Stuxnet is one of the most sophisticated worms seen to date. It was discovered in June 2010 and targeted Iranian nuclear facilities. A Senior Director at Symantec reported that Iran was by far the most affected country, accounting for about 60% of infected hosts. Stuxnet mainly targeted the uranium enrichment facility at Natanz, where it altered the speed of the centrifuges. More generally, it attacks the computerised industrial control systems commonly used to manage water supplies, oil rigs, power plants and other facilities.
It is estimated that about 10% of the centrifuges at Natanz were affected by the worm between 2009 and 2010. The rotational speed of the centrifuges was first raised and then dropped, introducing mechanical stress and disturbing their normal behaviour.
Stuxnet is a complex piece of malware intended to sabotage the normal functioning of certain critical systems. It operates in two main phases:
Propagation phase: the worm spreads using vulnerabilities inherent in the Windows platform.
Injection phase: the worm attacks Siemens SCADA systems (WinCC), which control programmable logic controllers (PLCs).
Stuxnet contains both a user-mode and a kernel-mode rootkit that hide its files and drivers on the infected host. The rootkits conceal the worm rather than elevate it; system-level privileges are obtained separately through Windows privilege-escalation flaws. It penetrates the target infrastructure through:
Removable storage media (infected USB drives)
Network (LAN): propagation via network shares, and propagation via the print spooler zero-day vulnerability (MS10-061)
When a target running WinCC is discovered, Stuxnet modifies the behaviour of the components controlling the target architecture in order to physically impair the integrity of the industrial production system. In other words, it alters the normal function of certain critical systems by manipulating their controllers (the PLCs).
Files placed on an infected removable drive:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
~WTR4141.tmp
~WTR4132.tmp
The four .lnk files exploit the way Windows Explorer displays shortcut icons; each variant targets a different version of Windows. When Explorer renders the icon, the .lnk file causes the library "~WTR4141.tmp" to be loaded, which in turn loads "~WTR4132.tmp", the main Stuxnet dropper.
The worm is also capable of spreading over the network through shared folders. The malicious payload is copied to, and executed on, other machines using the credentials available on the network. It scans the network shares of remote computers and installs a dropper there under the name DEFRAG<GetTickCount>.TMP (the numeric part being the value returned by the GetTickCount() API), then schedules a job on the remote machine that executes the dropper, so a writable share is enough for the infection to spread.
When a printer is shared on a system, the print spooler vulnerability (MS10-061) lets a remote user "print" to a file, i.e. read and write files, in the "%System%" directory. This allows the remote user to copy files into %System% even though the user has no write access to it. Exploitation in this case comprises two phases: an injection phase and an execution phase.
Injection phase: winsta.exe and "sysnullevnt.mof" are copied into the Windows %System% directory (the .mof file into its wbem\mof subdirectory).
Execution phase: Windows Management Instrumentation automatically compiles the dropped script "sysnullevnt.mof", which triggers execution of the copied winsta.exe.
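Both LAN propagation paths above (the DEFRAG<GetTickCount>.TMP dropper on network shares and the winsta.exe / sysnullevnt.mof pair written through the print spooler) leave file-creation traces that can be caught with simple host rules. The following Python script is an added example, not part of the original presentation; it runs three rules over a handful of constructed records shaped loosely after Sysmon's FileCreate event (Event ID 11). The record format, the process names and the timestamps are assumptions made for the example; the file names and directories are the ones described above.

```python
"""Rules over constructed file-creation events for the two LAN propagation paths."""
import re
from dataclasses import dataclass

SYSTEM_DIR = "c:\\windows\\system32\\"
SPOOL_DIR = SYSTEM_DIR + "spool\\"     # the only System32 subtree spoolsv.exe legitimately writes to
MOF_DIR = SYSTEM_DIR + "wbem\\mof\\"   # .mof files dropped here are compiled automatically by WMI
# dropper names used by the worm: DEFRAG<GetTickCount>.TMP on shares, ~WTR41xx.tmp on removable media
DROPPER_NAME = re.compile(r"^(?:defrag\d+\.tmp|~wtr41\d\d\.tmp)$")


@dataclass(frozen=True)
class FileCreate:
    time: str
    image: str    # process that created the file
    target: str   # file that was created


def parse_events(lines):
    """Parse constructed 'time|EventID|Image|TargetFilename' records, keeping FileCreate (ID 11) only."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[1] != "11":
            continue
        events.append(FileCreate(parts[0], parts[2], parts[3]))
    return events


def classify(ev: FileCreate) -> list[str]:
    """Return the names of every rule the event trips (empty list for benign events)."""
    image, target = ev.image.lower(), ev.target.lower()
    name = target.rsplit("\\", 1)[-1]
    hits = []
    # MS10-061 abuse: a print job that ends up as a file under %System% instead of the spool directory
    if image.endswith("\\spoolsv.exe") and target.startswith(SYSTEM_DIR) and not target.startswith(SPOOL_DIR):
        hits.append("spooler-writes-system-dir")
    # a .mof landing in wbem\mof is an execution trigger, whoever wrote it
    if target.startswith(MOF_DIR) and name.endswith(".mof"):
        hits.append("mof-autocompile-drop")
    # the worm's own dropper file names, local or on a remote share
    if DROPPER_NAME.match(name):
        hits.append("stuxnet-dropper-name")
    return hits


def detect(lines):
    """Every (time, rule, image, target) tuple raised over the given records, in log order."""
    return [(ev.time, rule, ev.image, ev.target) for ev in parse_events(lines) for rule in classify(ev)]


# constructed sample records; the process names and times are invented for the example
SAMPLE_LOG = """\
# time|EventID|Image|TargetFilename (EventID 11 = file create)
10:01:02|11|C:\\Windows\\System32\\spoolsv.exe|C:\\Windows\\System32\\spool\\PRINTERS\\00005.SPL
10:01:09|11|C:\\Windows\\System32\\spoolsv.exe|C:\\Windows\\System32\\winsta.exe
10:01:09|11|C:\\Windows\\System32\\spoolsv.exe|C:\\Windows\\System32\\wbem\\mof\\sysnullevnt.mof
10:02:30|11|C:\\Windows\\explorer.exe|C:\\Users\\op\\Desktop\\notes.txt
10:03:11|11|C:\\Windows\\System32\\rundll32.exe|\\\\ws2\\C$\\Windows\\System32\\DEFRAG45893.TMP
10:03:12|1|C:\\Windows\\System32\\rundll32.exe|not a file-create event, ignored
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

The first record is the check a practitioner wants: the spooler writing into its own spool directory is normal and must not fire, which is why the rule excludes that subtree instead of flagging every write under System32.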
The vulnerability lies in the way the icon for a shortcut is loaded. For a shortcut to a Control Panel item, the icon is loaded from a CPL (Windows Control Panel) file, which is a DLL, using the system function "LoadLibraryW()". By pointing the file location information of the LNK file at a DLL of its own instead of a genuine CPL file, Stuxnet is able to force any Windows system to execute arbitrary code. No click is needed: simply viewing the folder that contains the shortcut in Explorer (or in any application that displays shortcut icons) is enough to load the malicious library.
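The point to take from the two passages above (the four .lnk files on the drive and the icon-loading flaw) is that a shortcut to a Control Panel item carries, inside its LinkTargetIDList, the path of the module Explorer will hand to LoadLibraryW(). A scanner can therefore parse the Shell Link header and ItemIDList and flag Control Panel shortcuts whose module is not a .cpl file or lives on a device/UNC path. The script below is an added example, not code from the original presentation or from Stuxnet: the header layout and the two CLSIDs are from the Shell Link format, but the ItemID layout of the constructed samples is a simplified stand-in rather than a byte-exact copy of the worm's .lnk files, and the device path in the malicious sample is invented.

```python
"""Heuristic scanner for shortcut (.lnk) files that abuse Control Panel icon loading."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, stored with little-endian fields
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Control Panel folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, same encoding
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bit: a LinkTargetIDList follows the header
IS_UNICODE = 0x80                # LinkFlags bit: string data is UTF-16LE

# a drive path (C:\...) or a UNC/device path (\\server\..., \\.\...) with at least one component
PATH_RE = re.compile(r"(?:[A-Za-z]:|\\\\[^\\\x00]+)(?:\\[^\\\x00]+)+")


def parse_item_ids(lnk: bytes) -> list[bytes]:
    """Return the Data field of every ItemID in the LinkTargetIDList (empty if the file has none)."""
    if len(lnk) < LNK_HEADER_SIZE or lnk[:4] != struct.pack("<I", LNK_HEADER_SIZE) or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    off = LNK_HEADER_SIZE
    (id_list_size,) = struct.unpack_from("<H", lnk, off)
    off += 2
    end = min(off + id_list_size, len(lnk))   # never trust the declared size past the buffer
    items = []
    while off + 2 <= end:
        (size,) = struct.unpack_from("<H", lnk, off)
        if size < 2:          # TerminalID (0x0000) closes the list; a size of 1 would be malformed
            break
        items.append(lnk[off + 2 : off + size])
        off += size
    return items


def extract_paths(item: bytes) -> set[str]:
    """Pull anything path-like out of an ItemID, whether it is stored as UTF-16LE or ANSI."""
    found = set()
    for text in (item.decode("utf-16-le", errors="ignore"), item.decode("latin-1")):
        found.update(m.group(0) for m in PATH_RE.finditer(text))
    return found


def suspicious_lnk_paths(lnk: bytes) -> list[tuple[str, str]]:
    """Flag module paths that a Control Panel shortcut would hand to LoadLibraryW()."""
    items = parse_item_ids(lnk)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return []   # ordinary shortcut: Explorer does not load a CPL module to draw its icon
    findings = []
    for item in items:
        for path in sorted(extract_paths(item)):
            name = path.rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if ext != "cpl":
                reasons.append(f"module extension is '.{ext}' rather than .cpl")
            if path.startswith("\\\\"):
                reasons.append("module sits on a UNC/device path such as removable media")
            if reasons:
                findings.append((path, "; ".join(reasons)))
    return findings


# constructed samples: the ItemID layout below is a simplified stand-in, not a byte-exact Stuxnet LNK
def build_lnk(items: list[bytes], flags: int = HAS_LINK_TARGET_ID_LIST | IS_UNICODE) -> bytes:
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")   # remaining header fields zeroed
    id_list = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


def path_item(path: str) -> bytes:
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


CONTROL_PANEL_ITEM = b"\x1f\x00" + CONTROL_PANEL_CLSID
MALICIOUS_LNK = build_lnk([CONTROL_PANEL_ITEM,
                           path_item(r"\\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Test&Prod_Flash#0001#\~WTR4141.tmp")])
BENIGN_CPL_LNK = build_lnk([CONTROL_PANEL_ITEM, path_item(r"C:\Windows\System32\timedate.cpl")])
BENIGN_EXE_LNK = build_lnk([path_item(r"C:\Windows\System32\notepad.exe")])

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_LNK), ("benign cpl", BENIGN_CPL_LNK), ("benign exe", BENIGN_EXE_LNK)):
        print(label, suspicious_lnk_paths(sample))
```

The scanner only looks at shortcuts that contain a Control Panel folder item, because that is the one case in which rendering the icon means loading a module; an ordinary shortcut to an .exe is left alone even though its target is not a .cpl. Run it over every .lnk in the root of a removable drive before the drive is opened in Explorer.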
Experimental setup
VirtualBox hosting Linux BackTrack 4 with the Metasploit Framework. BackTrack 4 acts as the C&C server, and Metasploit stands in for the infected USB drive by serving the exploits.
Three Windows XP machines: XP1 and XP2 connected in a LAN, and a third XP machine running the Keil and Proteus software in place of a real PLC.
MS08_067 and MS10_061 are exploited over the LAN: MS08_067 through the SMB file-sharing service (shared folders), and MS10_061 through a print server shared on the LAN (no hardware printer is attached). MS10_046 is exploited on the machine standing in for the PLC. We created two executables: Stuxnet.exe, which propagates over the LAN, and Plc.exe, which specifically targets the PLC machine and disrupts its normal behaviour.
The output of the Proteus circuit diagram changes, i.e. the pressure sensor raises an alert.
Results
MS08_067 (shared folder): the server copies a malicious file, Stuxnet.exe, into a folder shared on the LAN. When any machine on the LAN uses this file, the executable automatically copies itself onto that machine.
MS10_061_spoolss (print spooler): a print command carrying two arbitrary files is sent to the print server; sending the command automatically copies these two files into the Windows system directory.
MS10_046_dllloader (.LNK vulnerability): opening the shortcut file establishes a session with the attacker machine, over which the malicious plc.exe is uploaded to the victim. Plc.exe specifically targets the PLC machine (Keil and Proteus) and disturbs the normal functioning of the pressure sensor: its value drops to 0 and an alert is generated.
This work shows a simulation using dummy malicious Stuxnet executables. It will be extended by analysing the original six Stuxnet files in the original PLC software, or by implementing the worm itself (writing its source code). The next version of Stuxnet, i.e. Duqu ("Stuxnet 2.0"), is also under consideration. Its payload differs from that of Stuxnet 1.0: rather than sabotaging PLCs, Duqu gathers information from infected hosts and sends it to its command-and-control servers. AlienVault is a tool that can provide information about Stuxnet detection by analysing different event logs and writing specific rules for it.