STUXNET
Sam Skalicky
Biru Cui
Outline
  Discovery
  Architecture
  Evaluation
  Conclusion
Discovery
  VirusBlokAda
  Zero-day
  Microsoft
  Name "Stuxnet" derived from .stub + MrxNet.sys
  Symantec
Architecture
  Organization
  Installation
  Propagation
  Target & Process
Architecture: Organization
  Exports
  Resources
  Configuration
Architecture: Installation
  Export 15: environment scan, privilege escalation
  Export 16: copy, hide, autorun (signed with stolen certificate)
Architecture: Propagation
  WinCC SQL
  P2P RPC
  Printer spooler
  Removable disk: .lnk, ~WTR4141.tmp, ~WTR4132.tmp, Autorun.inf
Architecture: Target
  Step 7 (Exports 2/14)
  PLC
  Data Blocks (DB), System Data Blocks (SDB), Organization Blocks (OB), Function Blocks (FC)
Architecture: Process
  Broker FC
  RECV
  OB1/OB35
Architecture: Process
  Profibus
  ID
  CP
  Frequency converter
Architecture: Process
  1.41 kHz
  1.064 kHz
  2 Hz
Evaluation
  Complex code size
  Propagation methods
  Zero-day exploit
  Certificate theft
  Specific target: Step 7 / PLC / FC
Speculation
  Where
  What
Risk
  Very small risk to the majority of users: the worm was targeted so specifically
  Modifying large spinning motors to fail: shorting out, overheating, disengaging from their mounting
  Consumes disk space (500 KB)
  New type of worm detected
What's next?
  W32.Duqu, a new beginning?