the stuxnet worm
play

The Stuxnet Worm Babak Yadegari and Paul Mueller CSc 566: Computer - PowerPoint PPT Presentation

Dec 17, 2022 •109 likes •540 views

The Stuxnet Worm Babak Yadegari and Paul Mueller CSc 566: Computer Security April 25, 2012 Presentation Outline Background & Overview Stuxnets Purpose How Stuxnet Spread Possible Attack Scenarios Infection RPC Server Attack

  1. The Stuxnet Worm Babak Yadegari and Paul Mueller CSc 566: Computer Security April 25, 2012

  2. Presentation Outline Background & Overview Stuxnet’s Purpose How Stuxnet Spread Possible Attack Scenarios Infection RPC Server Attack Methods of Concealment Effects & Conclusion 1

  3. What is Stuxnet? A sophisticated worm designed to target only specific Siemens SCADA systems Uses four zero-day vulnerabilities Uses two stolen digital signatures Uses rootkits on Windows and the PLCs it targeted Discovered in June 2010, but an early version first appeared a year earlier Widely suspected of targeting Iran’s uranium enrichment program Was somewhat effective: may have destroyed 1,000 centrifuges, reduced output, sowed chaos The US and Israel were likely behind it 2

  4. Tensions Between Iran and the West Iran started its nuclear program in the 1950s Iran’s revolution delayed the program A few years later, the new leaders continued it In 2002, it turned out that Iran had developed two undeclared nuclear facilities Iran suspended uranium enrichment in 2003 and resumed it in 2006 Iran: no nuclear weapons IAEA: Iran does not comply with safeguard agreements 3

  5. Obligatory Nuclear Bomb Explosion Photo Figure: What’s at stake. (Photo: sciencecabin.com) 4

  6. Who Created Stuxnet? Israel Israel expects they have 3 years before Iran completes a nuclear weapon Has confirmed that it will use cyberwarfare to defend itself Israeli officials smiled when asked if Israel had created the attack United States American officials said the attack was not created in the US Leaked cable stating that the US ambassador to Germany was told a Stuxnet-type attack could be more effective than a military attack Prior to Stuxnet being discovered, John Bumgarner wrote about a possible way of using malicious code to destroy centrifuges; Stuxnet happened soon after! 5

  7. Overview 6

  8. Siemens PLC Figure: A Siemens SIMATIC S7-300 PLC, the type of PLC Stuxnet targeted (Photo: alibaba.com) 7

  9. What was Stuxnet’s Purpose? Disrupt Iran’s nuclear bomb program Provide plausible deniability to its creator(s). It only attacks plants with certain (Natanz-like) configurations: Only certain centrifuge cascade setups will be attacked Centrifuge rotor frequencies- Sequence A gives the nominal frequency of its target centrifuges as 1064 Hz, which is reportedly exactly the IR-1’s nominal frequency Likewise, the maximum speed Stuxnet speeds the rotors up to (1,410 Hz) is at the maximum range the IR-1 rotors can withstand- spinning them at this speed will likely destroy them Looks for Finnish and Iranian centrifuges 8

  10. Infection Statistics by Country Figure: Percentage of Infected Hosts by Country 9

  11. Cascade Configuration Revealed Figure: Iran’s president revealed the cascade structure at Natanz: from right to left- 4, 8, 12, 16, 20, 24, 20, 16. (Photo: Office of the Presidency of the Islamic Republic of Iran) 10

  12. How Stuxnet Spread 11

  13. Windows Print Spooler Vulnerability Monitors print requests http://www.youtube.com/watch?v=ExgMb5WbCrE 12

  14. Windows Server Service Vulnerability (SMB) The service handles RPC calls between Windows machines This vulnerability can be exploited by creating specially crafted packets A buffer overflow occurs when the receiving side tries to process the request It allows arbitrary code execution on the remote machine 13

  15. Possible Attack Scenarios Attackers should know about the design of the target system Might be stolen by an insider Collected by a previous malware and delivered to attackers Same story for the digital certificates Malware should somehow be delivered to the target’s environment Again by an insider By infecting a third party contractor Or delivered by email 14

  16. Stuxnet Flow Graph 15

  17. Windows Shortcut Vulnerability http://www.youtube.com/watch?v=eFLNG5zHaVA 16

  18. Initial Stage I The malware first loads and runs WTR4411.TMP file from USB stick, exploiting Windows shortcut vulnerability Crafted shortcut points to WTR4411.TMP file which leads the file to be loaded and executed! Extracts another file ( WTR4132.TMP) from previously loaded file and passes control to it 17

  19. Initial Stage II %DriveLetter%\~WTR4141.tmp (A) %DriveLetter%\~WTR4132.tmp (B)�%D %DriveLetter%\Copy of Shortcut to.lnk ... 18

  20. Initial Stage II Executes A %DriveLetter%\~WTR4141.tmp (A) %DriveLetter%\~WTR4132.tmp (B)�%D %DriveLetter%\Copy of Shortcut to.lnk ... 18

  21. Initial Stage II Executes A Modify kernel32.dll and ntdll.dll to hide its files %DriveLetter%\~WTR4141.tmp (A) %DriveLetter%\~WTR4132.tmp (B)�%D %DriveLetter%\Copy of Shortcut to.lnk ... 18

  22. Initial Stage II Executes A Modify kernel32.dll and ntdll.dll to hide its files LoadLibrary() to load and execute B %DriveLetter%\~WTR4141.tmp (A) %DriveLetter%\~WTR4132.tmp (B)�%D %DriveLetter%\Copy of Shortcut to.lnk ... 18

  23. Initial Stage II Executes A Modify kernel32.dll and ntdll.dll to hide its files LoadLibrary() to load and execute B %DriveLetter%\~WTR4141.tmp (A) %DriveLetter%\~WTR4132.tmp (B)�%D %DriveLetter%\Copy of Shortcut to.lnk ... Call export 15 of library B 18

  24. Attack I After finding an appropriate target: Replaces s7otbxdx.dll library used to communicate between PLC and Step7 software Injects malicious code into PLC Runs periodic attacks against centrifuge by changing its rotor speed Sabotages the centrifuge! 19

  25. Attack II After finding an appropriate target: http://www.youtube.com/watch?v=cf0jlzVCyOI#t=83s 20

  26. Taking Control of PLCs s7otbxdx.dll Step 7 PLC Figure: The Step7 software uses a library to communicate with its PLCs 21

  27. Taking Control of PLCs Stuxnet s7otbxdx.dll Step 7 PLC s7otbxsx.dll Figure: Stuxnet wraps the library used to communicate with the PLCs 21

  28. Taking Control of PLCs Stuxnet Problems? s7otbxdx.dll Step 7 PLC s7otbxsx.dll Figure: Stuxnet wraps the library used to communicate with the PLCs 21

  29. Attack Sequences Stuxnet contains three attack sequences, named A, B, and C by Symantec. A and B are very similar, and do basically the same thing. C is more sophisticated but unfinished; it contains debug code, has missing sections, etc. Figure: Stuxnet’s attack sequences. 22

  30. Centrifuges are Neat! Figure: Diagram of a P-1 centrifuge. The Natanz centrifuges are based on the P-1. (Diagram: Institute for Science and International Security) 23

  31. Centrifuges are Neat! (Part II) Figure: Iran’s president tours centrifuges at Natanz. (Photo: Office of the Presidency of the Islamic Republic of Iran) 24

  32. Components I User-Mode Choose a process and inject the code Check to see if running on an appropriate platform (Windows XP, Vista, ...) Privilege escalation Checking for updates Kernel-Mode Mrxcls.sys : A startup driver which allows Stuxnet to survive rebooting Mrxnet.sys : Acts as a rootkit, intercepts requests to system device objects 25

  33. Components II The Internet RPC Server Futbol-themed C&C websites Another Stuxnet Update Send and receive info Stuxnet Step 7 Drivers System libraries USB drives Figure: Stuxnet Components 26

  34. Stuxnet’s Very Own RPC Server Has its own RPC server to communicate with and get updates from C&C servers Communicates with other instances over the network and gets updates from them Makes it possible to be updated even if there is no direct access to the Internet 27

  35. Methods of Concealment Uses signed drivers with digital certificates stolen from two Taiwanese companies, Realtek and JMicron Uses Windows and PLC rootkits to avoid detection. These make it difficult to find the files it places on USB drives for propagation, and on the PLCs to do the actual attacks, respectively The attack sequences try to prevent plant operators from learning of the changes in rotor speed by commanding the controllers to disable their safeties and warnings, and by reporting recorded, nominal data 28

  36. Stolen Digital Certificates Figure: The stolen Realtek signature 29

  37. Effects of Stuxnet (Intended) Mostly, to destroy centrifuges. Attack sequences A and B speed the centrifuges’ rotational speed up toward 1,410 Hz for 15 minutes; then, 27 days later, it slows them down for 50 minutes, during which time their speed may be reduced by as much as 200 Hz. Another 27 days later, the sequence repeats. The high speed is enough to probably destroy the centrifuges, and the low speed would result in inefficient processing of uranium, thereby wasting resources and slowing LEU production. 30

  38. Effects of Stuxnet (Intended) (Continued) Unnerve the Iranians- Stuxnet’s creators may also have hoped to slow Iran’s nuclear program by creating doubt and confusion In fact, the Iranians halted uranium processing on a significant number of centrifuges The creators of Stuxnet probably thought Stuxnet wouldn’t be uncovered as quickly as it was. If it hadn’t been, the damage it did would have been greater. This is supported by the slow pace of the attacks- waiting 27 days between attacks, possibly to be more stealthy 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are

Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are

How everything can be hacked Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are Maybes Main target: Iranian nuclear program Main physical targets Centrifuge devices PLC controllers The

402 views • 21 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Rome, May 31, 2011 Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1 speaker Jonathan

223 views • 21 slides
Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and Model http://portal.acm.org/citation.cfm?id=948196 Smashing the Stack for Fun and Profit

525 views • 36 slides
Realworldexample:StuxnetWorm Stuxnet:Overview

Realworldexample:StuxnetWorm Stuxnet:Overview

Realworldexample:StuxnetWorm Stuxnet:Overview June2010:Awormtarge<ngSiemensWinCC industrialcontrolsystem. Targetshighspeedvariablefrequency

439 views • 39 slides
ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo staphylococcal ring worm herpes 3-4 weeks 2-3 weeks impetigo staphylococcal 1 week 1 week wrestlers are 16x more likely than other athletes to

613 views • 60 slides
CYBER BREACH MITIGATION How Do I Start & Where is my Money Best Spent ? Speakers: George Adkins

CYBER BREACH MITIGATION How Do I Start & Where is my Money Best Spent ? Speakers: George Adkins

CYBER BREACH MITIGATION How Do I Start & Where is my Money Best Spent ? Speakers: George Adkins , Wortham Power Gen Insurance Brad Luna , N-Dimensions 1 TPPA THE FUTURE IS HERE INCIDENTS WITH PUBLIC POWER ELEMENTS 2010 (Stuxnet) WORM

552 views • 34 slides
ICT and international security Gian Piero Siroli, Physics and Astronomy Dept. Univ. of Bologna

ICT and international security Gian Piero Siroli, Physics and Astronomy Dept. Univ. of Bologna

ICT and international security Gian Piero Siroli, Physics and Astronomy Dept. Univ. of Bologna & CERN Caffe della Scienza, Livorno, May 2014 What a cyber-weapon can look like: Stuxnet A worm designed to sabotage a specific

530 views • 36 slides
Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to

Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to

SSN presents: Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to convert organic waste into a nutrient rich humus like material known as vermicompost (worm castings) Why do it? Produce your own

736 views • 14 slides
REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION &

REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION &

REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION & ADVANTAGES OF CENTRIFUGALLY CAST GEARS GIRI RAJENDRAN JASON HASSEN MCC INTERNATIONAL INC OVERVIEW OF NON-FERROUS (BRONZE) MATERIAL FOR WORM

628 views • 38 slides
MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26 TODAY: Functions and inverse functions Watch videos 4.3, 4.3 by Wednesday Worm up A worm is crawling across a table. The path of the worm looks

399 views • 6 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Automatic Worm Defense (I) Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris worm (1988) Infected 6000 machines (10% of Internet) $10M for downtime & cleanup Whats a worm?

512 views • 13 slides
Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt

Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt

Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt Karl-Franzens-Universitt Graz Sarajevo, February 2013 Y. Delgado (KFU) Worm algorithm Excited QCD 2013 1 / 19 Motivation: Sign problem of QCD

450 views • 28 slides
Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

495 views • 35 slides
PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

Introduction Internet worm models Continuous Approximation Quantified analysis Conclusions PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September 2005 Joint work with Jeremy Bradley and Stephen

1.34k views • 98 slides
CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1:

CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1:

CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1: Morris the first worm in history CSCE 790 Computer Systems Security 2 Story 2: Malware, Stuxnet , took down Irans nuclear facilities

344 views • 30 slides
Pathways to Discovering Supernova Neutrinos Thomas D. P . Edwards , Sebastian Baum, Bradley J.

Pathways to Discovering Supernova Neutrinos Thomas D. P . Edwards , Sebastian Baum, Bradley J.

Pathways to Discovering Supernova Neutrinos Thomas D. P . Edwards , Sebastian Baum, Bradley J. Kavanagh, Patrick Stengel, Andrzej K. Drukier, Katherine Freese, Maciej Grski, Christoph Weniger 1906.05800 1 Quantamagazine 2 Thomas D. P

427 views • 32 slides
Nuclear Performance of Accelerator-Driven Systems with Infinite U ranium Material Smer AHN

Nuclear Performance of Accelerator-Driven Systems with Infinite U ranium Material Smer AHN

Nuclear Performance of Accelerator-Driven Systems with Infinite U ranium Material Smer AHN 1 , Baar ARER 2 Yurdunaz EL K 3 1 Atlm University, Faculty of Engineering, Ankara 2 Gazi University, Faculty of Science, Ankara 3 Gazi

1.6k views • 89 slides
Mining Masterclass conference Investment Opportunities in the Mining Sector in Southern Africa 1

Mining Masterclass conference Investment Opportunities in the Mining Sector in Southern Africa 1

Simmons and Simmons Mining Masterclass conference Investment Opportunities in the Mining Sector in Southern Africa 1 November 2018 Inclusive Prosperity Southern Africa Mineral Map Mining is a strategically important sector in a mineral-rich

286 views • 18 slides
NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll

NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll

NUCLEAR WASTE AND REMEDIATION STRATEGY Course Seminar CE 641 Presented by Aniruddh Jain Roll No: 09304018 M.Tech 1st Year WHAT IS NUCLEAR ENERGY Nuclear energy is the energy released by the splitting (fission) or merging together (fusion)

468 views • 26 slides
dedate then regulatory network gere neuroscience lo Primary decomposition model wiring diagram

dedate then regulatory network gere neuroscience lo Primary decomposition model wiring diagram

dedate then regulatory network gere neuroscience lo Primary decomposition model wiring diagram please put in alphabetical order also I x us I to P The pseudo monomial analogue of this theory is in its infancy complex di discrete t the

315 views • 9 slides
Introduction ECN 102: Analysis of Economic Data Winter, 2011 J. Parman (UC-Davis) Analysis of

Introduction ECN 102: Analysis of Economic Data Winter, 2011 J. Parman (UC-Davis) Analysis of

Introduction ECN 102: Analysis of Economic Data Winter, 2011 J. Parman (UC-Davis) Analysis of Economic Data, Winter 2011 January 4, 2011 1 / 51 Contact Information Instructor: John Parman Email: jmparman@ucdavis.edu Office: 1125 SSH (NW

794 views • 51 slides
Structural-Factor Modeling of Big Dependent Data Ruey S. Tsay Booth School of Business,

Structural-Factor Modeling of Big Dependent Data Ruey S. Tsay Booth School of Business,

Structural-Factor Modeling of Big Dependent Data Ruey S. Tsay Booth School of Business, University of Chicago January 11, 2019 Joint with: Zhaoxing Gao R. Tsay (U Chicago) Factor-Modeling of Big Dependent Data January 11, 2019 1 / 56 Table

815 views • 56 slides
Analysis of Big Dependent Data in Economics and Finance Ruey S. Tsay Booth Shool of Business,

Analysis of Big Dependent Data in Economics and Finance Ruey S. Tsay Booth Shool of Business,

Analysis of Big Dependent Data in Economics and Finance Ruey S. Tsay Booth Shool of Business, University of Chicago September 2016 Ruey S. Tsay Big Dependent Data 1 / 72 Outline Big data? Machine learning? Data science? What is in for 1

3.26k views • 72 slides

More recommend