I Heart Stuxnet
1. I ♥ Stuxnet
or: How I Learned to Stop Worrying and Love The Worm
Gil Megidish
gil@megidish.net
2. DISCLAIMER
I, Gil Megidish, have had absolutely nothing to
do with the virus/worm presented here, nor
do I know of its origins. Everything in this
presentation is purely an analysis of
documents written by Wikipedia, Symantec,
ESET and professional security advisors.
4. What is Stuxnet?
• The most complicated computer worm ever
discovered.
• Targets industrial control systems such as those in
gas pipelines or power plants.
• An ongoing work: its infrastructure dates back to Dec 2008.
11. CVE-2010-0049
• Remote exploitation of a memory corruption
vulnerability in WebKit; allows an attacker to
execute arbitrary code on victim’s machine.
15 Dec 2009 Vendor notified
15 Dec 2009 Vendor replied
11 Mar 2010 Coordinated public disclosure
12. The List Never Ends
Backdoor
Worms
Viruses
Adware
Spyware
Trojan Horse
Rootkit
Botnet
Phishing
XSS
Spoofing
Man in the Middle
D.o.S.
CSRF
13. “Building the worm cost at least $3 million and
required a team of as many as 10 skilled
programmers working about six months.”
Frank Rieger (GSMK)
14. Timeline
• 2008.11 – Trojan.Zlob found to be using the LNK vulnerability
• 2009.04 – Hakin9 magazine publishes the Print Spooler vulnerability
• 2009.06 – First (earliest known) variant of Stuxnet found
• 2010.01 – Stuxnet variant found with a driver signed by Realtek’s certificate
• 2010.03 – Stuxnet variant found using the LNK vulnerability
• 2010.06 – Stuxnet first detected by VirusBlokAda, named Rootkit.TmpHider
• 2010.07 – VeriSign revokes Realtek’s certificate
• 2010.07 – Stuxnet variant found with a driver signed by JMicron’s certificate
• 2010.07 – Symantec monitors Stuxnet’s C&C traffic
• 2010.07 – VeriSign revokes JMicron’s certificate
• 2010.08 – Microsoft patches the LNK vulnerability (MS10-046).
• 2010.09 – Microsoft patches the Print Spooler vulnerability (MS10-061).
16. Exploit #1: LNK Vulnerability (CVE-2010-2568, MS10-046)
Affects Windows 2000, Windows XP, Windows
Server 2003, Windows Vista and Windows 7
17. Exploit #2: Print Spooler Vulnerability
(MS10-061, CVE-2010-2729)
Affects any Windows XP host that shares a printer; newer
versions only when legacy Lexmark/Compaq printers are shared.
18. Exploit #3: Windows Server Service (MS08-067, CVE-2008-4250)
Affects unpatched operating systems; the worm only attempts
it when Kernel32.dll is dated earlier than Oct 12, 2008, i.e.
a build from before the fix shipped.
49. Symantec's Brian Tillett put a number on the size of the
team that built the virus. He said that traces of more than
30 programmers have been found in source code.
The Atlantic
I wrote my first virus in 1996 or 1997
Fixed Burgler & Major BBS viruses
Why did I do it?
The most complicated worm ever.
Targets SCADA (Supervisory Control and Data Acquisition) systems used in gas pipelines and power plants.
Its DNS entries date back to Dec 2008; we can't tell when development really started. Discovered in June 2010.
The worm attacked many computers:
more than 100,000 infected hosts behind 40,000 unique IPs, in over 155 countries.
A high percentage (over 60% of the total) were in Iran, but India and Indonesia were clearly hit hard too.
Started in 1974 with help from Germany's Siemens and French scientists.
Started operating in 2010 with the arrival of Russian nuclear fuel.
Worms can be good: the experimental worms at Xerox PARC (Shoch and Hupp, 1982), and later Nachi/Welchia, which installed the patch for the hole it spread through.
Mentions: ILOVEYOU (spread via Outlook, about $5 billion in damages),
the Samy worm (1,000,000 MySpace accounts in 20 hours).
Rootkits
Story about a hacked server in India.
Unix rootkitting is as easy as Windows rootkitting.
Common Vulnerabilities and Exposures (CVE)
This specific CVE (CVE-2010-0049, WebKit) describes an attack on ALL iPhones, iPads and Macs.
About 4000 CVE entries a year; recently Backdoor.Pirpi used CVE-2010-3962 (Internet Explorer).
Virus, Rootkitting, Backdoor, Cross Site Request Forgery, Adware, Worms, Trojan Horse, Spyware, Denial of Service, Cross Site Scripting, Spoofing, Man in the Middle, Botnet, Phishing
Running Stuxnet copies it to any REMOVABLE device, and its kernel driver hooks the filesystem to hide the dropped files.
It hides .lnk files that are exactly 4171 bytes long, and ~WTRabcd.tmp files whose four digits satisfy (a+b+c+d) mod 10 == 0 (e.g. ~WTR4132.tmp, ~WTR4141.tmp).
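The two hiding rules above are exactly what a hunt script can key on. The following is an added example (not code from the talk or from any analysis it cites): it encodes the rootkit's cloaking predicate, scans a directory listing for entries that would be cloaked, and does a cross-view diff, comparing a listing taken on the live (hooked) host with one taken from the same volume mounted offline. The listings, file sizes and the function names are constructed for illustration.

```python
import re

# Rules (from the public analyses of Stuxnet's filesystem driver) for what the
# rootkit cloaks: .lnk files of exactly 4171 bytes, and ~WTRdddd.tmp files whose
# four digits sum to a multiple of 10.
LNK_SIZE = 4171
WTR_RE = re.compile(r"^~WTR(\d{4})\.tmp$", re.IGNORECASE)


def stuxnet_would_hide(name: str, size: int) -> bool:
    """True if Stuxnet's rootkit driver would cloak this directory entry."""
    if name.lower().endswith(".lnk") and size == LNK_SIZE:
        return True
    m = WTR_RE.match(name)
    return bool(m) and sum(int(d) for d in m.group(1)) % 10 == 0


def suspicious_entries(listing):
    """Entries of a (name, size) listing that match the cloaking rules."""
    return [(n, s) for n, s in listing if stuxnet_would_hide(n, s)]


def cross_view_diff(live_listing, offline_listing):
    """Cross-view detection: files visible when the volume is read offline
    (forensic image, clean boot, or mount on another machine) but missing
    from the listing produced on the live host. On an infected host the
    hooked listing omits exactly what the driver hides."""
    live = {n.lower() for n, _ in live_listing}
    return sorted((n, s) for n, s in offline_listing if n.lower() not in live)


# Constructed sample data: what a forensic mount of a USB stick shows ...
OFFLINE_LISTING = [
    ("Copy of Shortcut to.lnk", 4171),
    ("Copy of Copy of Shortcut to.lnk", 4171),
    ("~WTR4132.tmp", 25720),
    ("~WTR4141.tmp", 498176),
    ("report.docx", 88123),
    ("~WTR1235.tmp", 1024),   # digits sum to 11: not cloaked
    ("holiday.lnk", 1200),    # wrong size: not cloaked
]
# ... and what the same stick looks like when listed from the infected host.
LIVE_LISTING = [
    ("report.docx", 88123),
    ("~WTR1235.tmp", 1024),
    ("holiday.lnk", 1200),
]


if __name__ == "__main__":
    print("matches cloaking rules:", suspicious_entries(OFFLINE_LISTING))
    print("cloaked on live host:", cross_view_diff(LIVE_LISTING, OFFLINE_LISTING))
```

The predicate alone is only useful against a listing the rootkit has not filtered; on the infected machine itself the files simply do not appear, which is why the cross-view diff (offline view minus live view) is the check a responder actually runs.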
The Print Spooler bug was published in Hakin9 magazine in April 2009. Any Windows XP host sharing a printer is vulnerable.
Newer operating systems (Vista, Server 2003, Server 2008 and Windows 7) are vulnerable if a legacy Lexmark or Compaq printer is shared.
A specially crafted print request makes the spooler write an attacker-controlled file into the system32 directory; Stuxnet drops an executable plus a .mof file that WMI compiles, which launches the executable.
MS08-067 is a two-year-old exploit. Why would they put in the exploit if it is of no use after Oct 12, 2008?
Maybe because they know there are old unpatched systems out there? Maybe it is old code.
Inside the worm?
Specially crafted
How do you steal certificates?
Realtek and JMicron are physically very close to each other (both in Hsinchu Science Park, Taiwan). Could somebody have broken into both?
Maybe they share the same cleaning company? An early version of Stuxnet stealing them? Code outsourced to India?
Periodically executed code:
OB35 is the S7 cyclic interrupt block; it runs every 100 ms to check for critical values, and Stuxnet hooks it.
Targets: Vacon NX (Finland) and Fararo Paya (Iran)
variable-speed AC drives (frequency converters),
which rotate equipment at high speeds.
Frequency converters that output above 600 Hz are export-controlled by the US Nuclear Regulatory Commission.
The worm only attacks when the drives are running between 807 Hz and 1210 Hz.
It then changes the speed to 1410 Hz, later to 2 Hz, and then to 1064 Hz.
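The attack sequence above (normal band 807 to 1210 Hz, excursion to 1410 Hz, drop to 2 Hz, return to 1064 Hz) is a pattern a process-monitoring system can look for. The following is an added example, not code from the talk or from Siemens: it collapses a stream of drive output-frequency samples into runs, reports every excursion outside the expected band, and flags the band-high-low-band shape of the sabotage. The sample log is constructed; the real stages were held for minutes and spaced weeks apart, so only the shape matters, not the timing.

```python
# Band Stuxnet checks for before it acts (Hz); used here as the "expected" range.
NORMAL_BAND = (807.0, 1210.0)


def classify(hz, band=NORMAL_BAND):
    """Bucket one reading as below, inside or above the expected band."""
    lo, hi = band
    if hz > hi:
        return "high"
    if hz < lo:
        return "low"
    return "band"


def excursions(samples, band=NORMAL_BAND):
    """Collapse (timestamp, hz) samples into runs of equal state and return
    (start, end, state, extreme_hz) for every run outside the band."""
    runs = []  # each run: [start_ts, end_ts, state, extreme_hz]
    for ts, hz in samples:
        state = classify(hz, band)
        if runs and runs[-1][2] == state:
            run = runs[-1]
            run[1] = ts
            if state == "high":
                run[3] = max(run[3], hz)
            elif state == "low":
                run[3] = min(run[3], hz)
        else:
            runs.append([ts, ts, state, hz])
    return [tuple(r) for r in runs if r[2] != "band"]


def has_stuxnet_signature(samples, band=NORMAL_BAND):
    """True when the drive went band -> high -> low -> band, i.e. an over-speed
    excursion followed by a near-stall and then a return to normal output."""
    states = []
    for _, hz in samples:
        s = classify(hz, band)
        if not states or states[-1] != s:
            states.append(s)
    pattern = ["band", "high", "low", "band"]
    return any(states[i:i + 4] == pattern for i in range(len(states) - 3))


# Constructed sample logs: (seconds since start, commanded output frequency in Hz).
SABOTAGE_LOG = [
    (0, 1064.0), (60, 1064.0), (120, 1065.0),   # normal enrichment speed
    (180, 1410.0), (240, 1410.0),               # pushed above the band
    (300, 2.0), (360, 2.0),                     # then almost stopped
    (420, 1064.0), (480, 1064.0),               # then back to normal
]
STEADY_LOG = [(t, 1064.0) for t in range(0, 540, 60)]
MAINTENANCE_LOG = [(0, 1064.0), (60, 1064.0), (120, 0.0), (180, 0.0)]  # planned stop

if __name__ == "__main__":
    print("excursions:", excursions(SABOTAGE_LOG))
    print("sabotage pattern:", has_stuxnet_signature(SABOTAGE_LOG))
```

One caveat a practitioner needs: Stuxnet also hid its changes from the operator's view of the PLC, so readings taken from the compromised PLC or the WinCC HMI cannot be trusted. Feed a monitor like this from an independent measurement (for example a separate sensor on the drive output), not from the system under attack.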
Vacon denies any relationship with Iran
Nov 12: Siemens releases a detection and removal tool.
No fix for the hardcoded WinCC SQL database password.
Microsoft releases fixes throughout October.
Still two privilege escalation bugs exist.
Nobody will give up on this baby.
The Iranians don't cooperate anyway.
Suspects: the Germans, the French, al-Qaeda, aliens, even references to the Bible.
The USA has both the motives and the means to pull off this kind of thing.
Two-year-old exploits, known to Microsoft, never patched.
Moreover, Microsoft released a huge patch update but neglected the Print Spooler (fixed 7 days later).
The C&C domains: GoDaddy accounts, Domains By Proxy; there's a Visa card at the end of the chain!
An attack against Siemens instead?
Subcontractors of the Iranians have full access to the facilities, and are the only party
that can initiate the attack via a USB drive. Compare Conficker (Ukrainian?), a similar worm: 7 million infected machines forming a botnet.
Really needs this, and is capable of doing it (Unit 8200).
COMPLETE silence in the media (censorship?)
Head of IDF Military Intelligence (Rosh Agaf Modi'in) Amos Yadlin said in 2009 ...
Jewish businessman Habib Elghanian was executed by a firing squad in Tehran on May 9, 1979; the value 19790509 is the "do not infect" marker Stuxnet checks in the registry before infecting a host.
Myrtus (from the debug path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb left in one of the drivers): myrtle, guava, Hadassah -> Esther, Persians -> Iranians.
Alternative reading: MyRTUs => SCADA (Supervisory Control and Data Acquisition), RTU => Remote Terminal Unit (converts field signals to/from digital).
And why a B: drive?
Redundancy in the code (2 privilege escalation bugs, 2 stolen code-signing certificates, 2 spreading exploits).
How come so many countries were infected? Why did it spread beyond Iran?
In the code, each infected USB drive is supposed to infect at most 3 computers, so why did it spread so much?
Why does it stop spreading on June 24, 2012? What's on that date?
Brian Tillett of Symantec claims there are traces of 30 or more programmers in Stuxnet.
Could have blown up the world, but done very carefully
Has been around in the works for at least 2 years
Uses 4 Zero-day exploits
Upgrades itself via peer-to-peer communications
Has a command and control server
Self-replicating through the WinCC SQL Server database, using Siemens' hardcoded WinCC password
Uses 2 stolen code-signing certificates (Realtek, JMicron) to sign its drivers
Fingerprints industrial control systems and only affects specific components
Detects and fools over 10 different anti-virus products
Hacks PLC devices
Has a Windows root kit, and a PLC rootkit
Has a code base that is larger than kernel32.dll zipped!
SUPPORTS OPERATING SYSTEMS FROM WINDOWS 98 TO WINDOWS 7
AND IS BUG FREE