Sam Skalicky Biru Cui

 Discovery  Architecture  Evaluation  Conclusion

 VirusBlokAda  Zero-day  Microsoft  Stuxnet <=.stub + MrxNet.sys  Symantec

 Organization  Installation  Propagation  Target & Process

 Organization  Exports  Resources  Configuration

 Installation  E 15: environment scan, escalation  E 16: copy, hide, autorun (certificate)

 Propagation  WinCC SQL  P2P RPC  Printer spooler  Removable disk .lnk, ~WTR4141.tmp, ~WTR4132.tmp  Autorun.inf

 Target  Step 7 (E2/E14)  PLC  Data Blocks (DB)  System Data Blocks (SDB)  Organization Blocks (OB)  Function Blocks (FC)

 Process  Broker  FC: RECV  OB1/OB35

 Process  Profibus ID  CP  Frequency converter

 Process  1.41kHz 1.064kHz 2Hz

 Complex  code size  propagation methods  zero-day exploit  certificate steal  specific target Step/PLC/FC

 Where

 What

 Very small risk to the majority of users  Worm was target so specifically  Modifying large spinning motors to fail  Shorting out  Overheat  Disengage from their mounting  Consumes disk space (500KB)  New type of worm detected

 W32.Duqu, a new beginning?

 [1] “Frequently Asked Questions on Virus-L/comp.virus.” Internet: Oct. 9, 1995 [Jan. 7, 2012].  [2] “MS10-061: Printer Spooler Vulnerability.” Internet: printer-spooler-vulnerability.aspx, Sept. 14, 2010 [Jan. 7, 2012] printer-spooler-vulnerability.aspx  [3] Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet” Synmatec, November  [4] K. Zetter, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History,” Internet: detectives-deciphered-stuxnet/all/1, July 11, detectives-deciphered-stuxnet/all/1