Stuxnet - Case Study

This presentation is for CISS6011 Special Topic: Cybersecurity at the University of Sydney.

    Stuxnet - Case Study Presentation Transcript

    • Case Study: Stuxnet, by Amr Thabet
    • Stuxnet Overview
      • Most sophisticated malware ever seen in public
      • Uses up to 6 vulnerabilities (5 in Windows and 1 in Siemens software)
      • Its code is ~1.5 MB (very large)
      • Has 3 rootkits (user-mode, kernel-mode and PLC rootkit)
      • Spreads via USB flash memory and network shares
      • Updates itself over the Internet by connecting (HTTP) to two websites (the connection is encrypted)
      • Infects SCADA systems
      • The first malware with a physical payload
    • Stuxnet Life Cycle
    • Stuxnet’s Main Dropper
      • The dropper is a program that contains the real malware and carries it from one PC to another (like a ship)
      • It loads the main DLL in a special way
      • It calls LoadLibraryA but hooks the file-management APIs that LoadLibraryA uses, so the DLL is read from memory rather than from a file on disk
    • Process Injection
      • Stuxnet injects itself into a process (usually lsass.exe)
      • It copies itself into the Memory of lsass and then forces lsass to execute it by modifying its code
      • In Stuxnet's case it unloads (removes) the original image (lsass) from the process memory while the process is suspended, then loads another PE file into that memory with the same entry point
    • Escalation of Privileges
      • Escalation of privileges means doing something you are not allowed to do; in Stuxnet's case it obtains administrator privileges to install itself
      • It uses 2 vulnerabilities in the Windows OS:
      • CVE-2010-2743 (MS-10-073) – Win32k.sys keyboard layout vulnerability
      • CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler vulnerability
      • These vulnerabilities allow Stuxnet to execute as a system application (it runs like a system process)
    • Installation Mechanism
      • It installs these files:
      • %SystemRoot%\inf\oem7A.PNF
      • %SystemRoot%\inf\mdmeric3.PNF
      • %SystemRoot%\inf\mdmcpq3.PNF
      • %SystemRoot%\inf\oem6C.PNF
      • %SystemRoot%\Drivers\mrxnet.sys
      • %SystemRoot%\Drivers\mrxcls.sys
      • Then it adds MrxNet and MrxCls to the registry to make sure they are executed on every boot
    • Disabling Windows Defender
      • It modifies some registry entries related to Windows Defender:
      • SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
        • EnableUnknownPrompts
        • EnableKnownGoodPrompts
        • ServicesAndDriversAgent
      • These modifications allow Stuxnet to work normally without being blocked
    • Spreading Mechanism: USB Infection
      • Stuxnet uses a vulnerability in the Windows OS:
      • CVE-2010-2568 (MS-10-046) – Windows Shell LNK vulnerability
      • This vulnerability is found in shortcuts to CPL files
      • For these shortcuts, Explorer loads the icon dynamically
      • That loading makes Explorer load the CPL file and call its entry point
      • Stuxnet uses this trick to make Explorer call the entry point of its executable
    • Spreading Mechanism: Network
      • Stuxnet spreads via the network by using 2 vulnerabilities:
      • CVE-2010-2729 (MS-10-061) – Windows Print Spooler Service vulnerability
      • CVE-2008-4250 (MS-08-067) – Windows Server Service NetPathCanonicalize() vulnerability
      • The 1st vulnerability allows Stuxnet to infect PCs that share their printers
      • The 2nd was used before by Conficker and allows Stuxnet to spread via network shares
    • Updating Mechanism
      • Stuxnet updates itself via 2 websites:
      • www.mypremierfutbol.com
      • www.todaysfutbol.com
      • On isolated machines, Stuxnet updates itself via a P2P connection
      • The infected machines communicate with each other via RPC connections
      • This allows the ICS machines to be controlled without a direct connection to the Internet
    • Rootkits
      • A rootkit is a program (or tool) used by malware to hide its presence
      • In Stuxnet, the rootkits hide Stuxnet's files on the infected USB flash memory
      • Stuxnet has 2 rootkits: a user-mode and a kernel-mode rootkit
    • User-Mode Rootkit
      • Loaded by the LNK vulnerability
      • Used only once, before infecting a machine
      • It modifies the pointers to the file-management APIs
      • Changes the input or the output of these APIs
      • Hides the Stuxnet files on the flash memory
    • Kernel-Mode Rootkit
      • It’s a device driver
      • It's installed during the installation process of Stuxnet
      • It's a simple file system filter
      • It modifies the outputs and the inputs of the file-management functions inside the kernel
    • Loading Mechanism
      • There are two ways for Stuxnet to load:
      • 1. WTR4141.TMP:
      • Loaded by the LNK vulnerability
      • Loads the main dropper of Stuxnet
      • 2. MrxCls:
      • It's a device driver
      • Injects Stuxnet into services.exe every time the system boots
    • Thank You
      • For any question don't forget to mail me at:
      • [email_address]
      • For more about me visit my website:
      • http://www.amrthabet.co.cc
      • Or my blog:
      • http://blog.amrthabet.co.cc
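A host-side check for the artefacts named on the Installation Mechanism and Disabling Windows Defender slides above, added here as an example and not code from the original presentation. It runs on an offline snapshot (a set of file paths plus a dict of registry keys and values) so it works anywhere; the Services registry location for MrxNet/MrxCls and the expected Defender value of 1 are assumptions, not taken from the slides.

```python
import ntpath
from typing import Dict, Iterable, List

# File paths from the "Installation Mechanism" slide (backslashes restored).
STUXNET_FILES = [
    r"%SystemRoot%\inf\oem7A.PNF", r"%SystemRoot%\inf\mdmeric3.PNF",
    r"%SystemRoot%\inf\mdmcpq3.PNF", r"%SystemRoot%\inf\oem6C.PNF",
    r"%SystemRoot%\Drivers\mrxnet.sys", r"%SystemRoot%\Drivers\mrxcls.sys",
]
# The slide only says MrxNet/MrxCls are "added to the registry" to run on every
# boot; the Services key location below is an assumption, not from the slides.
PERSISTENCE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\MrxNet",
    r"HKLM\SYSTEM\CurrentControlSet\Services\MrxCls",
]
DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_VALUES = ["EnableUnknownPrompts", "EnableKnownGoodPrompts",
                   "ServicesAndDriversAgent"]
EXPECTED_DEFENDER_VALUE = 1  # assumption: 1 = enabled; anything else = tampered

def _norm(path: str, system_root: str) -> str:
    """Lower-case a path and fold an expanded system root back to %SystemRoot%."""
    p = ntpath.normpath(path).lower()
    root = ntpath.normpath(system_root).lower()
    return "%systemroot%" + p[len(root):] if p.startswith(root + "\\") else p

def check_host(files_present: Iterable[str], registry: Dict[str, Dict[str, int]],
               system_root: str = r"C:\Windows") -> List[str]:
    """Return human-readable findings; an empty list means no artefact was seen."""
    findings = []
    present = {_norm(p, system_root) for p in files_present}
    for path in STUXNET_FILES:
        if _norm(path, system_root) in present:
            findings.append("file present: " + path)
    reg = {k.lower(): v for k, v in registry.items()}  # registry keys are case-insensitive
    for key in PERSISTENCE_KEYS:
        if key.lower() in reg:
            findings.append("boot persistence key present: " + key)
    for name, value in reg.get(DEFENDER_KEY.lower(), {}).items():
        if name in DEFENDER_VALUES and value != EXPECTED_DEFENDER_VALUE:
            findings.append(f"Defender setting tampered: {name}={value}")
    return findings

# Constructed sample snapshot of an infected host (not real data); on a live
# Windows host fill these from os.walk() and winreg instead.
SAMPLE_FILES = {r"C:\Windows\inf\oem7A.PNF", r"C:\WINDOWS\Drivers\MRXCLS.SYS",
                r"C:\Windows\System32\kernel32.dll"}
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\MrxCls": {"Start": 0},
    DEFENDER_KEY: {"EnableUnknownPrompts": 0, "EnableKnownGoodPrompts": 1},
}
```

Calling `check_host(SAMPLE_FILES, SAMPLE_REGISTRY)` on the constructed snapshot reports the two files, the MrxCls persistence key and the changed EnableUnknownPrompts value; an empty list means none of the listed artefacts were found.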