W32.Stuxnet Dossier, Installation and Propagation

Post on 18-May-2020


W32.Stuxnet Dossier, Installation and Propagation
Ensimag 4MMSR Network Security - Student Seminar [1]

david.souto@ensimag.imag.fr, daniil.yanenko@ensimag.imag.fr, florian.richter@ensimag.imag.fr

2012-04-18

[1] https://ensiwiki.ensimag.fr/index.php/4MMSR-Network_Security-2011-2012

Nicolas Falliere, Liam O Murchu, Eric Chien: W32.Stuxnet Dossier, 2012-04-18, slide 1 / 28

Authors

- Nicolas Falliere (Senior Software Engineer)
- Liam O Murchu (Development Manager)
- Eric Chien (Technical Director)
- part of Symantec Security Response (antivirus and computer security research group, over 400 full-time employees)

Symantec
- founded 1982
- headquarters: Mountain View, California
- providing security, storage and systems management solutions, e.g. Norton products


Outline

1 Introduction

2 Architecture

3 Injection

4 Preparation

5 Propagation

6 Counter measures

7 Conclusion


Introduction

Stuxnet

- computer worm
- first discovered in June 2010
- first infected systems June 2009
- targets industrial control systems with PLC (Programmable Logic Controller) made by Siemens
- for Windows XP, ME, 2000, 2003, Vista, 7, Server 2008

Distribution

measured Sept. 29, 2010 (by monitoring traffic to the Command & Control server)

Attack Scenario

Architecture

DLL file

Injection

- there is no Stuxnet process: Stuxnet hides in trusted processes
- injection is performed on every call of an export
- injects into a trusted process
- goal: hide from antimalware

Trusted processes

Product                  Process name
Kaspersky KAV            avp.exe
McAfee                   Mcshield.exe
AntiVir                  avguard.exe
BitDefender              bdagent.exe
Etrust                   UmxCfg.exe
F-Secure                 fsdfwd.exe
Symantec                 rtvscan.exe
Symantec Common Client   ccSvcHst.exe
Eset NOD32               ekrn.exe
Trend Pc-Cillin          tmpproxy.exe
Windows                  Lsass.exe
Windows                  Winlogon.exe
Windows                  Svchost.exe

Preparation

Export 15

Zero-day exploit

- exploits computer application vulnerabilities that are unknown to others or the software developer beforehand
- Vulnerability window: time period between first exploitation and development of counter measures
- Attack vector: a concrete way to exploit a vulnerability

MS10-092: 0-day Task Scheduler

- target platform: Windows Vista and higher (introduction of the new Task Scheduler)
- goal: escalate privileges to SYSTEM
- task information stored as an XML file, readable and writable by the user
- integrity protected by a weak CRC32 checksum

Attack
1 create task with low privileges
2 read task configuration file from %SystemRoot%\system32\Tasks
3 modify task configuration file (change privileges)
4 calculate CRC32 of original file and adapt altered file to match it
5 run task
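
Step 4 works because CRC32 is a linear checksum, not a keyed one. The following added example (not from the slides or the dossier) shows that property on constructed task-file bytes and contrasts it with an HMAC under a key the low-privileged user cannot read, which is what integrity protection of a user-writable file actually requires. The names ORIGINAL, MODIFIED, crc32_is_linear and compare_schemes are constructed for this illustration.

```python
# Added example, not from the slides or the dossier: why a CRC32 over a
# user-writable task file is not integrity protection, and what a keyed
# MAC changes. The task bodies are constructed stand-ins, not real
# Task Scheduler XML.
import hashlib
import hmac
import zlib

ORIGINAL = b"<Task><Principal>LimitedUser</Principal></Task>"
MODIFIED = b"<Task><Principal>SYSTEM     </Principal></Task>"  # same length

def crc32_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 is affine over GF(2): for equal-length inputs
    crc(a) ^ crc(b) ^ crc(c) == crc(a ^ b ^ c).
    A checksum with this structure can be steered by whoever can write
    the file; it catches accidental corruption, not deliberate edits."""
    if not len(a) == len(b) == len(c):
        raise ValueError("linearity relation needs equal-length inputs")
    xored = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c) == zlib.crc32(xored)

def crc_tag(data: bytes) -> int:
    """The weak scheme from the slide: an unkeyed checksum."""
    return zlib.crc32(data)

def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed alternative: HMAC-SHA256. The key stays with the privileged
    service, so a user who can write the file still cannot re-tag it."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(mac_tag(key, data), tag)

def compare_schemes(key: bytes) -> dict:
    """Tag the original file, then record how each scheme behaves when a
    same-length edit is made: CRC32 changes but is linear (so adjustable
    without any secret); the HMAC rejects the edit and cannot be recomputed
    without the key."""
    crc_original = crc_tag(ORIGINAL)
    mac_original = mac_tag(key, ORIGINAL)
    zeros = bytes(len(ORIGINAL))
    return {
        "crc_detects_naive_edit": crc_tag(MODIFIED) != crc_original,
        "crc_is_linear": crc32_is_linear(ORIGINAL, MODIFIED, zeros),
        "mac_rejects_edit": not verify_mac(key, MODIFIED, mac_original),
        "mac_accepts_original": verify_mac(key, ORIGINAL, mac_original),
    }
```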

Propagation

Peer-to-peer

- implements a Microsoft RPC server and client
- automatic updates in the LAN

WinCC

- WinCC (Windows Control Center): for supervision and control of Siemens' industrial systems
- Microsoft SQL Server used for logging
- Vulnerability: hardcoded, publicly known and documented password in the SQL server

Infecting WinCC computers

- connect as Administrator using password '2WSXcder'
- create a table with the hex representation of the main Stuxnet DLL:

    CREATE TABLE sysbinlog ( abin image )
    INSERT INTO sysbinlog VALUES (0x...)

- write the DLL to disk via OLE Automation Stored Procedures
- add it as an extended stored procedure and execute it:

    SET @ainf = @aind + '\\sql%05x.dbi'
    EXEC sp_addextendedproc sp_dumpdbilog, @ainf
    EXEC sp_dumpdbilog

Network shares

Two methods used:

1 search for accessible network shares
  - search for other computers with the same user accounts as the local user
  - for all available credentials, try to access admin$ and C$
  - drop the Stuxnet DLL on the system
  - schedule a task to execute the Stuxnet DLL

2 Windows RPC vulnerability: MS08-067
  - buffer overflow in Windows RPC
  - already used by Conficker
  - more sophisticated implementation (employs recent techniques like Return Oriented Programming)
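
On the defender's side, the share-based method above leaves a recognisable trail in the Windows Security log. The following added example (not from the slides or the dossier) correlates constructed events to flag an account that reaches ADMIN$ or C$ on several hosts and registers a scheduled task on each shortly afterwards. It assumes the standard event IDs 5140 (network share accessed) and 4698 (scheduled task created); the host, account and task names are constructed.

```python
# Added example, not from the slides or the dossier: correlate Windows
# Security events to detect the share-drop-then-schedule pattern.
# Assumed event IDs: 5140 = network share accessed, 4698 = scheduled task
# created. All event rows below are constructed sample data.
from collections import defaultdict

EVENTS = [  # (time in seconds, event id, host, account, detail)
    (100, 5140, "ws01", "CORP\\jdoe", "\\\\*\\ADMIN$"),
    (101, 5140, "ws01", "CORP\\jdoe", "\\\\*\\C$"),
    (105, 4698, "ws01", "CORP\\jdoe", "\\Maint"),        # placeholder task name
    (200, 5140, "ws02", "CORP\\jdoe", "\\\\*\\ADMIN$"),
    (204, 4698, "ws02", "CORP\\jdoe", "\\Maint"),
    (300, 5140, "fs01", "CORP\\backup", "\\\\*\\Backups"),  # ordinary share use
    (400, 4698, "ws03", "CORP\\admin", "\\Patching"),       # task, no share drop
]

ADMIN_SHARES = ("ADMIN$", "C$")

def suspicious_accounts(events, window=60, min_hosts=2):
    """Return {account: [hosts]} for accounts that accessed an
    administrative share on at least `min_hosts` hosts and created a
    scheduled task on the same host within `window` seconds afterwards."""
    # (account, host) -> timestamps of administrative share access
    share_hits = defaultdict(list)
    for t, eid, host, acct, detail in events:
        if eid == 5140 and detail.rsplit("\\", 1)[-1] in ADMIN_SHARES:
            share_hits[(acct, host)].append(t)
    # account -> hosts where a task followed an admin share access
    hosts_by_acct = defaultdict(set)
    for t, eid, host, acct, _ in events:
        if eid != 4698:
            continue
        if any(0 <= t - s <= window for s in share_hits.get((acct, host), [])):
            hosts_by_acct[acct].add(host)
    return {a: sorted(h) for a, h in hosts_by_acct.items() if len(h) >= min_hosts}
```

A single host matching the pattern is ordinary remote administration; the spread across hosts within a short time is what distinguishes worm-style propagation.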

Printer spooler vulnerability

- discovered April 2009, fixed Sept 14, 2010
- precondition: a printer is shared on the target
- goal: remote code execution

Attack
- connect to the print spooler as guest
- print two "documents" to files in the %SYSTEM% directory
- the files are "printed" with the print spooler's privileges instead of the guest's:
  - winsta.exe → stuxnet.dll
  - wbem\mof\sysnullevnt.mof → registers an event that executes winsta.exe

Propagation via removable drive

LNK Vulnerability: MS10-046

Counter measures

For Stuxnet in particular:
- install recent security updates (fixes now exist for all vulnerabilities it used)

For similar future malware:
- none, only impede
- request software manufacturers to fix known vulnerabilities quickly
- install recent security updates
- isolation (take network, USB sticks, ... into account)

Conclusion

- largest and costliest development effort in malware history (estimation: 10 million $)
- 4 zero-day exploits
- 2 compromised certificates
- only a nation state is capable of producing it → cyberweapon

For Further Reading

Aleksandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho. "Stuxnet Under the Microscope - ESET". http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Nicolas Falliere, Liam O Murchu and Eric Chien. "W32.Stuxnet Dossier". http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Wikipedia. "Stuxnet". http://en.wikipedia.org/wiki/Stuxnet
Wikipedia. "Zero-day Attack". http://en.wikipedia.org/wiki/Zero-day_attack
