I Stuxnet or: How I Learned to Stop Worrying and Love The Worm
•Download as PPT, PDF•
0 likes•730 views
Stuxnet is the most complex computer worm ever discovered. It targets industrial control systems and has been infecting systems since 2008. Stuxnet spreads through vulnerabilities in Windows and infects Siemens Step 7 software to sabotage operations at places like nuclear power plants. The worm is very sophisticated with multiple zero-day exploits, driver-level rootkits, and peer-to-peer updates. While its origins remain unknown, it is speculated that the worm was created by a nation state to sabotage Iran's nuclear program through infecting their uranium enrichment centrifuges.
![I Stuxnet or: How I Learned to Stop Worrying and Love The Worm Gil Megidish [email_address]](https://image.slidesharecdn.com/inukestuxnet-final-101123234507-phpapp01-110714191453-phpapp01/85/STUXNET_-1-320.jpg)
![DISCLAIMER ,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
What's hot
What's hot (20)
Similar to I Stuxnet or: How I Learned to Stop Worrying and Love The Worm
Similar to I Stuxnet or: How I Learned to Stop Worrying and Love The Worm (20)
More from bueno buono good
More from bueno buono good (20)
Recently uploaded
Recently uploaded (20)
I Stuxnet or: How I Learned to Stop Worrying and Love The Worm
- 1. I Stuxnet or: How I Learned to Stop Worrying and Love The Worm Gil Megidish [email_address]
- 6. Bushehr Nuclear Power Plant
- 12. The List Never Ends Backdoor Worms Viruses Adware Spyware Trojan Horse Rootkit Botnet Phishing XSS Spoofing Man in the Middle D.o.S. CSRF
- 17. Exploit #2: Print Spooler Vulnerability MS10-061 Affects Windows XP and legacy Lexmark/Compaq printers.
- 18. Exploit #3:Windows Server Service MS08-067 Affects unpatched operating systems, with Kernel32.dll earlier than Oct 12, 2008.
- 19. Metasploit: point. click. root.
- 25. Two More Zero-Day Exploits
- 26. WinCCConnect : 2WSXcder … Yes!
- 27. Peer To Peer Upgrades Get version number Request payload #version# Current version Infected A Infected B
- 28. Command and Control todaysfutbol.com mypremierfutbol.com GET / 200 OK GET index.php?data=[XOR%31] 200 OK: Executable code Infected PC
- 31. Siemens SIMATIC Step 7
- 32. Step 7 Editor Developer Station WinCC MS-SQL Database PLC
- 33. Step7 Interception s7otbxdx.dll s7blk_read s7blk_write s7_blk_findfirst s7_blk_delete All communication done through s7otbxdx library Developer Station PLC
- 34. Step7 Interception s7otbxsx.dll s7blk_read s7blk_write s7_blk_findfirst s7_blk_delete Man in the middle rootkit! Developer Station PLC s7otbxdx.dll
- 35. OB1 Main Organization Block OB35 Watchdog Organization Block
- 36. What the hell does it do?
- 37. Vacon NX
- 38. Vacon NX
- 39. The End of Stuxnet ?
- 40. v So, whodunit ?
- 41. The Americans ?
- 42. The Russians ?
- 43. The Israelis ?
- 44. 19790509
- 46. Dan Hamizer
- 48. WE MAY NEVER KNOW
- 50. I Stuxnet
- 51. LESS OF THIS
- 52. AND MORE OF THIS
- 53. NONE OF THIS
- 54. AND LOTS OF THIS
- 55. THANK YOU
Editor's Notes
- I wrote my first virus in 1996 or 1997 Fixed Burgler & Major BBS viruses Why did I do it?
- Most complicated worm ever. Targets SCADA (Supervisory Control and Data Acquision) systems used in gas pipelines and power plants DNS entries date back to dec 2008. Can't tell when development has really started. Discovered in May 2010.
- Worm attacked many computers. More than 100,000 hosts with 40,000 unique ips, over 155 countries. High percentage (over 60% of total) were from Iran. But clearly, Indian and Indonesia.
- Started in 1974 with help of German’s Siemens and French scientists. Started operating in 2010 with arrival of Russian nuclear fuel
- Term invented by Fred Cohen (California) First virus for pc: ©brain by Farooq Alvi brothers in 1986 (Pakistan) First virus for exe: Jerusalem 1987. Attacks on Friday the 13th. Viruses’ names are made up by the finders, not the writers Mention: ping pong, stoned Eliashim ViruSafe, Central Point Turbo Anti Virus, many others Viruses can be written in Word Macros (so they infect Macs as well).
- Worms can be good: Xerox PARC’s Nachi worms Mentions: ILOVEYOU (Outlook, $5 billion damages), Samy Worm (1,000,000 MySpace accounts in 20 hours)
- Rootkits Story about hacked server in India Unix rootkitting as easy as Windows rootkitting
- Common Vulnerabilities and Exposures (CVE) This specific CVE describes attack on ALL iPhones, iPads and Macs 4000 CVE updates a year; recently Backdoor.Pirpi uses CVE-2010-3962
- Virus, Rookitting, Backdoor, Cross Site Request Forgery, Adware, Worms, Trojan Horse, Spyware, Denial of Service, Cross Site Scripting, Spoofing, Man in the Middle, Botnet, Phishing
- Running stuxnet will copy itself to any REMOVABLE device through hooks in filesystem. It will also hide LNK files that are 4171 bytes long, and ~WTR[a+b+c+d mod 10==0] files
- Was released in Hakin9 magazine in April, 2009. Any Windows XP host sharing a printer is vulnerable. Newer operating systems (Visa, 2003, 2008 and Win7) are vulnerable if a legacy Lexmark or Compaq printers are shared. Specially crafted print requests will store a file in %system32%
- 2 years old exploit. Why would they put in the explot if it’s no use after oct 12? Maybe because they know there are old unpatched OSes? Maybe it’s an old code Inside the worm? Specially crafted
- How do you steal certificates? These places are very close to each other physically? Can somebody have broken into both? Maybe they share the same cleaning company? An early version of stuxnet? Code outsourced to India?
- Periodically executed OB35 runs every 100ms to check for critical values
- Vacon NX (Finland) and Fararo Paya (Iran) Variable speed AC drives (frequency converter) Rotate stuff at high speeds. Speeds above 800hz need authorization of USA Nuclear Virus expects drivers at 807hz-1210hz Then changes speeds to 1410hz, then 2hz, and then 1064hz. Vacon denies any relationship with Iran
- Nov 12, Siemens releases an anti virus No fix for SQL Microsoft releases fixes throughout October Still 2 escalation bugs exist Nobody will give up on this baby Iranians don’t cooperate anyway
- The Germans, the french, al qaeda, aliens, even references to the bible.
- USA has both the motives and the means to pull this kind of thing. 2 years-old exploits, known by microsoft, never patched. Moreover, Microsoft released a huge patch update, but neglects Printer Spooler (fixes 7 days later) GoDaddy accounts, domainsbyproxy, there’s a VISA at the end of the chain! An attack against Siemens instead?
- Subcontractors of the Iranians. Have full access to facilities, and the only party that can initiate the attack via usb drive. Conficker (Ukranian?), similar virus, 7 million affected machines – botnet.
- Really need this, and capable of doing it. (8200) COMPLETE silence in the media (censorship?) Rosh Agaf Modyin Amos Yadlin said 2009
- Jewish businessman Habib Elghanian executed by a firing squad in Tehran
- Myrtus, Guava, Hadasah -> Ester, Persians -> Iranians My RTUs => SCADA (Supervisory Control and Data Acquision), RTU => Remote Terminal Unit (converts signals to/from digital) B: drive? Redundancy in code (2 privileges bugs, 2 ssl certificates, 2 exploits)
- How come so many countries were infected? Why did it spread beyond Iran? In code it’s supposed to limit itself to 3 computers, why did it spread so much? Why does it stop working on July 24 2012? What’s on that date??
- Brian Tillett of Symantec claims for traces of 30 or more programmers in stuxnet
- Could have blown up the world, but done very carefully Has been around in the works for at least 2 years Uses 4 Zero-day exploits Upgrades itself via peer-to-peer communications Has a command and control server Self replicating through WinCC sql server Uses 2 stolen signed driver certificates Fingerprints industrial control systems and only affects specific components Detects and fools over 10 different versions of anti virus software Hacks PLC devices Has a Windows root kit, and a PLC rootkit Has a code base that is larger than kernel32.dll zipped! SUPPORTS OPERATING SYSTEMS FROM WINDOWS 98 TO WINDOWS 7 AND IS BUG FREE