Stuxnet: How to Take Control of a Nuclear Plant
The Stuxnet worm made a lot of noise regarding the industrial attack carried out in recent months. But how much do we know in detail about the methodology it used?
In this presentation Tomer gives a complete walkthrough of all the concepts and steps carried out by this malware, dissected with a specific target in mind.
The topics covered are the terminology associated with this attack, specific details about Stuxnet, and a step-by-step account of how the stages of taking over the nuclear plant were carried out, sequenced as infiltration, propagation and exploitation.

By Tomer Teller, Security Evangelist

Published in: Technology
Transcript

  • 1. Stuxnet: How to Take Over a (Nuclear) Power Plant. Tomer Teller, Security Evangelist, April 2011. ©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
  • 2. The Idea Behind Stuxnet. Simple! We don't want Iran to get the bomb: sabotage the uranium enrichment process.
  • 3. The Target. A real-time control system. Controls: valves; drive speed. Does not run Windows... but..
  • 4. Operator: "Hello?" Controller (PLC). Operator (Field PG). We are in business.
  • 5. The Operation. Drop malware; reprogram the controller (payload). Mission goal: no nukes. Target: centrifuges in Natanz.
  • 6. Agenda. 1 Terminology. 2 Stuxnet Overview. 3 Infiltration, Propagation and Exploitation. 4 Summary.
  • 7. Terminology I. Exploit: software that takes advantage of a bug in order to cause unintended behavior (getting inside). Worm: malware that replicates itself within the network (propagate). Payload: the actual malicious activity, e.g., delete file, download file (create damage).
  • 8. Terminology II. PLC: a Programmable Logic Controller, used for control of machinery on factory assembly lines. Field PG: typical Windows machines, used to program PLCs.
  • 9. Visual Terminology. Operator (Field PG) -> Controller -> Industrial Machinery.
  • 10. "Groundbreaking" Worm. While we are in this room... more than 50,000 new worms are propagating on the Internet; ~1000 of them are undetected by antivirus; ~1–2 employ unknown vulnerabilities (0-day). So what is so special about Stuxnet? Why is it "groundbreaking"?
  • 11. Stuxnet Overview. Architecture: single file (archive); Peer-2-Peer; command and control. Exploits: 4 unknown Windows bugs; 2 stolen certificates. Techniques: antivirus evasion; network; PLC pre-recorded commands.
  • 12. Infection Statistics. Number of unique infected hosts by country. This is not normal…
  • 13. Welcome to the Battlefield. The Bushehr Nuclear Power Plant, Iran.
  • 14. What's Going To Happen? Internal network: Operator PC (Windows), Field PG, PLC. Found operator.
  • 15. Typical PLC Deployment (Goal). Water pipe, pipeline, gas centrifuge. Internal network: the Operator PC (Windows) writes to and reads from the PLC through the Field PG.
  • 16. Mission Objectives: infiltrate the power plant; propagate inside the network; infect the operator computer. GOAL: reprogram the controller.
  • 17. Mission #1: Introduce Threat To Target Network.
  • 18. The Infection. Infected a willing or unknowing third party: an insider; a contractor; a SCADA conference USB give-away. The original infection was most likely introduced by a removable drive.
  • 19. Getting From the USB to the Computer. Stuxnet used two methods to infect the computer via USB. Method #1: malformed shortcut file (.LNK). Method #2: Autorun design flaw (.INI).
  • 20. Method #1: The LNK Vulnerability. Design-level flaw in Windows Desktop Explorer (not Internet Explorer) when viewing shortcuts. Shortcut properties: File Name: Shortcut; File Size: 1 KB; Icon Location: c:\icon -> d:\bad_file. In our scenario, this file was the Stuxnet worm.
  • 21. How Stuxnet Exploits This Vulnerability. Stuxnet arrives on a removable drive (USB): the Stuxnet worm, plus a shortcut file that points at the worm. Once viewed and exploited: hides the files on the USB; hides itself from antivirus.
  • 22. Autorun.inf — "Cunning" Hack. An Autorun.inf file is a configuration file placed on removable drives that instructs Windows to automatically execute a file when inserted. Filename: autorun.inf. Contents: Stuxnet's code, followed by the AutoRun section: [autorun] OPEN = setup.exe
  • 24. Catch Me If You Can. But, files are visible on the USB drive…
  • 25. Catch Me If You Can. But, files are visible on the USB drive… Files are still there. We just don't list them anymore.
  • 26. ANY * ANY * INFECT. Stuxnet used two methods to infect the computer via USB.
  • 27. Compromised Certificates. These kinds of activities require a legitimate certificate signed and trusted by Microsoft. Both of these companies seem to have offices in the Hsinchu Science and Industrial Park (Taiwan), which could indicate an insider job.
  • 28. DEMO TIME. Autorun.inf; LNK vulnerability (MS10-046).
  • 29. Mission #1 Completed. Internal network: Operator PC (Windows), Field PG, PLC.
  • 30. Mission Objectives (recap): infiltrate the power plant; propagate inside the network; infect the operator computer. GOAL: reprogram the controller.
  • 31. Network Example. Microsoft knew about this one, and claimed it wasn't critical enough. To printer; to file; admin area.
  • 32. Stuxnet Communication Components. Communicate via Peer-2-Peer; communicate with attackers. Infected machine acting as server and infected machine acting as client: Get Version -> Send Version; Request Update -> Send Update. Master? Attackers over the Internet: Do X; Do Y.
  • 33. Mission #2 Completed. Ping: C&C alive! Internal network: found operator. Operator PC (Windows), Field PG, PLC, Internet.
  • 34. Mission Objectives (recap): infiltrate the power plant; propagate inside the network; infect the operator computer. GOAL: reprogram the controller.
  • 35. Mission #3: Infecting The Target. When Stuxnet reaches a Field PG, it installs a Trojan horse that: monitors PLC commands being written and read; infects a PLC by inserting bad commands; masks the fact the PLC is infected. This is a rootkit: software which subverts the operating system.
  • 36. Infected PLC Example (READ/WRITE). Operator (Field PG) -> Operation -> Controller. Change Speed: operator sends 5, the pre-recorded value 5 is echoed back, the controller receives 500. Monitor Speed: the controller is at 500, the infected Field PG shows the expected value 5 to the operator.
  • 37. Mission Objectives (recap): infiltrate the power plant; propagate inside the network; infect the operator computer. GOAL: reprogram the controller.
  • 38. Mission Objectives: infiltrate the power plant; propagate inside the network; infect the operator computer. GOAL: reprogram the controller. Mission Accomplished!!
  • 39. Summary. Complex: Stuxnet is a very sophisticated threat. Quiet: built to stay "under the radar". Dedicated: targeted Iranian nuclear plant. Expensive: used 4 unknown vulnerabilities. Blueprint: Stuxnet is a template for criminals. Productivity: can target other companies.
  • 40. Questions.
  • 41. Thank You. Tomer Teller, Security Evangelist. Email: tomert@checkpoint.com
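The read/write deception of slides 35–36, as an added Python model that is not code from the presentation: because the Field PG is the operator's only path to the PLC, a compromised Field PG can replay the expected speed while writing a different setpoint, and only a reading that bypasses the Field PG exposes the difference. All class and function names are hypothetical.

```python
# Added example (not from the presentation): model of the slide-36 deception.
# A compromised Field PG replays pre-recorded values to the operator while the
# PLC actually receives a different setpoint. Names are hypothetical.


class Plc:
    """Minimal controller: holds one drive-speed setpoint."""

    def __init__(self):
        self.speed = 0

    def write_speed(self, value):
        self.speed = value

    def read_speed(self):
        return self.speed


class FieldPg:
    """Clean operator station: writes and reads go straight to the PLC."""

    def __init__(self, plc):
        self.plc = plc

    def change_speed(self, value):
        self.plc.write_speed(value)
        return self.plc.read_speed()      # operator sees what the PLC holds

    def monitor_speed(self):
        return self.plc.read_speed()


class InfectedFieldPg(FieldPg):
    """Rootkit behaviour from slide 36: the operator's write is replaced by the
    attacker's value, and reads are answered from the recorded operator value."""

    def __init__(self, plc, injected):
        super().__init__(plc)
        self.injected = injected
        self.recorded = None

    def change_speed(self, value):
        self.recorded = value             # remember what the operator expects
        self.plc.write_speed(self.injected)
        return self.recorded              # echo the expected value back

    def monitor_speed(self):
        if self.recorded is None:
            return self.plc.read_speed()
        return self.recorded              # "show expected value"


def out_of_band_check(field_pg, independent_speed, tolerance=0):
    """Defender check: compare the operator-visible speed with a reading that
    does not pass through the Field PG (e.g. a separate sensor)."""
    return abs(field_pg.monitor_speed() - independent_speed) > tolerance
```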