Stuxnet - Case Study

This presentation is for CISS6011 Special Topic: Cybersecurity
in University of Sydney

Published in: Education, Technology

  1. Case Study : Stuxnet By Amr Thabet
  2. Stuxnet Overview
     - Most sophisticated malware ever seen in public
     - Uses up to 6 vulnerabilities (5 in Windows and 1 in Siemens software)
     - Its code is ~1.5 MB (very large)
     - Has 3 rootkits (User-Mode, Kernel-Mode and PLC rootkit)
     - Spreads via USB flash memory and network shares
     - Updates itself via the Internet by connecting (HTTP) to two websites (encrypted connection)
     - Infects SCADA systems
     - The first malware that has a physical payload
  3. Stuxnet Life Cycle
  4. Stuxnet's Main Dropper
     - The dropper is a program that contains the real malware and carries it from one PC to another (like a ship)
     - It loads the main DLL in a special way
     - It calls LoadLibraryA after hooking the file-management APIs that LoadLibraryA uses, so the DLL is read from memory instead of from a file on the disk
  5. Process Injection
     - Stuxnet injects itself into a process (usually lsass.exe)
     - It copies itself into the memory of lsass and then forces lsass to execute it by modifying its code
     - In Stuxnet's case it unmaps (removes) the original lsass image from memory (while the process is suspended) and then loads another PE file into that memory with the same entry point
  6. Escalation of Privileges
     - Escalation of privileges means doing something your current rights do not allow. Stuxnet takes administrator privileges to install itself
     - It uses 2 vulnerabilities in the Windows OS:
     - CVE-2010-2743 (MS10-073) - Win32K.sys Keyboard Layout Vulnerability
     - CVE-xxxx-xxxx (MS-xx-xxx) - Windows Task Scheduler Vulnerability
     - These vulnerabilities allow Stuxnet to execute as a system application (it runs like a system process)
  7. Installation Mechanism
     - It installs these files:
     - %SystemRoot%\inf\oem7A.PNF
     - %SystemRoot%\inf\mdmeric3.PNF
     - %SystemRoot%\inf\mdmcpq3.PNF
     - %SystemRoot%\inf\oem6C.PNF
     - %SystemRoot%\Drivers\mrxnet.sys
     - %SystemRoot%\Drivers\mrxcls.sys
     - Then it adds MrxNet and MrxCls to the registry to be sure they will be executed on every boot
  8. Disabling Windows Defender
     - It modifies some registry entries related to Windows Defender:
     - SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
       - EnableUnknownPrompts
       - EnableKnownGoodPrompts
       - ServicesAndDriversAgent
     - These modifications allow Stuxnet to run normally without being blocked
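A read-only host check for the artefacts from slides 7 and 8, added here as an example and not part of the presentation. It assumes the drivers sit in the standard %SystemRoot%\System32\drivers folder (the slide abbreviates the path) and that a value of 0 in the listed Defender entries means the prompt or agent is switched off.

```powershell
# Added example, not from the presentation: report Stuxnet installation
# artefacts from slides 7 and 8. Read-only; run from an elevated prompt.
$findings = @()

# Slide 7: dropped files. The slide text lost its backslashes; paths restored.
# Assumption: drivers are in the standard driver folder under System32.
$droppedFiles = @(
    "$env:SystemRoot\inf\oem7A.PNF",
    "$env:SystemRoot\inf\mdmeric3.PNF",
    "$env:SystemRoot\inf\mdmcpq3.PNF",
    "$env:SystemRoot\inf\oem6C.PNF",
    "$env:SystemRoot\System32\drivers\mrxnet.sys",
    "$env:SystemRoot\System32\drivers\mrxcls.sys"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Check = 'File'; Item = $f; Value = 'present' }
    }
}

# Slide 7: MrxNet / MrxCls registered to start on every boot. Driver entries
# live under the Services key, so the key's presence is the indicator.
foreach ($svc in 'MRxNet', 'MRxCls') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Check = 'Service'; Item = $svc; Value = $img }
    }
}

# Slide 8: Windows Defender real-time protection values. Assumption: 0 turns
# the prompt or agent off, which is the state the malware leaves behind.
$rtp = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
foreach ($name in 'EnableUnknownPrompts', 'EnableKnownGoodPrompts', 'ServicesAndDriversAgent') {
    $val = (Get-ItemProperty -LiteralPath $rtp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val -and $val -eq 0) {
        $findings += [pscustomobject]@{ Check = 'Defender'; Item = $name; Value = $val }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Stuxnet installation artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on any row is a reason to image the host rather than delete the file, since the kernel-mode rootkit on slide 14 can hide the same files from a live system.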
  9. Spreading Mechanism: USB Infection
     - Stuxnet uses a vulnerability in the Windows OS:
     - CVE-2010-2568 (MS10-046) - Windows Shell LNK Vulnerability
     - This vulnerability is in the handling of shortcuts to CPL files
     - For these shortcuts, Explorer loads the icon dynamically
     - This loading makes Explorer load the CPL file and call its entry point
     - Stuxnet uses this trick to make Explorer call the entry point of its executable
  10. Spreading Mechanism: Network
     - Stuxnet spreads via the network by using 2 vulnerabilities:
     - CVE-2010-2729 (MS10-061) - Windows Print Spooler Service Vulnerability
     - CVE-2008-4250 (MS08-067) - Windows Server Service NetPathCanonicalize()
     - The 1st vulnerability allows Stuxnet to infect PCs that share their printers
     - The 2nd was used before by Conficker and allows Stuxnet to spread via network shares
  11. Updating Mechanism
     - Stuxnet updates itself via 2 websites
     - Stuxnet also updates itself via a P2P connection (on the isolated machines)
     - The infected machines communicate via RPC connections
     - This lets it control the ICS machines without a direct connection to the Internet
  12. Rootkits
     - A rootkit is a program (or tool) used by malware to hide its presence
     - In Stuxnet, the rootkits hide the Stuxnet files on the infected USB flash memory
     - Stuxnet has 2 Windows rootkits: a User-Mode and a Kernel-Mode rootkit
  13. User-Mode Rootkit
     - Loaded by the LNK vulnerability
     - Used only once, before infecting a machine
     - It modifies the pointers to the file-management APIs
     - Changes the input or the output of these APIs
     - Hides the Stuxnet flash memory files
  14. Kernel-Mode Rootkit
     - It's a device driver
     - It's installed during the installation process of Stuxnet
     - It's a simple file system filter
     - It modifies the outputs and the inputs of the file-management functions inside the kernel
  15. Loading Mechanism
     - There are two ways for Stuxnet to load:
     - 1. WTR4141.TMP:
       - Loaded by the LNK vulnerability
       - Loads the main dropper of Stuxnet
     - 2. MrxCls:
       - It's a device driver
       - Injects Stuxnet into services.exe every time the system boots
  16. Thank You
     - For any question don't forget to mail me at:
     - [email_address]
     - For more about me visit my website
     - Or my blog
     - http://
  17. Thank You