I Heart Stuxnet
or: How I Learned To Stop Worrying And Love The Worm

Video: http://vimeo.com/17364186

Published in: Technology

Notes
  • I wrote my first virus in 1996 or 1997
    Fixed Burgler & Major BBS viruses
    Why did I do it?
  • Most complicated worm ever.
    Targets SCADA (Supervisory Control and Data Acquisition) systems used in gas pipelines and power plants
    DNS entries date back to Dec 2008. Can't tell when development really started. Discovered in May 2010.
  • Worm attacked many computers.
    More than 100,000 hosts with 40,000 unique IPs, over 155 countries.
    High percentage (over 60% of total) were from Iran. But clearly also India and Indonesia.
  • Started in 1974 with help of Germany's Siemens and French scientists.
    Started operating in 2010 with arrival of Russian nuclear fuel
  • Term invented by Fred Cohen (California)
    First virus for PC: (c)Brain by the Farooq Alvi brothers in 1986 (Pakistan)
    First virus for EXE: Jerusalem 1987. Attacks on Friday the 13th.
    Viruses' names are made up by the finders, not the writers
    Mentions: Ping Pong, Stoned
    Eliashim ViruSafe, Central Point Turbo Anti Virus, many others
    Viruses can be written in Word macros (so they infect Macs as well).
  • Worms can be good: Xerox PARC's Nachi worms
    Mentions: ILOVEYOU (Outlook, $5 billion damages),
    Samy Worm (1,000,000 MySpace accounts in 20 hours)
  • Rootkits
    Story about hacked server in India
    Unix rootkitting as easy as Windows rootkitting
  • Common Vulnerabilities and Exposures (CVE)
    This specific CVE describes an attack on ALL iPhones, iPads and Macs
    4000 CVE updates a year; recently Backdoor.Pirpi uses CVE-2010-3962
  • Virus, Rootkitting, Backdoor, Cross Site Request Forgery, Adware, Worms, Trojan Horse, Spyware, Denial of Service, Cross Site Scripting, Spoofing, Man in the Middle, Botnet, Phishing
  • Running Stuxnet will copy itself to any REMOVABLE device through hooks in the filesystem.
    It will also hide LNK files that are 4171 bytes long, and ~WTR[a+b+c+d mod 10==0] files
  • Was released in Hakin9 magazine in April 2009. Any Windows XP host sharing a printer is vulnerable.
    Newer operating systems (Vista, 2003, 2008 and Win7) are vulnerable if a legacy Lexmark or Compaq printer is shared.
    Specially crafted print requests will store a file in %system32%
  • 2-year-old exploit. Why would they put in the exploit if it's no use after Oct 12?
    Maybe because they know there are old unpatched OSes? Maybe it's old code
    inside the worm?
    Specially crafted
  • How do you steal certificates?
    These places are very close to each other physically. Can somebody have broken into both?
    Maybe they share the same cleaning company? An early version of Stuxnet? Code outsourced to India?
  • Periodically executed
    OB35 runs every 100ms to check for critical values
  • Vacon NX (Finland) and Fararo Paya (Iran)
    Variable speed AC drives (frequency converters)
    Rotate stuff at high speeds.
    Speeds above 800 Hz need authorization of USA Nuclear
    Virus expects drives at 807 Hz-1210 Hz
    Then changes speeds to 1410 Hz, then 2 Hz, and then 1064 Hz.
    Vacon denies any relationship with Iran
  • Nov 12, Siemens releases an antivirus
    No fix for SQL
    Microsoft releases fixes throughout October
    Still 2 escalation bugs exist
    Nobody will give up on this baby
    Iranians don't cooperate anyway
  • The Germans, the French, al-Qaeda, aliens, even references to the Bible.
  • USA has both the motives and the means to pull this kind of thing.
    2-year-old exploits, known by Microsoft, never patched.
    Moreover, Microsoft released a huge patch update, but neglected Printer Spooler (fixed 7 days later)
    GoDaddy accounts, Domains By Proxy, there's a VISA at the end of the chain!
    An attack against Siemens instead?
  • Subcontractors of the Iranians. Have full access to facilities, and are the only party
    that can initiate the attack via USB drive. Conficker (Ukrainian?), similar virus, 7 million affected machines – botnet.
  • Really need this, and capable of doing it. (8200)
    COMPLETE silence in the media (censorship?)
    Rosh Agaf Modyin Amos Yadlin said 2009
  • Jewish businessman Habib Elghanian executed by a firing squad in Tehran
  • Myrtus, Guava, Hadassah -> Esther, Persians -> Iranians
    My RTUs => SCADA (Supervisory Control and Data Acquisition), RTU => Remote Terminal Unit (converts signals to/from digital)
    B: drive?
    Redundancy in code (2 privilege bugs, 2 SSL certificates, 2 exploits)
  • How come so many countries were infected? Why did it spread beyond Iran?
    In the code it's supposed to limit itself to 3 computers, why did it spread so much?
    Why does it stop working on July 24 2012? What's on that date??
  • Brian Tillett of Symantec claims traces of 30 or more programmers in Stuxnet
  • Could have blown up the world, but done very carefully
    Has been in the works for at least 2 years
    Uses 4 zero-day exploits
    Upgrades itself via peer-to-peer communications
    Has a command and control server
    Self-replicating through the WinCC SQL server
    Uses 2 stolen signed driver certificates
    Fingerprints industrial control systems and only affects specific components
    Detects and fools over 10 different versions of antivirus software
    Hacks PLC devices
    Has a Windows rootkit, and a PLC rootkit
    Has a code base that is larger than kernel32.dll zipped!
    SUPPORTS OPERATING SYSTEMS FROM WINDOWS 98 TO WINDOWS 7
    AND IS BUG FREE
  • I Heart Stuxnet

    1. I ♥ Stuxnet
       or: How I Learned to Stop Worrying and Love The Worm
       Gil Megidish, gil@megidish.net
    2. DISCLAIMER
       I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor do I know of its origins. Everything in this presentation is purely an analysis of documents written by Wikipedia, Symantec, ESET and professional security advisors.
    3. My First Anti-Virus
    4. What is Stuxnet?
       • Most complicated computer worm ever discovered.
       • Targets industrial control systems such as in gas pipelines or power plants.
       • An on-going work, dates back to Dec 2008.
    5. Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3
    6. Bushehr Nuclear Power Plant
    7. Agenda
       Introduction to Computer Virii
       Stuxnet's timeline
       Infection mechanism
       Targeted systems
       Whodunit?
    8. Computer Virus
       • Software that replicates itself onto other executable files.
    9. Computer Worm
       • Software that replicates itself onto other computers, usually via exploits.
    10. Rootkit
       • Enables continued access while actively hiding its presence.
    11. CVE-2010-0049
       • Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on the victim's machine.
       15 Dec 2009: Vendor notified
       15 Dec 2009: Vendor replied
       11 Mar 2010: Coordinated public disclosure
    12. The List Never Ends
       Backdoor, Worms, Viruses, Adware, Spyware, Trojan Horse, Rootkit, Botnet, Phishing, XSS, Spoofing, Man in the Middle, D.o.S., CSRF
    13. "Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months." Frank Rieger (GSMK)
    14-15. Timeline (one slide, shown in two build steps)
       • 2008.11 – Trojan.Zlob found to be using LNK vulnerability
       • 2009.04 – Hakin9 magazine publishes Printer Spooler vulnerability
       • 2009.06 – First variant of Stuxnet found
       • 2010.01 – Stuxnet variant found with Realtek certificate
       • 2010.03 – Stuxnet variant found using LNK vulnerability
       • 2010.05 – Stuxnet first detected, named RootkitTmphider
       • 2010.06 – VeriSign revokes Realtek's certificate
       • 2010.06 – Stuxnet variant found with JMicron certificate
       • 2010.07 – Symantec monitors Stuxnet's C&C traffic
       • 2010.07 – VeriSign revokes JMicron's certificate
       • 2010.08 – Microsoft patches LNK vulnerability
       • 2010.09 – Microsoft patches Printer Spooler vulnerability
    16. Exploit #1: LNK Vulnerability (CVE-2010-2568)
       Affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows 7
    17. Exploit #2: Print Spooler Vulnerability (MS10-061)
       Affects Windows XP and legacy Lexmark/Compaq printers.
    18. Exploit #3: Windows Server Service (MS08-067)
       Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.
    19. Metasploit: point. click. root.
    20. Rootkitting Windows
    21. Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
    22. Taiwanese Ninjas?
    23. Two More Zero-Day Exploits
    24. WinCCConnect : 2WSXcder … Yes!
    25. Peer To Peer Upgrades
       (diagram) Infected A and Infected B exchange: Get version number -> Current version -> Request payload -> #version#
    26. Command and Control
       (diagram) Infected PC -> todaysfutbol.com / mypremierfutbol.com
       GET /  ->  200 OK
       GET index.php?data=[XOR%31]  ->  200 OK: Executable code
    27. whois mypremierfutbol.com
    28. Siemens SIMATIC Step 7
    29. (diagram) Step 7 Editor -> Developer Station -> WinCC MS-SQL Database -> PLC
    30. Step7 Interception
       s7otbxdx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete
       All communication done through the s7otbxdx library (Developer Station <-> PLC)
    31. Step7 Interception
       s7otbxsx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete
       Man in the middle rootkit! (Developer Station <-> s7otbxdx.dll <-> PLC)
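Slides 30-31 and the speaker notes give three on-disk artifacts a defender can look for on a Step 7 developer station: the original s7otbxdx.dll renamed to s7otbxsx.dll next to the replacement, ~WTR files whose four digits sum to a multiple of 10, and LNK files of exactly 4171 bytes. The scanner below is an added example, not code from the deck or from any vendor; it assumes the ~WTR files carry a .tmp suffix (as in the Symantec dossier linked on slide 52) and builds a constructed sample tree so it runs offline.

```python
"""Added example: scan a directory tree for the Stuxnet file artifacts the deck describes."""
import os
import re
import tempfile
from pathlib import Path

# From the deck: the rootkit hides ~WTR files whose digits sum to a multiple of 10 and
# LNK files of exactly 4171 bytes; on Step 7 stations the genuine s7otbxdx.dll is renamed
# to s7otbxsx.dll and a replacement takes its name. The .tmp suffix is an assumption here.
WTR_NAME = re.compile(r"^~WTR(\d{4})\.tmp$", re.IGNORECASE)
HIDDEN_LNK_SIZE = 4171


def wtr_digit_rule(name: str) -> bool:
    """True when name is ~WTRabcd.tmp with (a+b+c+d) % 10 == 0, the deck's hiding rule."""
    m = WTR_NAME.match(name)
    return bool(m) and sum(int(d) for d in m.group(1)) % 10 == 0


def scan_dir(root: str) -> list:
    """Walk root and return sorted (reason, path) pairs for every indicator found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        if "s7otbxdx.dll" in lower and "s7otbxsx.dll" in lower:
            findings.append(("s7otbxdx.dll sits beside renamed original s7otbxsx.dll", dirpath))
        for f in files:
            path = os.path.join(dirpath, f)
            if wtr_digit_rule(f):
                findings.append(("~WTR name passes the mod-10 digit rule", path))
            elif f.lower().endswith(".lnk") and os.path.getsize(path) == HIDDEN_LNK_SIZE:
                findings.append(("LNK file is exactly 4171 bytes", path))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample tree (placeholder bytes, not malware): three hits, two benign decoys."""
    root = tempfile.mkdtemp(prefix="stuxnet_ioc_")
    step7 = Path(root, "Step7")
    step7.mkdir()
    (step7 / "s7otbxdx.dll").write_bytes(b"stand-in for the replacement library")
    (step7 / "s7otbxsx.dll").write_bytes(b"stand-in for the renamed original")
    (Path(root) / "~WTR4132.tmp").write_bytes(b"4+1+3+2 = 10 -> hit")
    (Path(root) / "~WTR4133.tmp").write_bytes(b"digits sum to 11 -> benign decoy")
    (Path(root) / "Copy of Shortcut.lnk").write_bytes(b"\x4c" * HIDDEN_LNK_SIZE)
    (Path(root) / "report.lnk").write_bytes(b"\x4c" * 100)  # wrong size -> benign decoy
    return root


if __name__ == "__main__":
    for reason, path in scan_dir(build_sample_tree()):
        print(f"{reason}: {path}")
```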
    32. OB1 Main Organization Block
       OB35 Watchdog Organization Block
    33. What the hell does it do?
    34. Vacon NX
    35. Vacon NX
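The speaker notes for the Vacon NX slides state that the worm looks for drives running at 807-1210 Hz and then commands 1410 Hz, 2 Hz and 1064 Hz in turn. The monitor below is an added example, not the deck's or Vacon's code; it compares each commanded frequency against the engineered band and the previous sample, so all three steps raise an alert. The 50 Hz step limit and the sample sequence are constructed for illustration, and because slide 31 shows Step 7 traffic being intercepted on the developer station, a check like this only helps when it reads from a measurement path that station cannot tamper with.

```python
"""Added example: flag drive setpoints that leave the engineered band or jump abruptly."""
from dataclasses import dataclass

# From the speaker notes: Stuxnet expects drives at 807-1210 Hz, then commands
# 1410 Hz, 2 Hz and 1064 Hz. The band is the deck's; the step limit is assumed.
NOMINAL_BAND_HZ = (807.0, 1210.0)
MAX_STEP_HZ = 50.0  # assumed: largest legitimate change between two consecutive samples


@dataclass
class Alert:
    index: int      # position of the offending sample
    hz: float       # commanded frequency at that sample
    reasons: str    # why it was flagged


def check_setpoints(samples, band=NOMINAL_BAND_HZ, max_step=MAX_STEP_HZ):
    """Return one Alert per sample that is out of band and/or jumps more than max_step."""
    lo, hi = band
    alerts, prev = [], None
    for i, hz in enumerate(samples):
        reasons = []
        if not lo <= hz <= hi:
            reasons.append(f"outside {lo:.0f}-{hi:.0f} Hz band")
        if prev is not None and abs(hz - prev) > max_step:
            reasons.append(f"step of {abs(hz - prev):.0f} Hz exceeds {max_step:.0f} Hz")
        if reasons:
            alerts.append(Alert(i, hz, "; ".join(reasons)))
        prev = hz
    return alerts


# Constructed sample: three normal readings, then the sequence the deck attributes to the worm.
SAMPLE_SETPOINTS_HZ = [1000.0, 1005.0, 1010.0, 1410.0, 2.0, 1064.0]

if __name__ == "__main__":
    for a in check_setpoints(SAMPLE_SETPOINTS_HZ):
        print(f"sample {a.index}: {a.hz:.0f} Hz: {a.reasons}")
```

The final 1064 Hz value is inside the band and is caught only by the step check, which is why the monitor needs both rules.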
    36. The End of Stuxnet?
    37. So, whodunit?
    38. The Americans?
    39. The Russians?
    40. The Israelis?
    41. 19790509
    42. b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
    43. Dan Hamizer
    44. WE MAY NEVER KNOW
    45. Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code. The Atlantic
    46. I ♥ Stuxnet
    47. LESS OF THIS
    48. AND MORE OF THIS
    49. NONE OF THIS
    50. AND LOTS OF THIS
    51. THANK YOU
    52. Links
       • Symantec's Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
       • ESET: Stuxnet Under The Microscope: http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
       • Siemens Step 7 Programmer's Handbook: http://www.plcdev.com/book/export/html/373
    53. Gil Megidish, gil@megidish.net