I Heart Stuxnet
or: How I Learned To Stop Worrying And Love The Worm

Video: http://vimeo.com/17364186

  1. I ♥ Stuxnet, or: How I Learned to Stop Worrying and Love The Worm. Gil Megidish, gil@megidish.net
  2. DISCLAIMER: I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor do I know of its origins. Everything in this presentation is purely an analysis of documents written by Wikipedia, Symantec, ESET and professional security advisors.
  3. My First Anti-Virus
  4. What is Stuxnet?
     • Most complicated computer worm ever discovered.
     • Targets industrial control systems such as those in gas pipelines or power plants.
     • An ongoing work, dating back to Dec 2008.
  5. Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3
  6. Bushehr Nuclear Power Plant
  7. Agenda: Introduction to Computer Virii; Stuxnet’s timeline; Infection mechanism; Targeted systems; Whodunit?
  8. Computer Virus • Software that replicates itself onto other executable files.
  9. Computer Worm • Software that replicates itself onto other computers, usually via exploits.
  10. Rootkit • Enables continued access while actively hiding its presence.
  11. CVE-2010-0049 • Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on the victim’s machine. 15 Dec 2009: vendor notified. 15 Dec 2009: vendor replied. 11 Mar 2010: coordinated public disclosure.
  12. The List Never Ends: Backdoor, Worms, Viruses, Adware, Spyware, Trojan Horse, Rootkit, Botnet, Phishing, XSS, Spoofing, Man in the Middle, D.o.S., CSRF
  13. “Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.” Frank Rieger (GSMK)
  14. Timeline
     • 2008.11 – Trojan.Zlob found to be using LNK vulnerability
     • 2009.04 – Hakin9 magazine publishes Printer Spooler vulnerability
     • 2009.06 – First variant of Stuxnet found
     • 2010.01 – Stuxnet variant found with Realtek certificate
     • 2010.03 – Stuxnet variant found using LNK vulnerability
     • 2010.05 – Stuxnet first detected, named RootkitTmphider
     • 2010.06 – VeriSign revokes Realtek’s certificate
     • 2010.06 – Stuxnet variant found with JMicron certificate
     • 2010.07 – Symantec monitors Stuxnet’s C&C traffic
     • 2010.07 – VeriSign revokes JMicron’s certificate
     • 2010.08 – Microsoft patches LNK vulnerability
     • 2010.09 – Microsoft patches Printer Spooler vulnerability
  16. Exploit #1: LNK Vulnerability (CVE-2010-2568). Affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows 7.
  17. Exploit #2: Print Spooler Vulnerability (MS10-061). Affects Windows XP and legacy Lexmark/Compaq printers.
  18. Exploit #3: Windows Server Service (MS08-067). Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.
  19. Metasploit: point. click. root.
  20. Rootkitting Windows
  21. Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
  22. Taiwanese Ninjas?
  23. Two More Zero-Day Exploits
  24. WinCCConnect : 2WSXcder … Yes!
  25. Peer To Peer Upgrades (diagram, Infected A / Infected B): Get version number, Request payload, #version#, Current version
  26. Command and Control (diagram, Infected PC ↔ todaysfutbol.com / mypremierfutbol.com): GET / → 200 OK; GET index.php?data=[XOR%31] → 200 OK: Executable code
  27. whois mypremierfutbol.com
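The C&C exchange on slide 26 has a recognisable shape in outbound web logs: a bare GET / to one of the two domains, then a GET to index.php with a data parameter, answered by a 200 with a body. The following detection script is an added example and not part of the original deck; the log format, client addresses and data values are constructed, and the [XOR%31] value is treated as opaque.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C&C hosts and beacon shape from slide 26; the [XOR%31] value stays opaque here.
CNC_HOSTS = {"todaysfutbol.com", "mypremierfutbol.com"}
BEACON_PATH = "/index.php"
BEACON_PARAM = "data"

# Constructed Squid-style access log layout: timestamp client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

def classify(line):
    """Return a hit dict for a request to a Stuxnet C&C host, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if host not in CNC_HOSTS:
        return None
    hit = {"client": m["client"], "host": host,
           "status": int(m["status"]), "stage": "probe"}   # the GET / -> 200 OK leg
    qs = parse_qs(url.query)
    if url.path == BEACON_PATH and BEACON_PARAM in qs:
        hit["stage"] = "beacon"                             # GET index.php?data=... leg
        hit["data_len"] = len(qs[BEACON_PARAM][0])
        if hit["status"] == 200 and int(m["bytes"]) > 0:
            hit["stage"] = "payload"                        # 200 OK with a body came back
    return hit

def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits."""
    return [h for h in map(classify, lines) if h]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "1279000001 10.0.0.5 GET http://www.example.org/ 200 512",
    "1279000002 10.0.0.5 GET http://mypremierfutbol.com/ 200 0",
    "1279000003 10.0.0.5 GET http://mypremierfutbol.com/index.php?data=4f2a1b9c3e 200 18432",
    "1279000004 10.0.0.9 GET http://todaysfutbol.com/index.php?data=ab 404 0",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "payload" hit on a host that also shows a "probe" shortly before is the full exchange from the slide and is the one to escalate first.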
  28. Siemens SIMATIC Step 7
  29. Step 7 Editor, Developer Station, WinCC MS-SQL Database, PLC (diagram)
  30. Step7 Interception – s7otbxdx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete. All communication done through the s7otbxdx library (Developer Station ↔ PLC).
  31. Step7 Interception – s7otbxsx.dll: s7blk_read, s7blk_write, s7_blk_findfirst, s7_blk_delete. Man in the middle rootkit! (Developer Station ↔ s7otbxdx.dll ↔ PLC)
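Slides 30 and 31 show the swap: the genuine s7otbxdx.dll is renamed to s7otbxsx.dll and a replacement s7otbxdx.dll sits between the Developer Station and the PLC. The host check below is an added example, not code from the deck; it assumes you hold a known-good SHA-256 of the vendor DLL from a trusted Step 7 install, and the demo builds a constructed directory with stand-in files rather than real DLLs.

```python
import hashlib
import tempfile
from pathlib import Path

ORIGINAL_DLL = "s7otbxdx.dll"   # genuine Step 7 block-transfer library (slide 30)
RENAMED_DLL = "s7otbxsx.dll"    # name the genuine library is renamed to (slide 31)

def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_step7_dir(step7_dir, known_good_sha256):
    """Return findings for one Step 7 directory; empty list means nothing suspicious."""
    d = Path(step7_dir)
    findings = []
    orig, renamed = d / ORIGINAL_DLL, d / RENAMED_DLL
    if renamed.exists():
        findings.append(f"{RENAMED_DLL} present: genuine library appears to have been renamed")
        if sha256_of(renamed) == known_good_sha256:
            findings.append(f"{RENAMED_DLL} matches the known-good {ORIGINAL_DLL} hash")
    if not orig.exists():
        findings.append(f"{ORIGINAL_DLL} missing")
    elif sha256_of(orig) != known_good_sha256:
        findings.append(f"{ORIGINAL_DLL} hash mismatch against known-good baseline")
    return findings

def demo():
    """Run the check over a clean and a swapped directory built from constructed stand-ins."""
    genuine = b"GENUINE S7OTBXDX (constructed stand-in, not the real DLL)"
    baseline = hashlib.sha256(genuine).hexdigest()    # assumed known-good hash
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / ORIGINAL_DLL).write_bytes(genuine)
        swapped = Path(tmp) / "swapped"
        swapped.mkdir()
        (swapped / RENAMED_DLL).write_bytes(genuine)                   # genuine, renamed
        (swapped / ORIGINAL_DLL).write_bytes(b"PROXY DLL stand-in")     # drop-in replacement
        return check_step7_dir(clean, baseline), check_step7_dir(swapped, baseline)

if __name__ == "__main__":
    for label, result in zip(("clean", "swapped"), demo()):
        print(label, result)
```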
  32. OB1 Main Organization Block; OB35 Watchdog Organization Block
  33. What the hell does it do?
  34. Vacon NX
  35. Vacon NX
  36. The End of Stuxnet?
  37. So, whodunit?
  38. The Americans?
  39. The Russians?
  40. The Israelis?
  41. 19790509
  42. b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
  43. Dan Hamizer
  44. WE MAY NEVER KNOW
  45. Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code. (The Atlantic)
  46. I ♥ Stuxnet
  47. LESS OF THIS
  48. AND MORE OF THIS
  49. NONE OF THIS
  50. AND LOTS OF THIS
  51. THANK YOU
  52. Links
     • Symantec’s Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
     • ESET: Stuxnet Under The Microscope: http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
     • Siemens Step 7 Programmer’s Handbook: http://www.plcdev.com/book/export/html/373
  53. Gil Megidish, gil@megidish.net