8/4/2019 Stuxnet Final
1/19
The US was also involved in testing and development.
The finger was even pointed at Siemens, whose software was used by Iranian
Organization
Stuxnet consists of a large .dll file containing:
x 32 exports (the goals: the functions the code can be asked to perform)
x 15 resources (the methods: the components, such as drivers and payload modules, that those functions use)
Stuxnet contacts the command and control server
It first tests whether it can connect, on port 80, to:
x www.windowsupdate.com
x www.msn.com
If it can, it sends some basic information about the compromised computer to the attacker's servers at:
x www.mypremierfutbol.com
x www.todaysfutbol.com
The two URLs above previously pointed to servers in Malaysia and Denmark.
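The connectivity-check-then-beacon sequence above is easy to spot in egress logs, provided the logs record destination hosts. The following is an added example, not code from the original slides: it parses a constructed log format (one line per connection: timestamp, client IP, destination host, port), flags every client that reached one of the two C&C domains, and records whether that client performed both connectivity probes on port 80 first, which is the order the slide describes. The log format, the sample lines and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Hosts named on the slide. The first two are the connectivity probes, the last
# two are the command and control servers. These are historical indicators:
# the domains later changed hands, so a hit is a lead, not proof of infection.
PROBE_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
C2_HOSTS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}

# Constructed log format (an assumption of this example, not any product's):
#   <ISO timestamp> <client ip> <destination host> <destination port>
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d+)$")


class Conn(NamedTuple):
    ts: str
    client: str
    host: str
    port: int


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format; blank, comment and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, port = m.groups()
        conns.append(Conn(ts, client, host.lower(), int(port)))
    return conns


def find_c2_contacts(conns: List[Conn]) -> Dict[str, dict]:
    """For each client that reached a C&C host: which hosts, and whether the
    client had already completed both port-80 connectivity probes.
    Assumes the log is in time order."""
    probes_seen = defaultdict(set)
    result: Dict[str, dict] = {}
    for c in conns:
        if c.host in PROBE_HOSTS and c.port == 80:
            probes_seen[c.client].add(c.host)
        elif c.host in C2_HOSTS:
            entry = result.setdefault(c.client, {"c2_hosts": [], "probed_first": False})
            if c.host not in entry["c2_hosts"]:
                entry["c2_hosts"].append(c.host)
            if probes_seen[c.client] == PROBE_HOSTS:
                entry["probed_first"] = True
    return result


# Constructed sample, not real traffic.
SAMPLE_LOG = """\
# constructed sample log
2010-06-17T10:00:01 10.0.0.5 www.windowsupdate.com 80
2010-06-17T10:00:02 10.0.0.5 www.msn.com 80
2010-06-17T10:00:03 10.0.0.5 www.mypremierfutbol.com 80
2010-06-17T10:05:00 10.0.0.7 www.msn.com 80
2010-06-17T10:05:01 10.0.0.7 www.example.com 443
2010-06-17T10:06:00 10.0.0.9 www.todaysfutbol.com 80
this line is garbage and is skipped
"""


def demo() -> Dict[str, dict]:
    """Run the detection over the constructed sample."""
    return find_c2_contacts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, info in demo().items():
        print(client, info)
```

On the sample, 10.0.0.5 is reported with the full probe-then-beacon pattern, 10.0.0.9 is reported for the C&C contact alone, and 10.0.0.7 (a probe host but no C&C host) is not reported at all. Matching on the probe hosts alone would be useless, since every Windows machine talks to them; it is the combination with the C&C domains that carries signal.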
x autorun.inf
x .LNK vulnerability, unpatched at the time of discovery
x Network shares
x Printer Spooler vulnerability (MS10-061), unpatched at the time of discovery
x NetPathCanonicalize vulnerability (MS08-067), the one Conficker/Downadup uses, fixed in 2008
x Default password in the WinCC SQL database server
Through these vectors Stuxnet could spread over USB, e-mail, etc.
Stuxnet hides the copies of its files that it writes to removable drives.
Stuxnet extracts Resource 201 as MrxNet.sys.
The driver is registered as a service, creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath = %System%\drivers\mrxnet.sys
The driver file is digitally signed with a legitimate Realtek digital certificate, so driver signature enforcement does not stop it from loading.
The driver then filters (hides) files that match either rule:
x Files with a .LNK extension having a size of 4,171 bytes.
x Files named ~WTR[FOUR NUMBERS].TMP whose size is between 4 KB and 8 MB and where the sum of the four digits modulo 10 is zero. For example, 4+1+3+2 = 10 = 0 mod 10.
x Examples of hidden file names:
x Copy of Copy of Copy of Copy of Shortcut to.lnk
x Copy of Shortcut to.lnk
x ~wtr4141.tmp
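The two filter rules above are a precise predicate, and the usual way to catch a file-hiding driver is a cross-view check: list the drive on the running (possibly infected) machine, list the same drive offline (clean boot or mounted image), and look at what the live view is missing. The following is an added example, not code from the original slides: it implements the predicate as described, runs it over a constructed directory listing, and shows the cross-view diff. The listing, the function names and the reading of "4Kb"/"8Mb" as 4 KiB/8 MiB are assumptions of this example.

```python
import re
from typing import Iterable, List, NamedTuple

# Thresholds from the slide. "4Kb" and "8Mb" are read here as 4 KiB and 8 MiB
# (an assumption; the slide does not say whether the limits are binary or decimal).
LNK_HIDDEN_SIZE = 4171
WTR_MIN_SIZE = 4 * 1024
WTR_MAX_SIZE = 8 * 1024 * 1024
WTR_NAME_RE = re.compile(r"^~wtr(\d{4})\.tmp$", re.IGNORECASE)


class Entry(NamedTuple):
    name: str   # file name without directory
    size: int   # size in bytes


def mrxnet_would_hide(name: str, size: int) -> bool:
    """True if a file with this name and size matches the MrxNet.sys filter rules."""
    if name.lower().endswith(".lnk"):
        return size == LNK_HIDDEN_SIZE
    m = WTR_NAME_RE.match(name)
    if m is None:
        return False
    if not (WTR_MIN_SIZE <= size <= WTR_MAX_SIZE):
        return False
    digit_sum = sum(int(d) for d in m.group(1))
    return digit_sum % 10 == 0


def find_hidden(entries: Iterable[Entry]) -> List[str]:
    """Names in a listing that the driver would hide from a user on an infected machine."""
    return [e.name for e in entries if mrxnet_would_hide(e.name, e.size)]


def cross_view_diff(live: Iterable[Entry], offline: Iterable[Entry]) -> List[str]:
    """Rootkit check: names present in the offline listing (clean boot or mounted
    image) but absent from the listing taken on the running system. Anything
    returned here is being hidden from the live view, whatever its name."""
    live_names = {e.name.lower() for e in live}
    return sorted(e.name for e in offline if e.name.lower() not in live_names)


# Constructed listing of a removable drive (not taken from a real infection).
OFFLINE_LISTING = [
    Entry("Copy of Copy of Copy of Copy of Shortcut to.lnk", 4171),
    Entry("Copy of Shortcut to.lnk", 4171),
    Entry("~wtr4141.tmp", 513_536),          # 4+1+4+1 = 10 -> hidden
    Entry("~WTR4132.TMP", 25_720),           # 4+1+3+2 = 10 -> hidden (name match is case-insensitive)
    Entry("~wtr4140.tmp", 513_536),          # 4+1+4+0 = 9  -> not hidden
    Entry("~wtr4141.tmp.bak", 513_536),      # wrong extension -> not hidden
    Entry("Shortcut to report.lnk", 4172),   # one byte off -> not hidden
    Entry("holiday.jpg", 2_048_000),
]


def demo_hidden() -> List[str]:
    """Which entries of the constructed listing the driver would hide."""
    return find_hidden(OFFLINE_LISTING)


def demo_cross_view() -> List[str]:
    """Simulate the live view (driver has removed the matches) and diff it against offline."""
    live = [e for e in OFFLINE_LISTING if not mrxnet_would_hide(e.name, e.size)]
    return cross_view_diff(live, OFFLINE_LISTING)


if __name__ == "__main__":
    print("would be hidden:", demo_hidden())
    print("missing from live view:", demo_cross_view())
```

The predicate is useful for hunting on images where the driver is not loaded (the files are plainly visible there), while the cross-view diff needs no knowledge of the rules at all and will also catch a variant that changes them.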
LNK Vulnerability (CVE-2010-2568)
AutoRun.Inf
Run the Symantec Power Eraser with the Symantec Endpoint Protection Support Tool
Symantec Power Eraser Overview
If a Windows system file has been infected, you may need to replace it from the Windows installation CD.
Restoring settings in the registry:
Delete the registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
x Use a firewall to block all incoming connections from the Internet to services that should not be publicly available
x Enforce a password policy
x Disable AutoPlay
x Turn off file sharing if not needed
x Turn off and remove unnecessary services
x Always keep your patch levels up-to-date
Stuxnet represents the first of many milestones in malicious code history.
It is the first to exploit multiple 0-day vulnerabilities, compromise two digital certificates, inject code into industrial control systems, and hide that code from the operator.
Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat.
Stuxnet has shown that direct attacks on critical infrastructure are possible and not just theory or movie plotlines.