UT CS 378 - Lecture Notes



Stuxnet
Vitaly Shmatikov, CS 361S (based on Symantec's "Stuxnet Dossier")

CVE-2010-2772
"Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm"

MS10-046 Vulnerability
Microsoft Security Bulletin MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution
"The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed … This security update is rated Critical for all supported editions of Microsoft Windows."
First disclosed in CVE-2010-2568 (Jun 30, 2010): "Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems."

Stuxnet Pre-History
November 20, 2008: Zlob Trojan exploits an unknown vulnerability in Windows shortcuts (LNK)
• Later identified as MS10-046
April 2009: security magazine Hakin9 describes a vulnerability in the Windows printer spooler service
• Later identified as MS10-061
June 22, 2009: earliest version of Stuxnet seen
• Does not use MS10-046, driver not signed

Stuxnet Timeline (2010)
January 25: signed Stuxnet driver, valid certificate from Realtek Semiconductor
June 17: antivirus company from Belarus reports a new USB rootkit, TmpHider
July 16: Microsoft issues MS10-046
• Shortcut vulnerability
July 16: VeriSign revokes Realtek certificate
July 17: Stuxnet driver with valid certificate from JMicron Technology

Stuxnet Timeline Cont'd (2010)
July 19: Siemens says they are investigating malware affecting their WinCC SCADA system
• SCADA = control of industrial machinery
September 14: Microsoft issues MS10-061
• Print spooler vulnerability

Stuxnet Firsts
First to exploit multiple zero-day vulnerabilities
First to use stolen signing keys and valid certificates of two companies
First to target industrial control systems – or not?
… and hide the code from the operator
… and perform actual sabotage
First PLC (programmable logic controller) rootkit
First example of true cyber-warfare?

Industrial Control Systems
Run automated processes on factory floors, power and chemical plants, oil refineries, etc.
Specialized assembly code on PLCs (Programmable Logic Controllers)
• PLCs are usually programmed from Windows
Not connected to the Internet ("air gap")

Target: SCADA
Each PLC is configured and programmed in a unique manner
Stuxnet targets a specific PLC control system
• SIMATIC PCS 7 Process Control System
• Programmed using WinCC/STEP 7

Stuxnet Propagation Methods
Initial infection via USB drive (jumps the "air gap")
• Zero-day MS10-046 shortcut exploit + auto-execution
Several network propagation methods
• LAN: zero-day MS10-061 print spooler exploit or old MS08-067 RPC exploit (remember Conficker?)
• Default password to Siemens WinCC database server
• Network shares
• Peer-to-peer communication and update mechanism
Looks for and infects Windows machines running Step 7 control software

USB Infection Vectors
LNK vulnerability (CVE-2010-2568)
• Loaded from a control panel file (CPL) pointing to a malicious DLL
Self-executing AutoRun.Inf

Bypassing Intrusion Detection
Calls LoadLibrary with a special file name that does not exist
LoadLibrary fails, but Ntdll.dll has been hooked to monitor for the special file names
These names are mapped to another location where Stuxnet previously decrypted and stored a DLL file

Gaining Admin Privileges
If running without administrative privileges, uses zero-day vulnerabilities to become an admin
• Win 2000, XP: MS10-073 keyboard layout vulnerability
• Vista, Windows 7: MS10-092 task scheduler vulnerability
Injects code into a trusted Windows process
• LSASS or Winlogon
Injection method depends on the security product used on the infected host
• Kaspersky KAV, McAfee, AntiVir, BitDefender, Etrust, F-Secure, Symantec, ESET NOD32, PC Cillin

Exploiting MS10-073
In Windows XP, a user-level program can load a keyboard layout
Integer in the layout file indexes a global array of function pointers (no bounds checking, natch)
• Can use this to call any function…
Find a pointer to this array, find a pointer into user-modifiable memory, inject attack code there, use bad indexing to call the modified function
• Attack code will run with admin privileges

Exploiting MS10-092
Users can create and edit scheduled tasks
CRC32 checksum to prevent tampering
• "… not suitable for protecting against intentional alteration of data" --- Wikipedia
Modify user definition in the task to LocalSystem, pad until CRC32 matches the original

We should use CRC32 to …
NEVER USE CRC32 FOR ANYTHING [credit: iSEC Partners]

Infection Routine Flow
Built-in expiration date
Exits if it finds a "magic" string

32 "Exports" (Functionalities)
 1  Infects connected removable drives, starts remote procedure call (RPC) server
 2  Hooks APIs for Step 7 project file infections
 4  Calls the removal routine (export 18)
 5  Verifies if the threat is installed correctly
 6  Verifies version information
 7  Calls Export 6
 9  Updates itself from infected Step 7 projects
10  Updates itself from infected Step 7 projects
14  Step 7 project file infection routine
15  Initial entry point
16  Main installation
17  Replaces Step 7 DLL
18  Uninstalls Stuxnet
19  Infects removable drives
22  Network propagation routines
24  Check Internet connection
27  RPC Server
28  Command and control routine
29  Command and control routine
31  Updates itself from infected Step 7 projects
32  Same as 1

15 "Resources" (Methods)
201  MrxNet.sys load driver, signed by Realtek
202  DLL for Step 7 infections
203  CAB file for WinCC infections
205  Data file for Resource 201
207  Autorun version of Stuxnet
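The MS10-092 slides say a CRC32 checksum cannot protect a task definition against deliberate alteration. The Python below is an added example, not from the lecture or from Symantec's report: it shows why (CRC32 is an affine function of its input, so the checksum effect of any change is fully predictable) and what the corrected design looks like (a keyed HMAC over the task, verified in constant time). The task strings and the key are constructed stand-ins; the real binary .job format is not reproduced.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a scheduled-task definition (not the real
# Task Scheduler file format). Both versions have the same length so
# the affine check below can compare them byte for byte.
ORIGINAL_TASK = b"name=Updater;command=C:\\tools\\update.exe;runas=someuser_01"
TAMPERED_TASK = b"name=Updater;command=C:\\tools\\update.exe;runas=LocalSystem"

# Hypothetical secret held only by the component that verifies tasks.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def crc32_tag(data: bytes) -> int:
    """Keyless checksum of the kind MS10-092 relied on."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c).

    A checksum with this property lets anyone who can write the data
    predict exactly how a modification moves the checksum, which is what
    makes 'pad until CRC32 matches' feasible and why CRC32 only protects
    against accidental corruption."""
    if not (len(a) == len(b) == len(c)):
        raise ValueError("affine identity holds for equal-length inputs")
    xored = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return crc32_tag(xored) == crc32_tag(a) ^ crc32_tag(b) ^ crc32_tag(c)


def hmac_tag(data: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Keyed tag: producing a matching value requires the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_task(presented_task: bytes, stored_tag: bytes,
                key: bytes = INTEGRITY_KEY) -> bool:
    """Corrected design: recompute the HMAC and compare in constant time,
    so a rewritten task (or a tag made with the wrong key) is rejected."""
    return hmac.compare_digest(hmac_tag(presented_task, key), stored_tag)


if __name__ == "__main__":
    stored = hmac_tag(ORIGINAL_TASK)
    print("CRC32 affine:", crc32_is_affine(ORIGINAL_TASK, TAMPERED_TASK,
                                            bytes(len(ORIGINAL_TASK))))
    print("original accepted:", verify_task(ORIGINAL_TASK, stored))
    print("tampered accepted:", verify_task(TAMPERED_TASK, stored))
```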