcoded, publicly known and documented password in the SQL server
Infecting WinCC computers
- connect as Administrator using the password '2WSXcder'
- create a table with the hex representation of the main Stuxnet DLL:
    CREATE TABLE sysbinlog ( abin image )
    INSERT INTO sysbinlog VALUES (0x...)
- write the DLL to disk via OLE Automation stored procedures
- add it as an extended stored procedure and execute it:
    SET @ainf = @aind + '\\sql%05x.dbi'
    EXEC sp_addextendedproc sp_dumpdbilog, @ainf
    EXEC sp_dumpdbilog
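The sequence on this slide (stage a binary blob in a table, write it to disk through OLE Automation, load the file as an extended stored procedure) is unusual enough in a logging database that each step is a usable indicator and the three together are a strong one. The following Python is detection logic added for this page; it is not from the Symantec dossier, from WinCC or from SQL Server tooling. It scans T-SQL statements as a SQL Server audit or trace might capture them; the sample session, the `sp_OACreate` call, the threshold for "large" hex literals and the rule names are constructed, and the hex literal stands in for the DLL bytes.

```python
"""Added example: flagging the T-SQL drop-and-load sequence the slide describes.

Detection logic written for this page, not part of the Symantec dossier or
of any WinCC or SQL Server tooling. It scans statements as a SQL Server
audit or trace might capture them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    statement: str


# Per-statement indicators. sp_OA* are SQL Server's OLE Automation
# procedures; sp_addextendedproc registers a DLL as an extended procedure,
# i.e. loads it into the server process.
HEX_BLOB_MIN_DIGITS = 64   # 32 bytes; constructed threshold, tune per site
RULES = [
    ("extended-proc-registration", re.compile(r"\bsp_addextendedproc\b", re.I)),
    ("ole-automation-call", re.compile(r"\bsp_OA\w+", re.I)),
    ("large-binary-literal", re.compile(r"0x[0-9A-Fa-f]{%d,}" % HEX_BLOB_MIN_DIGITS)),
]

# Indicators that together make up the chain on the slide: stage bytes in a
# table, write them to disk, load the file as a procedure.
DLL_DROP_CHAIN = {"large-binary-literal", "ole-automation-call", "extended-proc-registration"}

# Constructed sample session: two benign statements, then the slide's
# sequence. The hex literal is a constructed stand-in for the DLL bytes.
SAMPLE_SESSION = [
    "SELECT TOP 10 * FROM TagLogging ORDER BY Timestamp DESC",
    "UPDATE settings SET flags = 0x0F WHERE id = 3",
    "CREATE TABLE sysbinlog ( abin image )",
    "INSERT INTO sysbinlog VALUES (0x" + "4d5a90000300" * 16 + ")",
    "EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT",
    "SET @ainf = @aind + '\\\\sql%05x.dbi'",
    "EXEC sp_addextendedproc sp_dumpdbilog, @ainf",
    "EXEC sp_dumpdbilog",
]


def scan_statement(statement: str) -> list[Finding]:
    """Return one Finding per rule the statement triggers."""
    return [Finding(name, statement) for name, rx in RULES if rx.search(statement)]


def scan_session(statements: list[str]) -> dict:
    """Scan a session's statements and report whether the full chain was seen."""
    findings = [f for s in statements for f in scan_statement(s)]
    rules_hit = {f.rule for f in findings}
    return {
        "findings": findings,
        "rules_hit": rules_hit,
        "dll_drop_chain": DLL_DROP_CHAIN <= rules_hit,
    }


if __name__ == "__main__":
    result = scan_session(SAMPLE_SESSION)
    for f in result["findings"]:
        print(f"{f.rule:28} {f.statement[:60]}")
    print("dll drop chain:", result["dll_drop_chain"])  # True
```

Any one rule alone will produce false positives on a busy server (binary columns and OLE Automation have legitimate uses), which is why the session-level chain is reported separately. On the hardening side, the OLE Automation procedures are governed by the `Ole Automation Procedures` option of `sp_configure` and can be disabled where the application does not need them, and the page's own first counter measure, replacing the documented fixed password, removes the entry point that makes the rest of the chain reachable.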
Propagation: Network shares
Two methods used:
1 search for accessible network shares
  - search for other computers with the same user accounts as the local user
  - for all available credentials, try to access ADMIN$ and C$
  - drop the Stuxnet DLL on the system
  - schedule a task to execute the Stuxnet DLL
2 Windows RPC vulnerability: MS08-067
  - buffer overflow in Windows RPC
  - already used by Conficker
  - more sophisticated implementation (employs recent techniques like Return Oriented Programming)
Propagation: Printer spooler vulnerability
- discovered April 2009, fixed Sept 14, 2010
- precondition: a printer shared on the target
- goal: remote code execution
Attack
- connect to the print spooler as guest
- print two "documents" to files in the %SYSTEM% directory
- the files are "printed" with the print spooler's privileges instead of the guest's
- winsta.exe → stuxnet.dll
- wbem\mof\sysnullevnt.mof → registers an event that executes winsta.exe
Propagation via removable drive
LNK vulnerability: MS10-046
Counter measures
For Stuxnet in particular:
- install recent security updates (fixes now exist for all the vulnerabilities it used)
For similar future malware:
- no complete protection; it can only be impeded
- request that software manufacturers fix known vulnerabilities quickly
- install recent security updates
- isolation (take the network, USB sticks, ... into account)
Conclusion
- largest and costliest development effort in malware history (estimation: 10 million $)
- 4 zero-day exploits
- 2 compromised certificates
- only a nation state is capable of producing it
- → cyberweapon
For Further Reading
Aleksandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho. "Stuxnet Under the Microscope", ESET. http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Nicolas Falliere, Liam O Murchu and Eric Chien. "W32.Stuxnet Dossier", Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Wikipedia. "Stuxnet". http://en.wikipedia.org/wiki/Stuxnet
Wikipedia. "Zero-day Attack". http://en.wikipedia.org/wiki/Zero-day_attack