Stuxnet - Infecting Industrial Control Systems
Liam O Murchu, Operations Manager, Symantec Security Response
Sep 2010
Stuxnet

[Overview diagram of Stuxnet's components; only its labels survive extraction: Check WinCC, Network Shares, Installed AV, Print Spooler, .lnk, ICS vuln, P2P Updates, Infect PLCs, MS08-067, Zero Day, Versions, Goal, C&C, EoP, Projects, Step7, Def Dates, Task Scheduler, Win32k.sys, 1.5 Mb each]




Stuxnet - Infecting Industrial Control Systems          2
Agenda

1. 60 second Intro to PLCs
2. Programming a PLC
3. How Stuxnet infects
4. What Stuxnet does
5. Demonstration

PLCs
Programmable Logic Controller

• Monitors input and output lines
    – Sensors on inputs
    – Switches/equipment on outputs
    – Many different vendors
• Stuxnet seeks specific models
    – S7-300 and S7-400

Stuxnet is targeted: it looks for a specific type of PLC and searches for a specific configuration.

Hardware configuration
System Data Blocks

• Each PLC must be configured before use.
• The configuration is stored in System Data Blocks (SDBs).
• Stuxnet parses these blocks.
• It looks for the magic bytes 2C CB 00 01 at offset 50h.
• These signify that a Profibus network card (CP 342-5) is attached.
• It then looks for the values 7050h and 9500h.
• There must be more than 33 of these values.
• Stuxnet injects different code depending on the number of occurrences.
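The following is an added example, not code from the slides or from Symantec: it applies the SDB fingerprint listed above to a block of bytes, so a defender can test offline which hardware configurations would have matched the target profile. The slide does not state the byte order or alignment of the 7050h/9500h values, so this code assumes big-endian 16-bit words at even offsets, and the sample block layout is constructed rather than a real SDB.

```python
# Added example (not from the slides): applies the SDB fingerprint the slide
# lists to a byte string.  Assumptions not stated on the slide: the SDB is
# handled as a flat byte string, and the 7050h / 9500h values are counted as
# big-endian 16-bit words at even offsets.
import struct

MAGIC = bytes.fromhex("2CCB0001")   # slide: magic bytes 2C CB 00 01 ...
MAGIC_OFFSET = 0x50                 # ... at offset 50h (CP 342-5 Profibus card)
TARGET_WORDS = (0x7050, 0x9500)     # slide: values searched for after the marker
MIN_COUNT = 33                      # slide: must have more than 33 of these values


def has_profibus_marker(sdb: bytes) -> bool:
    """True if the CP 342-5 marker sits at offset 50h."""
    return sdb[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)] == MAGIC


def count_target_words(sdb: bytes) -> dict:
    """Count 7050h and 9500h occurrences (big-endian words at even offsets: assumption)."""
    counts = {w: 0 for w in TARGET_WORDS}
    for off in range(0, len(sdb) - 1, 2):
        word = struct.unpack_from(">H", sdb, off)[0]
        if word in counts:
            counts[word] += 1
    return counts


def classify_sdb(sdb: bytes) -> dict:
    """Apply the slide's checks and report which ones the block passes."""
    marker = has_profibus_marker(sdb)
    counts = count_target_words(sdb)
    total = sum(counts.values())
    return {
        "profibus_marker": marker,
        "count_7050": counts[0x7050],
        "count_9500": counts[0x9500],
        "total": total,
        # both conditions from the slide must hold
        "matches_profile": marker and total > MIN_COUNT,
    }


def build_sample_sdb(n_7050: int, n_9500: int, with_marker: bool = True) -> bytes:
    """Constructed sample block (not a real SDB layout): zero padding, an
    optional marker at 50h, then the requested number of target words."""
    buf = bytearray(0x60)
    if with_marker:
        buf[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)] = MAGIC
    buf += struct.pack(">H", 0x7050) * n_7050
    buf += struct.pack(">H", 0x9500) * n_9500
    return bytes(buf)


if __name__ == "__main__":
    for label, sdb in [
        ("34 target words, marker present", build_sample_sdb(20, 14)),
        ("33 target words, marker present", build_sample_sdb(20, 13)),
        ("40 target words, no marker", build_sample_sdb(40, 0, with_marker=False)),
    ]:
        print(label, "->", classify_sdb(sdb))
```

The second sample shows the boundary the slide states: exactly 33 target words is not enough, since the count must exceed 33. The third shows that the marker check gates everything else, so a configuration without the CP 342-5 marker is not a match however many target words it contains.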


How Stuxnet Infects PLCs



Programming a PLC
Step7, STL and MC7

• Simatic / Step 7 software
    – Used to write code in STL or other languages
• STL code is compiled to MC7 byte code
• MC7 byte code is transferred to the PLC
• The control PC can now be disconnected

Stuxnet: Man in the Middle attack on PLCs
“Man in the App” attack

• Step7 uses a library to access the PLC
    – S7otbxdx.dll
• Stuxnet replaces that DLL with its own version
• Stuxnet’s version intercepts reads and writes to the PLC and changes the code at this point.

Stuxnet MC7 Byte code

• Stuxnet contains at least 70 binary blobs of data
• They are encoded and stored in the fake DLL
• These are actually blocks of MC7 byte code
• This is the code that is injected onto the PLCs
• It must be converted back to STL to be understood
• A difficult task, but we have now converted all the MC7 byte code to readable STL code
• The real-world effects of this code are still unclear.


OB1 and OB35
Stuxnet changes these blocks

• OB1 = main() on PLCs
    – Stuxnet inserts its own code at the beginning of OB1 so it runs first.
• OB35 is a 100ms interrupt routine
    – Used to monitor inputs that would require fast action
    – Stuxnet infects OB35 too
• Stuxnet will return clean versions of these functions when they are read from the PLC.
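The following is an added example, not code from the slides or from Symantec, that simulates the two points made on the "Man in the App" slide and on this one: a replaced access library that alters OB1 and OB35 on the way to the PLC and hands back clean copies on the way out. It shows why verifying a download by reading the blocks back through the same library reports nothing, while a comparison through an independent read path does. The class names, the placeholder prologue and the STL fragments are constructed for illustration; the real Step7 library interface is not modelled, and the "independent path" stands for any clean workstation or tool that reads the PLC without the replaced DLL.

```python
# Added example (not from the slides): simulation of the "man in the app"
# pattern and of a defender's out-of-band integrity check.  Everything here
# is constructed for illustration; it does not model the real Step7 API.
import hashlib

# Constructed stand-in for the code the replaced library prepends.  The slide
# says only that Stuxnet's code is inserted at the beginning of OB1 and that
# OB35 is infected too; that OB35 is handled the same way is an assumption.
INJECTED_PROLOGUE = "// [injected prologue placeholder]"
HOOKED_BLOCKS = ("OB1", "OB35")


class Plc:
    """The controller's block memory: what is actually executing."""
    def __init__(self):
        self.blocks = {}

    def read_block(self, name):
        return self.blocks[name]

    def write_block(self, name, code):
        self.blocks[name] = code


class DirectDriver:
    """An unmodified access library: reads and writes pass straight through."""
    def __init__(self, plc):
        self.plc = plc

    def read_block(self, name):
        return self.plc.read_block(name)

    def write_block(self, name, code):
        self.plc.write_block(name, code)


class ManInTheAppDriver:
    """Models the replaced library: on write it prepends its own code to the
    hooked blocks; on read it returns the clean version it remembered, so the
    engineering software never sees the change."""
    def __init__(self, plc):
        self.plc = plc
        self._clean = {}

    def write_block(self, name, code):
        self._clean[name] = code
        if name in HOOKED_BLOCKS:
            code = INJECTED_PROLOGUE + "\n" + code
        self.plc.write_block(name, code)

    def read_block(self, name):
        # Slide: clean versions are returned when the blocks are read back.
        if name in HOOKED_BLOCKS and name in self._clean:
            return self._clean[name]
        return self.plc.read_block(name)


def download_project(driver, project):
    """Write every block of the engineering project to the PLC via a driver."""
    for name, code in project.items():
        driver.write_block(name, code)


def block_hash(code):
    return hashlib.sha256(code.encode()).hexdigest()


def mismatched_blocks(driver, project):
    """Hash each block read through `driver` against the project file and
    return the names whose content on the PLC differs."""
    return sorted(
        name for name, code in project.items()
        if block_hash(driver.read_block(name)) != block_hash(code)
    )


# Constructed sample project (STL fragments, not real control logic).
SAMPLE_PROJECT = {
    "OB1": "L MW 10;\nT QW 0;",
    "OB35": "L IW 0;\nT MW 10;",
    "FC1": "L 1;\nT MW 20;",
}


def run_scenario():
    """Download through the replaced library, then verify two ways."""
    plc = Plc()
    compromised = ManInTheAppDriver(plc)
    download_project(compromised, SAMPLE_PROJECT)
    # Read-back through the same (replaced) library: nothing is reported.
    via_same_path = mismatched_blocks(compromised, SAMPLE_PROJECT)
    # Read through an independent path (assumption: a clean workstation or
    # tool that talks to the PLC without the replaced DLL).
    via_independent_path = mismatched_blocks(DirectDriver(plc), SAMPLE_PROJECT)
    return via_same_path, via_independent_path


if __name__ == "__main__":
    same, independent = run_scenario()
    print("mismatches seen through the replaced library:", same)
    print("mismatches seen through an independent read:", independent)
```

The design point is that the read-back check is only as trustworthy as the path it runs over: `mismatched_blocks` is the same function in both calls, and it is the driver underneath, not the comparison, that decides whether OB1 and OB35 show up. Untouched blocks such as FC1 match either way.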



Demo
Show Infection of a PLC

• Inflate a balloon for 5 seconds
• Infect the PLC
• Inflate balloon again for 5 seconds




Stuxnet’s PLC code
Complex and large amount of code

• Demo was just 8 lines of code.
• Stuxnet contains hundreds of lines of code.
• It is difficult to understand the real-world actions without knowing what is connected on the inputs and outputs.

      UC FC 1865;          // unconditional call of function FC 1865
      POP ;                // pop the accumulator stack (ACCU 2 into ACCU 1)
      L DW#16#DEADF007;    // load the constant DEADF007h into ACCU 1
      ==D ;                // compare ACCU 1 and ACCU 2 (double word) for equality
      BEC ;                // block end conditional: leave the block if the compare was true
      L DW#16#0;           // load 0
      L DW#16#0;           // load 0

Targets
Stats for Command and Control Servers




Stuxnet Infections




White Paper Available
W32.Stuxnet Dossier

• Stuxnet technical details are available here:
  http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf




Thank you!
     Liam O Murchu - liam_omurchu@symantec.com
     Nicolas Falliere
     Eric Chien
     Threat Intelligence Team
     All Stuxnet Reverse Engineers
     Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
     the U.S. and other countries. Other names may be trademarks of their respective owners.

     This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
     are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.



More Related Content

What's hot

How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsYury Chemerkin
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionmalvvv
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
 

What's hot (20)

How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
 
Linux Security
Linux SecurityLinux Security
Linux Security
 

Viewers also liked

Cours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésCours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésFranck Franchin
 
Sécurité des systèmes d'information
Sécurité des systèmes d'informationSécurité des systèmes d'information
Sécurité des systèmes d'informationFranck Franchin
 
La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016Olivier DUPONT
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatiqueoussama Hafid
 

Viewers also liked (7)

Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
 
Cours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésCours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts Clés
 
Sécurité des systèmes d'information
Sécurité des systèmes d'informationSécurité des systèmes d'information
Sécurité des systèmes d'information
 
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaquesCyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
 
Principes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficientePrincipes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficiente
 
La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatique
 

Similar to Stuxnet

Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$PusHkar SaIni
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's storyPaolo Stagno
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2Nil Menon
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and ConfigurationCCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and ConfigurationVuz Dở Hơi
 
Chapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched NetworksChapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched NetworksYaser Rahmati
 
KPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_finalKPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_finalFisal Anwari
 
Chapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networksChapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networksteknetir
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
Joa Overview
Joa OverviewJoa Overview
Joa Overviewholtek
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Design & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOTDesign & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOTIRJET Journal
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)Řőmĕő Šhűbhąm
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019Dragos, Inc.
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED
 

Similar to Stuxnet (20)

Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and ConfigurationCCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
 
Chapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched NetworksChapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched Networks
 
KPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_finalKPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_final
 
Chapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networksChapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networks
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
 
Microcontroller
MicrocontrollerMicrocontroller
Microcontroller
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
Joa Overview
Joa OverviewJoa Overview
Joa Overview
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Design & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOTDesign & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOT
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57
 
plc scada
 plc scada plc scada
plc scada
 

More from bueno buono good

Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los  pueblos indígenas, Ja...Informe del Relator Especial sobre los derechos de los  pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...bueno buono good
 
Complete patents nikola_tesla
Complete patents nikola_teslaComplete patents nikola_tesla
Complete patents nikola_teslabueno buono good
 
Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014bueno buono good
 
Wikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapterWikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapterbueno buono good
 
Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014bueno buono good
 
Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7bueno buono good
 
Bohemian grove-members-list 2010
Bohemian grove-members-list 2010Bohemian grove-members-list 2010
Bohemian grove-members-list 2010bueno buono good
 
Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1bueno buono good
 
Cremation of care traduzione italiano
Cremation of care traduzione italianoCremation of care traduzione italiano
Cremation of care traduzione italianobueno buono good
 

More from bueno buono good (20)

Privacy facebook 2015
Privacy facebook 2015Privacy facebook 2015
Privacy facebook 2015
 
LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014
 
Inceneration and health
Inceneration and healthInceneration and health
Inceneration and health
 
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los  pueblos indígenas, Ja...Informe del Relator Especial sobre los derechos de los  pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
 
Galline libere guida
Galline libere guidaGalline libere guida
Galline libere guida
 
Water resourcers group
Water resourcers groupWater resourcers group
Water resourcers group
 
NkpPS
NkpPSNkpPS
NkpPS
 
Tesla confid
Tesla confidTesla confid
Tesla confid
 
Complete patents nikola_tesla
Complete patents nikola_teslaComplete patents nikola_tesla
Complete patents nikola_tesla
 
Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014
 
Wikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapterWikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapter
 
Ttip draft
Ttip draftTtip draft
Ttip draft
 
2013 cpi brochure_en
2013 cpi brochure_en2013 cpi brochure_en
2013 cpi brochure_en
 
Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014
 
Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7
 
Doc 10502 290_en
Doc 10502 290_enDoc 10502 290_en
Doc 10502 290_en
 
Sipri yearbook 2013
Sipri yearbook 2013Sipri yearbook 2013
Sipri yearbook 2013
 
Bohemian grove-members-list 2010
Bohemian grove-members-list 2010Bohemian grove-members-list 2010
Bohemian grove-members-list 2010
 
Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1
 
Cremation of care traduzione italiano
Cremation of care traduzione italianoCremation of care traduzione italiano
Cremation of care traduzione italiano
 

Recently uploaded

Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Aggregage
 
WSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfWSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfJamesConcepcion7
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfDanny Diep To
 
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...PRnews2
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
Simplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansSimplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansNugget Global
 
Rakhi sets symbolizing the bond of love.pptx
Rakhi sets symbolizing the bond of love.pptxRakhi sets symbolizing the bond of love.pptx
Rakhi sets symbolizing the bond of love.pptxRakhi Bazaar
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesDoe Paoro
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverseSiemens
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
How to Conduct a Service Gap Analysis for Your Business
How to Conduct a Service Gap Analysis for Your BusinessHow to Conduct a Service Gap Analysis for Your Business
How to Conduct a Service Gap Analysis for Your BusinessHelp Desk Migration
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfASGITConsulting
 
Darshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdfDarshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdfShashank Mehta
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 
Neha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and CareerNeha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and Careerr98588472
 

Recently uploaded (20)

Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
 
WSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdfWSMM Media and Entertainment Feb_March_Final.pdf
WSMM Media and Entertainment Feb_March_Final.pdf
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...

Stuxnet

1. Stuxnet - Infecting Industrial Control Systems
   Liam O Murchu, Operations Manager, Symantec Security Response
   Sep 2010

2. Stuxnet (overview diagram; only its labels survived extraction: Check WinCC Installed, Network Shares, AV, Print Spooler vuln, .lnk, ICS, P2P Updates, Infect PLCs, MS08-067, Zero Day, 2 Versions, Goal, C&C, EoP, Step7 Projects, Infect, Check Def Dates, Task Scheduler, Win32k.sys, 1.5 Mb each)

3. Agenda
   1 60 second Intro to PLCs
   2 Programming a PLC
   3 How Stuxnet infects
   4 What Stuxnet does
   5 Demonstration

4. PLCs - Programmable Logic Controller
   • Monitors Input and Output lines
     – Sensors on input
     – switches/equipment on outputs
     – Many different vendors
   • Stuxnet seeks specific Models
     – s7-300 s7-400
   Stuxnet is Targeted: Targeting a Specific type of PLC, Searches for a Specific Configuration

5. Hardware configuration - System Data Blocks
   • Each PLC must be configured before use.
   • Configuration is stored in System Data Blocks (SDBs)
   • Stuxnet parses these blocks
   • Looks for magic bytes 2C CB 00 01 at offset 50h
   • Signifies a Profibus network card attached - CP 342-5
   • Looks for 7050h and 9500h
   • Must have more than 33 of these values
   • Injects different code based on number of occurrences

6. How Stuxnet Infects PLCs (Stuxnet - Inside the PLC)

7. Programming a PLC - Step7, STL and MC7
   • Simatic or Step 7 software
     – Used to write code in STL or other languages
   • STL code is compiled to MC7 byte code
   • MC7 byte code is transferred to the PLC
   • Control PC can now be disconnected

8. Stuxnet: Man in the Middle attack on PLCs - "Man in the App" attack
   • Step7 uses a library to access the PLC
     – S7otbxdx.dll
   • Stuxnet replaces that dll with its own version
   • Stuxnet's version intercepts reads and writes to the PLC and changes the code at this point.

9. Stuxnet MC7 Byte code
   • Stuxnet contains at least 70 binary blobs of data
   • They are encoded and stored in the fake dll
   • These are actually blocks of MC7 byte code
   • This is the code that is injected onto the PLCs
   • Must be converted back to STL to understand it
   • Difficult task but we have now converted all the MC7 byte code to readable STL code
   • Just unsure of real world effects of this code.

10. OB1 and OB35 - Stuxnet changes these blocks
   • OB1 = main() on PLCs
     – Stuxnet inserts its own code at the beginning of OB1 so it runs first.
   • OB35 is a 100ms interrupt routine
     – Used to monitor inputs that would require fast action
     – Stuxnet infects OB35 too
   • Stuxnet will return clean versions of these functions when they are read from the PLC.

11. Demo - Show Infection of a PLC
   • Inflate a balloon for 5 seconds
   • Infect the PLC
   • Inflate balloon again for 5 seconds

12. Stuxnet's PLC code - Complex and large amount of code
   • Demo was just 8 lines of code.
   • Stuxnet contains hundreds of lines of code
   • It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs.
   STL shown on the slide:
      UC    FC 1865;
      POP   ;
      L     DW#16#DEADF007;
      ==D   ;
      BEC   ;
      L     DW#16#0;
      L     DW#16#0;

13. Stuxnet

14. Stuxnet

15. Targets - Stats for Command and Control Servers

16. Stuxnet Infections

17. White Paper Available - W32.Stuxnet Dossier
   • Stuxnet Technical Details Available here:
   • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

18. Thank you!
   Liam O Murchu - liam_omurchu@symantec.com
   Nicolas Falliere, Eric Chien, Threat Intelligence Team, All Stuxnet Reverse Engineers
   Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
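Slide 5 lists the configuration fingerprint Stuxnet tested before injecting code: the magic bytes 2C CB 00 01 at offset 50h (a CP 342-5 Profibus module) and more than 33 occurrences of the values 7050h and 9500h. The following is an added example, not code from the presentation or from Symantec, that a plant operator could run over dumps of their own System Data Blocks to learn whether a configuration falls inside that targeting profile. The SDB dumps it builds are constructed test data, and the byte order of the marker words and the choice to count them at every byte offset are assumptions, since the slide does not state them.

```python
"""Check an S7 System Data Block (SDB) dump against the configuration profile
slide 5 says Stuxnet tested for.  Added defender-side example; sample dumps
are constructed here and are not real SDB contents."""

import struct
from dataclasses import dataclass

SDB_MAGIC = bytes.fromhex("2CCB0001")   # "2C CB 00 01" from slide 5
SDB_MAGIC_OFFSET = 0x50                 # "offset 50h" from slide 5
MARKER_WORDS = {0x7050, 0x9500}         # "7050h and 9500h" from slide 5
MARKER_THRESHOLD = 33                   # "more than 33 of these values"


@dataclass(frozen=True)
class SdbProfile:
    has_cp342_5_magic: bool   # magic bytes present => CP 342-5 Profibus card
    marker_count: int         # occurrences of 7050h / 9500h

    @property
    def matches_stuxnet_profile(self) -> bool:
        # Both conditions from slide 5 must hold; exactly 33 markers is not enough.
        return self.has_cp342_5_magic and self.marker_count > MARKER_THRESHOLD


def has_profibus_magic(sdb: bytes) -> bool:
    """True if the four magic bytes sit exactly at offset 0x50."""
    end = SDB_MAGIC_OFFSET + len(SDB_MAGIC)
    return len(sdb) >= end and sdb[SDB_MAGIC_OFFSET:end] == SDB_MAGIC


def count_marker_words(sdb: bytes) -> int:
    """Count 16-bit words equal to 7050h or 9500h.
    Assumption: big-endian (the S7 convention), scanned at every byte offset."""
    count = 0
    for offset in range(len(sdb) - 1):
        (word,) = struct.unpack_from(">H", sdb, offset)
        if word in MARKER_WORDS:
            count += 1
    return count


def profile_sdb(sdb: bytes) -> SdbProfile:
    """Summarise one SDB dump against the two slide-5 criteria."""
    return SdbProfile(has_profibus_magic(sdb), count_marker_words(sdb))


def build_sample_sdb(with_magic: bool, marker_count: int, size: int = 0x200) -> bytes:
    """Construct a synthetic SDB: zero-filled, optional magic at 0x50, and the
    requested number of marker words laid out contiguously from offset 0x60,
    alternating 7050h and 9500h.  Constructed test data only."""
    buf = bytearray(size)
    if with_magic:
        buf[SDB_MAGIC_OFFSET:SDB_MAGIC_OFFSET + len(SDB_MAGIC)] = SDB_MAGIC
    pos = 0x60
    for i in range(marker_count):
        struct.pack_into(">H", buf, pos, 0x7050 if i % 2 == 0 else 0x9500)
        pos += 2
    return bytes(buf)


if __name__ == "__main__":
    samples = [("magic + 40 markers", build_sample_sdb(True, 40)),
               ("magic + 33 markers", build_sample_sdb(True, 33)),
               ("no magic + 40 markers", build_sample_sdb(False, 40))]
    for label, sdb in samples:
        p = profile_sdb(sdb)
        print(f"{label:24s} magic={p.has_cp342_5_magic} "
              f"markers={p.marker_count} matches={p.matches_stuxnet_profile}")
```

Only the first constructed sample matches: the second has the Profibus magic but exactly 33 marker words, which the slide's "more than 33" excludes, and the third has enough markers but no CP 342-5 magic. Slide 5 also says the injected code differs with the number of occurrences, so the raw `marker_count` is reported alongside the boolean rather than discarded.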
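Slides 8 and 10 describe the "man in the app" behaviour: the replaced PLC-access DLL prepends code to OB1/OB35 on write and hands back the clean copies on read, so an engineer comparing the project against what the PLC reports sees nothing wrong. The following is an added example, not code from the presentation or from Symantec, that models that behaviour in a few classes to show why an integrity check must read the controller through an independent path rather than through the same library. The block contents, the hooked-library class, the placeholder bytes standing in for injected MC7 and the "out-of-band" reader are all constructed stand-ins, not Stuxnet's blobs or the real s7otbxdx.dll interface.

```python
"""Model of the slide 8/10 read-back hiding, used to contrast an integrity
check made through the engineering library with one made out of band.
Added example; every block and class here is a constructed stand-in."""

import hashlib
from typing import Dict, Tuple


class Plc:
    """Holds the blocks actually resident on the controller."""

    def __init__(self) -> None:
        self._blocks: Dict[str, bytes] = {}

    def read_block(self, name: str) -> bytes:
        return self._blocks[name]

    def write_block(self, name: str, code: bytes) -> None:
        self._blocks[name] = code


class AccessLibrary:
    """Honest stand-in for the Step7 PLC-access library."""

    def __init__(self, plc: Plc) -> None:
        self.plc = plc

    def read_block(self, name: str) -> bytes:
        return self.plc.read_block(name)

    def write_block(self, name: str, code: bytes) -> None:
        self.plc.write_block(name, code)


class HookedAccessLibrary(AccessLibrary):
    """Models the replaced DLL: writes to OB1/OB35 get extra code prepended so
    it runs first (slide 10); reads return the clean copy the engineer wrote."""

    INJECTED = b"<constructed placeholder for injected MC7>"  # not real MC7
    TARGET_BLOCKS = ("OB1", "OB35")

    def __init__(self, plc: Plc) -> None:
        super().__init__(plc)
        self._clean_copies: Dict[str, bytes] = {}

    def write_block(self, name: str, code: bytes) -> None:
        if name in self.TARGET_BLOCKS:
            self._clean_copies[name] = code
            code = self.INJECTED + code
        self.plc.write_block(name, code)

    def read_block(self, name: str) -> bytes:
        if name in self._clean_copies:
            return self._clean_copies[name]   # hide the modification
        return self.plc.read_block(name)


def sha256(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def verify_through_library(lib: AccessLibrary, name: str, expected: bytes) -> bool:
    """Naive check: compare the project block with what the library reports."""
    return sha256(lib.read_block(name)) == sha256(expected)


def verify_out_of_band(plc: Plc, name: str, expected: bytes) -> bool:
    """Independent check: read the controller via a path that does not go
    through the engineering station's library (assumed to exist)."""
    return sha256(plc.read_block(name)) == sha256(expected)


# Constructed stand-ins for the compiled blocks a Step7 project would download.
PROJECT: Dict[str, bytes] = {
    "OB1": b"MC7 main program (constructed)",
    "OB35": b"MC7 100ms interrupt (constructed)",
    "FC1": b"MC7 helper function (constructed)",
}


def build_scenario(hooked: bool) -> Tuple[Plc, AccessLibrary]:
    """Download the project to a fresh PLC through a clean or hooked library."""
    plc = Plc()
    lib = HookedAccessLibrary(plc) if hooked else AccessLibrary(plc)
    for name, code in PROJECT.items():
        lib.write_block(name, code)
    return plc, lib


def run_scenario(hooked: bool) -> Dict[str, Tuple[bool, bool]]:
    """Per block: (passes check through library, passes out-of-band check)."""
    plc, lib = build_scenario(hooked)
    return {name: (verify_through_library(lib, name, code),
                   verify_out_of_band(plc, name, code))
            for name, code in PROJECT.items()}


if __name__ == "__main__":
    for hooked in (False, True):
        print("hooked library" if hooked else "clean library", run_scenario(hooked))
```

With the clean library every block passes both checks. With the hooked library OB1 and OB35 still pass the check made through the library, because it answers with the copies it kept, while the out-of-band read shows the controller is actually running the prepended code; the untouched FC1 passes both. The practical reading is the one slide 10 implies: a comparison performed on the engineering station with its own PLC-access library cannot be trusted to reveal this class of modification, so known-good hashes of downloaded blocks should be verified from a separate system or tool.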