
Stuxnet: discovered in June/July 2010; targeted Siemens software and equipment running Microsoft Windows; the first malware for SCADA systems built to spy on and subvert them.


Slide 2
- Discovered in June/July 2010
- Targeted Siemens software and equipment running Microsoft Windows
- First malware for SCADA systems to spy on and subvert the systems
  - Also the first to include a rootkit for a programmable logic controller (PLC)
- Exploited 4 zero-day vulnerabilities
- Multiple methods of propagation
- Slowly over-spun centrifuges

Slide 3
- Nothing new
  - Many are web accessible
  - Default passwords still set
- Examples
  - Polish trains
  - Harrisburg, PA water facility
  - L.A. traffic light system
  - Many others
Source: Control System Security Assessments, 2008 Siemens Automation Summit, http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf

Slide 4
- September 2010 study by Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Slide 5
- Who created Stuxnet?
  - Lots of time put into it
  - USA, Israel, or a multi-country agency collaboration
  - INL (Idaho National Laboratory) influence?
- Study back in 2008 with Siemens
- Was it specifically targeted at Iran?
  - Maybe

Slide 6
- Discovered: July 13, 2010
- Type: Worm
- Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
- CVE references: CVE-2010-2568
Source: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Slide 7
- Estimated 8 to 10 developers over ~6 months
- First variant June 2009
  - Wasn't spreading fast enough?
- Second variant March 2010
- Third variant April 2010
  - Minor improvements
- Several different languages
- About 15,000 lines of code
- Around 0.5 MB in size

Slide 8
- Spread like a normal worm, but only targeted Siemens systems
- An infected computer could only spread to a maximum of three other computers
- Scheduled to erase itself on June 24, 2012

Slide 9
- Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability
  - BID 41732
  - CVE-2010-2568
  - First malware to use this
  - Classified as a design error (binary planting)

Slide 10
- Microsoft Print Spooler Remote Code Execution Vulnerability
  - CVE-2010-2729
  - Patch released September 2010
- Could not find the other two listed

Slide 11
- Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
  - BID 31874
  - CVE-2008-4250
  - Used by Conficker

Slide 12
- Self-replicates through removable drives
- Spreads via the Windows Print Spooler on a LAN
- Copies and executes itself on remote computers through network shares
- 2 compromised digital driver certificates
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Slide 13
- Copies and executes itself on remote computers running the WinCC database server
- Copies itself into Step 7 projects, and executes when the project is loaded
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


Slide 15
- Updates through P2P within a LAN
- Contacts a command and control server, which allows the attacker to download and execute code
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Slide 16
- s7otbxd.dll replaced by Stuxnet
- Allowed for:
  - Monitoring of PLC blocks being written to and read from the PLC
  - Infection of a PLC by inserting or modifying selected blocks
  - Masking of the infection of the PLC
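Because the substituted DLL sits between Step 7 and the PLC and filters what the engineering station reads back, the integrity of the DLL itself has to be checked from outside the Step 7 toolchain. The following is an added example, not code from the presentation or from Siemens: an offline hash comparison of the Step 7 DLL directory against a known-good manifest, flagging a modified s7otbxd.dll and any DLL the baseline does not know (the file contents, hash baseline and the extra file name `s7otbx_orig.dll` are constructed for the example).

```python
import hashlib
from pathlib import Path

# Constructed stand-in for the vendor-supplied DLL. A real baseline is captured from
# clean install media, never from the host under examination.
GOOD_S7OTBXD = b"vendor-supplied s7otbxd.dll contents (constructed)"

# Known-good manifest: file name -> SHA-256 of the vendor-supplied file.
BASELINE = {"s7otbxd.dll": hashlib.sha256(GOOD_S7OTBXD).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: dict, baseline: dict) -> dict:
    """Compare a {name: bytes} snapshot of the Step 7 DLL directory to the baseline.

    modified   - present in both, but the on-disk hash differs from the baseline
    missing    - listed in the baseline but not on disk
    unexpected - a DLL on disk that the baseline knows nothing about (for example a
                 renamed original kept beside the substituted DLL)
    """
    on_disk = {name.lower(): name for name in files}
    expected = {name.lower(): digest for name, digest in baseline.items()}
    modified = sorted(on_disk[n] for n in on_disk
                      if n in expected and sha256_hex(files[on_disk[n]]) != expected[n])
    missing = sorted(name for name in baseline if name.lower() not in on_disk)
    unexpected = sorted(on_disk[n] for n in on_disk
                        if n not in expected and n.endswith(".dll"))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def snapshot_dir(path: str) -> dict:
    """Read every regular file in a directory into memory for verify_manifest()."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


# Constructed scenario: the DLL in place no longer matches the baseline and a second,
# unknown DLL has appeared next to it.
TAMPERED_DIR = {
    "s7otbxd.dll": b"substituted s7otbxd.dll that proxies the original (constructed)",
    "s7otbx_orig.dll": GOOD_S7OTBXD,
}

if __name__ == "__main__":
    print(verify_manifest(TAMPERED_DIR, BASELINE))
```

Run `verify_manifest(snapshot_dir(<Step 7 directory>), BASELINE)` from a trusted host or boot medium; a result with a non-empty `modified` or `unexpected` list means the PLC block reads reported by that station cannot be trusted until the DLL is restored.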

Slide 17
- Named 'Duqu'
- Shares source code with Stuxnet
  - Possibly the same authors, or someone with access to the source code
- Uses a command and control server like Stuxnet
- Designed to capture information, not to attack control systems or self-replicate
  - Reconnaissance
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Slide 18
- Stuxnet Dossier by Symantec, 69 pages
  - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Slide 19: References
- http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects
- http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
- http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities
- http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
- http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
- http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf
- http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html
- http://www.stuxnet.net/
- http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1
- http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&pagewanted=all
- http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/
