Stuxnet Final

Apr 07, 2018

Aashish Dhivar
Transcript
  • 8/4/2019 Stuxnet Final

    1/19


  • 4/19

    US was also involved in TESTING and DEVELOPMENT.

    The finger was even pointed to Siemens, where the software was used by Iranian

  • 5/19

    Organization

    Stuxnet consists of a large .dll file

    32 Exports (Function goals)

    15 Resources (Function methods)


  • 9/19

    Stuxnet contacts the command and control server

    It first tests whether it can connect, on port 80, to:

    - www.windowsupdate.com

    - www.msn.com

    It then sends some basic information about the compromised computer to the attacker at:

    - www.mypremierfutbol.com

    - www.todaysfutbol.com

    The two URLs above previously pointed to servers in Malaysia and Denmark.
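    The contact sequence on this slide (a connectivity probe to windowsupdate.com or msn.com on port 80, followed by a report to one of the two command and control domains) is something a defender can look for in web-proxy logs. The following Python is an added example, not code from the original presentation: it parses a constructed proxy-log format (`<ISO timestamp> <client-ip> <host>:<port>`, an assumption made for the example), flags every port-80 contact with either C2 domain, and records whether the same client reached one of the probe hosts shortly beforehand. The sample log lines are constructed, not real traffic; the domain names and port come from the slide.

```python
import re
from datetime import datetime, timedelta

# Hosts named on the slide: PROBE_HOSTS are the connectivity-test targets,
# C2_HOSTS are the command-and-control domains that received the host profile.
PROBE_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
C2_HOSTS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}

# Assumed (constructed) proxy log format: "<ISO timestamp> <client-ip> <host>:<port>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^\s:]+):(\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client, host, port); None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3).lower(), int(m.group(4))


def find_c2_contacts(lines, window=timedelta(minutes=5)):
    """Return one record per port-80 contact with a C2 host.

    Each record is (client, c2_host, preceded_by_probe). The flag is True when
    the same client reached one of PROBE_HOSTS on port 80 within `window`
    before the C2 contact, i.e. the sequence the slide describes. Any contact
    with a C2 host is reported; the flag only raises confidence.
    """
    last_probe = {}  # client -> timestamp of its most recent probe
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        ts, client, host, port = rec
        if port != 80:
            continue  # the slide describes port 80 only
        if host in PROBE_HOSTS:
            last_probe[client] = ts
        elif host in C2_HOSTS:
            probe_ts = last_probe.get(client)
            preceded = probe_ts is not None and timedelta(0) <= ts - probe_ts <= window
            hits.append((client, host, preceded))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2010-07-01T09:00:01 10.0.0.5 www.windowsupdate.com:80
2010-07-01T09:00:02 10.0.0.5 www.msn.com:80
2010-07-01T09:00:03 10.0.0.5 www.mypremierfutbol.com:80
2010-07-01T09:10:00 10.0.0.7 www.todaysfutbol.com:80
2010-07-01T09:11:00 10.0.0.9 www.msn.com:80
2010-07-01T09:11:30 10.0.0.9 intranet.example:80
2010-07-01T09:12:00 10.0.0.9 www.todaysfutbol.com:443
"""

if __name__ == "__main__":
    for client, host, preceded in find_c2_contacts(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host} (probe first: {preceded})")
```

    Because the slide notes that these domains no longer point where they once did, a hit today is a historical indicator to investigate rather than proof of live command and control; the probe-then-report flag helps separate the described beacon pattern from an unrelated lookup.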


  • 11/19

    - autorun.inf

    - .LNK vulnerability, unpatched at the time of discovery

    - Network shares

    - Printer Spooler vulnerability, unpatched at the time of discovery

    - NetPathCanonicalize vulnerability, the one Conficker/Downadup uses, fixed in 2008

    - Default password in WinCC SQL database server

    These could spread over USB, e-mail, etc.

  • 12/19

    Stuxnet has the ability to hide the copies of its files that it places on removable drives.

    Stuxnet extracts Resource 201 as MrxNet.sys.

    The driver is registered as a service, creating the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath = %System%\drivers\mrxnet.sys

    The driver file is digitally signed with a legitimate Realtek digital certificate.

    The driver then filters (hides) files that match either rule:

    - Files with a .LNK extension having a size of 4,171 bytes.

    - Files named ~WTR[FOUR NUMBERS].TMP whose size is between 4Kb and 8Mb, where the sum of the four numbers, modulo 10, is zero. For example, 4+1+3+2=10=0 mod 10.

    - Examples:

    - Copy of Copy of Copy of Copy of Shortcut to.lnk

    - Copy of Shortcut to.lnk

    - ~wtr4141.tmp
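    The two hide rules on this slide are precise enough to turn into a check that a responder can run against a removable drive. The Python below is an added example, not code from the original presentation: `matches_hide_rule` applies the slide's rules to a file name and size, and `scan_directory` walks a path (for instance a mounted USB drive) and lists files the driver would have hidden. The slide's "4Kb" and "8Mb" are read here as 4 KiB and 8 MiB, which is an assumption; the test file names and sizes in the usage are constructed.

```python
import re
from pathlib import Path

# Rules reproduced from the slide: the MrxNet.sys driver hides
#  - files with a .LNK extension whose size is exactly 4,171 bytes
#  - files named ~WTR####.TMP (four digits) whose size is between 4 KB and 8 MB
#    and whose four digits sum to a multiple of 10 (e.g. 4+1+4+1 = 10)
LNK_SIZE = 4171
WTR_RE = re.compile(r"^~WTR(\d{4})\.TMP$", re.IGNORECASE)
WTR_MIN = 4 * 1024          # assumption: the slide's "4Kb" read as 4 KiB
WTR_MAX = 8 * 1024 * 1024   # assumption: the slide's "8Mb" read as 8 MiB


def matches_hide_rule(name: str, size: int) -> bool:
    """Return True when a (file name, size in bytes) pair would be hidden by the driver."""
    if name.lower().endswith(".lnk"):
        return size == LNK_SIZE
    m = WTR_RE.match(name)
    if m:
        digit_sum = sum(int(d) for d in m.group(1))
        return WTR_MIN <= size <= WTR_MAX and digit_sum % 10 == 0
    return False


def scan_directory(root: str) -> list:
    """Walk `root` and return the paths of files that match either hide rule.

    Run this from a clean system (or against the drive mounted offline): on a
    host where the rootkit driver is loaded, the matching files are exactly the
    ones the filter keeps out of directory listings, so the scan would miss them.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and matches_hide_rule(p.name, p.stat().st_size):
            hits.append(str(p))
    return hits


if __name__ == "__main__":
    # Constructed examples taken from the slide's list
    for name, size in [("Copy of Shortcut to.lnk", 4171), ("~wtr4141.tmp", 500_000)]:
        print(name, size, matches_hide_rule(name, size))
```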


  • 14/19

    LNK Vulnerability (CVE-2010-2568)

    AutoRun.Inf


  • 16/19

    Run the Symantec Power Eraser with the Symantec Endpoint Protection Support Tool

    Symantec Power Eraser Overview

    If you have infected Windows system files, you may need to replace them from the Windows installation CD.

    Restoring settings in the registry:

    Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

  • 17/19

    - Use a firewall to block all incoming connections from the Internet to services that should not be publicly available

    - Enforce a password policy

    - Disable AutoPlay

    - Turn off file sharing if not needed

    - Turn off and remove unnecessary services

    - Always keep your patch levels up-to-date

  • 18/19

    Stuxnet represents the first of many milestones in malicious code history.

    It is the first to exploit multiple 0-day vulnerabilities, compromise two digital certificates, inject code into industrial control systems, and hide the code from the operator.

    Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat.

    Stuxnet has highlighted that direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.
