SlideShare a Scribd company logo

Stuxnet

bueno buono good
bueno buono good

Stuxnet is a computer virus that targets industrial control systems. It spreads through infected USB drives and networks, then infects PLCs (Programmable Logic Controllers) that are configured for specific industrial processes. Once infected, Stuxnet alters the PLC code to change the industrial process without the operator's knowledge through a "man in the middle" attack when programming software updates the PLC. The presentation demonstrates how Stuxnet infects a PLC and alters its code to change an industrial process.

1 of 18
Download to read offline
Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sep 2010 Operations Manager, Symantec Security Response 1
Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpoolerICS vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersions2 Goal C&CEoP Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
Agenda 1 60 second Intro to PLCs 2 Programming a PLC 3 How Stuxnet infects 4 What Stuxnet does 5 Demonstration Stuxnet & PLCs 3
PLCs Programmable Logic Controller • Monitors Input and Output lines – Sensors on input – switches/equipment on outputs – Many different vendors • Stuxnet seeks specific Models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific type of PLC Searches for a Specific Configuration Stuxnet & PLCs 4
Hardware configuration System Data Blocks • Each PLC must be configured before use. • Configuration is stored in System Data Blocks (SDBs) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet & PLCs 5
How Stuxnet Infects PLCs Stuxnet – Inside the PLC 6
Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet Infecting PLCs 7
Stuxnet: Man in the Middle attack on PLCs “Man in the App” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet’s version intercepts reads and writes to the PLC and changes the code at this point. Stuxnet Infecting PLCs 8
Stuxnet MC7 Byte code • Stuxnet contains at least 70 binary blobs of data • They are encoded and stored in the fake dll • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Just unsure of real world effects of this code. Presentation Identifier Goes Here 9
OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first. • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC. Stuxnet infecting PLCs 10
Demo Show Infection of a PLC • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet Demo 11
Stuxnet’s PLC code Complex and large amount of code • Demo was just 8 lines of code. • Stuxnet contains hundreds of lines of code • It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs. UC FC 1865; POP ; L DW#16#DEADF007; ==D ; BEC ; L DW#16#0; L DW#16#0; Presentation Identifier Goes Here 12
Stuxnet 13
Stuxnet 14
Targets Stats for Command and Control Servers Stuxnet - Infecting Industrial Control Systems 15
Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 16
White Paper Available W32.Stuxnet Dossier • Stuxnet Technical Details Available here: • http://www.symantec.com/content/en/us/enterprise/media/se curity_response/whitepapers/w32_stuxnet_dossier.pdf Stuxnet - Infecting Industrial Control Systems 17
Thank you! Liam O Murchu - liam_omurchu@symantec.com Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet – Infecting Industrial Control systems 18

Recommended

Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attack
Ajinkya Nikam
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet worm
sommerville-videos
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
Gil Megidish
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
Cheryl Biswas
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
Byres Security Inc.
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
Amr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - Stuxnet
Sean Xie
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.
Hardeep Bhurji
 

Recommended

Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attack
Ajinkya Nikam
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet worm
sommerville-videos
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
Gil Megidish
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
Cheryl Biswas
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
Byres Security Inc.
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
Amr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - Stuxnet
Sean Xie
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.
Hardeep Bhurji
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
Yury Chemerkin
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
Hardeep Bhurji
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
Santosh Khadsare
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Stuxnet
StuxnetStuxnet
Stuxnet
shiva_sathish
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
INSIGHT FORENSIC
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
Gregory Hanis
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
sr1nu
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
OWASP Foundation
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
malvvv
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
247infotech
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
أحلام انصارى
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
AlienVault
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
Symantec Italia
 
Cours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésCours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts Clés
Franck Franchin
 

More Related Content

What's hot

How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
Yury Chemerkin
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
Hardeep Bhurji
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
Santosh Khadsare
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Stuxnet
StuxnetStuxnet
Stuxnet
shiva_sathish
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
INSIGHT FORENSIC
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
Gregory Hanis
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
sr1nu
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
OWASP Foundation
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
malvvv
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
247infotech
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
أحلام انصارى
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
AlienVault
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 

What's hot (20)

How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
 
Offline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encriptionOffline attacks-and-hard-disk-encription
Offline attacks-and-hard-disk-encription
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
 
Linux Security
Linux SecurityLinux Security
Linux Security
 

Viewers also liked

Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
Symantec Italia
 
Cours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésCours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts Clés
Franck Franchin
 
Sécurité des systèmes d'information
Sécurité des systèmes d'informationSécurité des systèmes d'information
Sécurité des systèmes d'information
Franck Franchin
 
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaquesCyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
ELCA Informatique SA / ELCA Informatik AG
 
Principes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficientePrincipes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficiente
ELCA Informatique SA / ELCA Informatik AG
 
La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016
Olivier DUPONT
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatique
oussama Hafid
 

Viewers also liked (7)

Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
 
Cours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts ClésCours CyberSécurité - Concepts Clés
Cours CyberSécurité - Concepts Clés
 
Sécurité des systèmes d'information
Sécurité des systèmes d'informationSécurité des systèmes d'information
Sécurité des systèmes d'information
 
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaquesCyber Sécurité : Connaître son adversaire pour mieux parer les attaques
Cyber Sécurité : Connaître son adversaire pour mieux parer les attaques
 
Principes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficientePrincipes de bon sens pour une gouvernance cyber sécurité efficiente
Principes de bon sens pour une gouvernance cyber sécurité efficiente
 
La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016La securité informatique - Etat des Lieux - Nov. 2016
La securité informatique - Etat des Lieux - Nov. 2016
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatique
 

Similar to Stuxnet

Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$
PusHkar SaIni
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
Paolo Stagno
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
Kuniyasu Suzaki
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
Infosec Europe
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
Nil Menon
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
Alireza Ghahrood
 
Chapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched NetworksChapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched Networks
Yaser Rahmati
 
KPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_finalKPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_final
Fisal Anwari
 
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and ConfigurationCCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
Vuz Dở Hơi
 
Chapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networksChapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networks
teknetir
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Microcontroller
MicrocontrollerMicrocontroller
Microcontroller
sanjay kumar
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
Michael Smith
 
Joa Overview
Joa OverviewJoa Overview
Joa Overview
holtek
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Design & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOTDesign & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOT
IRJET Journal
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
Řőmĕő Šhűbhąm
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57
IJSRED
 
plc scada
plc scada plc scada
plc scada
Ayush Gautam
 

Similar to Stuxnet (20)

Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
Chapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched NetworksChapter 02 - Introduction to Switched Networks
Chapter 02 - Introduction to Switched Networks
 
KPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_finalKPUCC-Rs instructor ppt_chapter2_final
KPUCC-Rs instructor ppt_chapter2_final
 
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and ConfigurationCCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
 
Chapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networksChapter 13 : Introduction to switched networks
Chapter 13 : Introduction to switched networks
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
 
Microcontroller
MicrocontrollerMicrocontroller
Microcontroller
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
Joa Overview
Joa OverviewJoa Overview
Joa Overview
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Design & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOTDesign & Implementation Of Fault Identification In Underground Cables Using IOT
Design & Implementation Of Fault Identification In Underground Cables Using IOT
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57
 
plc scada
plc scada plc scada
plc scada
 

More from bueno buono good

Privacy facebook 2015
Privacy facebook 2015Privacy facebook 2015
Privacy facebook 2015
bueno buono good
 
LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014
bueno buono good
 
Inceneration and health
Inceneration and healthInceneration and health
Inceneration and health
bueno buono good
 
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
bueno buono good
 
Galline libere guida
Galline libere guidaGalline libere guida
Galline libere guida
bueno buono good
 
Water resourcers group
Water resourcers groupWater resourcers group
Water resourcers group
bueno buono good
 
NkpPS
NkpPSNkpPS
NkpPS
bueno buono good
 
Complete patents nikola_tesla
Complete patents nikola_teslaComplete patents nikola_tesla
Complete patents nikola_tesla
bueno buono good
 
Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014
bueno buono good
 
Wikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapterWikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapter
bueno buono good
 
Ttip draft
Ttip draftTtip draft
Ttip draft
bueno buono good
 
2013 cpi brochure_en
2013 cpi brochure_en2013 cpi brochure_en
2013 cpi brochure_en
bueno buono good
 
Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014
bueno buono good
 
Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7
bueno buono good
 
Doc 10502 290_en
Doc 10502 290_enDoc 10502 290_en
Doc 10502 290_en
bueno buono good
 
Sipri yearbook 2013
Sipri yearbook 2013Sipri yearbook 2013
Sipri yearbook 2013
bueno buono good
 
Bohemian grove-members-list 2010
Bohemian grove-members-list 2010Bohemian grove-members-list 2010
Bohemian grove-members-list 2010
bueno buono good
 
Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1
bueno buono good
 
Cremation of care traduzione italiano
Cremation of care traduzione italianoCremation of care traduzione italiano
Cremation of care traduzione italiano
bueno buono good
 

More from bueno buono good (20)

Privacy facebook 2015
Privacy facebook 2015Privacy facebook 2015
Privacy facebook 2015
 
LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014LIBERTÀ STAMPA 2014
LIBERTÀ STAMPA 2014
 
Inceneration and health
Inceneration and healthInceneration and health
Inceneration and health
 
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
Informe del Relator Especial sobre los derechos de los pueblos indígenas, Ja...
 
Galline libere guida
Galline libere guidaGalline libere guida
Galline libere guida
 
Water resourcers group
Water resourcers groupWater resourcers group
Water resourcers group
 
NkpPS
NkpPSNkpPS
NkpPS
 
Tesla confid
Tesla confidTesla confid
Tesla confid
 
Complete patents nikola_tesla
Complete patents nikola_teslaComplete patents nikola_tesla
Complete patents nikola_tesla
 
Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014Global energy transmittion tesla tower 2014
Global energy transmittion tesla tower 2014
 
Wikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapterWikileaks secret-tpp-treaty-ip-chapter
Wikileaks secret-tpp-treaty-ip-chapter
 
Ttip draft
Ttip draftTtip draft
Ttip draft
 
2013 cpi brochure_en
2013 cpi brochure_en2013 cpi brochure_en
2013 cpi brochure_en
 
Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014Farmaci coinvolti traffici_illegali_14.08.2014
Farmaci coinvolti traffici_illegali_14.08.2014
 
Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7Country reports on_terrorism_2013-7
Country reports on_terrorism_2013-7
 
Doc 10502 290_en
Doc 10502 290_enDoc 10502 290_en
Doc 10502 290_en
 
Sipri yearbook 2013
Sipri yearbook 2013Sipri yearbook 2013
Sipri yearbook 2013
 
Bohemian grove-members-list 2010
Bohemian grove-members-list 2010Bohemian grove-members-list 2010
Bohemian grove-members-list 2010
 
Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1Bohemian grove-and-other-retreats1
Bohemian grove-and-other-retreats1
 
Cremation of care traduzione italiano
Cremation of care traduzione italianoCremation of care traduzione italiano
Cremation of care traduzione italiano
 

Recently uploaded

DearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUniDearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUni
katiejasper96
 
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
Ksquare Energy Pvt. Ltd.
 
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
IPLTech Electric
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
GraceKohler1
 
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
Pitch Deck Teardown: Kinnect's $250k Angel deck
Pitch Deck Teardown: Kinnect's $250k Angel deckPitch Deck Teardown: Kinnect's $250k Angel deck
Pitch Deck Teardown: Kinnect's $250k Angel deck
HajeJanKamps
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
valvereliz227
 
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
thesiliconleaders
 
Call8328958814 satta matka Kalyan result satta guessing
Call8328958814 satta matka Kalyan result satta guessingCall8328958814 satta matka Kalyan result satta guessing
Call8328958814 satta matka Kalyan result satta guessing
➑➌➋➑➒➎➑➑➊➍
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
Alexandra Fulford
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
dpbossdpboss69
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
jeffkluth1
 
Profiles of Iconic Fashion Personalities.pdf
Profiles of Iconic Fashion Personalities.pdfProfiles of Iconic Fashion Personalities.pdf
Profiles of Iconic Fashion Personalities.pdf
TTop Threads
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman Numerals Men Rings2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman Numerals Men Rings
aragme
 
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper PresentationKirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip
 
TIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup IndustryTIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup Industry
timesbpobusiness
 
CULR Spring 2024 Journal.pdf testing for duke
CULR Spring 2024 Journal.pdf testing for dukeCULR Spring 2024 Journal.pdf testing for duke
CULR Spring 2024 Journal.pdf testing for duke
ZevinAttisha
 
IMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss guessingIMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss guessing
CALL❾⓿❹⓿❾❻❸❸❺❹ DPBOSS GUESSING FIX PANNA JODI BLAST
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Stone Art Hub
 

Recently uploaded (20)

DearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUniDearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUni
 
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
PM Surya Ghar Muft Bijli Yojana: Online Application, Eligibility, Subsidies &...
 
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
 
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
 
Pitch Deck Teardown: Kinnect's $250k Angel deck
Pitch Deck Teardown: Kinnect's $250k Angel deckPitch Deck Teardown: Kinnect's $250k Angel deck
Pitch Deck Teardown: Kinnect's $250k Angel deck
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
 
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
 
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
 
Call8328958814 satta matka Kalyan result satta guessing
Call8328958814 satta matka Kalyan result satta guessingCall8328958814 satta matka Kalyan result satta guessing
Call8328958814 satta matka Kalyan result satta guessing
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Indian Matka
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
 
Profiles of Iconic Fashion Personalities.pdf
Profiles of Iconic Fashion Personalities.pdfProfiles of Iconic Fashion Personalities.pdf
Profiles of Iconic Fashion Personalities.pdf
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman Numerals Men Rings2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman Numerals Men Rings
 
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper PresentationKirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper Presentation
 
TIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup IndustryTIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup Industry
 
CULR Spring 2024 Journal.pdf testing for duke
CULR Spring 2024 Journal.pdf testing for dukeCULR Spring 2024 Journal.pdf testing for duke
CULR Spring 2024 Journal.pdf testing for duke
 
IMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss guessingIMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss guessing
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
 

Stuxnet

  • 1. Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sep 2010 Operations Manager, Symantec Security Response 1
  • 2. Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpoolerICS vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersions2 Goal C&CEoP Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
  • 3. Agenda 1 60 second Intro to PLCs 2 Programming a PLC 3 How Stuxnet infects 4 What Stuxnet does 5 Demonstration Stuxnet & PLCs 3
  • 4. PLCs Programmable Logic Controller • Monitors Input and Output lines – Sensors on input – switches/equipment on outputs – Many different vendors • Stuxnet seeks specific Models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific type of PLC Searches for a Specific Configuration Stuxnet & PLCs 4
  • 5. Hardware configuration System Data Blocks • Each PLC must be configured before use. • Configuration is stored in System Data Blocks (SDBs) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet & PLCs 5
  • 6. How Stuxnet Infects PLCs Stuxnet – Inside the PLC 6
  • 7. Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet Infecting PLCs 7
  • 8. Stuxnet: Man in the Middle attack on PLCs “Man in the App” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet’s version intercepts reads and writes to the PLC and changes the code at this point. Stuxnet Infecting PLCs 8
  • 9. Stuxnet MC7 Byte code • Stuxnet contains at least 70 binary blobs of data • They are encoded and stored in the fake dll • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Just unsure of real world effects of this code. Presentation Identifier Goes Here 9
  • 10. OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first. • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC. Stuxnet infecting PLCs 10
  • 11. Demo Show Infection of a PLC • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet Demo 11
  • 12. Stuxnet’s PLC code Complex and large amount of code • Demo was just 8 lines of code. • Stuxnet contains hundreds of lines of code • It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs. UC FC 1865; POP ; L DW#16#DEADF007; ==D ; BEC ; L DW#16#0; L DW#16#0; Presentation Identifier Goes Here 12
  • 13. Stuxnet 13
  • 14. Stuxnet 14
  • 15. Targets Stats for Command and Control Servers Stuxnet - Infecting Industrial Control Systems 15
  • 16. Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 16
  • 17. White Paper Available W32.Stuxnet Dossier • Stuxnet Technical Details Available here: • http://www.symantec.com/content/en/us/enterprise/media/se curity_response/whitepapers/w32_stuxnet_dossier.pdf Stuxnet - Infecting Industrial Control Systems 17
  • 18. Thank you! Liam O Murchu - liam_omurchu@symantec.com Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet – Infecting Industrial Control systems 18