SlideShare une entreprise Scribd logo

Stuxnet

Symantec
Symantec

Symantec provides an overview of how Stuxnet, the sophisticated piece of malware targeting industrial control systems, infects PLCs.

Technologie
1  sur  20
Télécharger pour lire hors ligne
Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sept. 2010 Operations Manager, Symantec Security Response Stuxnet - Infecting Industrial Control Systems 1
Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpooler vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersionsICS Goal C&CEoP 2 Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
Agenda 1 60 Second Intro to PLCs 2 Programming a PLC 3 How Stuxnet Infects 4 What Stuxnet Does 5 Demonstration Stuxnet - Infecting Industrial Control Systems 3
PLCs Programmable logic controller • Monitors input and output lines – Sensors on input – Switches/equipment on outputs – Many different vendors • Stuxnet seeks specific models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific Type of PLC Searches for a Specific Configuration Stuxnet - Infecting Industrial Control Systems 4
Hardware Configuration System data blocks • Each PLC must be configured before use • Configuration is stored in system data blocks (SDB) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet - Infecting Industrial Control Systems 5
How Stuxnet Infects PLCs Stuxnet - Infecting Industrial Control Systems 6
Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet - Infecting Industrial Control Systems 7
Stuxnet: Man-in-the-Middle Attack on PLCs “Man in the app” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet version intercepts, reads and writes to the PLC and changes the code at this point Stuxnet - Infecting Industrial Control Systems 8
Stuxnet MC7 Byte code • Malicious dll contains at least 70 blobs of data • They are binary and encoded • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Unsure of real-world effects of this code Stuxnet - Infecting Industrial Control Systems 9
OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC Stuxnet - Infecting Industrial Control Systems 10
Demo Show infection of a PLC • Proof of concept code • Step7 software • PLC • Air pump • Balloons • Confetti • :D Stuxnet - Infecting Industrial Control Systems 11
Demo • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet - Infecting Industrial Control Systems 12
Stuxnet’s PLC Code Complex and large amount of code • Demo was just 8 lines of code • Stuxnet contains hundreds of lines of code • It is difficult to understand the real-world actions without knowing what is connected on the inputs and outputs UC FC 1865; Call function 1865 return value is on the stack POP ; Return value goes into Accu1 L DW#16#DEADF007; Load DEADF007 into Accu1 ACCU1 goes to ACCU2 ==D ; BEC ; Are Accu1 and Accu2 equal? L DW#16#0; If true exit L DW#16#0; Else continue to real OB35 Stuxnet - Infecting Industrial Control Systems 13
Stuxnet’s PLC Code FC 1865 M004: CLR ; = DB888.DBX 642.4; UC FC 1874; A L 2.1; SAVE ; BE ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 14
Stuxnet’s PLC Code FC 1874 L DB888.DBW 16; L 3; <I ; JC M001; TAK ; L 4; >I ; JC M001; L DW#16#DEADF007; PUSH ; BE ; M001: L DW#16#0; PUSH ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 15
Stuxnet - Infecting Industrial Control Systems 16
Stuxnet - Infecting Industrial Control Systems 17
Targets Stats for command and control servers Stuxnet - Infecting Industrial Control Systems 18
Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 19
Thank you! Liam O Murchu Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet - Infecting Industrial Control Systems 20

Recommandé

Stuxnet
StuxnetStuxnet
StuxnetShishir Aryal
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet wormsommerville-videos
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 

Recommandé

Stuxnet
StuxnetStuxnet
StuxnetShishir Aryal
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet wormsommerville-videos
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer wormSumaiya Ismail
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsVi Tính Hoàng Nam
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injectionVi Tính Hoàng Nam
 
Computer Worms
Computer WormsComputer Worms
Computer Wormssadique_ghitm
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Network and server performance monitoring training
Network and server performance monitoring trainingNetwork and server performance monitoring training
Network and server performance monitoring trainingManageEngine, Zoho Corporation
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTAshley Deuble
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeydicanhasfay
 
Metaploit
MetaploitMetaploit
MetaploitAjinkya Pathak
 
Malware
MalwareMalware
MalwareAnoushka Srivastava
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerAjit Dadresa
 
Hacking and Anti Hacking
Hacking and Anti HackingHacking and Anti Hacking
Hacking and Anti HackingInternational Islamic University
 
Stuxnet under the_microscope
Stuxnet under the_microscopeStuxnet under the_microscope
Stuxnet under the_microscopehiepnhatrang
 
Security Onion
Security OnionSecurity Onion
Security Onionn|u - The Open Security Community
 
Spoofing
SpoofingSpoofing
SpoofingGreater Noida Institute Of Technology
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetAlejandro Ramos
 

Contenu connexe

Tendances

Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer wormSumaiya Ismail
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsVi Tính Hoàng Nam
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief OverviewSILPI ROSAN
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTAshley Deuble
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeydicanhasfay
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerAjit Dadresa
 
Stuxnet under the_microscope
Stuxnet under the_microscopeStuxnet under the_microscope
Stuxnet under the_microscopehiepnhatrang
 

Tendances (20)

Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer worm
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Network and server performance monitoring training
Network and server performance monitoring trainingNetwork and server performance monitoring training
Network and server performance monitoring training
 
System hacking
System hackingSystem hacking
System hacking
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
 
Metaploit
MetaploitMetaploit
Metaploit
 
Malware
MalwareMalware
Malware
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
 
Hacking and Anti Hacking
Hacking and Anti HackingHacking and Anti Hacking
Hacking and Anti Hacking
 
Stuxnet under the_microscope
Stuxnet under the_microscopeStuxnet under the_microscope
Stuxnet under the_microscope
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Spoofing
SpoofingSpoofing
Spoofing
 

En vedette

Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetAlejandro Ramos
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Byres Security Inc.
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
التعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةالتعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةAhmed Al Enizi
 
Deep web power point presentation
Deep web power point presentationDeep web power point presentation
Deep web power point presentationalbafg55
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
Deep Web
Deep WebDeep Web
Deep WebSt John
 
Kritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikKritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikAlper Başaran
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 

En vedette (17)

Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnet
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
UAE Police & Military Hostile Environs Security Training Project V
UAE Police & Military Hostile Environs Security Training Project VUAE Police & Military Hostile Environs Security Training Project V
UAE Police & Military Hostile Environs Security Training Project V
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Cia security model
Cia security modelCia security model
Cia security model
 
Network Security
Network SecurityNetwork Security
Network Security
 
التعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةالتعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحلية
 
Deep web power point presentation
Deep web power point presentationDeep web power point presentation
Deep web power point presentation
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
 
Deep Web
Deep WebDeep Web
Deep Web
 
Kritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikKritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber Güvenlik
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
 

Similaire à Stuxnet

Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's storyPaolo Stagno
 
Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$PusHkar SaIni
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)Řőmĕő Šhűbhąm
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED
 
Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Siang Wei Lee
 
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...theijes
 
Embedded systems presentation
Embedded systems presentationEmbedded systems presentation
Embedded systems presentationSurender Singh
 
Untangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationUntangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationSafetyChain Software
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2Nil Menon
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Industrial monitoring and control system using android application
Industrial monitoring and control system using android applicationIndustrial monitoring and control system using android application
Industrial monitoring and control system using android applicationAvinash Vemula
 
Industrial automation sustem
Industrial automation sustemIndustrial automation sustem
Industrial automation sustemParas kumar
 
dokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptdokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptssuser8d8124
 
Networking of multiple microcontrollers
Networking of multiple microcontrollersNetworking of multiple microcontrollers
Networking of multiple microcontrollersEdgefxkits & Solutions
 

Similaire à Stuxnet (20)

Stuxnet
StuxnetStuxnet
Stuxnet
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
 
Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$
 
plc scada
plc scada plc scada
plc scada
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57
 
Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)
 
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
 
Embedded systems presentation
Embedded systems presentationEmbedded systems presentation
Embedded systems presentation
 
Untangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationUntangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization Implementation
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
 
CCNA Icnd110 s02l05
CCNA Icnd110 s02l05CCNA Icnd110 s02l05
CCNA Icnd110 s02l05
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
Industrial monitoring and control system using android application
Industrial monitoring and control system using android applicationIndustrial monitoring and control system using android application
Industrial monitoring and control system using android application
 
Industrial automation sustem
Industrial automation sustemIndustrial automation sustem
Industrial automation sustem
 
PLC SCADA
PLC SCADAPLC SCADA
PLC SCADA
 
Plc scada-140717081152-phpapp02
Plc scada-140717081152-phpapp02Plc scada-140717081152-phpapp02
Plc scada-140717081152-phpapp02
 
dokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptdokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.ppt
 
Networking of multiple microcontrollers
Networking of multiple microcontrollersNetworking of multiple microcontrollers
Networking of multiple microcontrollers
 

Plus de Symantec

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec
 

Plus de Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 

Dernier

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Stuxnet

  • 1. Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sept. 2010 Operations Manager, Symantec Security Response Stuxnet - Infecting Industrial Control Systems 1
  • 2. Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpooler vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersionsICS Goal C&CEoP 2 Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
  • 3. Agenda 1 60 Second Intro to PLCs 2 Programming a PLC 3 How Stuxnet Infects 4 What Stuxnet Does 5 Demonstration Stuxnet - Infecting Industrial Control Systems 3
  • 4. PLCs Programmable logic controller • Monitors input and output lines – Sensors on input – Switches/equipment on outputs – Many different vendors • Stuxnet seeks specific models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific Type of PLC Searches for a Specific Configuration Stuxnet - Infecting Industrial Control Systems 4
  • 5. Hardware Configuration System data blocks • Each PLC must be configured before use • Configuration is stored in system data blocks (SDB) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet - Infecting Industrial Control Systems 5
  • 6. How Stuxnet Infects PLCs Stuxnet - Infecting Industrial Control Systems 6
  • 7. Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet - Infecting Industrial Control Systems 7
  • 8. Stuxnet: Man-in-the-Middle Attack on PLCs “Man in the app” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet version intercepts, reads and writes to the PLC and changes the code at this point Stuxnet - Infecting Industrial Control Systems 8
  • 9. Stuxnet MC7 Byte code • Malicious dll contains at least 70 blobs of data • They are binary and encoded • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Unsure of real-world effects of this code Stuxnet - Infecting Industrial Control Systems 9
  • 10. OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC Stuxnet - Infecting Industrial Control Systems 10
  • 11. Demo Show infection of a PLC • Proof of concept code • Step7 software • PLC • Air pump • Balloons • Confetti • :D Stuxnet - Infecting Industrial Control Systems 11
  • 12. Demo • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet - Infecting Industrial Control Systems 12
  • 13. Stuxnet’s PLC Code Complex and large amount of code • Demo was just 8 lines of code • Stuxnet contains hundreds of lines of code • It is difficult to understand the real-world actions without knowing what is connected on the inputs and outputs UC FC 1865; Call function 1865 return value is on the stack POP ; Return value goes into Accu1 L DW#16#DEADF007; Load DEADF007 into Accu1 ACCU1 goes to ACCU2 ==D ; BEC ; Are Accu1 and Accu2 equal? L DW#16#0; If true exit L DW#16#0; Else continue to real OB35 Stuxnet - Infecting Industrial Control Systems 13
  • 14. Stuxnet’s PLC Code FC 1865 M004: CLR ; = DB888.DBX 642.4; UC FC 1874; A L 2.1; SAVE ; BE ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 14
  • 15. Stuxnet’s PLC Code FC 1874 L DB888.DBW 16; L 3; <I ; JC M001; TAK ; L 4; >I ; JC M001; L DW#16#DEADF007; PUSH ; BE ; M001: L DW#16#0; PUSH ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 15
  • 16. Stuxnet - Infecting Industrial Control Systems 16
  • 17. Stuxnet - Infecting Industrial Control Systems 17
  • 18. Targets Stats for command and control servers Stuxnet - Infecting Industrial Control Systems 18
  • 19. Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 19
  • 20. Thank you! Liam O Murchu Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet - Infecting Industrial Control Systems 20