Post on 06-Apr-2018
8/3/2019 Stuxnet Presentation Fit
Authors: Rahat Masood, Um-e-Ghazia, Zahid Anwar
National University of Sciences and Technology, Islamabad, Pakistan
Stuxnet is one of the most sophisticated recent worms; it hit Iranian nuclear facilities in June 2010.
A Senior Director at Symantec reported that Iran is the only country that suffered heavily (about 60%) from this worm.
Stuxnet mainly targets the uranium facility at Natanz, where it affects centrifuge speed.
It targets computer control systems commonly used to manage water supplies, oil rigs, power plants and other facilities.
An assumption is that 10% of the centrifuges in Natanz were affected by this worm from 2009 to 2010.
The rotational speed of the centrifuges first increases and then drops, to introduce distortions and disturb their normal behavior.
A complex piece of malware, intended to sabotage the normal functioning of certain critical systems.
Two main phases:
Propagation Phase: propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform.
Injection Phase: attack on Siemens SCADA systems, which control programmable logic controllers (PLCs).
Stuxnet contains user-level as well as kernel-level rootkits that hide its existence to gain root-level privileges.
It penetrates the target infrastructure through:
Removable storage media such as USB drives.
Network (LAN):
Propagation via network shares.
Propagation via the print spooler zero-day vulnerability (MS10-061).
When a target (WinCC) is discovered, the behaviour
of the various items controlling the target architecture
is modified in order to physically impair the integrity
of the industrial production system.
This concerns modifying the normal function of
certain critical systems by manipulating their
controllers.
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
~WTR4141.TMP
~WTR4132.TMP
The first four .lnk files control the display of shortcut icons for all the files on the system.
The various .lnk files correspond to different versions of Windows.
These .lnk files load the library "~WTR4141.tmp" which, in turn, loads the file "~WTR4132.tmp".
The worm is also capable of distributing itself over the network through shared folders.
The malicious payload is copied and executed through shared credentials on the network.
When a LAN user accesses the shared files, this file is copied into that user's system directories.
It scans network shares on the remote computers and installs a file (dropper) there with the name DEFRAG.TMP.
When a printer is shared on a system, a user is able to "print" (read and write) files in the "%System%" directory.
It allows a remote user to copy files into the %SYSTEM% directory, to which the user has no access.
Exploitation in this case comprises two phases: an injection phase and an execution phase.
Injection Phase: involves copying "winsta.exe" and "sysnullevnt.mof" into the Windows %SYSTEM% directory.
Execution Phase: executing the script "sysnullevnt.mof". This file is used to trigger the aforementioned copied files.
The vulnerability relates to the way that the icon for the link is loaded.
This image is normally loaded from a CPL (Windows Control Panel) file using the system function "LoadLibraryW()".
By using the "File Location Info" field of a LNK file to force which CPL file is loaded, Stuxnet is able to force any Windows system to execute arbitrary code.
The user is redirected to the malicious path by opening the shortcut file.
Backtrack 4 acts as the C&C server.
The Metasploit Framework within Backtrack 4 is used.
The Metasploit Framework acts as the USB drive to exploit vulnerabilities.
3 Windows XP machines, 2 connected in LAN.
1 XP containing the Keil and Proteus software (in place of a PLC).
[Diagram: Virtual Box; Linux Backtrack 4 with Metasploit Framework; XP1, XP2, XP3; Keil & Proteus]
MS08_067 and MS10_061 are exploited through the LAN.
MS08_067 is exploited through a shared folder on the LAN.
MS10_046 is exploited on the machine assumed to be the PLC.
A hardware printer is not attached, but a print server is shared on the LAN, through which MS10_061 is exploited.
We have created Stuxnet.exe, which propagates in the LAN, and Plc.exe, which specifically targets the PLC machine and affects its normal behaviour.
Connecting C&C server & PCs on network
Enter commands for ms08_067
Through meterpreter, upload stuxnet.exe in shared folder
PC1 opens a shared folder & stuxnet.exe
Stuxnet.exe executes & copies itself in C:/ drive
After copying, hides itself
LAN PCs, when they open this exe, Stuxnet.exe propagates
Connecting C&C, PCs and print server in LAN
Enter commands for ms10_061
Print command is sent to print server via Metasploit
Two malicious exes are inserted in print server in location windows/system32
PC3 & PC5 on LAN send print command to print server
Malicious exes are copied to PC5 & PC3
Connecting C&C server & PC6 with each other
Enter commands for ms10_046
PC6 opens an Internet Explorer shortcut file
Two dll files are opened on PC6
Meterpreter session is opened
Upload plc.exe & execute it through meterpreter
KEIL project file changes, i.e. code change
Proteus circuit diagram output changed, i.e. pressure sensor gives alert
Exploits and Results

MS08_067_netapi (Server Service):
Copies a malicious file, Stuxnet.exe, into a folder shared on the LAN.
When any machine on the LAN uses this file, the exe is automatically copied onto that machine.

MS10_061_spoolss (Print Spooler):
A print command containing two random files is sent to the print server.
These files are copied to the Windows system directory.
Sending a print command to the server automatically copies these two files into the system directory.

MS10_046_dllloader (.LNK Vulnerability):
Opening the shortcut file results in session establishment with the attacker machine.
The malicious plc.exe file is uploaded to the victim machine.
Plc.exe specifically targets the PLC machine (Keil & Proteus), which disturbs the normal functioning of the pressure sensor.
The value of the pressure sensor drops to 0 and an alert is generated.
This work shows simulations using dummy malicious Stuxnet exe files.
This work will be extended by analyzing the original six Stuxnet files in the original PLC software, or by implementing a pure Stuxnet worm (writing source code).
The next version of Stuxnet, i.e. Duqu (Stuxnet 2.0), is under consideration. Its payload is different from Stuxnet 1.0: it targets certificate authorities and redirects victims to rogue servers.
AlienVault is a tool that can provide information about Stuxnet detection by analyzing different event logs and writing specific rules related to it.
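The idea of writing detection rules over event logs can be shown with the artifact names listed on the earlier slides. The Python below is an added example, not part of the original presentation and not AlienVault rule syntax; the (host, path) event format, the vector labels and the mapping of %SYSTEM% to \system32 are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # parses Windows paths on any OS

# (vector, artifact, file-name pattern, required parent-directory suffix).
# File names are those on the slides; mapping %SYSTEM% to \system32 is assumed.
RULES = [
    ("usb_lnk", "shortcut", re.compile(r"(copy of )+shortcut to\.lnk", re.I), None),
    ("usb_lnk", "loader", re.compile(r"~wtr4141\.tmp", re.I), None),
    ("usb_lnk", "payload", re.compile(r"~wtr4132\.tmp", re.I), None),
    ("network_share", "dropper", re.compile(r"defrag\.tmp", re.I), None),
    ("print_spooler", "exe", re.compile(r"winsta\.exe", re.I), "\\system32"),
    ("print_spooler", "mof", re.compile(r"sysnullevnt\.mof", re.I), "\\system32"),
]
# A vector is "confirmed" only when every artifact the slides pair together is seen.
REQUIRED = {"usb_lnk": {"shortcut", "loader", "payload"},
            "network_share": {"dropper"},
            "print_spooler": {"exe", "mof"}}

def classify(path):
    """Return (vector, artifact) for a created file path, or None if benign."""
    name, parent = basename(path), dirname(path).lower()
    for vector, artifact, pattern, dir_suffix in RULES:
        if pattern.fullmatch(name) and (dir_suffix is None or parent.endswith(dir_suffix)):
            return vector, artifact
    return None

def triage(events):
    """events: iterable of (host, path). Returns {host: {vector: status}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, path in events:
        hit = classify(path)
        if hit:
            seen[host][hit[0]].add(hit[1])
    return {host: {v: "confirmed" if arts >= REQUIRED[v] else "partial"
                   for v, arts in vectors.items()}
            for host, vectors in seen.items()}

# Constructed file-creation events (host, path); not taken from any real log.
SAMPLE_EVENTS = [
    ("XP1", r"E:\Copy of Copy of Shortcut to.lnk"),
    ("XP1", r"E:\~WTR4141.tmp"),
    ("XP1", r"E:\~WTR4132.tmp"),
    ("XP2", r"C:\WINDOWS\system32\winsta.exe"),
    ("XP2", r"C:\WINDOWS\system32\sysnullevnt.mof"),
    ("XP3", r"\\XP1\share\DEFRAG.TMP"),
    ("XP3", r"C:\Temp\sysnullevnt.mof"),        # outside \system32: ignored
    ("XP3", r"C:\Docs\Shortcut to notes.lnk"),  # ordinary shortcut: ignored
]
```

Calling `triage(SAMPLE_EVENTS)` groups the hits per host and marks a vector "partial" when only some of its paired files were seen.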