The 1-hour Guide to Stuxnet
Carey Nachenberg
Vice President, Symantec Fellow
Symantec Corporation
This is Natanz, Iran
And these are Natanz’s centrifuges
And this is how they’re controlled
[Diagram: a Windows PC, a Programmable Logic Controller, Communications Processors (Routers), Frequency Converters and the Centrifuges]
Industrial control systems are typically controlled by a standard PC running industrial control software like STEP7 from Siemens.
The PLC is a specialized piece of hardware that orchestrates control of multiple connected mechanical devices.
Communications Processors route commands from the PLC to groups of mechanical devices.
Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.
Centrifuges enrich uranium so it can be used to power nuclear plants or weapons.
And this is how they’re isolated
[Diagram: the same control chain, from the Windows PC through the PLC, Communications Processors and Frequency Converters to the Centrifuges, labelled “Research Network”]
And this is (probably) an Israeli Mossad programmer, who wants to introduce Stuxnet onto this computer right here.
So how exactly does this (Stuxnet) get onto an “air-gapped” network to disrupt these (the centrifuges)?
It’s got to spread on its own…
All while evading detection.
Until it discovers the proper computers…
Where it can disrupt the centrifuges…
It’s got to spread on its own…
Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors!
It copies itself to open file-shares.
It attacks a hole in Windows’ print spooler.
It attacks a hole in Windows RPC.
It password-cracks Siemens DB software.
It infects Siemens PLC data files.
Peers update other peers directly.
Stuxnet uses thumb drives to bridge the gap!
Usually we’re surprised when we see a threat targeting one flaw... But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network? USB drives!
Spreading – A Sidebar
Windows has a built-in task scheduler system. Each user can add new tasks to be run at a certain time and with a certain permission level. (Regular users can’t add “root” level jobs.)
Windows Tasks:
Task #1: Job: Delete temp files. Run as: Root user. Run at: 10pm.
Task #2: Job: Clean registry. Run as: Jim (non-root). Run at: 6pm.
Task #3: Job: Print receipts. Run as: Ted (non-root). Run at: 2am.
To prevent tampering, Windows computes a CRC32 hash for each task record and stores this in a protected area of the computer. (The tasks themselves are stored as globally readable/writable XML files.)
Task1 hash: 9B7CC653
Task2 hash: 11090343
Task3 hash: 40910276
When it arrives on a machine, Stuxnet starts running with non-administrator privileges. But to do its mischief, Stuxnet needs to run with “root” privileges.
So first, Stuxnet creates a new task, using the permissions of the current user:
Task #4: Job: Run stuxnet.dll. Run as: Ted (non-root). Run at: 2pm.
And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-level job), it calculates the job’s hash and adds it to the security store:
Task4 hash: DE9DBA76
Next, Stuxnet modifies the XML job file it just added, changing its permission to “root” (Run as: Ted (non-root) becomes Run as: Root user)! (Remember, the XML files are writable.)
But wait! The updated job file hash no longer matches the protected hash stored by Windows! If Windows were to process the updated job file, it would detect this and reject it!
New hash: 66C35150
Ah, but Stuxnet is more clever than that. Stuxnet knows how to forge a CRC: it computes a set of values which, if appended to the file, will result in its CRC matching the original! And then it appends these bytes to the file (shown on the slide as “XQ”).
New hash: DE9DBA76
And Windows will happily run the updated job, giving Stuxnet root-level privileges!
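The forgery the sidebar describes, and the fix it implies, as an added example that is not from the presentation or from Symantec: a toy task store protected by CRC32 next to one protected by an HMAC, showing that a four-byte suffix restores the CRC of an edited record while the keyed hash still rejects it. The record layout, the key and the job strings are constructed assumptions.

```python
"""Why a CRC32 over a world-writable record is not tamper protection.

This models the task-scheduler sidebar: anyone can edit the task record,
and a "protected" table holds a CRC32 of each record.  CRC32 is a linear
checksum, not a keyed hash, so an edited record can be brought back to
its old CRC by appending four chosen bytes.  An HMAC keyed with a secret
that the unprivileged writer cannot read has no such property.  The
records, key and job strings below are constructed sample data.
"""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib.crc32

# Standard byte-wise CRC-32 table, and its inverse keyed by top byte.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
REV = {TABLE[n] >> 24: n for n in range(256)}
assert len(REV) == 256  # top bytes are all distinct; that is what makes this work


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    want = target ^ 0xFFFFFFFF            # register value we must reach
    # Backwards: after 4 byte steps the old register is shifted out, so
    # the final value depends only on the 4 table indices used.
    idx = [0] * 4
    w = want
    for i in range(3, -1, -1):
        idx[i] = REV[w >> 24]
        w = ((w ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forwards: choose each byte so the CRC step uses that index.
    out = bytearray()
    for k in idx:
        out.append((reg ^ k) & 0xFF)
        reg = TABLE[k] ^ (reg >> 8)
    return bytes(out)


SECRET_KEY = b"constructed-key-readable-only-by-root"  # constructed sample key


def task_record(job: str, run_as: str, run_at: str) -> bytes:
    """Stand-in for the XML job file from the slides (constructed layout)."""
    return (f"<Task><Job>{job}</Job><RunAs>{run_as}</RunAs>"
            f"<RunAt>{run_at}</RunAt></Task>").encode()


def crc_of(rec: bytes) -> int:
    return zlib.crc32(rec) & 0xFFFFFFFF


def crc_accepts(rec: bytes, stored_crc: int) -> bool:
    """The slide's scheme: compare the record's CRC32 with the stored one."""
    return crc_of(rec) == stored_crc


def mac_of(rec: bytes) -> bytes:
    return hmac.new(SECRET_KEY, rec, hashlib.sha256).digest()


def mac_accepts(rec: bytes, stored_mac: bytes) -> bool:
    """Keyed alternative: cannot be satisfied without SECRET_KEY."""
    return hmac.compare_digest(mac_of(rec), stored_mac)


def demo() -> dict:
    """Replay the sidebar against both schemes and report what each accepts."""
    original = task_record("Run stuxnet.dll", "Ted (non-root)", "2pm")
    stored_crc, stored_mac = crc_of(original), mac_of(original)

    # The writable file is edited to escalate the run-as identity.
    edited = task_record("Run stuxnet.dll", "Root user", "2pm")
    plain_edit_caught = not crc_accepts(edited, stored_crc)

    # Four appended bytes restore the original CRC32 (the slide's "XQ").
    patched = edited + crc32_suffix(edited, stored_crc)
    return {
        "plain_edit_caught_by_crc": plain_edit_caught,
        "patched_accepted_by_crc": crc_accepts(patched, stored_crc),
        "patched_accepted_by_hmac": mac_accepts(patched, stored_mac),
        "suffix_len": len(patched) - len(edited),
    }


if __name__ == "__main__":
    print(demo())
```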
Until it discovers the proper computers…
Stuxnet is extremely picky and only activates its payload when it’s found an exact match.
The targeted computer must be running STEP7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
…
Now if you do the math… Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters…
And recently we learned that Iran’s uranium enrichment “cascade” just happens to use exactly 160 centrifuges. What a coincidence!
The creators of Stuxnet must have guessed all of these details.
Now Stuxnet gets down to business…
Stuxnet starts by downloading malicious logic onto the PLC hardware.
What you (probably) didn’t realize is that the PLC uses a totally different microchip & computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip!
Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days! And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges. After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)
Once it’s sure, the malicious PLC logic begins its mischief!
[Gauge: 0Hz to 1500Hz]
Stuxnet raises the spin rate to 1410Hz for 15 mins.
Then sleeps for 27 days.
Then slows the spin rate to 2Hz for 50 mins.
Then sleeps for 27 days.
Stuxnet repeats this process over and over.
Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).
What about Iranian failsafe systems?
(Surely by now you’re thinking that alarm bells should have been blaring at the enrichment plant, right?)
Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range.
But worry not… Stuxnet takes care of this too.
Maybe Stuxnet pulled a mission impossible?!? And in fact, that’s exactly what Stuxnet did!
Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the fail-safe systems!
And Stuxnet disables the emergency kill switch on the PLC as well… Just in case someone tries to be a hero.
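As an added example (not part of the presentation), detection logic a fail-safe could run to catch the replay the slides describe: it assumes a second, independent measurement path that the PLC cannot rewrite, a 25Hz tolerance between the two paths and 8-sample windows; the telemetry is constructed.

```python
"""Fail-safe checks that recorded-and-replayed telemetry does not pass.

The slides describe a fail-safe that only band-checks the frequency the
PLC reports, which a replayed recording satisfies.  Added example, not
from the presentation: it assumes a second measurement path (an
independent sensor the controller cannot rewrite), a 25Hz tolerance
between the two paths, and 8-sample windows.  All telemetry is constructed.
"""
from collections import deque
from typing import Dict, List, Tuple

ACCEPTABLE_BAND = (807.0, 1210.0)  # Hz, the band named in the slides
MAX_DIVERGENCE_HZ = 25.0           # assumed tolerance between the two paths
WINDOW = 8                         # assumed samples per replay-detection window


def in_band(hz: float) -> bool:
    """The slide's fail-safe rule: shut down if frequency leaves the band."""
    lo, hi = ACCEPTABLE_BAND
    return lo <= hz <= hi


class FailSafeMonitor:
    def __init__(self, window: int = WINDOW, max_div: float = MAX_DIVERGENCE_HZ):
        self.window = window
        self.max_div = max_div
        self.recent = deque(maxlen=window)
        self.seen_windows = set()

    def feed(self, reported: float, independent: float) -> List[str]:
        """Return the alarm names raised by one pair of readings."""
        alarms = []
        if not in_band(reported):
            alarms.append("band_reported")       # the only check on the slide
        if not in_band(independent):
            alarms.append("band_independent")    # same rule on the other path
        if abs(reported - independent) > self.max_div:
            alarms.append("divergence")          # the two paths disagree
        self.recent.append(round(reported, 3))
        if len(self.recent) == self.window:
            key = tuple(self.recent)
            if key in self.seen_windows:
                alarms.append("replay")          # exact repeat of an old window
            self.seen_windows.add(key)
        return alarms


def constructed_trace() -> List[Tuple[float, float]]:
    """(reported, independent) pairs: 16 normal samples, then 16 under attack."""
    normal = [1063.4, 1064.1, 1062.9, 1063.8, 1064.6, 1063.1, 1064.3, 1062.7,
              1063.9, 1064.8, 1063.3, 1062.5, 1064.0, 1063.6, 1064.4, 1062.8]
    trace = [(f, f) for f in normal]            # both paths agree
    # Attack: the PLC replays the recorded normal values while the motors
    # are actually driven to 1410Hz, as the slides describe.
    trace += [(f, 1410.0) for f in normal]
    return trace


def run(trace: List[Tuple[float, float]]) -> Dict[str, int]:
    """Count each alarm type over a trace and note the first alarmed index."""
    mon = FailSafeMonitor()
    counts = {"band_reported": 0, "band_independent": 0, "divergence": 0,
              "replay": 0, "first_alarm_index": -1}
    for i, (rep, ind) in enumerate(trace):
        alarms = mon.feed(rep, ind)
        if alarms and counts["first_alarm_index"] < 0:
            counts["first_alarm_index"] = i
        for a in alarms:
            counts[a] += 1
    return counts


if __name__ == "__main__":
    print(run(constructed_trace()))
```

The reported-value band check never fires, which is the slide's point; the cross-path and replay checks fire from the first attack sample.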
All while evading detection…
Stuxnet uses five distinct mechanisms to conceal itself.
#5: Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”
#4: Stuxnet inhibits different behaviors in the presence of different security products to avoid detection. [Diagram: which of attacks A–D it launches depends on the security product present]
#3: Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.
#2: Stuxnet’s authors “digitally signed” it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1km apart in the same Taiwanese business park.
#1: Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)! [Diagram: the PLC’s instructions to the centrifuges, “During normal operation: Spin at 1410Hz. In case of emergency: IGNORE OPERATOR COMMANDS”, hidden from the operator]
Stuxnet Epidemiology
Did It Succeed?
Well, based on some clever Symantec engineering, we’ve got some interesting data.
Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited.
Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands: www.mypremierfutbol.com and www.todaysfutbol.com.
Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.
Stuxnet Bookkeeping
[Diagram: successive copies of the sample, each carrying a longer list of the addresses it has passed through]
Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics!
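An added example of the forensics the visited list makes possible, not Symantec’s own tooling: it assumes a constructed record format (one line per recovered sample, hops written as host@unix-time and joined with “>”) and constructed host names, and rebuilds the infection tree from several overlapping samples, flagging a host that two samples attribute to different parents.

```python
"""Rebuilding an infection tree from embedded visited lists.

Each recovered sample carries the log of machines it passed through.
Added example, not Symantec's tooling: the record format (one line per
sample, hops as "host@unix-time" joined with ">") and every host name
below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Hop = Tuple[str, int]

# Constructed samples: four copies from one origin, plus a fifth whose list
# attributes site-r-01 to a different parent than the fourth one does.
SAMPLES = [
    "origin-01@1246000000>sub-a-01@1246100000>sub-a-02@1246300000",
    "origin-01@1246000000>sub-a-01@1246100000>sub-a-02@1246300000>sub-a-usb-3@1246400000",
    "origin-01@1246000000>sub-b-01@1246050000",
    "origin-01@1246000000>sub-b-01@1246050000>site-r-01@1246900000",
    "sub-a-02@1246300000>site-r-01@1246950000",
]


def parse_sample(line: str) -> List[Hop]:
    """Split one visited list into (host, timestamp) hops, oldest first."""
    hops = []
    for item in line.strip().split(">"):
        host, ts = item.rsplit("@", 1)
        hops.append((host, int(ts)))
    return hops


class InfectionTree:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}        # child -> host that infected it
        self.first_seen: Dict[str, int] = {}    # host -> earliest timestamp
        self.children = defaultdict(set)        # host -> hosts it infected
        self.conflicts: List[Tuple[str, str, str]] = []  # (host, known, other)

    def add_sample(self, hops: List[Hop]) -> None:
        """Merge one sample's hops; consecutive hops are infection edges."""
        prev = None
        last_ts = -1
        for host, ts in hops:
            if ts < last_ts:
                raise ValueError(f"non-monotonic timestamp at {host}")
            last_ts = ts
            self.first_seen[host] = min(ts, self.first_seen.get(host, ts))
            if prev is not None:
                known = self.parent.get(host)
                if known is not None and known != prev:
                    self.conflicts.append((host, known, prev))
                else:
                    self.parent[host] = prev
                    self.children[prev].add(host)
            prev = host

    def roots(self) -> List[str]:
        """Hosts that no sample shows being infected by another host."""
        return sorted(h for h in self.first_seen if h not in self.parent)

    def path_to(self, host: str) -> List[str]:
        """Infection chain from the root down to `host`."""
        path = [host]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return path[::-1]

    def fan_out(self) -> Dict[str, int]:
        """How many hosts each host went on to infect."""
        return {h: len(self.children[h]) for h in self.first_seen}


def analyse(lines: List[str]) -> InfectionTree:
    tree = InfectionTree()
    for line in lines:
        if line.strip():
            tree.add_sample(parse_sample(line))
    return tree


if __name__ == "__main__":
    t = analyse(SAMPLES)
    print("roots:", t.roots())
    print("fan-out:", t.fan_out())
    print("conflicts:", t.conflicts)
```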
Here’s What We Found
(These graphs show how the discovered samples spread.)
Data at time of discovery (July, 2010)
Distribution of infected systems with Siemens software (percent), data at time of discovery (July, 2010):
Iran           67.60
South Korea     8.10
USA             4.98
Great Britain   2.18
Indonesia       2.18
Taiwan          1.56
India           1.25
Others         12.15
Did It Succeed?
Indications are that it did!
The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”
Symantec telemetry indicates that rather than directly trying to infiltrate Natanz… the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.
Whodunit?
19790509
According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”
June 22, 2009 4:31:47pm GMT
June 22, 2009 6:31:47pm Local (GMT + 2)
To Conclude
Stuxnet proves cyber-warfare against physical infrastructure is feasible.
Unfortunately, the same techniques can be used to attack other physical and virtual systems.
Stuxnet has signaled a fundamental shift in the malware space.
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
The 1-hour Guide to Stuxnet

More Related Content

Similar to The 1-hour Guide to Stuxnet.ppt

04 threads-pbl-2-slots
04 threads-pbl-2-slots04 threads-pbl-2-slots
04 threads-pbl-2-slotsmha4
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)ijceronline
 
EMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxEMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxMohammedtajuddinTaju
 
Difference between i3 and i5 and i7 and core 2 duo pdf
Difference between i3 and i5 and i7 and core 2 duo pdfDifference between i3 and i5 and i7 and core 2 duo pdf
Difference between i3 and i5 and i7 and core 2 duo pdfnavendu shekhar
 
Networking and Computer Troubleshooting
Networking and Computer TroubleshootingNetworking and Computer Troubleshooting
Networking and Computer TroubleshootingRence Montanes
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkitsUltraUploader
 
Supercomputer - Overview
Supercomputer - OverviewSupercomputer - Overview
Supercomputer - OverviewARINDAM ROY
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
 
Beyond the RTOS: A Better Way to Design Real-Time Embedded Software
Beyond the RTOS: A Better Way to Design Real-Time Embedded SoftwareBeyond the RTOS: A Better Way to Design Real-Time Embedded Software
Beyond the RTOS: A Better Way to Design Real-Time Embedded SoftwareQuantum Leaps, LLC
 
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxChapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxJinElias52
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQJérôme Petazzoni
 

Similar to The 1-hour Guide to Stuxnet.ppt (20)

04 threads-pbl-2-slots
04 threads-pbl-2-slots04 threads-pbl-2-slots
04 threads-pbl-2-slots
 
How to-smart-home-pdf-or
How to-smart-home-pdf-orHow to-smart-home-pdf-or
How to-smart-home-pdf-or
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
EMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxEMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptx
 
Lab1
Lab1Lab1
Lab1
 
Difference between i3 and i5 and i7 and core 2 duo pdf
Difference between i3 and i5 and i7 and core 2 duo pdfDifference between i3 and i5 and i7 and core 2 duo pdf
Difference between i3 and i5 and i7 and core 2 duo pdf
 
Vx works RTOS
Vx works RTOSVx works RTOS
Vx works RTOS
 
Networking and Computer Troubleshooting
Networking and Computer TroubleshootingNetworking and Computer Troubleshooting
Networking and Computer Troubleshooting
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
Supercomputer - Overview
Supercomputer - OverviewSupercomputer - Overview
Supercomputer - Overview
 
Embeddedsystems
EmbeddedsystemsEmbeddedsystems
Embeddedsystems
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
 
Beyond the RTOS: A Better Way to Design Real-Time Embedded Software
Beyond the RTOS: A Better Way to Design Real-Time Embedded SoftwareBeyond the RTOS: A Better Way to Design Real-Time Embedded Software
Beyond the RTOS: A Better Way to Design Real-Time Embedded Software
 
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxChapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
 
Realtime
RealtimeRealtime
Realtime
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
 
Lab6 rtos
Lab6 rtosLab6 rtos
Lab6 rtos
 

Recently uploaded

Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNeo4j
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Conceptsthomashtkim
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmuxevmux96
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...OnePlan Solutions
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Flutter Agency
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxFrom Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxNeo4j
 

Recently uploaded (20)

Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxFrom Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
 

The 1-hour Guide to Stuxnet.ppt

  • 1. The 1-hour Guide to Stuxnet Carey Nachenberg Vice President, Symantec Fellow Symantec Corporation The 1-hour Guide to Stuxnet 1
  • 2. 2 This is Natanz, Iran The 1-hour Guide to Stuxnet
  • 3. 3 And these are Natanz’s Centrifuges The 1-hour Guide to Stuxnet
  • 4. 4 And this is how they’re controlled Programmable Logic Controller . . . . . . . . . . . . Communications Processors (Routers) Frequency Converters Centrifuges Windows PC The 1-hour Guide to Stuxnet Communications Processors route commands from the PLC to groups of mechanical devices. Frequency Converters are responsible for converting AC frequencies to either higher-or lower frequencies to operate motors. Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons. The PLC is a specialized piece of hardware that orchestrates control of multiple connected mechanical devices. Industrial control systems are typically controlled by a standard PC running industrial control software like STEP7 from Siemens.
  • 5. 5 And this is how they’re isolated Programmable Logic Controller . . . . . . . . . . . . Communications Processors (Routers) Frequency Converters Centrifuges Windows PC Research Network The 1-hour Guide to Stuxnet
  • 6. 6 And this is (probably) an Israeli Mossad Programmer Who wants to introduce onto this computer right here  The 1-hour Guide to Stuxnet
  • 7. 7 So how exactly does this: Get onto an “air-gapped” network to disrupt these: It’s got to spread on its own… All while evading detection. Until it discovers the proper computers… Where it can disrupt the centrifuges… The 1-hour Guide to Stuxnet
  • 8. It’s got to spread on its own… Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors! It copies itself to open file-shares. It attacks a hole in Windows’ print spooler. It attacks a hole in Windows RPC. It password-cracks SIEMENS DB software. It infects SIEMENS PLC data files. Peers update other peers directly. Stuxnet uses thumb drives to bridge the gap! Usually we’re surprised when we see a threat targeting one flaw... But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network? USB drives! The 1-hour Guide to Stuxnet 8
  • 9. Spreading – A Sidebar The 1-hour Guide to Stuxnet 9 Task #1: Job: Delete temp files Run as: Root user Run at: 10pm Windows Tasks Task #2: Job: Clean registry Run as: Jim (non-root) Run at: 6pm Task #3: Job: Print receipts Run as: Ted (non-root) Run at: 2am Windows has a built-in task scheduler system. Each user can add new tasks to be run at a certain time and with a certain permission level. (Regular users can’t add “root” level jobs) To prevent tampering, windows computes a CRC32 hash for each task record and stores this in a protected area of the computer. Task1 hash: 9B7CC653 Task2 hash: 11090343 Task3 hash: 40910276 (the tasks themselves are stored as globally readable/writable XML files)
  • 10. When it arrives on a machine, Stuxnet starts running with the current user’s non-administrator privileges. But to do its mischief, Stuxnet needs to run with “root” (SYSTEM) privileges. So first, Stuxnet creates a new task using the permissions of the current user: Task #4: Job: Run stuxnet.dll, Run as: Ted (non-root), Run at: 2pm. And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-level job), it calculates the job’s hash and adds it to the protected store: Task4 hash: DE9DBA76.
  • 11. Next Stuxnet modifies the XML job file it just added, changing “Run as: Ted (non-root)” to “Run as: Root user” (remember, the XML file is writable by the user who created it). But wait! The updated job file’s CRC (66C35150) no longer matches the protected value DE9DBA76 stored by Windows. If Windows were to process the updated job file, it would detect this and reject it! Ah, but Stuxnet is more clever than that. Because CRC32 is linear, for any modified file one can compute four bytes which, if appended, make its CRC equal to any chosen value, here the original DE9DBA76. Stuxnet appends these bytes, the check passes, and Windows happily runs the updated job, giving Stuxnet root-level privileges! (Microsoft’s fix, MS10-092, replaced the CRC32 with a cryptographic hash of the task file.)
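The forgery step above, worked through as an added example for this page (it is not Stuxnet’s code). The task XML is a constructed stand-in, not the real Task Scheduler schema, and the example goes one step beyond the slide’s “append the bytes”: the four fix-up bytes can be placed anywhere in the file, so it hides them inside an XML comment and varies the comment’s filler until all four bytes are characters an XML parser accepts. Both of those choices are this example’s own assumptions, not something the page describes.

```python
"""CRC32 forgery: keep a tampered file's checksum equal to the stored one.

Added example for this page, not Stuxnet's code.  ORIGINAL_TASK is a constructed
stand-in for a scheduled-task XML file, and hiding the four fix-up bytes inside an
XML comment (instead of appending them) is this example's own choice.
"""
import zlib

POLY = 0xEDB88320                 # reflected CRC32 polynomial (zlib, Windows)
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# Every table entry has a distinct top byte, so the top byte of an update step's
# output reveals which table entry it used.  That is what makes a step reversible.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256


def _step(reg: int, data: bytes) -> int:
    """CRC32 register update over `data`, starting from register state `reg`."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def _unwind(reg_after: int, data: bytes) -> int:
    """Inverse of _step: the register state that preceded `data`."""
    cur = reg_after
    for b in reversed(data):
        idx = REV[cur >> 24]                            # entry the forward step used
        cur = ((cur ^ TABLE[idx]) << 8) | (idx ^ b)     # prev >> 8, then prev's low byte
    return cur


def crc32(data: bytes) -> int:
    """Standard CRC32 (identical to zlib.crc32)."""
    return _step(0xFFFFFFFF, data) ^ 0xFFFFFFFF


assert crc32(b"123456789") == 0xCBF43926 == zlib.crc32(b"123456789")


def forge_patch(prefix: bytes, tail: bytes, target_crc: int) -> bytes:
    """Four bytes p such that crc32(prefix + p + tail) == target_crc.

    CRC32 is linear over GF(2): feeding bytes p from register state r gives the
    same result as feeding (p XOR little-endian(r)) from state 0.  So find the
    state `want` needed just before `tail`, then the state `z` from which four
    0x00 bytes reach `want`; the patch is little-endian(z XOR r).
    """
    reg = _step(0xFFFFFFFF, prefix)
    want = _unwind(target_crc ^ 0xFFFFFFFF, tail)
    z = _unwind(want, bytes(4))
    return (z ^ reg).to_bytes(4, "little")


# Constructed stand-in for the job file; not the real Task Scheduler schema.
ORIGINAL_TASK = (
    b"<Task><Principal><UserId>Ted</UserId><RunLevel>LeastPrivilege</RunLevel>"
    b"</Principal><Actions><Exec><Command>stuxnet.dll</Command></Exec></Actions></Task>"
)


def escalate_task(original: bytes, stored_crc: int, max_tries: int = 20000) -> bytes:
    """Rewrite the job to run as SYSTEM while keeping the CRC32 Windows stored.

    The fix-up bytes are arbitrary binary, so they go inside an XML comment and
    the comment's filler is varied until all four are plain printable characters
    (and none is '-', which is not allowed inside a comment).
    """
    tampered = original.replace(b"<UserId>Ted</UserId>", b"<UserId>SYSTEM</UserId>")
    assert tampered.endswith(b"</Task>")
    body = tampered[: -len(b"</Task>")]
    tail = b" --></Task>"
    for n in range(max_tries):
        prefix = body + b"<!-- " + b"." * n
        patch = forge_patch(prefix, tail, stored_crc)
        if all(0x20 <= c < 0x7F and c != 0x2D for c in patch):
            return prefix + patch + tail
    raise RuntimeError("no printable patch found")
```

The `_unwind` routine is the whole trick: because the top bytes of the CRC table are all different, each update step can be run backwards, so anyone who controls 32 bits anywhere in the file controls the checksum completely. Storing the CRC somewhere “protected” adds nothing against a deliberate edit; the defence is a keyed or cryptographic hash of the file, which is what the Task Scheduler fix moved to.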
  • 12. Until it discovers the proper computers… Stuxnet is extremely picky and only activates its payload when it has found an exact match. The targeted computer must be running STEP7 software from Siemens. It must be directly connected to a Siemens S7-315-2 Programmable Logic Controller. The PLC must further be connected to at least six Siemens CP 342-5 communication (Profibus) modules. And each module must be connected to up to 31 frequency converters made by Fararo Paya (Iran) or Vacon (Finland), which Stuxnet recognizes by their Profibus vendor IDs in the PLC’s configuration data. …
  • 13. Until it discovers the proper computers… Stuxnet is extremely picky and only activates its payload when it has found an exact match. … Now if you do the math: Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 frequency converters in total (five modules’ worth would not be enough). And recently we learned that Iran’s uranium enrichment “cascade” just happens to use roughly 160 centrifuges (164 IR-1 machines per cascade in the public accounts). What a coincidence! The creators of Stuxnet must have guessed all of these details.
  • 14. Now Stuxnet gets down to business… Stuxnet starts by downloading malicious logic (its own STEP7 code blocks) onto the PLC hardware. What you (probably) didn’t realize is that the PLC uses a totally different processor and instruction language (compiled MC7 code) than Windows PCs. Stuxnet is the first known threat to inject its own code into an industrial controller!
  • 15. Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for about 13 days, and makes sure the motors are running between 807 Hz and 1210 Hz, which happens to be the frequency range at which the enrichment centrifuges run. (After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)
  • 16. Once it’s sure, the malicious PLC logic begins its mischief! Stuxnet raises the spin rate to 1410 Hz for 15 minutes, then sleeps for 27 days. Then it slows the spin rate to 2 Hz for 50 minutes, then sleeps for 27 days. Stuxnet repeats this cycle over and over.
  • 17. Why push the motors up to 1410 Hz? Well, about 1380 Hz is believed to be a resonance frequency of the rotor; it is believed that operation at this frequency for even a few seconds will result in the disintegration of the enrichment tubes! Why reduce the motors to 2 Hz? At such a low rotation rate, the vertical enrichment tubes begin wobbling like a slowing top, also causing damage.
  • 18. What about Iranian fail-safe systems? (Surely by now you’re thinking that alarm bells should have been blaring at the enrichment plant, right?) Maybe Stuxnet pulled a Mission Impossible?!?
  • 20. And in fact, that’s exactly what Stuxnet did! These facilities typically do have fail-safe controls: they trigger a shutdown if the frequency goes out of the acceptable range. But worry not, Stuxnet takes care of this too. Stuxnet records telemetry readings while the centrifuges are operating normally, and when it launches its attack it feeds this recorded data back to the control software to fool the fail-safe systems, which only ever see what the compromised PLC reports. And Stuxnet disables the emergency kill switch on the PLC as well, just in case someone tries to be a hero.
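A model of the attack cadence (slides 15 and 16) and of the telemetry replay that blinds the fail-safe (slide 20), added here as an illustration for this page; it is not Stuxnet’s PLC code. Its assumptions: one simulation tick per minute, instant speed changes (the ramp times in the speaker notes are ignored), a normal operating speed of 1064 Hz with slight drift, a fail-safe that trips on a single out-of-band reading, and no modelling of the disabled kill switch. The second run shows the check a practitioner would want: a fail-safe fed from an independent measurement trips in the first overspeed minute, whereas one fed from the compromised PLC never does.

```python
"""Attack cadence and telemetry replay, modelled from slides 15-20.

Added illustration for this page, not Stuxnet's PLC code.  Assumptions: one tick
per minute, instant speed changes, a normal speed of 1064 Hz with slight drift,
a fail-safe that trips on one out-of-band reading; the disabled kill switch is
not modelled.
"""
import math
from collections import deque

MINUTE = 1
HOUR = 60 * MINUTE
DAY = 24 * HOUR

NORMAL_BAND = (807.0, 1210.0)        # Hz; the band Stuxnet requires first (slide 15)
OPERATOR_SETPOINT = 1064.0           # Hz; assumed normal speed, inside the band

# (phase, duration in ticks, commanded frequency or None = operator keeps control)
CADENCE = [
    ("observe",    13 * DAY,    None),     # slide 15: watch normal operation first
    ("overspeed",  15 * MINUTE, 1410.0),   # slide 16
    ("sleep",      27 * DAY,    None),
    ("underspeed", 50 * MINUTE, 2.0),
    ("sleep",      27 * DAY,    None),
]
FIRST_ATTACK_PHASE = 1               # the cycle repeats from here, not from "observe"


def plant_frequency(t: int) -> float:
    """Motor speed under operator control: setpoint plus a little drift (constructed)."""
    return OPERATOR_SETPOINT + 5.0 * math.sin(t / 41.0)


class Payload:
    """Malicious PLC logic: records readings while observing, drives the motors
    during attack phases and hands the operator recorded readings instead."""

    def __init__(self, replay_window: int = 2 * HOUR):
        self.recorded = deque(maxlen=replay_window)
        self.phase_idx = 0
        self.ticks_left = CADENCE[0][1]
        self.replay_pos = 0

    @property
    def phase(self) -> str:
        return CADENCE[self.phase_idx][0]

    def commanded_frequency(self):
        return CADENCE[self.phase_idx][2]

    def report(self, true_hz: float) -> float:
        """The reading passed on to the operator console and the fail-safe."""
        if self.phase == "observe":
            self.recorded.append(true_hz)
        if self.commanded_frequency() is None:
            return true_hz                                   # observing or sleeping: honest
        sample = self.recorded[self.replay_pos % len(self.recorded)]
        self.replay_pos += 1
        return sample                                        # attacking: replay old data

    def tick(self) -> None:
        self.ticks_left -= 1
        if self.ticks_left == 0:
            nxt = self.phase_idx + 1
            self.phase_idx = nxt if nxt < len(CADENCE) else FIRST_ATTACK_PHASE
            self.ticks_left = CADENCE[self.phase_idx][1]


def simulate(ticks: int, failsafe_reads_plc: bool = True) -> dict:
    """Run for `ticks` minutes and summarise what the fail-safe saw.

    failsafe_reads_plc=True : the fail-safe trusts the value the PLC reports (Stuxnet's case).
    failsafe_reads_plc=False: the fail-safe has its own, independent speed measurement.
    The first out-of-band reading is recorded as the trip time; the run continues
    afterwards so the whole attack cadence stays visible.
    """
    payload = Payload()
    lo, hi = NORMAL_BAND
    tripped_at = None
    attack_ticks = 0
    reported_out_of_band = 0
    max_true, min_true = -math.inf, math.inf
    for t in range(ticks):
        cmd = payload.commanded_frequency()
        true_hz = cmd if cmd is not None else plant_frequency(t)
        if cmd is not None:
            attack_ticks += 1
        reported = payload.report(true_hz)
        seen = reported if failsafe_reads_plc else true_hz
        if tripped_at is None and not lo <= seen <= hi:
            tripped_at = t
        if not lo <= reported <= hi:
            reported_out_of_band += 1
        max_true, min_true = max(max_true, true_hz), min(min_true, true_hz)
        payload.tick()
    return {
        "tripped_at": tripped_at,
        "attack_ticks": attack_ticks,
        "reported_out_of_band": reported_out_of_band,
        "max_true_hz": max_true,
        "min_true_hz": min_true,
    }


if __name__ == "__main__":
    for independent in (False, True):
        result = simulate(70 * DAY, failsafe_reads_plc=not independent)
        source = "independent sensor" if independent else "PLC-reported value"
        print(f"fail-safe fed from {source}: {result}")
```

Over a 70-day run the motors are driven to 1410 Hz and down to 2 Hz for 80 minutes in total, yet every value the PLC reports stays inside the band, so a fail-safe wired to the PLC’s telemetry never trips; the same fail-safe wired to an independent sensor trips at minute 18720, the first minute of the first overspeed. The lesson for control-system monitoring is that readings routed through the controller under attack are not evidence of anything.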
  • 21. All while evading detection… Stuxnet uses five distinct mechanisms to conceal itself. #5 Stuxnet hides its own files on infected thumb drives using the first of its two rootkits, a Windows kernel-mode driver that filters its files out of directory listings (the second rootkit, for the PLC, is #1 below).
  • 22. #4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection: it checks which security product is installed and decides accordingly which of its attacks to launch and which process to inject itself into.
  • 23. #3 Stuxnet completely deletes itself from a USB key once that key has spread it to exactly three new machines (it keeps a counter on the drive).
  • 24. #2 Stuxnet’s authors “digitally signed” its drivers with stolen code-signing certificates to make them look like they were created by well-known companies, which also lets the drivers load on versions of Windows that enforce driver signing. The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1 km apart in the same Taiwanese business park.
  • 25. #1 Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)! It hooks the STEP7 communication library (s7otbxdx.dll) on the Windows PC, so when an engineer reads the PLC’s code blocks back they see the original blocks, not the injected ones. What the PLC is actually running amounts to: Instructions to the centrifuges: during normal operation, spin at 1410 Hz; in case of emergency, IGNORE OPERATOR COMMANDS.
  • 26. Stuxnet Epidemiology
  • 27. Did It Succeed? Well, based on some clever Symantec engineering, we’ve got some interesting data. Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited. Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands: www.mypremierfutbol.com and www.todaysfutbol.com. Working with the registrars, Symantec took control of these domains, forwarding all traffic to Symantec data centers.
  • 28. Stuxnet Bookkeeping [figure: the infection history carried inside one sample, shown as the list of IP addresses of the hosts it passed through]. Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics!
  • 29–31. Here’s What We Found [graphs showing how the discovered samples spread; data at time of discovery (July 2010)]
  • 32. Here’s What We Found. Distribution of infected systems with Siemens software, data at time of discovery (July 2010):
      Iran           67.60 %
      South Korea     8.10 %
      USA             4.98 %
      Great Britain   2.18 %
      Indonesia       2.18 %
      Taiwan          1.56 %
      India           1.25 %
      Others         12.15 %
  • 33. Did It Succeed? Indications are that it did! The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.” Symantec telemetry indicates that rather than directly trying to infiltrate Natanz, the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.
  • 34. Whodunit? Stuxnet checks the registry for the marker value 19790509 and leaves any machine that has it alone. According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.” A sample’s compile timestamp: June 22, 2009 4:31:47pm GMT, which is June 22, 2009 6:31:47pm local time in GMT+2.
  • 35. To Conclude: Stuxnet proves that cyber-warfare against physical infrastructure is feasible. Unfortunately, the same techniques can be used to attack other physical and virtual systems. Stuxnet signals a fundamental shift in the malware space.
  • 36. Thank you! Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Editor's Notes

  1. One WinCC (MS SQL) system per N STEP7 systems. It holds the telemetry data that comes back from the PLCs. Stuxnet could jump from that machine to a developer’s machine via network shares.
  2. Print servers may have been connected across the air gap? And it auto-spreads over thumb drives, which is how Stuxnet bridges the gap.
  3. The threat reads the PLC from the Windows box to determine how many routers (CP 342-5 network modules) are connected to it; the number must be six, found by querying the PLC. The frequency converters must be of the two targeted types, Fararo Paya (Iran) and Vacon (Finland), identified by their Profibus IDs, which work like a UPC code for each converter and are stored in the PLC’s configuration data. The PLC model itself (315-2) must also be correct. In Iran there are about 160 centrifuges in a cascade, we know this, and with 31 motors per network module six modules cover up to 6*31 possible frequency converters; five would be too few. Stuxnet then has to monitor 13 days of operation between roughly 800 Hz and 1200 Hz before it attacks. Washing machine analogy: off-balance due to load, danger of a domino effect.
  4. Sets the frequency converters to 1410 Hz for 15 minutes (the ramp-up time may exceed 16 minutes, so they may only reach about 1381 Hz). Waits 27 days (the converters must be operating between 807 Hz and 1210 Hz). Sets the frequency converters to 2 Hz for 50 minutes (ramp-down time about 33 minutes). Waits 27 days (again requiring 807 Hz to 1210 Hz). Repeats from step 2 (1410 Hz for 15 minutes).
  6. What about fail-safe systems? Well, Stuxnet hid itself from these. The threat actively recorded normal operation of the centrifuges and played this back while it was accelerating the centrifuges to dangerous speeds, just like the picture on the wall here hides the fact that the person is falling down the stairs. So none of the fail-safe systems noticed that anything was wrong, just as this security guard doesn’t notice anything unusual on his screen. So, if Stuxnet can do all of this, imagine what a targeted attack launched by a state-sponsored competitor could do to Qualcomm...
  7. Stuxnet also uses another trick to hide itself on removable drives. It adds a second “Open” option to the drive’s right-click menu. One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user chooses to open the drive via this menu, Stuxnet executes first, and then opens the drive normally to hide that anything suspicious has occurred.