The Stuxnet Worm
Jonathan Baulch
What is Stuxnet?
A worm that spreads via USB drives
Exploits a previously unknown vulnerability in Windows
Trojan backdoor that looks for a specific software created by Siemens
Stuxnet Timeline
June 2009 – Earliest Stuxnet version seen. Lacks many complexities of the later versions
January 25, 2010 – Stuxnet driver signed with valid certificate from Realtek Semiconductor Corps
June 17, 2010 – Virusblokada reports W32.Stuxnet named RootkitTmphider
July 13, 2010 – Symantec adds detection known as W32.Temphid
July 16, 2010 – Verisign revokes Realtek Semiconductor Corps certificate
July 17, 2010 – Eset identifies new Stuxnet driver with certificate from JMicron Technology Corp.
July 19, 2010 – Siemens reports they are investigating reports of malware affecting Siemens WinCC SCADA systems
August 6, 2010 – Symantec reports how Stuxnet can inject and hide code on a PLC
September 30, 2010 – Symantec presents at Virus Bulletin and releases comprehensive analysis of Stuxnet
Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
Spreads in a LAN through a vulnerability in the Windows Print Spooler
Copies and executes itself on remote computers through network shares
Copies and executes itself on remote computers running a WinCC database server
Copies itself into Step 7 projects in such a way that it automatically loads when Step 7 is run
Updates itself through a peer-to-peer mechanism within a LAN
Exploits 4 different zero-day Microsoft vulnerabilities
Contacts a command and control server that allows a hacker to download and execute code
Contains a Windows rootkit that hides its binaries
Attempts to bypass security products
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
Hides modified code on PLCs
PLC – Programmable Logic Controller
◦ Loaded with blocks of code and data written using a variety of languages such as STL or SCL
◦ PLCs are small embedded industrial control systems that run automated processes on factory floors, chemical and nuclear plants, oil refineries, etc.
It has yet to be discovered who authored the Stuxnet worm and who/what the target was.
◦ Research project that got out of control. There is a history of accidental releases of worms by researchers.
◦ Criminal worm designed to demonstrate the power the authors possess.
◦ Worm released by the U.S. military to scare government into increasing the budget for cyber security.
◦ Developed by Israel to attack Iran
Iran was one of the countries most affected by the Stuxnet worm.
Iran is currently constructing a nuclear plant in Bushehr, and experts believe the delays have been the result of Stuxnet.
A report by Siemens expert Ralph Langner says that Stuxnet could easily cause a refinery’s centrifuge to malfunction.
Stuxnet achieved many things in the malicious code realm
First to exploit 4 0-day vulnerabilities
Compromised 2 digital certificates
Injected code into industrial control systems and hid the code from operators.
Many experts say it is the most complex malicious software created in the history of cyber security.
Highlights that it is possible to attack critical infrastructures in places other than Hollywood movies.
Improbable that copycat attacks will begin to be mass produced due to the complexity of the software.
W32.Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Schneier on Security - http://www.schneier.com/blog/archives/2010/10/stuxnet.html
Details on the first-ever control system malware - http://news.cnet.com/8301-27080_3-20011159-245.html