Stuxnet: How to Take Over a Nuclear Power Plant
Transcript of Stuxnet: How to Take Over a Nuclear Power Plant
©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Stuxnet: How to Take Over a (Nuclear) Power Plant
Tomer Teller, Security Evangelist
April 2011
The Idea Behind Stuxnet
Simple!
We don’t want Iran to get the bomb
Sabotage the uranium enrichment process
The Target
Real-time control system
Controls:
– Valves
– Drive speed
Does not run Windows
But..
We Are in Business
Diagram: Operator (Field PG) says “Hello?” to the Controller (PLC)
The Operation
Drop Malware, then Reprogram Controller (Payload)
Target: Centrifuge in Natanz
Mission Goal: No Nukes
Agenda
1 Terminology
2 Stuxnet Overview
3 Infiltration, Propagation and Exploitation
4 Summary
Terminology I
Exploit: Software that takes advantage of a bug in order to cause unintended behavior (getting inside)
Worm: Malware that replicates itself within the network (propagate)
Payload: The actual malicious activity, e.g., delete file, download file (create damage)
Terminology II
PLC: A Programmable Logic Controller (PLC) — control of machinery on factory assembly lines
Field PG: Typical Windows machines, used to program PLCs
Diagram: Field PG, PLC
Visual Terminology
Diagram: Operator (Field PG), Controller, Industrial Machinery
“Groundbreaking” Worm
So what is so special about Stuxnet? Why is it “groundbreaking”?
While We Are In This Room…
More than 50,000 new worms are propagating on the Internet
~1000 of them are undetected by antivirus
~1–2 employ unknown vulnerabilities (0-day)
Stuxnet Overview
Architecture: Single file (Archive)
Exploits:
– 4 unknown Windows bugs
– 2 stolen certificates
– PLC pre-recorded commands
Techniques:
– Antivirus evasion
– Peer-2-Peer network
– Command and control
Infection Statistics
This is not normal…
Number of Unique Infected Hosts by Country
Welcome to the Battlefield
The Bushehr Nuclear Power Plant, Iran
What’s Going To Happen?
Diagram: Internal Network with Operator PC (Windows), Field PG and PLC (label: “Found Operator”)
Typical PLC Deployment (Goal)
Diagram: Internal Network with Operator PC (Windows) and Field PG, which Write to and Read from the PLC; the PLC controls the industrial machinery (water pipe, pipeline, gas centrifuge)
Mission Objectives:
– Infiltrate the power plant
– Propagate inside the network
– Infect the operator computer
GOAL: Reprogram the controller
Mission #1: Introduce Threat To Target Network
The Infection
Infected a willing or unknowing third party:
– An insider
– A contractor
– A SCADA Conference USB give-away
The original infection was most likely introduced by a removable drive
Getting From the USB to the Computer
Stuxnet Used Two Methods to Infect the Computer via USB
Method #1: Malformed shortcut file (.LNK)
Method #2: Autorun design flaw (.INI)
Method #1: The LNK Vulnerability
Design-level flaw in Windows Desktop Explorer (not Internet Explorer) when viewing shortcuts
Shortcut Properties
– File Name: Shortcut
– File Size: 1 KB
– ICON Location: c:\icon
In our scenario the icon location was d:\bad_file, and this file was the Stuxnet worm
How Stuxnet Exploits This Vulnerability
Stuxnet arrives on a removable drive (USB) carrying:
– The Stuxnet worm
– Shortcut file that points at the worm
Once viewed and exploited:
– Hides the files on the USB
– Hides itself from antivirus
Autorun.inf—“Cunning” Hack
An Autorun.inf file is a configuration file placed on removable drives that instructs Windows to automatically execute a file when inserted
STUXNET’s CODE (filename: autorun.inf):
    [autorun]
    OPEN = setup.exe
Diagram: Stuxnet, AutoRun
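A triage parser for an autorun.inf pulled off a removable drive, listing every entry that would launch a program on insertion. This is an added example, not code from the talk; the key names (`open`, `shellexecute`, `shell\<verb>\command`) come from the autorun.inf format itself, and SAMPLE_INF is constructed around the two lines shown on the slide.

```python
"""Triage of an autorun.inf: which [autorun] entries launch a program?
Added example; key names are from the autorun.inf format, SAMPLE_INF is constructed."""

# Keys Windows honours for launching a program from the [autorun] section.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample, built around the slide's two lines plus typical decoys.
SAMPLE_INF = (
    "[autorun]\r\n"
    "OPEN = setup.exe\r\n"
    "icon = setup.exe,0\r\n"
    "action = Open folder to view files\r\n"   # decoy label for the AutoPlay dialog
    "shell\\explore\\command = setup.exe\r\n"  # also runs when the verb is chosen
)


def launch_entries(inf_text):
    """Return (key, target) pairs from [autorun] that would run a program.
    Parsed by hand so unrelated lines or junk outside the section are
    skipped rather than aborting the whole parse."""
    entries = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()            # autorun keys are case-insensitive
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            entries.append((key, value.strip()))
    return entries


def is_suspicious(inf_text):
    """True when the file launches anything; icon/label-only files are not flagged."""
    return bool(launch_entries(inf_text))
```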
But, Files Are Visible on the USB Drive…
Catch Me If You Can
Files are still there.
We just don’t list them anymore
ANY * ANY * INFECT
Stuxnet Used Two Methods to Infect the Computer via USB
Compromised Certificates
These Kinds of Activities Require a Legitimate Certificate Signed and Trusted by Microsoft
Both of these companies seem to have offices in the Hsinchu Science and Industrial Park (Taiwan), which could indicate an insider job
DEMO TIME
Autorun.inf
LNK vulnerability (MS10-046)
Mission #1 Completed
Diagram: Internal Network with Operator PC (Windows), Field PG and PLC
Microsoft Knew About This One, and Claimed it Wasn’t Critical Enough
Network Example: To Printer, To File, Admin Area
Stuxnet Communication Components
Communicate via Peer-2-Peer (infected machine acting as Client, infected machine acting as Server):
– Get Version
– Send Version
– Request Update
– Send Update
Communicate with attackers (over the Internet):
– Master?
– Do X
– Do Y
Mission #2 Completed
Diagram: Internal Network with Operator PC (Windows), Field PG and PLC (label: “Found Operator”); the infected host pings the C&C on the Internet: “Alive!”
Mission #3: Infecting The Target
When Stuxnet Reaches a Field PG, It Installs a Trojan Horse That:
– Monitors PLC commands being written and read
– Infects a PLC by inserting bad commands
– Masks the fact the PLC is infected
This is a rootkit – software which subverts the operating system
Infected PLC Example (READ/WRITE)
Operation       | Operator (Field PG) | Infected with Stuxnet      | Controller
Change Speed    | writes 5            | pre-recorded value: 500    | receives 500
Monitor Speed   | sees 5              | shows expected value: 5    | actually at 500
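The read/write interception in the table above as a runnable model, together with the check a defender would add: an out-of-band readback that does not pass through the Field PG. This is an added example, not code from the talk; the class names and the tolerance check are assumptions, the 5/500 values follow the slide.

```python
"""Model of the Field PG / PLC interception from the slide, plus a defender's
consistency check. Added example; Controller, StuxnetHook and the 5 % tolerance
are assumptions, not details from the talk."""


class Controller:
    """Stand-in for the PLC: it simply holds the last drive speed written."""
    def __init__(self):
        self.speed = 0

    def write_speed(self, value):
        self.speed = value

    def read_speed(self):
        return self.speed


class StuxnetHook:
    """Models the 'Infected with Stuxnet' layer between Field PG and PLC:
    writes are replaced by a pre-recorded value and reads return what the
    operator expects, so the operator screen keeps showing a healthy process."""
    def __init__(self, plc, prerecorded):
        self.plc = plc
        self.prerecorded = prerecorded
        self.expected = 0

    def write_speed(self, value):
        self.expected = value                    # remember the operator's 5
        self.plc.write_speed(self.prerecorded)   # PLC receives 500 instead

    def read_speed(self):
        return self.expected                     # operator sees 5, not 500


def run_scenario(operator_value=5, prerecorded=500):
    """Replay the two table rows: Change Speed, then Monitor Speed."""
    plc = Controller()
    link = StuxnetHook(plc, prerecorded)
    link.write_speed(operator_value)
    return {"operator_sees": link.read_speed(),
            "plc_actually_runs": plc.read_speed()}


def readback_consistent(hmi_value, independent_value, tolerance=0.05):
    """Defender's check: compare the operator-screen value with a measurement
    that bypasses the Field PG (a separate sensor, or PLC traffic decoded from
    a network tap). The hook can lie to the screen but not to a path it does
    not sit on; a relative gap beyond `tolerance` is the tell."""
    if hmi_value == independent_value:
        return True
    scale = max(abs(hmi_value), abs(independent_value))
    return abs(hmi_value - independent_value) / scale <= tolerance
```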
Mission Objectives:
– Infiltrate the power plant
– Propagate inside the network
– Infect the operator computer
GOAL: Reprogram the controller
Mission Accomplished!!
Summary
Complex: Stuxnet is a very sophisticated threat
Quiet: Built to stay “under the radar”
Dedicated: Targeted Iranian nuclear plant
Expensive: Used 4 unknown vulnerabilities
Blueprint: Stuxnet is a template for criminals
Productivity: Can target other companies
Questions
Thank You
Tomer Teller, Security Evangelist
Email : [email protected]