Stuxnet dc9723
  1. Stuxnet: How to take over a (nuclear) power plant
     Tomer Teller, DC9723, 18/1/11
  2. Who Am I?
     - A black hat gone good (courier -> cracker)
     - Security Evangelist at Check Point
     - Specialize in network hacking & reversing
     - Finished all levels of Angry Birds (3 stars!)
  3. Why are we here?
     - We like malware
     - Stuxnet is a malware!
     - Iran is involved
     - Microsoft got pwn'd
     - Learn new techniques
     - See some DEMOs (hopefully)
  4. Terminology
     - SCADA/ICS: stands for Supervisory Control and Data Acquisition. It generally refers to Industrial Control Systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes.
     - PLC: a Programmable Logic Controller, which controls machinery on factory assembly lines.
     - Field PG: the machine used to program PLCs.
     - WinCC/Step7: the Siemens application used to program PLCs (IDE/compiler), installed on a Field PG.
  5. Threat Overview
     - Architecture
       - Single DLL
       - Resource containing payloads
       - Component based
     - Exploits
       - 4 undisclosed vulns!
     - Techniques
       - "Cunning" hack
       - LoadLibrary() maneuver
  6. This is not normal… (infection statistics chart; ref: Symantec dossier paper)
  7. Welcome to the Battlefield
  8. What's going to happen? (map: "Here")
  9. What's going to happen? (figure: water pipe, gas pipeline, nuclear reactor)
  10. Mission Objectives
      - Introduce threat to target
      - Propagate inside the network
      - Infect Field PG machines
      - GOAL: Reprogram ICS machines
  11. The First Infection
      - An insider
      - A contractor
      - A SCADA conference USB give-away
      - Super Sheep over the fence
  12. Removable Drive Propagation
      - Okay, now what?
      - LNK auto-execution (MS10-046)
      - Autorun.inf technique
  13. LNK Auto-Execution (MS10-046)
      - Design-level flaw when parsing LNK files (i.e. shortcut files)
      - The file format can store links to control panel applet (CPL) DLLs
      - The vulnerable code processes these links the same way it processes icons
      - Problem: the system does not check whether the DLL is in SYSTEM32 or on a whitelist (registered)
      - The result: arbitrary DLLs can be loaded via a shortcut
  14. LNK Binary Format (DIY)
      - LNK header
        - Offset 0x0000, size 4: HeaderSize
        - Offset 0x0004, size 16: LinkCLSID
        - Offset 0x0014, size 4: LinkFlags (flags for the optional structures)
        - ...
        - Offset 0x0042, size 4: (reserved)
      - Control items
        - Offset 0x0000, size 2: itemIDSize
        - Offset 0x0002, size 2: wDummy
        - ...
        - Offset 0x0018, size n: Path
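To make the header and item walk on this slide concrete, here is an added Python example (not code from the talk) that reads the fields at the offsets above, walks the LinkTargetIDList item by item, and flags any item carrying a DLL path, the check a scanner could run on shortcuts arriving on removable media. The sample LNK bytes are constructed here; the item layout (wDummy at 0x0002, path at 0x0018) follows the slide rather than the full MS-SHLLINK item structures.

```python
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C                                   # HeaderSize, offset 0x0000
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # LinkCLSID, 0x0004
HAS_LINK_TARGET_ID_LIST = 0x1                            # LinkFlags bit 0, offset 0x0014
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")      # printable UTF-16LE runs

def parse_header(data):
    """Return (header_size, clsid, link_flags); raise if this is not a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for an LNK header")
    header_size = struct.unpack_from("<I", data, 0x00)[0]
    clsid = uuid.UUID(bytes_le=bytes(data[0x04:0x14]))
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID")
    return header_size, clsid, link_flags

def iter_item_ids(data):
    """Yield each ItemID payload (bytes after itemIDSize) from the LinkTargetIDList."""
    if not parse_header(data)[2] & HAS_LINK_TARGET_ID_LIST:
        return
    size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]   # IDListSize
    pos, end = LNK_HEADER_SIZE + 2, LNK_HEADER_SIZE + 2 + size
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                                   # TerminalID ends the list
            return
        if item_size < 2 or pos + item_size > end:
            raise ValueError("ItemID runs past IDListSize")
        yield data[pos + 2:pos + item_size]
        pos += item_size

def dll_references(data):
    """Return .dll paths found as UTF-16LE text inside any ItemID (the MS10-046 tell-tale)."""
    return [t for payload in iter_item_ids(data)
            for t in (m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(payload))
            if t.lower().endswith(".dll")]

def build_sample_lnk(target):
    """Constructed LNK: header + one item (wDummy at 0x0002, path at 0x0018 as on the slide) + TerminalID."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0x00, LNK_HEADER_SIZE)
    header[0x04:0x14] = LNK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    payload = b"\x1f\x00" + bytes(20) + target.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", 2 + len(payload)) + payload
    id_list = item + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(id_list)) + id_list
```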
  15. Autorun.inf Technique
      - We all know the AutoRun.inf file & dialog
      - The code that parses that file is very "flexible"
      - How flexible?
  16. Autorun.inf Technique cont. (figure: EXE / AutoRun)
  17. The LoadLibrary() Technique
      - Whenever Stuxnet needs to load a DLL (including itself), it uses a special method to bypass anti-virus behaviour-blocking detection.
      - Stuxnet calls LoadLibrary() with a specially crafted name that does not exist, which causes LoadLibrary() to fail.
      - ntdll.dll is hooked to monitor for requests to load these specially crafted file names.
      - The file names are mapped to a different location specified by Stuxnet.
      - File name example: KERNEL32.DLL.ASLR.[ADDRESS]
  18. User/Kernel Space Rootkits
      - User space rootkit
        - Hides files by hooking Kernel32 & NTDLL
          - FindFirstFileW, FindNextFileW
          - NtQueryDirectoryFile, ZwQueryDirectoryFile
      - Kernel space rootkit
        - Registers a device driver (MrxNet.sys) to intercept I/O Request Packets (IRPs)
          - Monitors directory control & query (read/write)
          - Detects & infects removable devices
  19. Compromised Certificates
      - The driver was digitally signed with a legitimate certificate that is trusted by Windows.
      - Both companies seem to have offices in the Hsinchu Science and Industrial Park (Taiwan).
  20. No Admin?! No Problem! (Vista+ Style)
      - Privilege escalation in Task Scheduler, 20-11-2010
      - The task file is hashed with CRC32
        - Modify the original task to run as LocalSystem
        - Fix the CRC checksum by "padding" <- collision
  21. No Admin?! No Problem! (XP Style)
      - Privilege escalation in keyboard layouts (MS10-073)
      - A keyboard layout can be loaded from anywhere in the system
      - Out-of-bounds index into an array of function pointers in win32k.sys:

            cf12fa38  cf933423 win32k!KbdNlsFuncTypeDummy   [index 0]
            cf12fa3c  cf93342e win32k!KbdNlsFuncTypeNormal  [index 1]
            cf12fa40  cf933474 win32k!KbdNlsFuncTypeAlt     [index 2]
            cf12fa44  ff496867                              [index 3]
            cf12fa48  ff466564                              [index 4]
            cf12fa4c  60636261 <- user space address        [index 5]
            cf12fa50  0000006e
            .

      - Copy bad code to that address
      - Change the layout to point at index #5
      - Load the keyboard layout
  22. Demo(s) Time
      - Autorun.inf
      - LNK vulnerability (MS10-046)
      - User space rootkit (source available)
  23. Mission #1 Completed (map: "Here")
  24. Recap
      - Introduce threat to target
      - Propagate inside the network
      - Infect Field PG machines
      - GOAL: Reprogram ICS machines
  25. MS08-067 – Server Service Vulnerability
      - SRVSVC is an RPC interface that controls shares and files.
      - Binding to this interface via SMB and calling one of its functions, NetprPathCanonicalize(), with a malformed path string:
        - e.g. /<name>/../../<rest of string>
      - results in a buffer overflow.
        - Successful exploitation can lead to code execution with SYSTEM-level privileges.
      - (figure: NetprPathCanonicalize() walking the string step by step, \share\path1\path2/../../../../buff -> \share\path1/../../../buff -> \share/../../buff -> /../buff, searching for the '\' separator at each step until the walk runs before the start of the buffer: buffer overflow)
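An added Python model (not from the talk, and not Microsoft's code) of the walk in the figure above: each ".." moves the cursor back one segment, and the defect is that nothing stops the cursor at the start of the buffer, so the slide's four ".." for three segments run past it; the hardened canonicalizer refuses such a request instead. The path strings are constructed for the example.

```python
def walk(path):
    """Model of the unchecked walk: returns (segments_left, min_depth).

    min_depth < 0 means some '..' moved the cursor before the start of the
    buffer, which is where the real C code overflows. Constructed model only.
    """
    stack, depth, min_depth = [], 0, 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # empty or '.' segment: no movement
        if seg == "..":
            depth -= 1                    # the flawed walk never checks depth
            min_depth = min(min_depth, depth)
            if stack:
                stack.pop()
        else:
            depth += 1
            stack.append(seg)
    return stack, min_depth

def canonicalize(path):
    """Hardened: refuse any path whose walk would climb above the share root."""
    stack, min_depth = walk(path)
    if min_depth < 0:
        raise ValueError("refusing %r: climbs %d level(s) above the root" % (path, -min_depth))
    return "/" + "/".join(stack)

def is_rejected(path):
    """True if the hardened canonicalizer refuses the path."""
    try:
        canonicalize(path)
        return False
    except ValueError:
        return True

def offending_requests(paths):
    """Detection helper: the requests from a batch that would trigger the flaw."""
    return [p for p in paths if walk(p)[1] < 0]

SLIDE_EXAMPLE = "/share/path1/path2/../../../../buff"   # the slide's walk: four '..' for three segments
```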
  26. MS10-061 – Print Spooler Vulnerability
      - Released in 2009 in a hacker magazine
      - Allows a file to be written to the %System% folder by printing a document to a file.
      - Stuxnet "prints" 2 files:
        - A Managed Object Format (MOF) file, used for Windows events
        - The Stuxnet worm itself
      - Once the OS detects the MOF file in a specific directory (%System%\wbem\mof\<file>):
        - It executes the event, which is to run the executable file.
  27. Network Shares Infection
      - Stuxnet enumerates all user accounts of the computer and the domain
        - Tries all available network resources
          - Using the user's credentials
        - Drops the Stuxnet executable on the remote share
          - Schedules a network job to run 2 minutes later
          - NetScheduleJobAdd()
  28. P2P Communication Component
      - Stuxnet installs an RPC client/server.
      - Compromised computers can connect and ask for the latest version.
      - Exchange (figure): the infected machine acting as client sends Get Version (0) and the infected machine acting as server sends its version; the client then sends Request Update (4) and the server sends the update.
      - RPC server routines:
        - 0: Return current version
        - 1: Inject & execute
        - 2: Load module
        - 3: Inject into lsass.exe
        - 4: Send current version
        - 5: Create process
        - 6: Read file
      - ref: Symantec dossier paper
  29. Command & Control Component
      - Stuxnet communicates back using an HTTP C&C backdoor and encrypted data.
      - Exchange (figure): the infected machine sends GET index.php?data=[encrypted] to the command and control server, which answers 200 OK carrying Command X, Command Y.
      - ref: Symantec dossier paper
  30. Mission #2 Completed (map: "Here", "Ping", "Alive")
  31. Recap
      - Introduce threat to target
      - Propagate inside the network
      - Infect Field PG machines
      - GOAL: Reprogram ICS machines
  32. PLC Rootkit
      - On the Field PG, Stuxnet will look for:
        - A specific version of STEP7/WinCC
        - A specific network card
        - A specific PLC model & version connected
      - Stuxnet replaces the DLL file on the Field PG that is in charge of communicating with the PLC.
      - After the replacement Stuxnet is able to:
        - Monitor PLC commands being written and read
        - Infect a PLC by inserting bad commands
        - Mask the fact that the PLC is infected
  33. Infected PLC Example (READ/WRITE)
      - (figure: Step7/WinCC <-> new DLL <-> original DLL <-> PLC on the Field PG. Read(): the original DLL returns the PLC's original data and the new DLL passes modified data up to Step7/WinCC. Write(): Step7/WinCC writes data, the new DLL hands modified data to the original DLL, which writes it to the PLC. Sample values shown in the figure: 5, 500, ?)
  34. Recap
      - Introduce threat to target
      - Propagate inside the network
      - Infect Field PG machines
      - GOAL: Reprogram ICS machines
  35. Mission Accomplished
  36. Who's Behind It?
      - Some say Israel:
        - b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
          - myrtus -> myrtle -> Hadassah -> Queen Esther
          - My-RTUs -> Remote Terminal Unit -> control SCADA systems
        - 0x19790509
          - May 09, 1979. That date coincides with the Iranians' execution of Habib Elghanian, a prominent Jewish businessman in Iran
      - Some say Germany
      - Some say USA
  37. Questions
      - ?
  38. kthxbye
      Tomer Teller [email_address]