I (Nuke) Stuxnet 7
TRANSCRIPT
-
8/4/2019 I (Nuke) Stuxnet 7
1/56
-
DISCLAIMER
I, Gil Megidish, have had absolutely nothing to do with the virus/worm presented here, nor do I know of its origins. Everything in this presentation is purely an analysis of documents written by Wikipedia, Symantec, ESET and professional security advisors.
-
My First Anti-Virus
-
What is Stuxnet ?
The most complicated computer worm ever discovered.
Targets industrial control systems, such as those in gas pipelines or power plants.
An on-going work, dating back to December 2008.
-
Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3
-
Bushehr Nuclear Power Plant
-
Agenda
Introduction to Computer Virii
Stuxnet's timeline
Infection mechanism
Targeted systems
Whodunit ?
-
Computer Virus
Software that replicates itself onto other executable files.
-
Computer Worm
Software that replicates itself onto other computers, usually via exploits.
-
Rootkit
Enables continued access while actively hiding its presence.
-
CVE-2010-0049
Remote exploitation of a memory corruption vulnerability in WebKit; allows an attacker to execute arbitrary code on the victim's machine.
15 Dec 2009: Vendor notified
15 Dec 2009: Vendor replied
11 Mar 2010: Coordinated public disclosure
-
The List Never Ends
Backdoor
Worms
Viruses
Adware
Spyware
Trojan Horse
Rootkit
Botnet
Phishing
XSS
Spoofing
Man in the Middle
D.o.S.
CSRF
-
"Building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months."
Frank Rieger (GSMK)
-
Timeline
2008.11 Trojan.Zlob found to be using LNK vulnerability
2009.04 Hakin9 magazine publishes Printer Spooler vulnerability
2009.06 First variant of Stuxnet found
2010.01 Stuxnet variant found with Realtek certificate
2010.03 Stuxnet variant found using LNK vulnerability
2010.05 Stuxnet first detected, named Rootkit.Tmphider
2010.06 VeriSign revokes Realtek's certificate
2010.06 Stuxnet variant found with JMicron certificate
2010.07 Symantec monitors Stuxnet's C&C traffic
2010.07 VeriSign revokes JMicron's certificate
2010.08 Microsoft patches LNK vulnerability
2010.09 Microsoft patches Printer Spooler vulnerability
-
Exploit #1: LNK Vulnerability (CVE-2010-2568)
Affects Windows 2000, Windows XP, Windows
Server 2003, Windows Vista and Windows 7
-
Exploit #2: Print Spooler Vulnerability (MS10-061)
Affects Windows XP and legacy Lexmark/Compaq
printers.
-
Exploit #3: Windows Server Service (MS08-067)
Affects unpatched operating systems, with
Kernel32.dll earlier than Oct 12, 2008.
-
Metasploit: point. click. root.
-
Rootkitting Windows
-
Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
-
Taiwanese Ninjas?
-
Two More Zero-Day Exploits
-
WinCCConnect : 2WScder Yes!
-
Peer To Peer Upgrades
Infected A <-> Infected B:
Get version number
Request payload
#version#
Current version
-
Command and Control
C&C hosts: todaysfutbol.com, mypremierfutbol.com
Infected PC -> C&C: GET /
C&C -> Infected PC: 200 OK
Infected PC -> C&C: GET index.php?data=[XOR%31]
C&C -> Infected PC: 200 OK: Executable code
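The exchange on this slide is exactly what a network defender can look for: a plain HTTP GET to one of the two named hosts, followed by a GET to index.php with a data= parameter. The script below is an added example, not part of the original slides, that runs that check over a few constructed web-proxy log lines (the log format, the timestamps and the client addresses are all assumptions for the example; only the two domain names and the index.php?data= pattern come from the slide). It also shows why the path pattern alone is a weak indicator: an internal site that happens to use index.php?data= is left alone unless the host is a known C&C domain.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Command-and-control hosts named on the slide.
CNC_DOMAINS = {"todaysfutbol.com", "mypremierfutbol.com"}

# Constructed sample proxy log. Assumed format: timestamp client method url status
SAMPLE_LOG = """\
2010-07-12T09:14:01Z 10.0.5.23 GET http://www.example.org/ 200
2010-07-12T09:14:07Z 10.0.5.23 GET http://mypremierfutbol.com/ 200
2010-07-12T09:14:08Z 10.0.5.23 GET http://mypremierfutbol.com/index.php?data=Zm9vYmFy 200
2010-07-12T09:15:30Z 10.0.5.41 GET http://intranet.example.local/index.php?data=report 200
2010-07-12T09:16:02Z 10.0.5.23 GET http://todaysfutbol.com/index.php?data=YWJj 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(status),
    }


def classify(entry):
    """Return 'beacon', 'cnc-domain' or None for a parsed log entry."""
    host = entry["host"]
    if host.startswith("www."):
        host = host[4:]
    if host not in CNC_DOMAINS:
        # index.php?data=... on its own is far too generic to alert on.
        return None
    if entry["path"] == "/index.php" and "data" in entry["query"]:
        return "beacon"        # the second request in the slide's exchange
    return "cnc-domain"        # the initial GET / or any other contact


def find_cnc_contacts(log_text):
    """Return (timestamp, client, host, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ts"], entry["client"], entry["host"], reason))
    return hits


def clients_with_beacons(log_text):
    """Hosts that completed the full exchange are the ones to pull off the network first."""
    return {client for _, client, _, reason in find_cnc_contacts(log_text) if reason == "beacon"}


if __name__ == "__main__":
    for hit in find_cnc_contacts(SAMPLE_LOG):
        print(hit)
    print("clients to isolate:", clients_with_beacons(SAMPLE_LOG))
```

On the constructed log this flags three lines, all from the same client, and leaves the intranet request alone; in a real deployment the domain set would be loaded from threat-intelligence data rather than hard-coded.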
-
whois mypremierfutbol.com
-
Siemens SIMATIC Step 7
-
Step 7 Editor
Developer Station
WinCC MS-SQL Database
PLC
-
Step7 Interception
s7otbxdx.dll
s7blk_read, s7blk_write
s7_blk_findfirst, s7_blk_delete
All communication is done through the s7otbxdx library.
Developer Station <-> s7otbxdx.dll <-> PLC
-
Step7 Interception
s7otbxsx.dll
s7blk_read, s7blk_write
s7_blk_findfirst, s7_blk_delete
Man in the middle rootkit!
Developer Station <-> s7otbxdx.dll <-> s7otbxsx.dll <-> PLC
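The two diagrams above give a defender a simple host-side check: on a clean Step 7 station only s7otbxdx.dll exists, while on a tampered one the original has been pushed aside as s7otbxsx.dll and the file named s7otbxdx.dll is no longer the vendor's. The script below is an added example, not from the slides or from any Symantec/ESET tool, that looks for both signs in a directory. The Step 7 installation path and the known-good hash are assumptions: the hash must be taken from your own clean installation, and the demo builds throwaway directories with constructed byte strings so it runs anywhere.

```python
import hashlib
import os
import tempfile

HOOKED_LIB = "s7otbxdx.dll"        # library Step 7 loads to talk to the PLC (from the slides)
RENAMED_ORIGINAL = "s7otbxsx.dll"  # name the original ends up with on a tampered station (from the slides)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_step7_dir(directory, known_good_sha256=None):
    """Return a list of findings for one Step 7 library directory.

    known_good_sha256: hash of the vendor's s7otbxdx.dll recorded from a clean
    install (placeholder; the real value has to come from your own golden image).
    """
    findings = []
    names = {n.lower() for n in os.listdir(directory)}
    if RENAMED_ORIGINAL in names:
        findings.append(f"{RENAMED_ORIGINAL} present: the original library may have been renamed")
    if HOOKED_LIB in names and known_good_sha256:
        actual = sha256_of(os.path.join(directory, HOOKED_LIB))
        if actual != known_good_sha256.lower():
            findings.append(f"{HOOKED_LIB} hash {actual[:12]}... does not match the known-good hash")
    return findings


def demo():
    """Constructed: one tampered-looking directory and one clean one; returns both findings lists."""
    clean_bytes = b"vendor s7otbxdx.dll bytes (constructed stand-in)"
    clean_hash = hashlib.sha256(clean_bytes).hexdigest()

    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, RENAMED_ORIGINAL), "wb") as f:
            f.write(clean_bytes)  # original library, pushed aside under the new name
        with open(os.path.join(d, HOOKED_LIB), "wb") as f:
            f.write(b"replacement library bytes (constructed stand-in)")
        tampered = check_step7_dir(d, clean_hash)

    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, HOOKED_LIB), "wb") as f:
            f.write(clean_bytes)
        clean = check_step7_dir(d, clean_hash)

    return tampered, clean


if __name__ == "__main__":
    tampered, clean = demo()
    print("tampered:", *tampered, sep="\n  ")
    print("clean:", clean)
```

The renamed-original check needs no reference data at all, which is why it is worth running even where no golden hash has been recorded; the hash comparison catches a replacement that was dropped in without keeping the original around.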
-
OB1 Main Organization Block
OB35 Watchdog Organization Block
-
What the hell does it do?
-
Vacon NX
-
Vacon NX
-
The End of Stuxnet ?
-
So, whodunit ?
-
The Americans ?
-
The Russians ?
-
The Israelis ?
-
19790509
-
b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
-
Dan Hamizer
-
WE MAY NEVER KNOW
-
"Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code."
The Atlantic
-
I Stuxnet
LESS OF THIS
-
LESS OF THIS
-
AND MORE OF THIS
NONE OF THIS
-
NONE OF THIS
-
AND LOTS OF THIS
-
THANK YOU
-
Links
Symantec's Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
ESET: Stuxnet Under The Microscope: http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Siemens Step 7 Programmer's Handbook: http://www.plcdev.com/book/export/html/373