Stuxnet - Case Study

AmrHassanThabet 6,676 views 17 slides Jul 07, 2011

About This Presentation

This presentation is for CISS6011 Special Topic: Cybersecurity at the University of Sydney


Slide Content

Case Study: Stuxnet
By Amr Thabet

Stuxnet Overview
- Most sophisticated malware ever seen in public
- Uses up to 6 vulnerabilities (5 in Windows and 1 in Siemens software)
- Its code is ~1.5 MB (very large)
- Has 3 rootkits (User-Mode, Kernel-Mode and PLC rootkit)
- Spreads via USB flash memory and network shares
- Updates itself via the Internet by connecting (HTTP) to two websites (encrypted connection)
- Infects SCADA systems
- The first malware that has a physical payload

Stuxnet Life Cycle

Stuxnet's Main Dropper
- The dropper is a program that contains the real malware and carries it from one PC to another (like a ship)
- It loads the main DLL in a special way
- It uses LoadLibraryA and hooks the file management APIs that LoadLibraryA relies on, so the DLL is read from memory rather than from a file on the disk

Process Injection
- Stuxnet injects itself into a process (usually lsass.exe)
- It copies itself into the memory of lsass and then forces lsass to execute it by modifying its code
- In Stuxnet's case it unloads (removes) the original process image (lsass) from memory while the process is suspended, and then loads another PE file into that memory with the same entry point
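
The hollowing step just described, as an added example that is not part of the original deck or of any Stuxnet sample: because the replacement PE keeps the same entry point, a check that compares only entry points is blind to it, while a comparison of the section contents of the on-disk image against the image read back from the process is not. Both images below are constructed minimal PE32 files in file layout (what a memory-dump tool that re-maps a process image back to disk layout would give you); `build_pe`, `parse_pe` and `compare_images` are names chosen for this example.

```python
"""Added example, not code from the slide deck or from Stuxnet itself.
Compare an on-disk PE image with the image read back from a process to
spot a hollowed process whose entry point was left unchanged."""
import hashlib
import struct


def build_pe(entry_rva: int, text: bytes) -> bytes:
    """Construct a minimal PE32 image with a single '.text' section (constructed data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    # COFF header: Machine=i386, 1 section, timestamp/symbols zero, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x0102)
    # Optional header: Magic, linker versions, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(text), 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x00400000)
    opt = opt.ljust(opt_size, b"\x00")
    header_len = len(dos) + 4 + len(coff) + len(opt) + 40
    raw_off = (header_len + 0x1FF) & ~0x1FF  # align raw data to 512 bytes
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocation/line-number fields (zero), Characteristics (code|execute|read)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                          len(text), raw_off, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + opt + section
    return image.ljust(raw_off, b"\x00") + text


def parse_pe(image: bytes) -> dict:
    """Return the entry point RVA and a {name: raw bytes} map of sections."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = {}
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        sections[name.rstrip(b"\x00").decode()] = image[rawptr:rawptr + rawsize]
    return {"entry_point": entry, "sections": sections}


def compare_images(disk: bytes, memory: bytes) -> list:
    """Report entry-point and per-section differences between the two images.
    Same entry point but different code is exactly the pattern the slide describes."""
    d, m = parse_pe(disk), parse_pe(memory)
    findings = []
    if d["entry_point"] != m["entry_point"]:
        findings.append(f"entry point differs: disk={d['entry_point']:#x} memory={m['entry_point']:#x}")
    for name, data in d["sections"].items():
        mem_data = m["sections"].get(name)
        if mem_data is None:
            findings.append(f"section {name} missing in memory image")
        elif hashlib.sha256(data).digest() != hashlib.sha256(mem_data).digest():
            findings.append(f"section {name} content differs from on-disk image")
    for name in m["sections"]:
        if name not in d["sections"]:
            findings.append(f"section {name} present only in memory image")
    return findings


# Constructed samples: the "disk" image and a "memory" image with the same
# entry point but different code in .text.
DISK_IMAGE = build_pe(0x1000, b"\x55\x8b\xec\x5d\xc3".ljust(64, b"\xcc"))
HOLLOWED_IMAGE = build_pe(0x1000, b"\xe9\x00\x00\x00\x00".ljust(64, b"\x90"))

if __name__ == "__main__":
    for finding in compare_images(DISK_IMAGE, HOLLOWED_IMAGE):
        print(finding)
```

On a real process the in-memory image carries relocations and a patched import table, so a production version of this check compares only the code section and masks relocated bytes before hashing; the example keeps the comparison exact because its constructed images have neither.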

Escalation of Privileges
- Escalation of privileges means doing something you are not allowed to do. In Stuxnet's case it takes administrator privileges to install itself
- It uses 2 vulnerabilities in the Windows OS:
  - CVE-2010-2743 (MS10-073) - Win32K.sys Keyboard Layout Vulnerability
  - CVE-xxxx-xxxx (MS-xx-xxx) - Windows Task Scheduler Vulnerability
- These vulnerabilities allow Stuxnet to execute as a system application (it runs like a system process)

Installation Mechanism
- It installs these files:
  %SystemRoot%\inf\oem7A.PNF
  %SystemRoot%\inf\mdmeric3.PNF
  %SystemRoot%\inf\mdmcpq3.PNF
  %SystemRoot%\inf\oem6C.PNF
  %SystemRoot%\Drivers\mrxnet.sys
  %SystemRoot%\Drivers\mrxcls.sys
- Then it adds MrxNet and MrxCls to the registry to make sure they are executed on every boot

Disabling Windows Defender
- It modifies some registry entries related to Windows Defender:
  SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    EnableUnknownPrompts
    EnableKnownGoodPrompts
    ServicesAndDriversAgent
- These modifications allow Stuxnet to work normally without being blocked
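
A host-state check for the installation and Windows Defender artifacts listed on the previous two slides, as an added example that is not part of the original deck: it looks for the dropped .PNF and .sys files, the MrxNet/MrxCls entries that give the drivers persistence, and any Windows Defender Real-Time Protection value that differs from a known-good baseline. The snapshot, the baseline values and the service details are constructed; on a live host the same dictionaries would be filled from the file system and from the Services and SOFTWARE registry hives. `hunt` is a name chosen for this example.

```python
"""Added example, not code from the slide deck or from Stuxnet itself.
Hunt a host-state snapshot for the installation artifacts the slides list."""

# File paths exactly as the slide lists them.
DROPPED_FILES = [
    r"%SystemRoot%\inf\oem7A.PNF",
    r"%SystemRoot%\inf\mdmeric3.PNF",
    r"%SystemRoot%\inf\mdmcpq3.PNF",
    r"%SystemRoot%\inf\oem6C.PNF",
    r"%SystemRoot%\Drivers\mrxnet.sys",
    r"%SystemRoot%\Drivers\mrxcls.sys",
]
PERSISTENCE_SERVICES = {"mrxnet", "mrxcls"}
DEFENDER_KEY = r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_VALUES = {"EnableUnknownPrompts", "EnableKnownGoodPrompts", "ServicesAndDriversAgent"}


def expand(path: str, system_root: str) -> str:
    """Expand %SystemRoot% and normalise case for comparison."""
    return path.replace("%SystemRoot%", system_root).lower()


def hunt(snapshot: dict, defender_baseline: dict) -> list:
    """Return a list of {'kind', 'detail'} findings for the snapshot."""
    findings = []
    present = {p.lower() for p in snapshot["files"]}
    for path in DROPPED_FILES:
        if expand(path, snapshot["system_root"]) in present:
            findings.append({"kind": "file", "detail": path})
    # Service entries: the slide says the two drivers are registered so they run on every boot.
    for name, svc in snapshot["services"].items():
        if name.lower() in PERSISTENCE_SERVICES:
            findings.append({"kind": "service",
                             "detail": f"{name}: ImagePath={svc['ImagePath']} Start={svc['Start']}"})
    # Defender values: report any value under the key that differs from the
    # baseline, and mark the three values the slide names.
    current = snapshot["registry"].get(DEFENDER_KEY, {})
    for value, data in current.items():
        if defender_baseline.get(value) != data:
            tag = "named on slide" if value in DEFENDER_VALUES else "other"
            findings.append({"kind": "defender",
                             "detail": f"{value}: baseline={defender_baseline.get(value)} now={data} ({tag})"})
    return findings


# Constructed snapshot of an infected host (values are illustrative, not measured).
SNAPSHOT = {
    "system_root": r"C:\Windows",
    "files": [
        r"C:\Windows\inf\oem7A.PNF",
        r"C:\Windows\inf\mdmcpq3.PNF",
        r"C:\Windows\Drivers\mrxnet.sys",
        r"C:\Windows\Drivers\mrxcls.sys",
        r"C:\Windows\System32\drivers\tcpip.sys",
    ],
    "services": {
        "MRxCls": {"ImagePath": r"\??\C:\Windows\Drivers\mrxcls.sys", "Start": 1},
        "Tcpip": {"ImagePath": r"System32\drivers\tcpip.sys", "Start": 1},
    },
    "registry": {
        DEFENDER_KEY: {"EnableUnknownPrompts": 0, "EnableKnownGoodPrompts": 0, "ServicesAndDriversAgent": 0},
    },
}
# Constructed baseline: what the same key looked like on a known-clean host.
DEFENDER_BASELINE = {"EnableUnknownPrompts": 1, "EnableKnownGoodPrompts": 1, "ServicesAndDriversAgent": 1}

if __name__ == "__main__":
    for f in hunt(SNAPSHOT, DEFENDER_BASELINE):
        print(f"[{f['kind']}] {f['detail']}")
```

The Defender check is written as a diff against a baseline rather than a hard-coded "bad" value because the slide names the values that are modified but not what they are set to; a baseline from a clean build of the same image avoids guessing.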

Spreading Mechanism: USB Infection
- Stuxnet uses a vulnerability in the Windows OS:
  CVE-2010-2568 (MS10-046) - Windows Shell LNK Vulnerability
- This vulnerability is found in shortcuts to CPL files
- For these shortcuts Explorer loads the icon dynamically
- This loading makes Explorer load the CPL file and call its entry point
- Stuxnet uses this trick to make Explorer call the entry point of its executable
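
A defender-side heuristic for the shortcut abuse just described, as an added example that is not part of the original deck: a shortcut whose target item list carries a path to a loadable module (.dll, .tmp or .cpl) rather than to a normal program is worth pulling off a removable drive for a closer look. The parser follows the public MS-SHLLINK header layout (76-byte header, LinkCLSID, LinkFlags, then the LinkTargetIDList); the shortcut bytes are constructed for the example and are not a captured Stuxnet shortcut, and `build_lnk`, `parse_id_list` and `scan_lnk` are names chosen here.

```python
"""Added example, not code from the slide deck or from Stuxnet itself.
Flag .lnk files whose LinkTargetIDList embeds a path to a loadable module."""
import re
import struct

# ShellLinkHeader constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x0001  # LinkFlags bit 0

# Heuristics: a drive or UNC path ending in a module extension, in ANSI or UTF-16LE form.
ASCII_PATH = re.compile(rb"(?i)(?:[a-z]:\\|\\\\)[\x20-\x7e]{1,260}?\.(?:dll|tmp|cpl)(?![\x20-\x7e])")
WIDE_PATH = re.compile(r"(?i)(?:[a-z]:\\|\\\\)[^\x00]{1,260}?\.(?:dll|tmp|cpl)(?![^\x00])")


def build_lnk(items: list) -> bytes:
    """Construct a shortcut that has only a header and a LinkTargetIDList (test data)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST).ljust(HEADER_SIZE, b"\x00")
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"  # ItemIDs + TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


def parse_id_list(lnk: bytes) -> list:
    """Return the raw data of each ItemID in the LinkTargetIDList (empty if none)."""
    if len(lnk) < HEADER_SIZE or struct.unpack_from("<I", lnk)[0] != HEADER_SIZE or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    size = struct.unpack_from("<H", lnk, HEADER_SIZE)[0]
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + size, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", lnk, pos)[0]
        if item_size == 0:  # TerminalID
            break
        items.append(lnk[pos + 2:pos + item_size])
        pos += item_size
    return items


def module_paths(item: bytes) -> list:
    """Module-looking paths inside one ItemID, trying ANSI and both UTF-16LE alignments."""
    found = [m.group(0).decode("ascii") for m in ASCII_PATH.finditer(item)]
    for off in (0, 1):
        text = item[off:].decode("utf-16-le", errors="ignore")
        found += [m.group(0) for m in WIDE_PATH.finditer(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def scan_lnk(lnk: bytes) -> list:
    """Return the suspicious module paths found in the shortcut's target item list."""
    hits = []
    for item in parse_id_list(lnk):
        hits.extend(module_paths(item))
    return hits


# Constructed shortcuts. The first item mimics a root-folder item (type 0x1F, My Computer CLSID);
# the second carries the target path. Only the path string matters to the scanner.
ROOT_ITEM = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
BENIGN = build_lnk([ROOT_ITEM, "C:\\Windows\\notepad.exe\x00".encode("utf-16-le")])
SUSPICIOUS = build_lnk([ROOT_ITEM, "E:\\WTR4141.TMP\x00".encode("utf-16-le")])

if __name__ == "__main__":
    for label, lnk in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_lnk(lnk))
```

This is a triage heuristic, not a signature: it does not decode the control-panel shell item that the vulnerability actually abuses, so it will also flag legitimate shortcuts to .cpl applets. It is meant to shortlist files from removable media for analysis, with the hits then checked by hand.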

Spreading Mechanism: Network
- Stuxnet spreads via the network by using 2 vulnerabilities:
  CVE-2010-2729 (MS10-061) - Windows Print Spooler Service Vulnerability
  CVE-2008-4250 (MS08-067) - Windows Server Service NetPathCanonicalize()
- The 1st vulnerability allows Stuxnet to infect PCs that share their printers
- The 2nd was used before in Conficker and allows Stuxnet to spread via network shares

Updating Mechanism
- Stuxnet updates itself via 2 websites:
  www.mypremierfutbol.com
  www.todaysfutbol.com
- Stuxnet also updates itself via a P2P connection (on the isolated machines)
  - They communicate via an RPC connection
  - This controls the ICS machines without a direct communication to the Internet
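
Detection logic for the Internet-facing half of the update mechanism, as an added example that is not part of the original deck: scan web-proxy access logs for requests to the two update domains the slide names and report, per internal client, how often and when they were contacted. The log lines are constructed in Squid's native access.log layout (timestamp, elapsed ms, client, result code, bytes, method, URL, ...); the client addresses, timestamps and upstream addresses are made up for the example, and `scan_proxy_log` is a name chosen here.

```python
"""Added example, not code from the slide deck or from Stuxnet itself.
Report internal clients that contacted the two update domains the slide names."""
import re

UPDATE_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}

# Squid native format: timestamp elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url: str) -> str:
    """Extract the host from a URL or CONNECT target and drop a leading 'www.'."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host


def is_update_domain(host: str) -> bool:
    """Match the domain itself or any subdomain of it, never a look-alike suffix."""
    return any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS)


def scan_proxy_log(lines) -> dict:
    """Return {client: {'count', 'first', 'last', 'domains'}} for matching requests."""
    report = {}
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        host = host_of(m.group("url"))
        if not is_update_domain(host):
            continue
        ts = float(m.group("ts"))
        entry = report.setdefault(m.group("client"),
                                  {"count": 0, "first": ts, "last": ts, "domains": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["domains"].add(host)
    return report


# Constructed log lines (addresses and times are illustrative).
SAMPLE_LOG = [
    "1278500001.123    245 10.0.5.17 TCP_MISS/200 1423 GET http://www.mypremierfutbol.com/ - DIRECT/203.0.113.10 text/html",
    "1278500002.456     12 10.0.5.17 TCP_HIT/200 5120 GET http://intranet.example/index.html - NONE/- text/html",
    "1278503601.789    310 10.0.5.17 TCP_MISS/200 1388 GET http://todaysfutbol.com/ - DIRECT/203.0.113.11 text/html",
    "1278503700.001    198 10.0.5.23 TCP_MISS/200 1401 GET http://www.todaysfutbol.com/ - DIRECT/203.0.113.11 text/html",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for client, info in scan_proxy_log(SAMPLE_LOG).items():
        print(client, info["count"], sorted(info["domains"]), info["first"], info["last"])
```

The proxy sees the hostname even though the slide says the connection content is encrypted, which is why this check works at the egress point. It only covers hosts that reach the Internet; the isolated machines that update over the P2P/RPC path never appear in such a log, so for those the host-based artifact checks are the ones that matter.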

Rootkits
- A rootkit is a program (or tool) used by malware to hide its presence
- In Stuxnet, they hide the Stuxnet files on the infected USB flash memory
- Stuxnet has 2 rootkits: a User-Mode and a Kernel-Mode rootkit

User-Mode Rootkit
- Loaded by the LNK vulnerability
- Used only once, before infecting a machine
- It modifies the pointers to the file management APIs
  - Changes the input or the output of these APIs
  - Hides the Stuxnet flash memory files

Kernel-Mode Rootkit
- It's a device driver
- It's installed during the installation of Stuxnet
- It's a simple file system filter
  - It modifies the outputs and the inputs of the file management functions inside the kernel

Loading Mechanism
There are two ways for Stuxnet to load:
1. WTR4141.TMP:
   - Loaded by the LNK vulnerability
   - Loads the main dropper of Stuxnet
2. MrxCls:
   - It's a device driver
   - Injects Stuxnet into services.exe every time the system boots

Thank You
For any question don't forget to mail me at:
[email protected]
For more about me visit my website: http://www.amrthabet.co.cc
Or my blog: http://blog.amrthabet.co.cc