Stuxnet – Getting to the target - PowerPoint PPT Presentation

Presentation Transcript

Stuxnet – Getting to the target

Liam O Murchu

Feb 2011

Operations Manager, Symantec Security Response

Agenda

  1. Stuxnet Capabilities
  2. Network Distribution Tactics
  3. Intel & Targets
  4. Sophistication & Success
  5. Solutions & Lessons Learned

Stuxnet Features
  • Discovered and disclosed in July 2010
  • Attacks industrial control systems, most likely an Iranian uranium enrichment facility
  • Modifies and hides code on Siemens PLCs connected to frequency converters
  • Contains 7 propagation methods, 4 zero-day exploits, 1 known exploit, 3 rootkits, 2 unauthorized (stolen) certificates, 2 Siemens security issues and 1 target
  • 3 versions: June 2009, March 2010, April 2010

Stuxnet - Sabotaging Industrial Control Systems

Stuxnet is targeted

Iranian Target

PLCs

Programmable Logic Controller

  • Monitors input and output lines
    • Sensors on the inputs
    • Switches/equipment on the outputs
    • Many different vendors
  • Stuxnet seeks specific models
    • S7-300, S7-400
  • Stuxnet is targeted
    • Targets a specific type of PLC
    • Searches for a specific configuration

Stuxnet & PLCs

Programming a PLC

Step7, STL and MC7

  • SIMATIC Step 7 software
    • Used to write code in STL or other languages
  • STL code is compiled to MC7 byte code
  • MC7 byte code is transferred to the PLC
  • The control PC can then be disconnected; the PLC keeps running the code

Stuxnet Infecting PLCs

Attack Preparation

Diagram: Stuxnet Creator, Control PC, Uranium Enrichment Facility, PLC

Attack Considerations

Diagram: Internet etc., Corporate LAN, Air Gap

How Stuxnet Attacks Corporations

Stuxnet uses 7 different methods to propagate:

  • USB drives – zero day (the .lnk vulnerability)
  • Print Spooler vulnerability – zero day
  • MS08-067 vulnerability (known exploit)
  • Network shares
  • P2P sharing between infected machines
  • WinCC hard-coded password
  • Step 7 project files

Diagram: Control PC

Self-Replication: Step 7 Project Files

Infected project layout (files added by Stuxnet are annotated):

  MyProject.s7p
  ApiLog\
    types
  hOmSave7\
    S7HK40AX\
      s7hkimdb.dll          (Stuxnet-modified copy)
    S7HK41AX\
      s7hkimdb.dll          (Stuxnet-modified copy, one per hOmSave7 subdirectory)
  xutils\
    links\
      s7p00001.dbf          (Stuxnet data file)
    listen\
      xr000000.mdx          (encrypted Stuxnet)
      s7000001.mdx          (Stuxnet config data file)

types file layout:

  +00 WORD   count
  +02 BYTE[] records

  DB 14 14 00 00 00 00 00 00 00 00 00

Locations searched for s7hkimdb.dll:

  • %Step7%\S7BIN
  • %SYSTEM32%
  • %SYSTEM%
  • %WINDIR%
  • the project's hOmSave7\* subdirectories
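As an added example (this is not code from the slides or from Symantec), the following Python script scans a Step 7 project directory for the artifacts listed above and reports any s7hkimdb.dll shipped inside the project's hOmSave7 subdirectories. It assumes the file placement shown on the slide (s7p00001.dbf under xutils\links, xr000000.mdx and s7000001.mdx under xutils\listen) and matches names case-insensitively; the sample projects it builds are constructed in a temporary directory for the demonstration and are not real Step 7 projects.

```python
"""
Added example, not from the slides or from Symantec: scan a Step 7
project directory for the file-level artifacts the slide lists for a
Stuxnet-infected project.  The split of the three xutils files between
the links/ and listen/ subdirectories and the case-insensitive matching
are assumptions made here.  make_sample_project() writes constructed
dummy trees for the demo only.
"""
import tempfile
from pathlib import Path

# Fixed-path indicators (slide annotations), relative to the project root.
FIXED_INDICATORS = {
    "xutils/links/s7p00001.dbf": "Stuxnet data file",
    "xutils/listen/xr000000.mdx": "encrypted Stuxnet",
    "xutils/listen/s7000001.mdx": "Stuxnet config data file",
}

# DLL name Stuxnet plants in the project's hOmSave7\* subdirectories, the
# last location in the lookup order the slide lists for this DLL.
PLANTED_DLL = "s7hkimdb.dll"


def _find_ci(base, parts):
    """Descend from base through parts, matching each name without regard
    to case (projects live on Windows filesystems).  None if any step is
    missing."""
    cur = Path(base)
    for part in parts:
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir()
                    if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def scan_step7_project(root):
    """Return [(relative_path, description)] for each indicator found."""
    findings = []
    for rel, desc in FIXED_INDICATORS.items():
        if _find_ci(root, rel.split("/")) is not None:
            findings.append((rel, desc))
    homsave = _find_ci(root, ["hOmSave7"])
    if homsave is not None and homsave.is_dir():
        # A DLL in here is loaded from the project itself; treat any copy as suspect.
        for sub in sorted(p for p in homsave.iterdir() if p.is_dir()):
            if _find_ci(sub, [PLANTED_DLL]) is not None:
                findings.append((f"hOmSave7/{sub.name}/{PLANTED_DLL}",
                                 "s7hkimdb.dll copy shipped inside the project"))
    return findings


def make_sample_project(base, infected):
    """Constructed sample: an ordinary-looking project tree, optionally with
    the Stuxnet artifacts from the slide added.  File contents are dummies."""
    root = Path(base)
    for d in ("ApiLog", "hOmSave7/S7HK40AX", "hOmSave7/S7HK41AX",
              "xutils/links", "xutils/listen"):
        root.joinpath(*d.split("/")).mkdir(parents=True, exist_ok=True)
    (root / "MyProject.s7p").write_bytes(b"")
    (root / "ApiLog" / "types").write_bytes(b"\x00\x00")  # WORD count = 0
    if infected:
        for rel in FIXED_INDICATORS:
            root.joinpath(*rel.split("/")).write_bytes(b"\x00")
        for sub in ("S7HK40AX", "S7HK41AX"):
            (root / "hOmSave7" / sub / PLANTED_DLL).write_bytes(b"MZ")
    return root


def demo():
    """Scan a clean and an infected constructed project; return both lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_sample_project(Path(tmp) / "clean", infected=False)
        bad = make_sample_project(Path(tmp) / "bad", infected=True)
        return scan_step7_project(clean), scan_step7_project(bad)


if __name__ == "__main__":
    clean_hits, bad_hits = demo()
    print("clean project:", clean_hits)
    for rel, desc in bad_hits:
        print(f"{rel:34s} {desc}")
```

Pointing scan_step7_project() at a real project directory (the folder containing the .s7p file) lists every indicator present; an empty list means none of the slide's artifacts were found, not that the project is clean by other measures.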

Stuxnet Windows Rootkit

Attack Execution

  1. Initial Delivery (Internet etc.)
  2. Network Exploits (Corporate LAN)
  3. Reporting & Updates
  4. Bridge the Air Gap
  5. Deliver Payload

Delivering the threat
  • Stuxnet targeted specific companies in Iran
  • Only 10 initial targets
  • Resulting in over 14k infections
  • Research was needed to identify valuable targets
    • Companies connected to uranium enrichment
    • Hope to infect someone who would visit a uranium enrichment facility
    • Someone who worked on uranium enrichment projects
  • The actual delivery method is unknown

Limited Spread
  • The attackers wanted limited spread
  • No Internet-capable exploits were used
  • The USB exploit only infects 3 machines
  • The USB exploit has a deadline of 21 days
  • All exploits have a deadline
  • Large configuration file with ~430 different settings
  • So why did it spread so far?

Why did it spread so far?
  • The .lnk zero-day vulnerability was wildly successful
  • Step 7 project infection was very successful
  • Misunderstanding of how contractors interact
  • Misunderstanding of how connected companies are
  • Intended?
  • Did it need to be more aggressive to succeed?

Was Stuxnet Successful
  • We don't know.
  • 1 year in the wild undiscovered
  • Over 100k infections, the majority in Iran
  • Natanz shut down
  • Industrial companies infected
  • Reports of infections at Natanz and Bushehr
  • IAEA report states 1000 centrifuges went offline in Nov 2009

Was Stuxnet Successful
  • We don't know.
  • Discovered 3 months after the USB zero day was added
  • No report of centrifuges out of action since March
  • Gained high media attention
  • Analysis performed
  • Iranian authorities aware

Sophistication
  • First threat to target hardware
  • Targets uranium enrichment
  • Large amount of code
  • Very configurable
  • 4 zero days
  • Long reconnaissance phase
  • Needed hardware for testing
  • Targets Windows 95/98, Win2k, WinXP, Vista, Win7…
  • 3 rootkits
  • PLC programming knowledge

Sophistication
  • It was discovered
  • No advanced encryption
  • C&C infrastructure easily taken down
  • Infection information stored on the infected machine
  • Blue screens?? (unconfirmed)
  • P2P not protected
  • Escaped outside of Iran

New Version
  • Not simple to create a new version
  • Cannot just drop in new zero days
  • Target-specific information required
  • PLC programming knowledge required
  • Exploit knowledge required
  • The real danger is the idea
    • Now people know it can be done
    • People can start their own projects knowing it is possible

Solutions & lessons learned
  • Insider threat is significant – employees are a major risk
  • IP is extremely valuable, protect it at all costs
  • Monitor systems and networks
  • Watch for red flags
  • Implement real air gaps
    • Or accept this is not possible and protect computers inside the air gap more vigorously
  • Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat
  • Device blocking – USBs, contractor laptops, etc.
  • Vigilance is key

Response
  • Need dedicated resources in place in advance that can switch focus to a new threat quickly
  • Need engineers who are familiar with the latest developments in the threat landscape
  • Need to respond quickly – critical infrastructure may be at risk
  • Private-public partnership will be important
  • Growing market
  • We will see more of these types of threats in the future and need to prepare for that

Summary
  • Stuxnet is the first publicly known malware intended to cause real-world damage
  • Required resources at the level of a nation-state
  • While extremely sophisticated as a whole, the technique used to inject code into PLCs is not
  • Enterprises should assume attackers know how these systems work
  • Has changed our job at Symantec
  • We expect to see more of these threats

White Paper Available

W32.Stuxnet Dossier

  • Stuxnet technical details available here: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Liam O Murchu - [email protected]
