I Heart Stuxnet

I Stuxnet or: How I Learned to Stop Worrying and Love The Worm Gil Megidish [email_address]

DISCLAIMER
I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor do I know of its origins. Everything in this presentation is purely an analysis of documents written by Wikipedia, Symantec, ESET and professional security advisors.

My First Anti-Virus

What is Stuxnet ?
Most complicated computer-worm ever discovered.
Targets industrial control systems such as in gas pipelines or power plants.
An on-going work, dates back to Dec, 2008.

Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3

Bushehr Nuclear Power Plant

Agenda
Introduction to Computer Virii
Stuxnet’s timeline
Infection mechanism
Targeted systems
Whodunit ?

Computer Virus
A software that replicated itself onto other executable files.

Computer Worm
A software that replicates itself onto other computers; usually via exploits.

Rootkit
Enable continued access while actively hiding presence.

CVE-2010-0049
Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on victim’s machine.
15 Dec 2009 Vendor notified
15 Dec 2009 Vendor replied
11 Mar 2010 Coordinated public disclosure

The List Never Ends Backdoor Worms Viruses Adware Spyware Trojan Horse Rootkit Botnet Phishing XSS Spoofing Man in the Middle D.o.S. CSRF

“ Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months. “
Frank Rieger (GSMK)

Timeline
2008.11 – Trojan.Zlob found to be using LNK vulnerability
2009.04 – Hakin9 magazine publishers Printer Spooler vulnerability
2010.01 – Stuxnet variant found with Realtek certificate
2010.03 – Stuxnet variant found using LNK vulnerability
2010.06 – VeriSign revokes Realtek’s certificate
2010.06 – Stuxnet variant found with JMicron certificate
2010.07 – Symantec monitors Stuxnet’s C&C traffic
2010.07 – VeriSign revokes JMicron’s certificate
2010.08 – Microsoft patches LNK vulnerability.
2010.09 – Microsoft patches Printer Spooler vulnerability.
2009.06 – First variant of Stuxnet found 2010.05 – Stuxnet first detected, named RootkitTmphider

Exploit #1: LNK Vulnerability
Affects Windows 2000, Windows XP, Windows
Server 2003, Windows Vista and Windows 7
CVE-2010-2568

Exploit #2: Print Spooler Vulnerability MS10-061 Affects Windows XP and legacy Lexmark/Compaq printers.

Exploit #3:Windows Server Service MS08-067 Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.

Metasploit: point. click. root.

Rootkitting Windows

Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

Taiwanese Ninjas?

Two More Zero-Day Exploits

WinCCConnect : 2WSXcder … Yes!

Peer To Peer Upgrades Get version number Request payload #version# Current version Infected A Infected B

Command and Control todaysfutbol.com mypremierfutbol.com GET / 200 OK GET index.php?data=[XOR%31] 200 OK: Executable code Infected PC

whois mypremierfutbol.com

Siemens SIMATIC Step 7

Step 7 Editor Developer Station WinCC MS-SQL Database PLC

Step7 Interception s7otbxdx.dll s7blk_read s7blk_write s7_blk_findfirst s7_blk_delete All communication done through s7otbxdx library Developer Station PLC

Step7 Interception s7otbxsx.dll s7blk_read s7blk_write s7_blk_findfirst s7_blk_delete Man in the middle rootkit! Developer Station PLC s7otbxdx.dll

OB1 Main Organization Block OB35 Watchdog Organization Block

What the hell does it do?

Vacon NX

The End of Stuxnet ? 

v So, whodunit ?

The Americans ?

The Russians ?

The Israelis ?

19790509

b:yrtusrcbjfre_w2k_x86386 uava.pdb

Dan Hamizer

WE MAY NEVER KNOW

Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code.
The Atlantic

I Stuxnet

LESS OF THIS

AND MORE OF THIS

NONE OF THIS

AND LOTS OF THIS

THANK YOU

Links
Symantec’s Stuxnet Dossier http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
ESET: Stuxnet Under The Microscope http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Siemens Step 7 Programmer’s Handbook http://www.plcdev.com/book/export/html/373

Gil Megidish [email_address]

I Heart Stuxnet

by Gil Megidish on Nov 23, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

I Heart Stuxnet — Presentation Transcript