Professional Documents
Culture Documents
Secure Cyber
Infrastructure
Communication
Authentication
Encryption
Computation
Access control
Attestation
Forensics
Patch management
Software Audits
System Management
Intrusion Detection
Event Monitoring/Analytics
Security Assessment
Resilient Power
Control
Applications
Generation
Automatic Generation Control
Governor Control
Automatic Voltage Regulation
Protection
Transmission
State Estimation
VAR Compensation
Protection
Distribution
Load Shedding
Protection
Advanced Metering Infrastructure
Source: S Sridhar, A Hahn, M Govindarasu, Cyberphysical system security for the electric power grid. Proceedings of the IEEE
Stuxnet
Jun 2009
Mar 2010
CVE-2010-2772
Siemens Simatic WinCC and PCS 7 SCADA
system uses a hard-coded password, which
allows local users to access a back-end
database and gain privileges, as
demonstrated in the wild in July 2010 by
the Stuxnet worm, a different vulnerability
than CVE-2010-2568.
Affected Countries
Infected Computers (%)
80
60
58.85
40
18.22
20
9.2
8.31
Iran
Indonesia
India
2.57
1.56
1.28
Ajerbaijan
USA
Pakistan
Others
10
Target
Siemens S7 PLC
Siemens PCS 7
WinCC and STEP7
MS Windows
11
Initial Infection
show only the strings from the footer we can see that they are composed of legitimate autorun comFigure 17
Hidden
autorun
commands
Hidden autorun
commands
W32.Stuxnet Dossier
Figure 18
so uses another trick to enhance the chances
Two Open commands
utorun commands turn off autoplay and then
ontext
menu.
Thethe
command
that is added
is
at Stuxnet
uses
autorun commands
to specify
the file to execute as the actual autorun.inf file. Us
2\shell32.dll,-8496.
Thisbeistreated
actuallyasthe
Open autorun.inf file first and later as a legitimate execu
, the autorun.inf file will
a legitimate
context menu for the removable device the user
ommands.
12
s made to list a file with the above properties, the response from these APIs is altered to state that
not exist, thereby hiding all files with these properties.
APIs are hooked, ~WTR4132.tmp is loaded. To load a .dll file normally, a program calls the Loadwith the file name of the .dll file to be loaded into memory. W32.Stuxnet uses a different approach,
e first .dll file Figure 14
different
USB Execution Flow
ode. This
scribed in
g Behavior
n Loading
LNK Vulnerability
mp contains
xnet DLL in
tion. This is
o memory
ort 15 of
led executlation of
ort 15 is
the Installa-
to the right
execution
13
Network Propagation
Infected
machine
Copy
Target
machine
Schedule to execute
two minutes after
infection
15
MS10-061
The vulnerability could allow remote code execution if an
attacker sends a specially crafted print request to a
vulnerable system that has a print spooler interface
exposed over RPC.
Infected
machine
Print request
Target
machine
MS08-067
The vulnerability could allow remote code execution if an
affected system received a specially crafted RPC request.
malformed path
Infected
machine
SMB
Target
machine
17
WinCC
CREATE TABLE sysbinlog ( abin image ) INSERT INTO sysbinlog VALUES(0x...)
Infected
machine
SQL
Target
machine
(WinCC)
18
Peer-to-Peer Communication
s the following routines. (Note that RPC methods 7, 8, 9 are not used by Stuxnet.)
sion
Figure 13
and
ised
ds
Page 2519
a, such as
load and
call, and then
wly populated
another proe it. The newly
utable temhe original .dll
atever export
as populated
reat uses
rent techxports in the
should be
e functionality
n be ascerzing all of the
e main .dll file.
bove, the
ntains all of
trol the worm.
m this .dll
ent purpose
he threat as
e 3.
Table 3
DLL Exports
Export #
Function
Calls Export 6
10
14
15
16
Main installation
17
18
Uninstalls Stuxnet
19
22
24
27
RPC Server
28
29
31
32
Same as 1
20
Table 4
DLL Resources
Resource ID
Function
201
202
203
205
207
208
209
210
221
222
231
240
241
242
250
ty product processes are detected, version information of the main image is extracted.
mber, the target process of injection will be determined or the injection process will fail
e security product non-bypassable.
Injection Technique
roduct process
process is used for injection depending on which security products are installed. In admine if it needs to use one of the two currently undisclosed privilege escalation vulnerThen, Stuxnet executes the target process in suspended mode.
Table 5
LSASS.EXE
KAV v8 to v9
KAV Process
McAfee
Winlogon.exe
AntiVir
Lsass.exe
BitDefender
Lsass.exe
ETrust v5 to v6
Fails to Inject
ETrust (Other)
Lsass.exe
F-Secure
Lsass.exe
Symantec
Lsass.exe
ESET NOD32
Lsass.exe
Trend PC Cillin
Trend Process
23
the threat is running on a compatible version of Windows, checking whether the computer is already infected or
not, elevating the privilege of the current process to system, checking what antivirus products are installed, and
what the best process to inject into is. It then injects the .dll file into the chosen process using a unique injection
technique described in the Injection Technique section and calls export 16.
Figure 10
24
25
Export 16 first checks that the configuration data is valid, after that it checks the value NTVDM TRACE in the
26
MrxCls.sys
Resource 242
Driver digitally signed with a certificate
Allows Stuxnet to be executed at boot
Injects and executes Stuxnet into specific
processes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxCls\Data
27
Digital Signature
Realtek
Realtek
JMicron
JMicron
28
www.windowsupdate.com
www.msn.com
www.mypremierfutbol.com at Malaysia
www.todaysfutbol.com at Denmark
29
30
Hiding Itself
31
Step7 Infections
Monitor PLC blocks being written to and read from the PLC.
Infect a PLC by inserting its own blocks and replacing or infecting existing blocks.
Mask the fact that a PLC is infected.
Figure 19
Figure 20
Test equipment
32
33
Modifying PLCs
34
35
Attacks
36
37
38
Security Response
Propagation History
W32.Stuxne
(12,000 infections)
Compile Time
Infection Time
Time to Infect
Attack Wave 1
Domain A
0 days 12 hours
Domain B
6 days 6 hours
Domain C
14 days 12 hours
Domain D
26 days 16 hours
Attack Wave 2
Domain B
22 days 0 hours
Attack Wave 3
Domain A
11 days 22 hours
Domain E
26 days 19 hours
Domain E
27 days 0 hours
Domain E
27 days 0 hours
Domain B
28 days 18 hours
The shortest
span between compile time and initial infection was 12 hours
This graph shows the time required after compilation to the first infection.
Figure 6
39
40