
A Forensic Dissection of Stuxnet

Carey Nachenberg, Vice President, Symantec Fellow, Symantec Corporation; Adjunct Professor of Computer Science, University of California at Los Angeles. Running title: The Biology of Stuxnet.


Presentation Transcript


  1. A Forensic Dissection of Stuxnet. Carey Nachenberg, Vice President, Symantec Fellow, Symantec Corporation; Adjunct Professor of Computer Science, University of California at Los Angeles. The Biology of Stuxnet.

  2. What I’d Also Like to Discuss… (If I had more time): (Birds do it, bees do it, computer viruses do it.) (We have documented evidence of both random and intentional mutation.) (Parasitism is one of the most common forms of infection.)

  3. This is Natanz, Iran.

  4. And these are Natanz’s centrifuges.

  5. And this is how they’re controlled. A standard PC controls the entire enrichment process! Windows PC (STEP7) -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges. The PLC decides how fast to spin the centrifuges. Communications Processors route commands from the PLC to the centrifuges. Frequency Converters ensure the centrifuges spin at the right speed. Centrifuges spin uranium to remove impurities.

  6. And this is how they’re isolated. Windows PC (STEP7) -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges. The diagram places the Research Network apart from this control chain.

  7. And this is (possibly) an Israeli Mossad programmer, who wants to introduce [image] onto this computer right here [image].

  8. So how exactly does this [Stuxnet] get onto an “air-gapped” network to disrupt these [centrifuges]? It’s got to spread on its own… Until it discovers the proper computers… Where it can disrupt the centrifuges… All while evading detection.

  9. It’s got to spread on its own… Stuxnet uses seven distinct mechanisms to spread to new computers:
     - It copies itself to open file-shares.
     - It attacks a hole in Windows’ print spooler.
     - It attacks a hole in Windows RPC.
     - It password-cracks SIEMENS DB software.
     - It infects SIEMENS PLC data files.
     - Peers update other peers directly.
     - USB drives!
     Usually we’re surprised when we see a threat targeting one flaw... Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors! But if the centrifuges are air-gapped from the ’net, how can Stuxnet jump to the enrichment network? Stuxnet uses thumb drives to bridge the gap!

  10. Until it discovers the proper computers… Stuxnet is extremely picky and only activates its payload when it’s found an exact match:
     - The targeted computer must be running STEP7 software from Siemens.
     - The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
     - The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
     - Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
     …

  11. Until it discovers the proper computers… Stuxnet is extremely picky and only activates its payload when it’s found an exact match. Now if you do the math… Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters… And recently we learned that Iran’s uranium enrichment “cascade” just happens to use exactly 160 centrifuges. What a coincidence! The creators of Stuxnet must have guessed all of these details.

  12. Now Stuxnet gets down to business… What you (probably) didn’t realize is that the PLC uses a totally different microchip and computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip! Stuxnet starts by downloading malicious logic onto the PLC hardware.

  13. Now Stuxnet gets down to business… Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days! And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges.) (After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)

  14. Now Stuxnet gets down to business… Once it’s sure, the malicious PLC logic begins its mischief! Stuxnet raises the spin rate to 1410Hz for 15 mins. Then sleeps for 27 days. Then slows the spin rate to 2Hz for 50 mins. Then sleeps for 27 days. Stuxnet repeats this process over and over. (Chart axis: 0Hz to 1500Hz.)

  15. Now Stuxnet gets down to business… Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes! Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

  16. Now Stuxnet gets down to business… What about Iranian failsafe systems? (Surely alarm bells must have been blaring at the enrichment plant, right?) Maybe Stuxnet pulled a Mission Impossible?!?

  17. Now Stuxnet gets down to business… Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range. But worry not… Stuxnet takes care of this too. And in fact, that’s exactly what Stuxnet did! Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the fail-safe systems! And Stuxnet disables the emergency kill switch on the PLC as well… Just in case someone tries to be a hero.
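The two symptoms slides 13 to 17 describe, a setpoint leaving the 807-1210Hz envelope and fail-safes being fed a recording, are both visible to an independent monitor that watches the converters' actual readings. The following is an added example, not code from the talk or from Symantec: it runs two simple checks over constructed telemetry (the record layout, timestamps and values are all made up for illustration).

```python
"""Added example, not from the talk: a defender-side monitor for the two
symptoms described on slides 13-17, run over constructed telemetry.
Symptom 1: a commanded frequency outside the 807-1210 Hz normal envelope.
Symptom 2: feedback that repeats an earlier window bit-for-bit, which is
what a replayed recording looks like (live sensor data has jitter).
Record layouts and values are constructed."""
from collections import deque

NORMAL_HZ = (807.0, 1210.0)   # normal operating envelope, slide 13

def envelope_alerts(commands):
    """commands: iterable of (t, commanded_hz). Returns the records whose
    setpoint leaves the normal envelope (e.g. 1410 Hz or 2 Hz, slide 14)."""
    lo, hi = NORMAL_HZ
    return [(t, hz) for t, hz in commands if not lo <= hz <= hi]

def replay_alerts(feedback, window=4):
    """feedback: list of (t, measured_hz) from the converters.
    Flags t when the last `window` readings exactly repeat a window seen
    earlier. Constant windows are ignored, since a steady setpoint would
    legitimately repeat; a jittered window repeating exactly is the signal.
    Returns [(t_now, t_first_seen), ...]."""
    seen, alerts, buf = {}, [], deque(maxlen=window)
    for t, hz in feedback:
        buf.append(hz)
        if len(buf) < window:
            continue
        key = tuple(buf)
        if len(set(key)) < 2:
            continue
        if key in seen:
            alerts.append((t, seen[key]))
        else:
            seen[key] = t
    return alerts

# Constructed data: setpoints with two excursions, and 8 jittered "live"
# readings followed by the same 8 readings played back (as in slide 17).
COMMANDS = [(0, 1064.0), (1, 1064.0), (2, 1410.0), (3, 1064.0), (4, 2.0)]
LIVE = list(enumerate([1064.2, 1063.9, 1064.4, 1064.0,
                       1063.7, 1064.1, 1064.3, 1063.8]))
REPLAYED = [(t + len(LIVE), hz) for t, hz in LIVE]

if __name__ == "__main__":
    print("setpoint excursions:", envelope_alerts(COMMANDS))
    print("replayed windows   :", replay_alerts(LIVE + REPLAYED))
```

The replay check only works if the monitor reads the converters through a path the compromised PLC does not control; otherwise it sees the same recording the fail-safes do.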

  18. All while evading detection… Stuxnet uses five distinct mechanisms to conceal itself. #5: Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”

  19. All while evading detection. Stuxnet uses five distinct mechanisms to conceal itself. #4: Stuxnet inhibits different behaviors in the presence of different security products to avoid detection. (Diagram: Launch Attack A / Launch Attack B / Launch Attack C / Launch Attack D, repeated for each security product.)

  20. All while evading detection. Stuxnet uses five distinct mechanisms to conceal itself. #3: Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.

  21. All while evading detection. Stuxnet uses five distinct mechanisms to conceal itself. #2: Stuxnet’s authors “digitally signed” it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1km apart in the same Taiwanese business park.

  22. All while evading detection. Stuxnet uses five distinct mechanisms to conceal itself. #1: Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)! Instructions to the centrifuges (SIEMENS PLC, to centrifuges):
     - Injected logic: During normal operation: Spin at 1410hz. In case of emergency: IGNORE OPERATOR COMMANDS.
     - What operators see: During normal operation: Spin at 1064hz. In case of emergency: Spin down to 0hz.

  23. Did It Succeed? Indications are that it did! Symantec telemetry indicates that rather than directly trying to infiltrate Natanz… The attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks. The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”

  24. Did It Succeed? Well, based on some clever Symantec engineering, we’ve got some interesting data. Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands: www.mypremierfutbol.com and www.todaysfutbol.com. Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers. Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited.

  25. Stuxnet Bookkeeping. Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics! (Diagram: example visited lists of IP addresses carried by spreading samples.)

  26. Here’s What We Found. (Graph slide.)

  27. Here’s What We Found. (These graphs show how the discovered samples spread.)

  28. Here’s What We Found. Data at time of discovery (July, 2010).
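Slides 24 to 28 rest on one forensic idea: because every sample carries the ordered list of machines it passed through, a collection of recovered samples can be merged into a spread graph. The following is an added example, not Symantec's tooling; the talk does not give the on-disk format of the visited list, so each sample is modelled simply as an ordered list of constructed host names.

```python
"""Added example, not from the talk: reconstructing how samples spread from
the 'visited list' each Stuxnet sample carries (slides 24-28). The real
on-disk format is not given on the page, so each recovered sample is
represented simply as the ordered list of hosts it passed through.
All host names and paths below are constructed."""
from collections import defaultdict

# Constructed samples: each entry is the visited list of one recovered file.
SAMPLES = [
    ["contractorA-pc1", "contractorA-pc7", "plant-eng-03"],
    ["contractorA-pc1", "contractorA-pc7", "plant-eng-03", "plant-step7"],
    ["contractorA-pc1", "contractorA-pc2"],
    ["contractorB-pc4", "plant-eng-09"],
    ["contractorB-pc4", "plant-eng-09", "plant-step7"],
]

def build_spread_graph(samples):
    """Each consecutive pair (a, b) in a visited list is one observed hop
    a -> b. Returns {source: set(of hosts it infected)} across all samples."""
    edges = defaultdict(set)
    for path in samples:
        for a, b in zip(path, path[1:]):
            edges[a].add(b)
    return dict(edges)

def entry_points(samples):
    """Hosts that only ever appear at the head of a list: the earliest
    infections in the data (the contractor machines of slide 23)."""
    heads = {p[0] for p in samples if p}
    later = {h for p in samples for h in p[1:]}
    return sorted(heads - later)

def hop_counts(samples):
    """(number of distinct hosts infected, host), most prolific first."""
    g = build_spread_graph(samples)
    return sorted(((len(v), k) for k, v in g.items()), reverse=True)

def paths_to(samples, target):
    """Every distinct route recorded up to `target`, e.g. the STEP7 box."""
    return sorted({tuple(p[:p.index(target) + 1]) for p in samples if target in p})

if __name__ == "__main__":
    print("entry points:", entry_points(SAMPLES))
    print("top spreader:", hop_counts(SAMPLES)[0])
    for route in paths_to(SAMPLES, "plant-step7"):
        print(" -> ".join(route))
```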

  29. Whodunit? According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.” 19790509. June 22, 2009 4:31:47pm GMT = June 22, 2009 6:31:47pm local (GMT + 2).

  30. To Conclude. Stuxnet has signaled a fundamental shift in the malware space. Stuxnet proves cyber-warfare against physical infrastructure is feasible. Unfortunately, the same techniques can be used to attack other physical and virtual systems.


  32. All while evading detection… Stuxnet used five distinct mechanisms to conceal itself:
     - #1: Stuxnet hides its files on thumb drives using a “rootkit.”
     - #2: Stuxnet adjusts its behavior based on which security product was present. (Diagram: Launch Attack A / B / C / D.)
     - #3, #4: Stuxnet was signed with one of 2 stolen digital certificates (Realtek), making it look like a trusted file; Stuxnet self-destructs on USB keys once it had spread to 3 new machines.
     - #5: Stuxnet hid its centrifuge controller changes using a second “rootkit.”
