SlideShare une entreprise Scribd logo

Stuxnet Targeted PLCs with Malware Injection Attack

Symantec
Symantec

Symantec provides an overview of how Stuxnet, the sophisticated piece of malware targeting industrial control systems, infects PLCs.

Technologie
1  sur  20
Télécharger pour lire hors ligne
Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sept. 2010 Operations Manager, Symantec Security Response Stuxnet - Infecting Industrial Control Systems 1
Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpooler vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersionsICS Goal C&CEoP 2 Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
Agenda 1 60 Second Intro to PLCs 2 Programming a PLC 3 How Stuxnet Infects 4 What Stuxnet Does 5 Demonstration Stuxnet - Infecting Industrial Control Systems 3
PLCs Programmable logic controller • Monitors input and output lines – Sensors on input – Switches/equipment on outputs – Many different vendors • Stuxnet seeks specific models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific Type of PLC Searches for a Specific Configuration Stuxnet - Infecting Industrial Control Systems 4
Hardware Configuration System data blocks • Each PLC must be configured before use • Configuration is stored in system data blocks (SDB) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet - Infecting Industrial Control Systems 5
How Stuxnet Infects PLCs Stuxnet - Infecting Industrial Control Systems 6
Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet - Infecting Industrial Control Systems 7
Stuxnet: Man-in-the-Middle Attack on PLCs “Man in the app” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet version intercepts, reads and writes to the PLC and changes the code at this point Stuxnet - Infecting Industrial Control Systems 8
Stuxnet MC7 Byte code • Malicious dll contains at least 70 blobs of data • They are binary and encoded • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Unsure of real-world effects of this code Stuxnet - Infecting Industrial Control Systems 9
OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC Stuxnet - Infecting Industrial Control Systems 10
Demo Show infection of a PLC • Proof of concept code • Step7 software • PLC • Air pump • Balloons • Confetti • :D Stuxnet - Infecting Industrial Control Systems 11
Demo • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet - Infecting Industrial Control Systems 12
Stuxnet’s PLC Code Complex and large amount of code • Demo was just 8 lines of code • Stuxnet contains hundreds of lines of code • It is difficult to understand the real-world actions without knowing what is connected on the inputs and outputs UC FC 1865; Call function 1865 return value is on the stack POP ; Return value goes into Accu1 L DW#16#DEADF007; Load DEADF007 into Accu1 ACCU1 goes to ACCU2 ==D ; BEC ; Are Accu1 and Accu2 equal? L DW#16#0; If true exit L DW#16#0; Else continue to real OB35 Stuxnet - Infecting Industrial Control Systems 13
Stuxnet’s PLC Code FC 1865 M004: CLR ; = DB888.DBX 642.4; UC FC 1874; A L 2.1; SAVE ; BE ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 14
Stuxnet’s PLC Code FC 1874 L DB888.DBW 16; L 3; <I ; JC M001; TAK ; L 4; >I ; JC M001; L DW#16#DEADF007; PUSH ; BE ; M001: L DW#16#0; PUSH ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 15
Stuxnet - Infecting Industrial Control Systems 16
Stuxnet - Infecting Industrial Control Systems 17
Targets Stats for command and control servers Stuxnet - Infecting Industrial Control Systems 18
Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 19
Thank you! Liam O Murchu Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet - Infecting Industrial Control Systems 20

Recommandé

Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet
StuxnetStuxnet
StuxnetShishir Aryal
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 

Recommandé

Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet
StuxnetStuxnet
StuxnetShishir Aryal
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet wormsommerville-videos
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Wannacry
WannacryWannacry
WannacryAravindVV
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attackAbdelhakim Salama
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and TypesVikram Khanna
 
COMPUTER VIRUS
COMPUTER VIRUSCOMPUTER VIRUS
COMPUTER VIRUSArnab Singha
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Security threats
Security threatsSecurity threats
Security threatsQamar Farooq
 
Network security presentation
Network security presentationNetwork security presentation
Network security presentationKudzai Rerayi
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: WannacryMikel Solabarrieta
 
12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
An introduction to denial of service attacks
An introduction to denial of service attacksAn introduction to denial of service attacks
An introduction to denial of service attacksRollingsherman
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attackstollen_fusion
 
Cyber attacks
Cyber attacks Cyber attacks
Cyber attacks Anuradha Moti T
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetAlejandro Ramos
 

Contenu connexe

Tendances

Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and TypesVikram Khanna
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Network security presentation
Network security presentationNetwork security presentation
Network security presentationKudzai Rerayi
 
12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
An introduction to denial of service attacks
An introduction to denial of service attacksAn introduction to denial of service attacks
An introduction to denial of service attacksRollingsherman
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 

Tendances (20)

Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet worm
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Wannacry
WannacryWannacry
Wannacry
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and Types
 
COMPUTER VIRUS
COMPUTER VIRUSCOMPUTER VIRUS
COMPUTER VIRUS
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Security threats
Security threatsSecurity threats
Security threats
 
Network security presentation
Network security presentationNetwork security presentation
Network security presentation
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: Wannacry
 
12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacks
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
 
An introduction to denial of service attacks
An introduction to denial of service attacksAn introduction to denial of service attacks
An introduction to denial of service attacks
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Cyber attacks
Cyber attacks Cyber attacks
Cyber attacks
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 

En vedette

Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetAlejandro Ramos
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Byres Security Inc.
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
التعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةالتعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةAhmed Al Enizi
 
Deep web power point presentation
Deep web power point presentationDeep web power point presentation
Deep web power point presentationalbafg55
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
Deep Web
Deep WebDeep Web
Deep WebSt John
 
Kritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikKritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikAlper Başaran
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 

En vedette (17)

Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Jornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnetJornada de ciberdefensa stuxnet
Jornada de ciberdefensa stuxnet
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
UAE Police & Military Hostile Environs Security Training Project V
UAE Police & Military Hostile Environs Security Training Project VUAE Police & Military Hostile Environs Security Training Project V
UAE Police & Military Hostile Environs Security Training Project V
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Cia security model
Cia security modelCia security model
Cia security model
 
Network Security
Network SecurityNetwork Security
Network Security
 
التعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحليةالتعرف على الاختراقات في الشبكات المحلية
التعرف على الاختراقات في الشبكات المحلية
 
Deep web power point presentation
Deep web power point presentationDeep web power point presentation
Deep web power point presentation
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
 
Deep Web
Deep WebDeep Web
Deep Web
 
Kritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber GüvenlikKritik Altyapılarda Siber Güvenlik
Kritik Altyapılarda Siber Güvenlik
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
 

Similaire à Stuxnet Targeted PLCs with Malware Injection Attack

Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's storyPaolo Stagno
 
Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$PusHkar SaIni
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)Řőmĕő Šhűbhąm
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED
 
Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Siang Wei Lee
 
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...theijes
 
Embedded systems presentation
Embedded systems presentationEmbedded systems presentation
Embedded systems presentationSurender Singh
 
Untangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationUntangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationSafetyChain Software
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2Nil Menon
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Industrial monitoring and control system using android application
Industrial monitoring and control system using android applicationIndustrial monitoring and control system using android application
Industrial monitoring and control system using android applicationAvinash Vemula
 
Industrial automation sustem
Industrial automation sustemIndustrial automation sustem
Industrial automation sustemParas kumar
 
dokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptdokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptssuser8d8124
 
Networking of multiple microcontrollers
Networking of multiple microcontrollersNetworking of multiple microcontrollers
Networking of multiple microcontrollersEdgefxkits & Solutions
 

Similaire à Stuxnet Targeted PLCs with Malware Injection Attack (20)

Stuxnet
StuxnetStuxnet
Stuxnet
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
 
Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$Microcontroller 8051 timer 274 P$
Microcontroller 8051 timer 274 P$
 
plc scada
plc scada plc scada
plc scada
 
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
INDUSTRIAL AUTOMATION ( SHUBHAM KURDIYA)
 
IJSRED-V2I2P57
IJSRED-V2I2P57IJSRED-V2I2P57
IJSRED-V2I2P57
 
Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)Report (Electromagnetic Password Door Lock System)
Report (Electromagnetic Password Door Lock System)
 
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
Feasible Interfacing and Programming of Industrial Control Technology Unit wi...
 
Embedded systems presentation
Embedded systems presentationEmbedded systems presentation
Embedded systems presentation
 
Untangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization ImplementationUntangling the Knots in Your Digitization Implementation
Untangling the Knots in Your Digitization Implementation
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
 
CCNA Icnd110 s02l05
CCNA Icnd110 s02l05CCNA Icnd110 s02l05
CCNA Icnd110 s02l05
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
Industrial monitoring and control system using android application
Industrial monitoring and control system using android applicationIndustrial monitoring and control system using android application
Industrial monitoring and control system using android application
 
Industrial automation sustem
Industrial automation sustemIndustrial automation sustem
Industrial automation sustem
 
PLC SCADA
PLC SCADAPLC SCADA
PLC SCADA
 
Plc scada-140717081152-phpapp02
Plc scada-140717081152-phpapp02Plc scada-140717081152-phpapp02
Plc scada-140717081152-phpapp02
 
dokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.pptdokumen.tips_industrial-automation-ppt.ppt
dokumen.tips_industrial-automation-ppt.ppt
 
Networking of multiple microcontrollers
Networking of multiple microcontrollersNetworking of multiple microcontrollers
Networking of multiple microcontrollers
 

Plus de Symantec

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec
 

Plus de Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec Webinar | Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Stuxnet Targeted PLCs with Malware Injection Attack

  • 1. Stuxnet - Infecting Industrial Control Systems Liam O Murchu Sept. 2010 Operations Manager, Symantec Security Response Stuxnet - Infecting Industrial Control Systems 1
  • 2. Stuxnet CheckWinCC Network Installed AV PrintDayShares .lnkSpooler vuln P2P Updates Infect PLCs MS08-067 1 ZeroVersionsICS Goal C&CEoP 2 Zero=Projects Infect Step7Day EoP 2 Def Dates Check Task Scheduler Win32k.sys 1.5 Mb each Stuxnet - Infecting Industrial Control Systems 2
  • 3. Agenda 1 60 Second Intro to PLCs 2 Programming a PLC 3 How Stuxnet Infects 4 What Stuxnet Does 5 Demonstration Stuxnet - Infecting Industrial Control Systems 3
  • 4. PLCs Programmable logic controller • Monitors input and output lines – Sensors on input – Switches/equipment on outputs – Many different vendors • Stuxnet seeks specific models – s7-300 s7-400 Stuxnet is Targeted Targeting a Specific Type of PLC Searches for a Specific Configuration Stuxnet - Infecting Industrial Control Systems 4
  • 5. Hardware Configuration System data blocks • Each PLC must be configured before use • Configuration is stored in system data blocks (SDB) • Stuxnet parses these blocks • Looks for magic bytes 2C CB 00 01 at offset 50h • Signifies a Profibus network card attached - CP 342-5 • Looks for 7050h and 9500h • Must have more than 33 of these values • Injects different code based on number of occurrences Stuxnet - Infecting Industrial Control Systems 5
  • 6. How Stuxnet Infects PLCs Stuxnet - Infecting Industrial Control Systems 6
  • 7. Programming a PLC Step7, STL and MC7 • Simatic or Step 7 software – Used to write code in STL or other languages • STL code is compiled to MC7 byte code • MC7 byte code is transferred to the PLC • Control PC can now be disconnected Stuxnet - Infecting Industrial Control Systems 7
  • 8. Stuxnet: Man-in-the-Middle Attack on PLCs “Man in the app” attack • Step7 uses a library to access the PLC – S7otbxdx.dll • Stuxnet replaces that dll with its own version • Stuxnet version intercepts, reads and writes to the PLC and changes the code at this point Stuxnet - Infecting Industrial Control Systems 8
  • 9. Stuxnet MC7 Byte code • Malicious dll contains at least 70 blobs of data • They are binary and encoded • These are actually blocks of MC7 byte code • This is the code that is injected onto the PLCs • Must be converted back to STL to understand it • Difficult task but we have now converted all the MC7 byte code to readable STL code • Unsure of real-world effects of this code Stuxnet - Infecting Industrial Control Systems 9
  • 10. OB1 and OB35 Stuxnet changes these blocks • OB1 = main() on PLCs – Stuxnet inserts its own code at the beginning of OB1 so it runs first • OB35 is a 100ms interrupt routine – Used to monitor inputs that would require fast action – Stuxnet infects OB35 too • Stuxnet will return clean versions of these functions when they are read from the PLC Stuxnet - Infecting Industrial Control Systems 10
  • 11. Demo Show infection of a PLC • Proof of concept code • Step7 software • PLC • Air pump • Balloons • Confetti • :D Stuxnet - Infecting Industrial Control Systems 11
  • 12. Demo • Inflate a balloon for 5 seconds • Infect the PLC • Inflate balloon again for 5 seconds Stuxnet - Infecting Industrial Control Systems 12
  • 13. Stuxnet’s PLC Code Complex and large amount of code • Demo was just 8 lines of code • Stuxnet contains hundreds of lines of code • It is difficult to understand the real-world actions without knowing what is connected on the inputs and outputs UC FC 1865; Call function 1865 return value is on the stack POP ; Return value goes into Accu1 L DW#16#DEADF007; Load DEADF007 into Accu1 ACCU1 goes to ACCU2 ==D ; BEC ; Are Accu1 and Accu2 equal? L DW#16#0; If true exit L DW#16#0; Else continue to real OB35 Stuxnet - Infecting Industrial Control Systems 13
  • 14. Stuxnet’s PLC Code FC 1865 M004: CLR ; = DB888.DBX 642.4; UC FC 1874; A L 2.1; SAVE ; BE ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 14
  • 15. Stuxnet’s PLC Code FC 1874 L DB888.DBW 16; L 3; <I ; JC M001; TAK ; L 4; >I ; JC M001; L DW#16#DEADF007; PUSH ; BE ; M001: L DW#16#0; PUSH ; END_FUNCTION Stuxnet - Infecting Industrial Control Systems 15
  • 16. Stuxnet - Infecting Industrial Control Systems 16
  • 17. Stuxnet - Infecting Industrial Control Systems 17
  • 18. Targets Stats for command and control servers Stuxnet - Infecting Industrial Control Systems 18
  • 19. Stuxnet Infections Stuxnet - Infecting Industrial Control Systems 19
  • 20. Thank you! Liam O Murchu Nicolas Falliere Eric Chien Threat Intelligence Team All Stuxnet Reverse Engineers Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Stuxnet - Infecting Industrial Control Systems 20