Presentation is loading. Please wait.

Presentation is loading. Please wait.

W32.Stuxnet How a presumably military grade malware sabotaged the Iranian nuclear program Presenter: Dolev Farhi | dolev@dc416.com.

Published byEthel Lamb Modified over 6 years ago

Similar presentations

Presentation on theme: "W32.Stuxnet How a presumably military grade malware sabotaged the Iranian nuclear program Presenter: Dolev Farhi | dolev@dc416.com."— Presentation transcript:

1 W32.Stuxnet How a presumably military grade malware sabotaged the Iranian nuclear program Presenter: Dolev Farhi |

2 acknowledgements! W32.Stuxnet
Before we start spinning the Centrifuges… acknowledgements!

3 W32.Stuxnet ~]# whoami

4 W32.Stuxnet ~]# Stuxnet --help Stuxnet (W32.Stuxnet) is an advanced malware discovered in 2010 which infected dozens of manufacturing sites, but it seemed that it had a particular interest in a very specific geographical location based on the malware characteristics and later, by the numbers of affected machines reported. Stuxnet specifically attacked industrial control systems and attacked Siemens WinCC/PCS7 products running Windows. To be more specific, it attacked PLCs: controllers which allow automating processes used to control factory assembly lines and centrifuges (separation of nuclear materials)

5 W32.Stuxnet First identified by VirusBlokAda
~]# history | grep Stuxnet First identified by VirusBlokAda It was initially believed the earliest Stuxnet version dates back to 2009, but Stuxnet 0.5, in fact, dated back to late 2005 / early 2006. Stuxnet release to the internet was due to what was believed to be a programming error introduced in one of the ongoing software updates The first version of Stuxnet closed specific valves, causing pressure to grow 5 times higher than normal. Later versions of Stuxnet changed frequencies of the PLC’s attached motors

6 W32.Stuxnet

7 W32.Stuxnet ~]# Stuxnet --list-zero-days | wc –l 5 The final version of Stuxnet used 4 OS level zero days in total (2 RCEs and 2 local PEs) and 1 application zero day. mandatory buzz lightyear meme

8 W32.Stuxnet Mode of operation
~]# Stuxnet --target uranium4peace.nuclear.ir \ --dump >> /home/Obama/dailyscripts/log.txt Mode of operation if os != windows && software != siemens && … && ... &&... : sys.exit(1) else: kaboom() Stuxnet had a very strict set of requirements that had to be met in order for the payloads to be triggered Once a machine met the requirements, Stuxnet worked in two different scenes, one which attacked the Siemens PLCs and the other was initiating an MiTM inside the PLC (more on that later) Stuxnet main targets: A Windows machine 2. One or more Siemens PC7 PLCs and WinCC / STEP7 software on that machine, this piece of software is a program that provides machinery control in industrial systems. 3. not infect anything that has no value to the operation

9 W32.Stuxnet Siemens WinCC and Simatic S7 PLC
~]# man uranium Siemens WinCC and Simatic S7 PLC

10 W32.Stuxnet How it spreads
~]# Oprah.py –-generate “You get a zero day” How it spreads Stuxnet used multiple spreading vectors: Via flash drivers (infection of PLCs was not trivial as they were mostly not connected to the internet) which may indicate on the work of double agents or outside contractors Different Stuxnet versions spread in different ways, but the recent one used a Windows LNK hole and older versions used autorun.inf Stuxnet used vulnerabilities against WinCC (Siemens), Microsoft’s spooler service, Microsoft’s SMB protocol and Microsoft Windows Server RPC.

11 W32.Stuxnet ‘Upstream’ communication
~]# curl –data \ “location=Iran&mission=spin2death&reason=forthelulz” \ ‘Upstream’ communication Once Stuxnet infects a relevant machine which matches the strict criteria, it attempts to contact a server in Malaysia and Denmark via HTTP: These domain names were registered in 2005 by an unknown source. Stuxnet communicated the malware spreading process to several command & control servers, which also provided the creators a way of upgrading the software and perform other tasks.

12 W32.Stuxnet The actual attack
~]# Stuxnet --target uranium4peace.nuclear.ir ~]# echo $? ~]# wall –n mission accomplished comrade The actual attack On top of the strict criterias systems had to meet in order for Stuxnet to infect them, it required PLCs to have frequency converter drives to be attached to them. Stuxnet looked for 2 specific vendors from Finland and Iran. It attacks systems that spin between 807hz to 1210hz, once it found them, it manipulated the operation of the motors by changing their rotational speed. it modified the frequency anywhere from 1410hz to 2hz, all while sending false data back to the operators. It had a logic condition to stop replicating itself on June 24th, 2014 … which happened to be the 7th anniversary of Mahmoud Ahmadinejad’s election as president of Iran

13 W32.Stuxnet ~]# env | grep “Stuxnet\|Malware\|Zero\|Hackers” It was reported on June 2nd by FireEye that a Malware similar to Stuxnet was found, targeting Siemens simulated control system environments, focused on industrial control systems. the Malware family was named IronGate. MiTMs PLC and monitoring softwares Sandbox detection and evasion Replaces DLLs and looks for specific processes Introduces false data to the operators similar to Stuxnet

14 W32.Stuxnet Interesting read & watch list:
(1) Nova: Rise of the Hackers (Documentary) (2) Countdown to Zero Day by Kim Zetter (Book) (*) Zero Days 2016 (a movie released this year)

15 W32.Stuxnet

Download ppt "W32.Stuxnet How a presumably military grade malware sabotaged the Iranian nuclear program Presenter: Dolev Farhi | dolev@dc416.com."

Similar presentations

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Virus code actions Or ‘how viruses work’. Replication Spreads quickly and can be difficult to control Can be attached to any type of file and make copies.

Virus code actions Or ‘how viruses work’. Replication Spreads quickly and can be difficult to control Can be attached to any type of file and make copies.
How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.

How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.
CONTROL SYSTEMS AND CYBER SECURITY 2600 MEETING JUNE 6,2014 MICHAEL TOECKER Mikhail Turcher, big fanci pantsie.

CONTROL SYSTEMS AND CYBER SECURITY 2600 MEETING JUNE 6,2014 MICHAEL TOECKER Mikhail Turcher, big fanci pantsie.
The 1-hour Guide to Stuxnet

The 1-hour Guide to Stuxnet
Real world example: Stuxnet Worm. Overview Primary target: industrial control systems –Reprogram Industrial Control Systems (ICS) –On Programmable Logic.

Real world example: Stuxnet Worm. Overview Primary target: industrial control systems –Reprogram Industrial Control Systems (ICS) –On Programmable Logic.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.

Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
STUXNET. Summary What is Stuxnet? Industial Control Systems The target/s of Stuxnet. How Stuxnet spreads. The impact of Stuxnet on PLC’s.

STUXNET. Summary What is Stuxnet? Industial Control Systems The target/s of Stuxnet. How Stuxnet spreads. The impact of Stuxnet on PLC’s.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.

 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
How Stuxnet changed the landscape for plant engineers Richard Trout, Director for Client Solutions, Trout I.T.

How Stuxnet changed the landscape for plant engineers Richard Trout, Director for Client Solutions, Trout I.T.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Stuxnet The first cyber weapon.

Stuxnet The first cyber weapon.
Instilling rigor and imagination in analysis Countering the Iranian Nuclear Threat Stuxnet and its Broader Implications Randolph H. Pherson Mary C. Boardman.

Instilling rigor and imagination in analysis Countering the Iranian Nuclear Threat Stuxnet and its Broader Implications Randolph H. Pherson Mary C. Boardman.
A sophisticated Malware Arpit Singh CPSC 420

A sophisticated Malware Arpit Singh CPSC 420
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
By: Sharad Sharma, Somya Verma, and Taranjit Pabla.

By: Sharad Sharma, Somya Verma, and Taranjit Pabla.

Similar presentations

Ads by Google