Académique Documents
Professionnel Documents
Culture Documents
Stuxnet Getting
Getting to
to the
the target
target
Liam O Murchu
Feb 2011
Agenda
1
Stuxnet Capabilities
Stuxnet Features
Discovery disclosed in July, 2010
Attacks industrial control systems likely an Iranian
uranium enrichment facility
Modifies and hides code on Siemens PLCs
connected to frequency converters
Contains 7 methods to propagate, 4 zero day
exploits, 1 known exploit, 3 rootkits, 2 unauthorized
certificates, 2 Siemens security issues, 1 target.
3 versions, June 2009, March 2010, April 2010
Stuxnet - Sabotaging Industrial Control Systems
Stuxnet is targeted
Iranian Target
PLCs
Programmable Logic Controller
Stuxnet is Targeted
Targeting a Specific type of PLC
Searches for a Specific Configuration
Stuxnet & PLCs
Programming a PLC
Step7, STL and MC7
Attack Preparation
Stuxnet Creator
Control
PC
PLC
Uranium Enrichment
Facility
7
Attack Considerations
Internet Etc
Corporate LAN
Air Gap
Control
PC
3. Ms08-067 Vuln
4. Network Shares
5. P2P sharing
6. Wincc Hard coded Password
7. Step7 projects
Self-Replication
types:
ApiLog
types
hOmSave7
S7HK40AX
s7hkimdb.dll
S7HK41AX
s7hkimdb.dll
DB
+00WORDcount
14 14 00 00 00 00 00
+02BYTE[]records
00 00 00 00
+00WORDcount
+02BYTE[]records
s7hkimdb.dll
%Step7%\S7BIN
%SYSTEM32%
%SYSTEM%
%WINDIR%
project's hOmSave7/* subdirectories
xutils
links
s7p00001.dbf (Stuxnet datafile)
listen
xr000000.mdx (encrypted Stuxnet)
s7000001.mdx (Stuxnet config data file)
10
11
Attack Execution
Internet Etc
1. Initial Delivery
Corporate LAN
2. Network Exploits
3. Reporting
Updates
Air Gap
4. Bridge
AirGap5. Deliver Payload
12
13
Limited Spread
Attackers wanted limited spread
No Internet capable exploits used
USB exploit only infects 3 machines
USB exploit has deadline of 21 days
All exploits have a deadline
Large configuration file
~430 different settings
Why did it spread so far?
14
15
16
17
Sophistication
First threat to target hardware
Targets Uranium Enrichment
Large amount of code
Very configurable
4 zero days
Long Reconnaissance phase
Needed Hardware for testing
Targets 95/98,Win2k,Winxp,Vista,Win7
3 Rootkits
PLC programming knowledge
Stuxnet Getting to the target
18
Sophistication
It was discovered
No advanced encryption
C&C infrastructure easily taken down
Infection information stored
Blue screens?? (unconfirmed)
P2P not protected
Escaped outside of Iran
19
New Version
Not simple to create new version
Cannot just drop in new zero days
Target specific information required
PLC programming knowledge
Exploit knowledge
Real danger is the idea
Now people know it can be done
People can start their own projects knowing it is
possible
Stuxnet Getting to the target
20
21
Response
Need dedicated resources in place in advance that
can switch focus to a new threat quickly
Need engineers who are familiar with the latest
developments in the threat landscape
Need to respond quickly critical infrastructure
may be at risk
Private public partnership will be important
Growing market
We will see more of these types of threats in the
future, need to prepare for that.
22
Summary
Stuxnet is the first publicly known malware to
intend real-world damage
Required resources at the level of a nation-state
While as a whole extremely sophisticated, the
technique to inject code into PLCs is not
Enterprises should assume attackers know how
these systems work
Has changed our job at Symantec
We expect to see more of these threats
23
24
Thank you!
Liam O Murchu liam_omurchu@symantec.com
Copyright 2010 Symantec Corporation. All rights reserved.Symantec and the Symantec Logo are trademarks or registered trademarks
of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to
change without notice.
25