cse443-lecture-22-stuxnet

Real world example: Stuxnet Worm

Stuxnet: Overview
- June 2010: a worm targeting the Siemens WinCC industrial control system.
- Targets high-speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran).
- Only when the controllers are running at 807 Hz to 1210 Hz. Makes the frequency of those controllers vary from 1410 Hz to 2 Hz to 1064 Hz.
- http://en.wikipedia.org/wiki/Stuxnet

Stuxnet Infection Statistics
- Infected hosts (chart), 29 September 2010, from Symantec.

Industrial Control Systems (ICS)
- ICS are operated by specialized assembly-like code on programmable logic controllers (PLCs).
- The PLCs are typically programmed from Windows computers.
- The ICS are not connected to the Internet.
- ICS usually consider availability and ease of maintenance first and security last.
- ICS consider the "air gap" as sufficient security.

Siemens SIMATIC PLCs

Nuclear Centrifuge Technology
- Uranium-235 separation efficiency is critically dependent on the centrifuges' speed of rotation.
- Separation is theoretically proportional to the peripheral speed raised to the 4th power, so any increase in peripheral speed is helpful.
- That implies you need strong tubes, but brute strength isn't enough: centrifuge designs also run into problems with "shaking" as they pass through naturally resonant frequencies.
- "Shaking" at high speed can cause catastrophic failures to occur.
- www.fas.org/programs/ssp/nukes/fuelcycle/centrifuges/engineering.html

Conceptually Understanding "Shaking"
- Video: http://www.youtube.com/watch?v=LV_UuzEznHs

Some Notes About That Video
- The natural resonant frequency for a given element is not always the "highest" speed; the "magic" frequency depends on a variety of factors, including the length of the vibrating element and the stiffness of its material.
- While the tallest (rightmost) model exhibited resonant vibration first, the magnitude of its vibration didn't necessarily continue to increase as the frequency was dialed up further. There was a particular value at which the vibration induced in each of the models was at its most extreme.
- Speculation: could the frequency values used by Stuxnet have been selected to particularly target a specific family of Iranian centrifuges?
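The overview slide gives a concrete, process-level signature: legitimate operation between 807 Hz and 1210 Hz, sabotage values of 1410 Hz and 2 Hz. Since the later slides note that Stuxnet hid its modifications from the operator, one defensive check is a monitor that reads drive frequency through a path the PLC does not control. The following Python is an added example written for this page, not code from the lecture; the ramp limit, the HMI-versus-sensor tolerance, and the sample telemetry are constructed for illustration and are not figures from the slides.

```python
"""Out-of-band monitor for variable-frequency-drive setpoints.

Added example (not from the lecture slides). It assumes the operator can read
the commanded or measured drive frequency through a path the PLC does not
control, so a compromised PLC that hides its own modifications cannot also
hide the physical effect. The legitimate band (807 Hz to 1210 Hz) is the one
the slides give; MAX_STEP_HZ and TOLERANCE_HZ are assumed values chosen for
illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

LEGIT_BAND_HZ: Tuple[float, float] = (807.0, 1210.0)  # from the slides
MAX_STEP_HZ = 50.0      # assumed: largest plausible change between two samples
TOLERANCE_HZ = 5.0      # assumed: allowed HMI-vs-sensor disagreement


@dataclass(frozen=True)
class Alert:
    index: int
    hz: float
    reason: str


def check_setpoints(samples: Iterable[float],
                    band: Tuple[float, float] = LEGIT_BAND_HZ,
                    max_step: float = MAX_STEP_HZ) -> List[Alert]:
    """Flag samples outside the legitimate band and implausibly fast changes.

    The slides' sabotage values (1410 Hz, 2 Hz) fail the band check, and the
    jumps between them fail the ramp check even where a value lands back
    inside the band (1064 Hz right after 2 Hz).
    """
    alerts: List[Alert] = []
    lo, hi = band
    prev = None
    for i, hz in enumerate(samples):
        if not lo <= hz <= hi:
            alerts.append(Alert(i, hz, "outside legitimate band"))
        if prev is not None and abs(hz - prev) > max_step:
            alerts.append(Alert(i, hz, f"step of {hz - prev:+.0f} Hz exceeds ramp limit"))
        prev = hz
    return alerts


def hmi_sensor_mismatches(pairs: Sequence[Tuple[float, float]],
                          tolerance: float = TOLERANCE_HZ) -> List[int]:
    """Indices where the value shown to the operator (HMI) disagrees with an
    independent measurement by more than `tolerance`.

    A PLC that reports normal values while driving the motors abnormally
    shows up here; the independent sensor is assumed to exist.
    """
    return [i for i, (hmi, sensor) in enumerate(pairs)
            if abs(hmi - sensor) > tolerance]


# Constructed sample telemetry: steady operation near 1064 Hz, then the three
# values the slides attribute to Stuxnet (1410 Hz, 2 Hz, back to 1064 Hz).
SAMPLE_TELEMETRY = [1064.0, 1064.0, 1065.0, 1410.0, 1410.0, 2.0, 1064.0]

# Constructed HMI/sensor pairs: the HMI keeps showing 1064 Hz throughout.
SAMPLE_PAIRS = [(1064.0, hz) for hz in SAMPLE_TELEMETRY]


if __name__ == "__main__":
    for a in check_setpoints(SAMPLE_TELEMETRY):
        print(f"sample {a.index}: {a.hz:.0f} Hz: {a.reason}")
    print("HMI/sensor mismatches at samples:", hmi_sensor_mismatches(SAMPLE_PAIRS))
```

On the constructed telemetry the band check fires on samples 3, 4 and 5, the ramp check on samples 3, 5 and 6, and the HMI comparison on samples 3 to 5; the point of the two independent checks is that a return to an in-band value (sample 6) is still caught by the ramp limit, and a faked operator display is still caught by the sensor comparison.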
- The Iranians have admitted that *something* happened as a result of the malware.

Stuxnet and Centrifuge Problems

Achieving A Persistent Impact
- But why would Stuxnet want to make the centrifuges shake destructively? Wasn't infecting their systems disruptive enough in and of itself? No.
- If you only cause problems in the cyber sphere, it is, at least conceptually, possible to "wipe and reload", thereby fixing both the infected control systems and the modified programmable motor controllers at the targeted facility. Software-only, cyber-only impacts are seldom "long term" or "persistent" in nature.
- However, if the cyber attack is able to cause physical damage, such as causing thousands of centrifuges to shake themselves to pieces, or a generator to self-destruct, that would take far longer to remediate.

A Dept. Homeland Security Video, 2007
- http://www.youtube.com/watch?v=fJyWngDco3g

Another Key Point: Avoiding Blowback
- Why would a nation-state adversary release such a narrowly targeted piece of malware? Blowback.
- "Blowback" is a term borrowed from chemical warfare: an unexpected change in wind patterns can send an airborne chemical weapon drifting away from its intended enemy target and back toward friendly troops.
- While most of the Stuxnet infections took place in Iran, some infections did happen in other countries, including the U.S.
- Prudent "cyber warriors" might take all possible steps to ensure that if Stuxnet did "get away from them," it wouldn't wreak havoc on friendly or neutral targets.
- So now you know why Stuxnet appears to have been so narrowly tailored.
Timeline
- 2009 June: earliest Stuxnet seen.
  - Does not have signed drivers.
- 2010 Jan: Stuxnet driver signed.
  - With a valid certificate belonging to Realtek Semiconductors.
  - Verisign revokes the Realtek certificate.
- 2010 June: VirusBlokAda reports W32.Stuxnet.
- 2010 July: antivirus vendor Eset identifies a new Stuxnet driver.
  - With a valid certificate belonging to JMicron Technology Corp.
  - Verisign revokes the JMicron certificate.
- 2010 July: Siemens report they are investigating malware in SCADA systems.

Stuxnet: Tech Overview
- Components used:
  - Zero-day exploits
  - Windows rootkit
  - PLC rootkit (first ever)
  - Antivirus evasion
  - Peer-to-peer updates
  - Signed driver with a valid certificate
  - Command and control interface
- Stuxnet consists of a large .dll file.
- Designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 systems.

Possible Attack Scenario (Conjecture)
- Reconnaissance
  - Each PLC is configured in a unique manner.
  - The targeted ICS's schematics are needed.
    - Design docs stolen by an insider?
    - Retrieved by an early version of Stuxnet.
  - Stuxnet was developed with the goal of sabotaging a specific set of ICS.
- Development
  - A mirrored development environment is needed: ICS hardware, PLC modules, PLC development software.
  - Estimation: 6+ man-years by an experienced and well-funded development team.

Attack Scenario (2)
- The malicious binaries need to be signed to avoid suspicion.
- Two digital certificates were compromised.
- High probability that the digital certificates/keys were stolen from the companies' premises.
- Realtek and JMicron are in close proximity.
Initial Infection
- Stuxnet needed to be introduced to the targeted environment.
- Delivery method:
  - Insider
  - Third party, such as a contractor
  - USB drive
  - Windows maintenance laptop
  - Targeted email attack

Attack Scenario (3): Infection Spread
- Look for the Windows computers that program the PLCs.
- The Field PGs are typically not networked.
- Spread the infection on computers on the local LAN:
  - Zero-day vulnerabilities
  - Two-year-old vulnerability
- Spread to all available USB drives.
- When a USB drive is connected to the Field PG, the infection jumps to the Field PG.
- The "air gap" is thus breached.

Attack Scenario (4): Target Infection
- Look for a specific PLC running the Step 7 operating system.
- Change PLC code: sabotage the system, hide the modifications.
- Command and control may not be possible, due to the "air gap"; the functionality is already embedded.

Stuxnet Architecture: 32 Exports
1. Infect connected removable drives, starts remote procedure call (RPC) server
2. Hooks APIs for Step 7 project file infections
3. ?
4. Calls the removal routine (export 18)
5. Verifies if the threat is installed correctly
6. Verifies version information
7. Calls Export 6
8. ?
9. Updates itself from infected Step 7 projects
10. Updates itself from infected Step 7 projects
11. ?
12. ?
13. ?
14. Step 7 project file infection routine
15. Initial entry point
16. Main installation
17. Replaces Step 7 DLL
18. Uninstalls Stuxnet
19. Infects removable drives
20. ?
21. ?
22. Network propagation routines
23. ?
24. Check Internet connection
25. ?
26. ?
27. RPC Server
28. Command and control routine
29. Command and control routine
30. ?
31. Updates itself from infected Step 7 projects
32. Same as 1

Stuxnet Architecture: 15 Resources
     RID  Function
1.   201  MrxNet.sys load driver, signed by Realtek
2.   202  DLL for Step 7 infections
3.   203  CAB file for WinCC infections
4.   205  Data file for Resource 201
5.   207  Autorun version of Stuxnet
6.   208  Step 7 replacement DLL
7.   209  Data file (%windows%\help\winmic.js)
8.   210  Template PE file used for injection
9.   221  Exploits MS08-067 to spread via SMB
10.  222  Exploits MS10-061 Print Spooler vulnerability
11.  231  Internet connection check
12.  240  LNK template file used to build the LNK exploit
13.  241  USB loader DLL, ~WTR4141.tmp
14.  242  MRxnet.sys rootkit driver
15.  250  Exploits undisclosed win32k.sys vulnerability

Bypassing Intrusion Detection
- Stuxnet calls LoadLibrary with a specially crafted file name that does not exist, which causes LoadLibrary to fail.
- However, W32.Stuxnet has hooked Ntdll.dll to monitor specially crafted file names.
- These names are mapped to a location specified by W32.Stuxnet, where a .dll file was stored by Stuxnet previously.

Code Injection
- Stuxnet used trusted Windows processes or security products:
  - Lsass.exe
  - Winlogon.exe
  - Svchost.exe
  - Kaspersky KAV (avp.exe)
  - McAfee (Mcshield.exe)
  - AntiVir (avguard.exe)
  - BitDefender (bdagent.exe)
  - eTrust (UmxCfg.exe)
  - F-Secure (fsdfwd.exe)
  - Symantec (rtvscan.exe)
  - Symantec Common Client (ccSvcHst.exe)
  - Eset NOD32 (ekrn.exe)
  - Trend PC-cillin (tmpproxy.exe)
- Stuxnet detects the version of the security product and, based on the version number, adapts its injection process.

Configuration
- Stuxnet collects and stores the following information:
  - Major OS version and minor OS version
  - Flags used by Stuxnet
  - Flag specifying if the computer is part of a workgroup or domain
  - Time of infection
  - IP address of the compromised computer
  - File name of the infected project file

Installation: Control Flow (flow diagram)

Installation: Infection Routine Flow (flow diagram)

Command & Control
- Stuxnet tests if it can connect to www.windowsupdate.com and www.msn.com on port 80.
- Contacts the command and control server: www.mypremierfutbol.com, www.todaysfutbol.com.
- The two URLs above previously pointed to servers in Malaysia and Denmark.
- Sends info about the compromised computer.

Command & Control (2): payload
Part 1
  0x00  byte    1, fixed value
  0x01  byte    from Configuration Data
  0x02  byte    OS major version
  0x03  byte    OS minor version
  0x04  byte    OS service pack major version
  0x05  byte    size of part 1 of payload
  0x06  byte    unused, 0
  0x07  byte    unused, 0
  0x08  dword   from C. Data
  0x0C  word    unknown
  0x0E  word    OS suite mask
  0x10  byte    unused, 0
  0x11  byte    flags
  0x12  string  computer name, null terminated
  0xXX  string  domain name, null terminated
Part 2
  0x00  dword   IP address of interface 1, if any
  0x04  dword   IP address of interface 2, if any
  0x08  dword   IP address of interface 3, if any
  0x0C  dword   from Configuration Data
  0x10  byte    unused
  0x11  string  copy of S7P string from C. Data (418h)

Windows Rootkit Functionality
- Stuxnet extracts Resource 201 as MrxNet.sys.
- Registered as a service:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath"="%System%\drivers\mrxnet.sys"
- Digitally signed with a legitimate Realtek digital certificate.
- The driver then hides files that:
  - have the ".LNK" extension;
  - are named "~WTR[four numbers].TMP", with size between 4 KB and 8 MB, where the sum of the four numbers modulo 10 is 0.
- Examples:
  "Copy of Copy of Copy of Copy of Shortcut to.lnk"
  "Copy of Shortcut to.lnk"
  "~wtr4141.tmp"

Propagation Methods: Network
- Peer-to-peer communication and updates
- Infecting WinCC machines via a hardcoded database server password
- Network shares
- MS10-061 Print Spooler zero-day vulnerability
- MS08-067 Windows Server Service vulnerability

Propagation Methods: USB
- LNK vulnerability (CVE-2010-2568)
- AutoRun.inf

Modifying PLCs
- The end goal of Stuxnet is to infect specific types of PLC devices.
- PLC devices are loaded with blocks of code and data written in STL; the compiled code is in an assembly called MC7.
- The original s7otbxdx.dll is responsible for handling PLC block exchange between the programming device and the PLC.
- By replacing this .dll file with its own, Stuxnet is able to perform the following actions:
  - Monitor PLC blocks being written to and read from the PLC.
  - Infect a PLC by inserting its own blocks.
- These blocks are then run by the PLC, in order to execute, control, and monitor an industrial process.

Modifying PLCs (diagram)

What was the target?
- 60% of infections in Iran
- Bushehr Nuclear Plant in Iran
- No other commercial gain
- Stuxnet self-destruct date
- Siemens-specific PLCs

Who did it?
- Israel? 19790509: a "safe" code that prevents infection. Where is this code already coded in the ICS?
- USA? Russia? UK? China?
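Two of the artifacts on these slides are concrete enough to decode mechanically: the beacon layout under "Command & Control (2)" and the file-hiding rule of the MRxNet.sys driver. The following Python is an added example written for this page, not code from the lecture or from the Symantec dossier. It decodes a constructed beacon and checks a constructed directory listing against the hiding rule; both are meant to run on data taken from a trusted vantage point (a packet capture, or removable media mounted on a clean analysis host), because on an infected host the rootkit makes the files invisible. The field names, the sample host values, and the byte order used to render the IP-address dwords are assumptions.

```python
"""Triage helpers for two artifact formats described on the slides.

Added example (not the lecture's or Symantec's code). The beacon layout follows
the offsets listed under "Command & Control (2)"; the hiding rule follows the
"Windows Rootkit Functionality" slide. Sample data is constructed; the byte
order used to print the IP-address dwords is an assumption.
"""
import re
import struct
from typing import Any, Dict, List, Tuple

PART1_FIXED = struct.Struct("<8BIHHBB")   # fixed fields at 0x00-0x11 of part 1


def _cstring(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a NUL-terminated ASCII string at `off`; return (text, next offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", errors="replace"), end + 1


def parse_cc_payload(buf: bytes) -> Dict[str, Any]:
    """Decode part 1 and part 2 of a beacon laid out as on the slides."""
    if len(buf) < PART1_FIXED.size or buf[0] != 1:
        raise ValueError("not a beacon: too short or fixed byte at 0x00 is not 1")
    (_fixed, cfg_byte, os_major, os_minor, sp_major, part1_size, _u6, _u7,
     cfg_dword, _unknown_word, suite_mask, _u10, flags) = PART1_FIXED.unpack_from(buf, 0)
    computer, off = _cstring(buf, PART1_FIXED.size)      # 0x12, NUL-terminated
    domain, off = _cstring(buf, off)                     # 0xXX, NUL-terminated
    if off != part1_size:                                # 0x05 must match what we walked
        raise ValueError(f"part 1 size field {part1_size} != decoded length {off}")
    part2 = buf[part1_size:]
    if len(part2) < 0x12:
        raise ValueError("part 2 truncated")
    interfaces: List[str] = []
    for k in range(3):                                   # dwords at 0x00, 0x04, 0x08
        raw = part2[4 * k:4 * k + 4]
        if any(raw):                                     # "if any": all-zero means absent
            interfaces.append(".".join(str(b) for b in raw))  # assumed byte order
    (cfg_dword2,) = struct.unpack_from("<I", part2, 0x0C)
    s7p, _ = _cstring(part2, 0x11)                       # 0x10 is an unused byte
    return {
        "os_version": f"{os_major}.{os_minor}", "service_pack": sp_major,
        "config_byte": cfg_byte, "config_dword": cfg_dword,
        "suite_mask": suite_mask, "flags": flags,
        "computer_name": computer, "domain": domain, "interfaces": interfaces,
        "config_dword_part2": cfg_dword2, "s7p": s7p,
    }


def build_sample_beacon() -> bytes:
    """Constructed sample: an OS 5.1 SP3 host named FIELD-PG-01 in WORKGROUP."""
    computer, domain = b"FIELD-PG-01\x00", b"WORKGROUP\x00"
    part1_size = PART1_FIXED.size + len(computer) + len(domain)
    part1 = PART1_FIXED.pack(1, 0x2A, 5, 1, 3, part1_size, 0, 0,
                             0xDEADBEEF, 0, 0x0100, 0, 0x01) + computer + domain
    part2 = (bytes([10, 0, 0, 5]) + bytes(8)             # one interface, two absent
             + struct.pack("<I", 0x1234) + b"\x00" + b"S7P-sample\x00")
    return part1 + part2


HIDDEN_TMP = re.compile(r"^~WTR(\d{4})\.TMP$", re.IGNORECASE)


def matches_rootkit_hiding_rule(name: str, size: int) -> bool:
    """True for files MRxNet.sys would hide, per the slides: any .LNK file, or
    ~WTR<four digits>.TMP of 4 KB to 8 MB whose digit sum is 0 modulo 10."""
    if name.lower().endswith(".lnk"):
        return True
    m = HIDDEN_TMP.match(name)
    if not m:
        return False
    digit_sum = sum(int(d) for d in m.group(1))
    return 4 * 1024 <= size <= 8 * 1024 * 1024 and digit_sum % 10 == 0


def flag_listing(listing: List[Tuple[str, int]]) -> List[str]:
    """Names in a (name, size) listing that match the hiding rule."""
    return [name for name, size in listing if matches_rootkit_hiding_rule(name, size)]


if __name__ == "__main__":
    print(parse_cc_payload(build_sample_beacon()))
    # Constructed directory listing of a removable drive, as seen from a clean host.
    print(flag_listing([("~wtr4141.tmp", 25 * 1024), ("~wtr1235.tmp", 25 * 1024),
                        ("Copy of Shortcut to.lnk", 4171), ("report.docx", 50_000)]))
```

The parser refuses a record whose size byte at 0x05 disagrees with the two strings it walked, which is the cheapest sanity check on a captured beacon; the listing check is deliberately applied to a listing rather than to a live infected file system, where the driver would already have filtered the matching names out of directory enumeration.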
- May 9, 1979: Habib Elghanian was executed by a firing squad in Tehran.
- He was the first Jew and one of the first civilians to be executed by the new Islamic government.

Propaganda
- Iran's Ministry of Foreign Affairs:
  - "Western states are trying to stop Iran's (nuclear) activities by embarking on psychological warfare and aggrandizing, but Iran would by no means give up its rights by such measures,"
  - "Nothing would cause a delay in Iran's nuclear activities"
- Iran's Minister of Intelligence: "enemy spy services" were responsible for Stuxnet.

Propaganda: debka.com (2)
- An alarmed Iran asks for outside help to stop Stuxnet.
- Not only have their own attempts to defeat the invading worm failed, but they made matters worse: the malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.
- One expert said: "The Iranians have been forced to realize that they would be better off not 'irritating' the invader because it hits back with a bigger punch."

Conclusion
- Stuxnet is a significant milestone in malicious code history:
  - It is the first to exploit multiple 0-day vulnerabilities.
  - Used two (compromised) digital certificates.
  - Injected code into industrial control systems.
  - Hid the code from the operator.
- Stuxnet is of great complexity, requiring significant resources to develop.
- Stuxnet has highlighted that direct attacks on critical infrastructure are possible.

References
- Nicolas Falliere, Liam O Murchu, and Eric Chien, "W32.Stuxnet Dossier", February 2011, Symantec.com.
- Ralph Langner, "Cracking Stuxnet, a 21st-century cyber weapon", http://www.ted.com/, Mar 31, 2011.
- Eric Byres, Andrew Ginter and Joel Langill, "Stuxnet Report: A System Attack", a five-part series, www.isssource.com/stuxnet-report-a-system-attack/, March 2011.
- "Cyber War, Cyber Terrorism and Cyber Espionage," http://pages.uoregon.edu/joe/cyberwar/cyberwar.ppt

ACK: Many sources on the web. I (pmateti@wright.edu) merely assembled the slides. May 2011.

This note was uploaded on 02/11/2012 for the course CSE 443 taught by Professor Trent Jaeger during the Spring '11 term at Penn State.
