Stuxnet

Presentation by Håkan Ahrefors, Stuxnet / Advenica, 2017-02-22 (50 slides, hosted at eit.lth.se)

Why am I here?

Give and take...

Give... A glimpse into the IT security field

Take... Spread the word of our company; long-term recruitment...

Give and take!?! Spreading interest in security

2017-02-22 Stuxnet / Advenica 2


Main product families

Encryption, Cross-Domain Solutions

Digitalt ansvar (digital responsibility)

Håkan Ahrefors

MS Computer Engineering, 1997

PhD, Software Engineering, 2002

Assistant Professor, 2003-2005

IT Security, 2005-2009

IT Security Consultant, 2009-2010

Advenica, 2010 -

Stuxnet

Stuxnet is a kind of malware… …let's start there.

Malware/Worms/Trojans/Viruses

Malicious code: unapproved, unwanted, malicious intent

Different goals: spread, destroy, steal, herd, sabotage, $$$

1949: von Neumann, self-replicating automata

Early 70s: Creeper virus (ARPANET)

1986: Brain; 1988: Morris worm

Anti-Virus/Protection

Symantec, AVG, Avast, Avira, Microsoft, ESET, McAfee, Panda, Kaspersky...

However, you can't always run AV software

General rules of avoidance: NO INTERNET CONNECTION!

Limited or no local network connection

Run non-common, but trusted, software

New Malware

17 June 2010: VirusBlokAda (Belarusian AV company) detected and put a signature on a new threat, "Trojan-Spy.0485"

Not that out of the ordinary (~20 million new threats in 2010, AV-TEST)

It did, however, contain some "new" and interesting code

First Analysis

Contained embedded "0-day" exploits

Signed code (certificate from Realtek)

Enormous effort: years in development (~500 kB of code)

Several people, even several groups of people

QA (it was tested, not thrown together)

Continued Analysis

Remote and local updates: remote from external servers, local from other copies

Kill date... 24 June 2012

But wait... more exploits (4+)

Strange code strains

WinCC servers... Siemens controllers, PLC

Spreads on the local LAN – print spooler exploit

Spreads via USB (to make air-gap jumps)

Localization: India, Malaysia... and... Iran

Industrial espionage? Information gathering?

[Network diagram: Internet / Internal network / Local net / Specific-purpose network reached only by "sneaker net", at Company X, marked extra sensitive]

Controllers

WinCC -> Siemens hardware for controllers

STEP 7 – framework/language (STL) for programming controllers

Controllers: PID, PLC

SCADA – supervisory control and data acquisition

Who is the target?

Iran, Indonesia, India, Pakistan, US, Russia...

WinCC -> Siemens controllers...

Frequency converter IDs in the S7 code (Stuxnet checks for drives from specific vendors, Fararo Paya of Iran and Vacon of Finland)

Uranium enrichment... uses centrifuges driven by exactly such frequency converters

Many plants built with Siemens equipment

News and a Suspect: Natanz

Different sources helped the analysis

STEP 7 code showed signs of groups of structures, grouped in 4, 8, 12, 16, 20... of "something" (matching the stage layout of a centrifuge cascade)

Even the President of Iran "helped": on his blog in 2008, pictures from a visit to Natanz

.jpg analysis [screenshot slide; strings visible in the sample include ".stub" and the driver name "mrxnet.sys"]

…Info Bit

Stuxnet was huge news during 2010

Research has continued and is still ongoing

Stuxnet code is more or less out there for the taking

Stuxnet News [slide of news headlines]

Stuxnet – Timeline

November 2008: Trojan.Zlob variant already exploits the .LNK vulnerability (later MS10-046)

April 2009: Hakin9 magazine publishes an article on the print spooler vulnerability (later MS10-061)

June 2009: Earliest Stuxnet sample compile date

January 25, 2010: Stuxnet driver signed with Realtek certificate

March 2010: First version to exploit MS10-061

June 17, 2010: VirusBlokAda reports "Rootkit.TmpHider"

July 13, 2010: Symantec adds unique "W32.Temphid" signature

July 16, 2010: Microsoft advisory on .LNK files; Verisign revokes Realtek certificate

July 17, 2010: ESET identifies new Stuxnet driver, signed with a JMicron Technology Corp. certificate

July 19, 2010: Siemens reports investigation on WinCC SCADA; Symantec renames to W32.Stuxnet

July 22, 2010: Verisign revokes JMicron certificate

August 2, 2010: Microsoft releases MS10-046, patching the .LNK vulnerability

September 14, 2010: Microsoft releases MS10-061, patching the print spooler vulnerability

October 12, 2010: Microsoft releases MS10-073, patching the kernel elevation-of-privilege vulnerability

"Worm Stalking"

July 20, 2010: Symantec started to monitor the C&C traffic

Each Stuxnet sample kept a log of its own events (where it had been)

Stuxnet was a targeted attack on five organizations, targeted in June 2009, July 2009, March 2010, April 2010 and May 2010. Three organizations were targeted once, one twice, and one three times.

12,000 infections originated from these initial 10 infections. All targeted organizations have a presence in Iran. The shortest span between compile time and initial infection was 12 hours.

In November 2014 Kaspersky Lab published the names of the five organizations ("Stuxnet: Zero Victims").

4 Exploits!

CVE            Bulletin   Patched         Description
CVE-2008-4250  MS08-067   Oct 23, 2008    Vulnerability in Server Service Could Allow Remote Code Execution
CVE-2010-2568  MS10-046   Aug 2, 2010     Vulnerability in Windows Shell Could Allow Remote Code Execution
CVE-2010-2729  MS10-061   Sept 14, 2010   Vulnerability in Print Spooler Service Could Allow Remote Code Execution
CVE-2010-2743  MS10-073   Oct 12, 2010    Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Only MS08-067 was already patched when Stuxnet was found; the other three were zero-days at discovery. The "4+" from the first analysis also covers a Task Scheduler elevation of privilege (CVE-2010-3338), patched as MS10-092 on December 14, 2010.

CVE-2010-2568 (.LNK files)

NVD description: Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

…Gets Iffy

What icon to show for a shortcut? For a link to a .cpl (a Control Panel applet, which is just a .dll), the shell loads the .cpl and then extracts the icon from the loaded module...

...but...

OK if the shortcut looks like this: [screenshot, shortcut to a system Control Panel applet]

…but if it looks like this: [screenshot, shortcut whose target is ~WTR4141.tmp on removable media]

We load whatever DLL is in the ~WTR4141.tmp file... (on removable media) = BAD! And as msdn.microsoft.com tells us about the LoadLibrary function: "...If the specified module is a DLL that is not already loaded for the calling process, the system calls the DLL's DllMain function with the DLL_PROCESS_ATTACH value. ..." = WORSE!! The attacker's code runs the moment the module is mapped, before any icon is ever drawn.

NOTE... No AutoRun needed... merely displaying the icon (browsing the folder in Explorer) triggers the exploit!

It took just days before this vulnerability was added to Metasploit... but with an added feature...
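The detection a responder would have wanted in July 2010 is a parser for the shortcut itself: walk the ShellLinkHeader and LinkTargetIDList per MS-SHLLINK and flag a link that descends into the Control Panel folder yet names a loadable module outside System32. The following is an added example (not code from the talk, nor Stuxnet's or Metasploit's code). The two sample shortcuts are constructed with struct: the header and IDList framing follow the specification, but the inner layout of the Control Panel applet item is simplified, and the drive letter E: is hypothetical.

```python
import re
import struct
import uuid

# Constants from MS-SHLLINK and the well-known shell folder CLSIDs.
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001
HEADER_SIZE = 0x4C
LOADABLE_EXT = (".cpl", ".dll", ".tmp")
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def parse_lnk(data: bytes):
    """Parse the ShellLinkHeader and walk the LinkTargetIDList (MS-SHLLINK 2.1, 2.2).

    Returns (LinkFlags, [ItemID data blobs]). LinkInfo, StringData and
    ExtraData that follow the IDList are not needed for this check.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size < 2:          # TerminalID (0x0000) ends the list
                break
            items.append(data[pos + 2:pos + item_size])   # size field includes itself
            pos += item_size
    return flags, items


def embedded_strings(item: bytes):
    """ASCII and UTF-16LE strings of 4+ characters inside one ItemID."""
    out = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", item)]
    out += [m.decode("utf-16-le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", item)]
    return out


def assess_lnk(data: bytes):
    """Flag a shortcut whose target walks into the Control Panel folder and
    names a loadable module outside System32 (the MS10-046 pattern)."""
    _, items = parse_lnk(data)
    has_control_panel = any(CONTROL_PANEL in item for item in items)
    paths = [s for item in items for s in embedded_strings(item)
             if "\\" in s or s.lower().endswith(LOADABLE_EXT)]
    untrusted = [p for p in paths
                 if p.lower().endswith(LOADABLE_EXT)
                 and not p.lower().startswith(TRUSTED_PREFIXES)]
    return {"control_panel_item": has_control_panel,
            "paths": paths,
            "suspicious": has_control_panel and bool(untrusted)}


# --- constructed samples (not real Stuxnet files) ---------------------------

def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload      # ItemIDSize counts itself


def _lnk(items) -> bytes:
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID
              + struct.pack("<IIqqqIiIHHII", HAS_LINK_TARGET_ID_LIST,
                            0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0))   # attrs, 3 FILETIMEs, size,
    idlist = b"".join(_item(p) for p in items) + b"\x00\x00"   # icon, SW_SHOWNORMAL, rest 0
    return header + struct.pack("<H", len(idlist)) + idlist


# Root (My Computer) -> Control Panel -> applet item naming a DLL on a
# removable drive. Applet item layout simplified; drive letter hypothetical.
MALICIOUS_LNK = _lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x1f\x00" + CONTROL_PANEL,
    b"\x00\x00\x00\x00" + "E:\\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00",
])

# Root (My Computer) -> ordinary file-entry item for notepad.exe.
BENIGN_LNK = _lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x32\x00" + struct.pack("<IIH", 0, 0, 0x20) + b"notepad.exe\x00",
])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, assess_lnk(blob))
```

Run it over the root of every removable drive before the drive is opened in Explorer; the check needs no icon rendering, so it is safe to run on an unpatched host, which is exactly where it matters.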

"Holy Exploit, Batman!"

Remote malicious .dll loading! (The Metasploit module serves the shortcut and the DLL from a WebDAV share, so no USB stick is needed.)

What happened here?

November 2008: Trojan.Zlob already used the .LNK vulnerability (later MS10-046)

April 2009: Hakin9 magazine described the print spooler vulnerability (later MS10-061)

August 2, 2010: Microsoft releases MS10-046, patching the .LNK vulnerability

September 14, 2010: Microsoft releases MS10-061, patching the print spooler vulnerability

1-1½ years from public knowledge to patch!

Hard-coded Wonders!

WinCC software logs in to its MS SQL database with a fixed login uid/pwd. Posted on Siemens forums since 2008... since removed... but it's still "out there":

uid=WinCCConnect;pwd=2WSXcde

Of course you can't change it in the database... the program would stop
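Because the account above cannot be rotated without breaking the product, the practical controls are to find every place the credential is embedded and to watch where it is used from. The following is an added example, not code from the talk or from Siemens: the configuration text and the login lines are constructed (the second connection string, its password, the host addresses and the four-column log format are invented; a real SQL Server audit will need its own line split).

```python
import re

# Constructed configuration text, not a real WinCC project file.
SAMPLE_CONFIG = """
[Runtime]
ConnectionString=Provider=SQLOLEDB;Data Source=WINCCSRV\\WinCC;uid=WinCCConnect;pwd=2WSXcde;Initial Catalog=CC_Demo
[Reporting]
ConnectionString=Provider=SQLOLEDB;Data Source=HISTSRV;uid=report_ro;pwd=Xy9!kQ;Initial Catalog=Reports
"""

# Account/password pairs known to be fixed (the WinCC one is from the talk).
KNOWN_DEFAULTS = {"winccconnect": "2WSXcde"}

# ODBC/OLE DB style "uid=...;pwd=..." pairs; pwd may be empty.
CRED_RE = re.compile(r"uid=(?P<uid>[^;]+);pwd=(?P<pwd>[^;]*)", re.IGNORECASE)


def find_embedded_credentials(text):
    """Return (line_no, uid, masked_pwd, is_known_default) for every connection
    string carrying a clear-text password. The password is masked so the
    report itself does not leak it."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            uid, pwd = m.group("uid"), m.group("pwd")
            known = KNOWN_DEFAULTS.get(uid.lower()) == pwd
            hits.append((no, uid, pwd[:1] + "*" * (len(pwd) - 1), known))
    return hits


# Constructed login events: "<timestamp> <login> <client_ip> <result>".
SAMPLE_LOGINS = """
2010-07-19T08:00:01 WinCCConnect 10.10.1.5 SUCCESS
2010-07-19T08:00:09 report_ro 10.10.1.40 SUCCESS
2010-07-19T08:12:44 WinCCConnect 10.10.7.77 SUCCESS
2010-07-19T08:13:02 WinCCConnect 10.10.7.77 FAILED
"""


def unexpected_fixed_account_logins(log_text, account, allowed_hosts):
    """Compensating control for a password that cannot change: flag any login
    as `account` that does not come from an allow-listed WinCC/SCADA host.
    Failed attempts are reported too; they are the earliest sign of someone
    trying the published password."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, login, host, result = parts
        if login.lower() == account.lower() and host not in allowed_hosts:
            flagged.append((ts, host, result))
    return flagged


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_CONFIG):
        print(hit)
    print(unexpected_fixed_account_logins(SAMPLE_LOGINS, "WinCCConnect", {"10.10.1.5"}))
```

The allow-list is the set of hosts that legitimately run WinCC against that instance; everything else using the account is either a misconfiguration or an attacker who read the same forum post.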

Glimpse of the future?

Directed attacks are far more difficult to handle

SCADA systems: just one of many huge areas where "IT" security is not implemented

Not only about the "I" of IT anymore

Stuxnet: what happened then...?

2011: Duqu

2012: Flame, Gauss, Shamoon (wiper) – retaliation?

Flame

Spread across the LAN or via USB stick

Created for information gathering: records audio, screenshots, keyboard activity and network traffic; also records Skype conversations

Can turn infected computers into Bluetooth beacons and harvest information about nearby Bluetooth-enabled devices

Flame II

Data sent to a worldwide net of C&C servers

Found initially in May 2012

Spread mostly in the Middle East: Iran, Israel, Sudan, Syria, Lebanon etc.

After exposure, a "kill" command was sent

Huge Flame is Huge

20 MB of malware!

Modular; written in Lua and C++; SQLite database

Anti-"Anti-Virus": behaviour adapted to whatever AV software was installed

Active since at least 2010

Certificates Again

Signed with a fraudulent Microsoft certificate

Used a highly advanced attack against the MS Terminal Services Licensing Server to obtain a "valid" but fraudulent certificate that chained to Microsoft's root

Utilized an MD5 chosen-prefix collision attack (the licensing CA still signed with MD5)

Made a man-in-the-middle attack on Windows Update possible

And then what II?

Red October (Jan 2013)

Miniduke (27 Feb 2013)

NetTraveler (4 Jun 2013)

Careto (11 Feb 2014)

Regin (23 Nov 2014)

Duqu 2.0 (Jun 2015)

Shamoon 2 (Nov 2016)

… and…

…Stuxnet 0.5

Symantec revealed new information about early versions of Stuxnet (Feb 2013)

v0.5: less developed, but more aggressive

Designed to close valves in the centrifuge cascade so that pressure of the uranium hexafluoride gas built up, rather than manipulating rotor speed

Even Further Back!

C&C servers registered in 2005

Sample of code from 2007

5 years!

Meanwhile in Russia…

Equation Group! <cough!> NSA <cough!>

"Threat actor", highly sophisticated

Engaged in network exploitation since (at least) 2001, perhaps even further back (1996)

Multiple malware platforms

Highly advanced tools

Uses lots of encryption

Kaspersky Lab, 2015-02-16

A module present in several of their malware platforms, to stay persistent: reprograms HDD firmware (Samsung, WD, Hitachi, Seagate, Toshiba…)

Fanny worm, created 2008: used 2 zero-day exploits, including Stuxnet's "infamous" .LNK exploit, two years before Stuxnet was found

Mapping of air-gapped networks…

Equation Group II – Olympic Games

Speculations:

24 Sept 2010, The Guardian

1 June 2012, New York Times

23 June 2013, Associated Press (Cartwright pardoned by Obama, 2017)

June 2013, Edward Snowden: Tailored Access Operations (TAO)

Sources

Stuxnet:

"W32.Stuxnet Dossier" / Symantec

"Stuxnet Under the Microscope" / ESET

"Stuxnet 0.5: The Missing Link" / Symantec

"Stuxnet: Zero Victims" / Kaspersky (Nov 2014)

"Countdown to Zero Day – Stuxnet and the Launch of the World's First Digital Weapon" / Kim Zetter (2014)

Ralph Langner: on Vimeo, search for Ralph Langner

TED talk, Ralph Langner (Feb 2011)

Documentary: Zero Days (Jul 2016, www.imdb.com/title/tt5446858/)

Equation Group:

"Equation Group: Questions and Answers (FAQ v1.5)" / Kaspersky Lab (Feb 2015)

The end…

Håkan Ahrefors

[email protected]

advenica.com/

digitaltansvar.se/
