I Heart Stuxnet

Cybersecurity Education and Research Centre

or: How I Learned To Stop Worrying And Love The Worm Video: http://vimeo.com/17364186

Tecnologia

I Stuxnet
or: How I Learned to Stop Worrying and Love The Worm
Gil Megidish
gil@megidish.net

DISCLAIMER
I, Gil Megidish, have had absolutely nothing to
do with the virus/worm presented here, nor
do I know of its origins. Everything in this
presentation is purely an analysis of
documents written by Wikipedia, Symantec,
ESET and professional security advisors.

What is Stuxnet ?
• Most complicated computer-worm ever
discovered.
• Targets industrial control systems such as in
gas pipelines or power plants.
• An on-going work, dates back to Dec, 2008.

Source: http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3

Agenda
Introduction to Computer Virii
Stuxnet’s timeline
Infection mechanism
Targeted systems
Whodunit ?

Computer Virus
• A software that replicated itself onto other
executable files.

Computer Worm
• A software that replicates itself onto other
computers; usually via exploits.

Rootkit
• Enable continued access while actively hiding
presence.

CVE-2010-0049
• Remote exploitation of a memory corruption
vulnerability in WebKit; allows an attacker to
execute arbitrary code on victim’s machine.
15 Dec 2009 Vendor notified
15 Dec 2009 Vendor replied
11 Mar 2010 Coordinated public disclosure

The List Never Ends
Backdoor
Worms
Viruses
Adware
Spyware
Trojan Horse
Rootkit
Botnet
Phishing
XSS
Spoofing
Man in the Middle
D.o.S.
CSRF

“Building the worm cost at least $3 million and
required a team of as many as 10 skilled
programmers working about six months. “
Frank Rieger (GSMK)

Timeline
• 2008.11 – Trojan.Zlob found to be using LNK vulnerability
• 2009.04 – Hakin9 magazine publishers Printer Spooler vulnerability
•
• 2010.01 – Stuxnet variant found with Realtek certificate
• 2010.03 – Stuxnet variant found using LNK vulnerability
•
• 2010.06 – VeriSign revokes Realtek’s certificate
• 2010.06 – Stuxnet variant found with JMicron certificate
• 2010.07 – Symantec monitors Stuxnet’s C&C traffic
• 2010.07 – VeriSign revokes JMicron’s certificate
• 2010.08 – Microsoft patches LNK vulnerability.
• 2010.09 – Microsoft patches Printer Spooler vulnerability.
2009.06 – First variant of Stuxnet found
2010.05 – Stuxnet first detected, named RootkitTmphider

Exploit #1: LNK VulnerabilityCVE-2010-2568
Affects Windows 2000, Windows XP, Windows
Server 2003, Windows Vista and Windows 7

Exploit #2: Print Spooler Vulnerability
MS10-061
Affects Windows XP and legacy Lexmark/Compaq
printers.

Exploit #3:Windows Server ServiceMS08-067
Affects unpatched operating systems, with
Kernel32.dll earlier than Oct 12, 2008.

Source: www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

Peer To Peer Upgrades
Get version number
Request payload
#version#
Current version
Infected A Infected B

Command and Control
todaysfutbol.com
mypremierfutbol.com
GET /
200 OK
GET index.php?data=[XOR%31]
200 OK: Executable code
Infected PC

Step 7 Editor
Developer Station
WinCC MS-SQL Database
PLC

Step7 Interception
s7otbxdx.dll
s7blk_read
s7blk_write
s7_blk_findfirst
s7_blk_delete
All communication done through s7otbxdx library
Developer Station
PLC

Step7 Interception
s7otbxsx.dll
s7blk_read
s7blk_write
s7_blk_findfirst
s7_blk_delete
Man in the middle rootkit!
Developer Station
PLC
s7otbxdx.dll

OB1 Main Organization Block
OB35 Watchdog Organization Block

Symantec's Brian Tillett put a number on the size of the
team that built the virus. He said that traces of more than
30 programmers have been found in source code.
The Atlantic

Links
• Symantec’s Stuxnet Dossier
http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
• ESET: Stuxnet Under The Microscope
http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
• Siemens Step 7 Programmer’s Handbook
http://www.plcdev.com/book/export/html/373

Mais conteúdo relacionado

Mais procurados

The Stuxnet Virus FINAL

Nicholas Poole

Android security

Midhun P Gopi

The World's First Cyber Weapon - Stuxnet

Sean Xie

Android security

Mobile Rtpl

Wannacry-A Ransomware Attack

MahimaVerma28

Broadcast Receiver

nationalmobileapps

Web Application Security 101

kali linux.pptx

anumeha bhatnagar

Understanding android security model

Pragati Rai

Security Testing Mobile Applications

Denim Group

Stuxnet

Shishir Aryal

Mobile Application Security

cclark_isec

Iptables presentation

Emin Abdul Azeez

Wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. Wireless Sensor Networks (WSN) are a most challenging and emerging technology for the Research due to their vital scope in the field coupled with their low processing power and associated low energy. As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may interact with sensitive data and/or operate in hostile unattended environments, it is imperative that these security concerns be addressed from the beginning of the system design staring with a brief overview of the sensor networks security, a review is made of and how to provide the security in the wireless sensor networks. This paper studies the security problems, Requirement, Architecture of WSN and different platform, characterized by severely constrained computational and energy resources, and an ad hoc operational environment.

Next Generation Network: Security and Architecture

ijsrd.com

Testing on frontend

Afif Alfiano

Web App Security Presentation by Ryan Holland - 05-31-2017

TriNimbus

Security Testing is described as a type of Software Testing that assures software systems and applications are free from any vulnerabilities, threats, risks that may cause a big loss. Security testing of any system is about uncovering all likely loopholes and weaknesses of the system which might end up in a loss of information, revenue, repute at the hands of the employees or outsiders of the Organization.

What is security testing and why it is so important?

ONE BCG

OWASP Melbourne - Introduction to iOS Application Penetration Testing

eightbit

Android Security

Lars Jacobs

DDOS Attack

Ahmed Salama

Mais procurados (20)

The Stuxnet Virus FINAL

Android security

The World's First Cyber Weapon - Stuxnet

Android security

Wannacry-A Ransomware Attack

Broadcast Receiver

Web Application Security 101

kali linux.pptx

Understanding android security model

Security Testing Mobile Applications

Stuxnet

Mobile Application Security

Iptables presentation

Next Generation Network: Security and Architecture

Testing on frontend

Web App Security Presentation by Ryan Holland - 05-31-2017

What is security testing and why it is so important?

OWASP Melbourne - Introduction to iOS Application Penetration Testing

Android Security

DDOS Attack

Semelhante a I Heart Stuxnet

STUXNET_

bueno buono good

Stuxnet - A weapon of the future

Hardeep Bhurji

Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation In this presentaion wwe are mainly focussing on the blow mentioned key topics related to NIMDA warm; What is NIMDA ? Propagation via Windows Shares, Web & Emails. How NIMDA works via web browsers? What can Attacker Do after Compromising Your System? CVEs related to Nimda. Signs of Infection. NIMDA Signatures. Key aspects involved like OS, protocols, Applications & Services. Recommendations for For Network Admins & For End User Systems.

Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation

Gayan Weerarathna

The Dynamite of Next Generation (Y) Attack

Prathan Phongthiproek

W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities. We have already covered some of these components in our blog series on the topic. While some of the information from those blogs is included here, this paper is a more comprehensive and in-depth look at the threat. Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion...

Optional Reading - Symantec Stuxnet Dossier

Alireza Ghahrood

Malwares Malwares Malwares Malwares Malwares

NioLemuelLazatinConc

On December 10, 2020, Orange Tsai, a Taiwanese security researcher, discovered a pre-authentication proxy vulnerability (CVE-2021-26855) in Microsoft Exchange Servers that allows a remote actor to bypass authentication and receive admin server privileges. On March 2, Microsoft released critical security updates for four crucial zero-day vulnerabilities discovered in Exchange Servers. Within one week, at least 30,000 U.S. organizations and hundreds of thousands of organizations worldwide had fallen victim to an automated campaign run by HAFNIUM that provides the attackers with remote control over the affected systems. In this session of SecPod Labs Intelligence Series, Veerendra GG and Pooja Shetty, will discuss: 1. What is Proxyogon Vulnerability and how can it impact your security 2. What made ProxyLogon so contagious and spread like a wildfire 3. Steps you can take to remediate the risk of being attacked

ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

SecPod

Malware Freak Show

n|u - The Open Security Community

Malware freak show

sr1nu

October Patch Tuesday Analysis 2018

Is Troy Burning: an overview of targeted trojan attacks

Maarten Van Horenbeeck

Compromising windows 8 with metasploit’s exploit

IOSR Journals

Talk of the hour, the wanna crypt ransomware

shubaira

Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows

Aaron ND Sawmadal

Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows

Aaron ND Sawmadal

Patch Tuesday Italia Febbraio

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

2024 February Patch Tuesday

sym

go2me1

2024 Français Patch Tuesday - Février

El análisis del Patch Tuesday de Ivanti va más allá de la aplicación de parches a sus aplicaciones y le ofrece la inteligencia y orientación necesarias para priorizar dónde debes enfocarte. Consulta los últimos análisis en nuestro blog Ivanti y únete a los expertos del sector en el webinar de Patch Tuesday. En él profundizaremos en cada uno de los informes y ofreceremos orientación sobre los riesgos asociados a las vulnerabilidades más recientes.

Patch Tuesday de Febrero

Semelhante a I Heart Stuxnet (20)

STUXNET_

Stuxnet - A weapon of the future

Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation

The Dynamite of Next Generation (Y) Attack

Optional Reading - Symantec Stuxnet Dossier

Malwares Malwares Malwares Malwares Malwares

ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

Malware Freak Show

Malware freak show

October Patch Tuesday Analysis 2018

Is Troy Burning: an overview of targeted trojan attacks

Compromising windows 8 with metasploit’s exploit

Talk of the hour, the wanna crypt ransomware

Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows

Patch Tuesday Italia Febbraio

2024 February Patch Tuesday

sym

2024 Français Patch Tuesday - Février

Patch Tuesday de Febrero

Mais de Gil Megidish

My Adventures in Twitch Dev

Hack The Mob: Modifying Closed-source Android Apps

0x4841434b45525a – H4x0r presentation for n00bs

Crash Course in Perl – Perl tutorial for C programmers

Small Teams Kick Ass

Game development using HTML5 technologies presentation, May 2010. This lecture was given by Gil Megidish at AlphaGeeks #6 meetup in Tel Aviv, Israel. The talk begins with some review of the game graphics techniques, and how you can achieve these with today's browsers and client side code. 4 demos were presented: sprites with canvas (luigi), framebuffer access (apple2 emulator), primitives and polygons (another world js) and image modifiers (droste effect.) The lecture was given in Hebrew, ppt is English.

Game Development With HTML5

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Mais de Gil Megidish (6)

My Adventures in Twitch Dev

Hack The Mob: Modifying Closed-source Android Apps

0x4841434b45525a – H4x0r presentation for n00bs

Crash Course in Perl – Perl tutorial for C programmers

Small Teams Kick Ass

Game Development With HTML5

Último

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

Real Time Object Detection Using Open CV

Khem

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

DBX First Quarter 2024 Investor Presentation

Dropbox

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...