Slide 1 Vitaly Shmatikov (based on Symantec’s “Stuxnet Dossier”) CS 361S Stuxnet.

Slides:



Advertisements
Similar presentations
By Hiranmayi Pai Neeraj Jain
Advertisements

Operating System Security : David Phillips A Study of Windows Rootkits.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Real world example: Stuxnet Worm. Stuxnet: Overview June 2010: A worm targeting Siemens WinCC industrial control system. Targets high speed variable-frequency.
The 1-hour Guide to Stuxnet
Real world example: Stuxnet Worm. Overview Primary target: industrial control systems –Reprogram Industrial Control Systems (ICS) –On Programmable Logic.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Stuxnet Malware Attribution Mike Albright CS 591 Fall 2010.
Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.
SCADA – Are we self- sufficient? Presented by Jack McIntyre 15/05/2015Jack McIntyre2.
STUXNET. Summary What is Stuxnet? Industial Control Systems The target/s of Stuxnet. How Stuxnet spreads. The impact of Stuxnet on PLC’s.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Advanced Persistent Threats CS461/ECE422 Spring 2012.
To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Stuxnet The first cyber weapon.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Configuring the MagicInfo Pro Display
Hands-On Microsoft Windows Server 2008
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
By Lance Westberg. How does Stuxnet infect industrial control systems? Stuxnet is a complex piece of malware with many different components and functionalities.
A sophisticated Malware Arpit Singh CPSC 420
Module 4: Add Client Computers and Devices to the Network.
By: Sharad Sharma, Somya Verma, and Taranjit Pabla.
Mr. Mark Welton.  The five game changing viruses  Security best practices that deal with the problems.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
Managing Windows Server 2008 R2 Lesson 2. Objectives.
Jonathan Baulch  A worm that spreads via USB drives  Exploits a previously unknown vulnerability in Windows  Trojan backdoor that looks for a specific.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
1 Higher Computing Topic 8: Supporting Software Updated
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
MALWARE : STUXNET CPSC 420 : COMPUTER SECURITY PRINCIPLES Somya Verma Sharad Sharma Somya Verma Sharad Sharma.
Eng. Hector M Lugo-Cordero, MS CIS4361 Department of Electrical Engineering and Computer Science February, 2012 University of Central Florida.
Lessons from Stuxnet Matthew McNeill. Quick Overview Discovered in July 2011 Sophisticated worm - many zero-day exploits, Siemens programmable logic controller.
VirusesViruses HackingHacking Back upsBack ups Stuxnet Stuxnet.
 Stuxnet: The Future of Malware? Stephan Freeman.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.
Module 4 Planning for Group Policy. Module Overview Planning Group Policy Application Planning Group Policy Processing Planning the Management of Group.
Flame: Modern Warfare Matthew Stratton. What is Flame? How it was found What are its capabilities How it is similar to Stuxnet and Duqu Implications.
Stuxnet.
Linux Operations and Administration
W elcome to our Presentation. Presentation Topic Virus.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
COMPUTER VIRUSES ….! Presented by: BSCS-I Maheen Zofishan Saba Naz Numan Sheikh Javaria Munawar Aisha Fatima.
Information Systems CS-507 Lecture 32. Physical Intrusion The intruder could physically enter an organization to steal information system assets or carry.
NEXT GENERATION ATTACKS & EXPLOIT MITIGATIONS TECHNIQUES ID No: 1071 Name: Karthik GK ID: College: Sathyabama university.
Sniper Corporation. Sniper Corporation is an IT security solution company that has introduced security products for the comprehensive protection related.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
BY: AUSTIN NEIGH. WHAT IS CYBER WARFARE? Hacking that is politically motivated to conduct sabotage or espionage Form of information warfare Typically.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Travis Deyarmin. In This Presentation  What is Stuxnet  What is Flame  Compare/Contrast  Who is Responsible  Possible Repercussions.
How a presumably military grade malware sabotaged the Iranian nuclear program W32.Stuxnet Presenter: Dolev Farhi |
W32.Stuxnet How a presumably military grade malware sabotaged the Iranian nuclear program Presenter: Dolev Farhi |
Securing Network Servers
Malware Reverse Engineering Process
Configuring Windows Firewall with Advanced Security
Malware Reverse Engineering Process
Cybersecurity Case Study STUXNET worm
Chap 10 Malicious Software.
Propagation, behavior, and countermeasures
Object Oriented Programming and Software Engineering CIS016-2
Presentation transcript:

slide 1 Vitaly Shmatikov (based on Symantec’s “Stuxnet Dossier”) CS 361S Stuxnet

CVE “Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm” slide 2

slide 3 MS Vulnerability Microsoft Security Bulletin MS Vulnerability in Windows Shell Could Allow Remote Code Execution The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed … This security update is rated Critical for all supported editions of Microsoft Windows. First disclosed in CVE (Jun 30, 2010) Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1).LNK or (2).PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE in Siemens WinCC SCADA systems.

Stuxnet Pre-History uNovember 20, 2008: Zlob Trojan exploits an unknown vulnerability in Windows shortcuts (LNK) Later identified as MS uApril 2009: security magazine Hakin9 describes a vulnerability in Windows printer spooler service Later identified as MS uJune 22, 2009: earliest version of Stuxnet seen Does not use MS10-046, driver not signed slide 4

Stuxnet Timeline (2010) uJanuary 25: signed Stuxnet driver, valid certificate from Realtek Semiconductor uJune 17: Antivirus company from Belarus reports a new USB rootkit TmpHider uJuly 16: Microsoft issues MS Shortcut vulnerability uJuly 16: VeriSign revokes Realtek certificate uJuly 17: Stuxnet driver with valid certificate from JMicron Technology slide 5

Stuxnet Timeline Cont’d (2010) uJuly 19: Siemens says they are investigating malware affecting their WinCC SCADA system SCADA = control of industrial machinery uSeptember 14: Microsoft issues MS Print spooler vulnerability slide 6

Stuxnet Firsts uFirst to exploit multiple zero-day vulnerabilities uFirst to use stolen signing keys and valid certificates of two companies uFirst to target industrial control systems – or not? … and hide the code from the operator … and perform actual sabotage uFirst PLC (programmable logic controller) rootkit uFirst example of true cyber-warfare? slide 7

Industrial Control Systems uRun automated processes on factory floors, power and chemical plants, oil refineries, etc. uSpecialized assembly code on PLCs (Programmable Logic Controllers) PLCs are usually programmed from Windows uNot connected to the Internet (“air gap”) slide 8

uEach PLC is configured and programmed in a unique manner uStuxnet targets a specific PLC control system SIMATIC PCS 7 Process Control System Programmed using WinCC/STEP 7 slide 9 Target: SCADA

Stuxnet Propagation Methods uInitial infection via USB drive (jumps “air gap”) Zero-day MS shortcut exploit + auto-execution uSeveral network propagation methods LAN: zero-day MS print spooler exploit or old MS08-67 RPC exploit (remember Conficker?) Default password to Siemens WinCC database server Network shares Peer-to-peer communication and update mechanism uLooks for and infects Windows machines running Step 7 control software slide 10

USB Infection Vectors LNK Vulnerability (CVE ) Self-executing AutoRun.Inf slide 11 Loaded from a control panel file (CPL) pointing to malicious DLL

Bypassing Intrusion Detection uCalls LoadLibrary with a special file name that does not exist uLoadLibrary fails, but Ntdll.dll has been hooked to monitor for the special file names uThese names are mapped to another location where Stuxnet previously decrypted and stored a DLL file slide 12

Gaining Admin Privileges uIf running without administrative privileges, uses zero-day vulnerabilities to become an admin Win 2000, XP: MS keyboard layout vulnerability Vista, Windows 7: MS task scheduler vulnerability uInjects code into a trusted Windows process LSASS or Winlogon uInjection method depends on the security product used on the infected host Kaspersky KAV, McAfee, AntiVir, BitDefender, Etrust, F- Secure, Symantec, ESET NOD32, PC Cillin slide 13

Exploiting MS uIn Windows XP, a user-level program can load keyboard layout uInteger in the layout file indexes a global array of function pointers (no bounds checking, natch) Can use this to call any function… uFind a pointer to this array, find a pointer into user-modifiable memory, inject attack code there, use bad indexing to call modified function Attack code will run with admin privileges slide 14

Exploiting MS uUsers can create and edit scheduled tasks uCRC32 checksum to prevent tampering “… not suitable for protecting against intentional alteration of data” --- Wikipedia uModify user definition in the task to LocalSystem, pad until CRC32 matches the original slide 15 We should use CRC32 to … NEVER USE CRC32 FOR ANYTHING [credit: iSEC Partners]

slide 16 Infection Routine Flow Built-in expiration date Exits if finds a “magic” string

32 “Exports” (Functionalities) slide 17 1 Infects connected removable drives, starts remote procedure call (RPC) server 2 Hooks APIs for Step 7 project file infections 4 Calls the removal routine (export 18) 5 Verifies if the threat is installed correctly 6 Verifies version information 7 Calls Export 6 9 Updates itself from infected Step 7 projects 10 Updates itself from infected Step 7 projects 14 Step 7 project file infection routine 15 Initial entry point 16 Main installation 17 Replaces Step 7 DLL 18 Uninstalls Stuxnet 19 Infects removable drives 22 Network propagation routines 24 Check Internet connection 27 RPC Server 28 Command and control routine 29 Command and control routine 31 Updates itself from infected Step 7 projects 32 Same as 1

15 “Resources” (Methods) slide MrxNet.sys load driver, signed by Realtek 202 DLL for Step 7 infections 203 CAB file for WinCC infections 205Data file for Resource Autorun version of Stuxnet 208 Step 7 replacement DLL 209Data file (%windows%\help\winmic.fts) 210 Template PE file used for injection 221 Exploits MS to spread via SMB 222 Exploits MS print spooler vulnerability 231Internet connection check 240LNK template file used to build LNK exploit 241USB Loader DLL ~WTR4141.tmp 242MRxnet.sys rootkit driver 250 Exploits undisclosed win32k.sys vulnerability

Windows Rootkit uGoal: hide itself when copied to removable drive uExtracts “Resource 201” as driver MrxNet.sys This driver is digitally signed and registered as a service creating the following registry entry: –HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \MRxNet\”ImagePath” = “%System%\drivers\mrxnet.sys” uDriver filters out (hides) following files: Files with.LNK extension, size of 4,171 bytes Files named “~WTR[four digits].TMP”, size between 4Kb and 8Mb, the sum of the four digits is a multiple of 10 slide 19

Realtek and JMicron uStuxnet drivers were signed using stolen keys of two Taiwanese semiconductor companies uAllegedly located in the same office park Why is this interesting? slide 20

Command and Control uTests if can connect on port 80 to uConnects to special domains –Previously pointed to servers in Malaysia and Denmark Can be updated with other domain names uSends encrypted information about infected host Time of infection, IP address and OS version, flag specifying if the host is part of a workgroup or domain, file name of infected Step 7 project slide 21

slide 22 Remote Control of Stuxnet

How PLCs Are Programmed uPLC is loaded with blocks of code and data Code written in low-level STL language Compiled code is in MC7 assembly uThe original s7otbxdx.dll is responsible for handling block exchange between the programming device and the PLC slide 23

PLC “Rootkit” uStuxnet replaces s7otbxdx.dll with its own DLL Records blocks written to and read from PLC Infects PLC by inserting its own blocks uPLC “rootkit” Hooks routines that read, write, and enumerate code blocks on PLC Hides infection from PLC operator slide 24

Sabotage uChecks if PLC controls a cascade of at least 33 frequency converter drives manufactured by a specific Iranian or Finnish company A frequency converter drive controls speed of another device – used in water systems, gas pipelines, etc. uRecords normal behavior of PLC uExecutes sequences of commands that rapidly slow down or speed up motors Sequence depends on detected manufacturer u… while replaying normal behavior to operator slide 25

Iranian Nuclear Program uSep 2010: “delays” Warm weather blamed uOct 2010: “spies” arrested, allegedly attempted to sabotage Iran’s nuclear program uNov 2010: Iran acknowledges that its nuclear enrichment centrifuges were affected by a worm Foreign minister: “Nothing would cause a delay in Iran's nuclear activities” Intelligence minister: “enemy spy services” responsible slide 26

History of Stuxnet Propagation uFirst wave of attacks targeted 5 organizations inside Iran, starting in June initial infections Shortest span between compile time and initial infection = 12 hours (median = 26 days) uMultiple propagation mechanisms from there u12,000 resulting infections uTrue target unknown Possibly the underground enrichment facility at Natanz slide 27

Affected Systems Percentage of Stuxnet-infected hosts with Siemens software installed slide 28

Stuxnet Infections Worldwide slide 29

Whodunit? uStuxnet will not infect systems that contain safe code uHabib Elghanian Leader of Iran’s Jewish community Executed by firing squad as an Israeli spy on May 9, 1979 One of the first victims of the Islamic revolution u“Symantec cautions readers on drawing any attribution conclusions. Attackers would have natural desire to implicate another party.” slide 30

Another Clue? uProject path in Stuxnet driver: b:\myrtus\src\objfire_w2k_x86\i386\guava.pdb Guava is a plant in the myrtle (myrtus) family uBook of Esther in the Hebrew Bible Esther (born Hadassah) learns that Haman, Persian prime minister, is planning to exterminate all Jews, but foils his plot and has him impaled “Hadassah” is “myrtle” in Hebrew u“Symantec cautions readers on drawing any attribution conclusions. Attackers would have natural desire to implicate another party.” slide 31 “My RTUs” (Remote Terminal Units), similar to PLCs

Flame uPossibly related to Stuxnet, much more complex uExploits an MD5 hash collision attack on Microsoft Update code signing certificate Much more about this later uTargets mainly in Iran, but also in Lebanon, Syria, Sudan, Israel, and the Palestinian Territories Purpose: espionage rather than industrial sabotage –Logs keystrokes, records audio, grabs GPS tags from photos... Possibly developed by the NSA, CIA, and Israeli military as part of the “Olympic Games” campaign against Iranian nuclear program -- Washington Post slide 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.