Stuxnet VB2010

Stuxnet is a computer worm discovered in 2010 that targets industrial system components. It spreads via shared network printers and exploits multiple unpatched vulnerabilities, including two zero-day vulnerabilities. The worm copies itself to remote systems using the MS10-061 print spooler exploit and executes its code by adding instructions to the Windows Management Instrumentation repository using the MOF file format. Analysis of the worm revealed sophisticated techniques and a focus on infecting industrial control systems, indicating it was likely part of a nation-state sponsored attack.

Uploaded by

Chris Lemieux
Unravelling Stuxnet

Aleks Gostev, Costin G. Raiu
Global Research and Analysis Team (GReAT)
Kaspersky Lab

September 29th, 2010. Virus Bulletin 2010 Conference


Stuxnet

• Discovery
• Nemesis
• Analy(sz)ing Stuxnet
• Shared printers
• Analysis of network replication
• Spreading via MS10-061
• Elevation of privilege vulnerabilities
• Conclusions

VB2010 Vancouver 2
Discovery

• Early July – fellow researchers at VBA
  – Main point was stolen digital certificates
  – VBA discovered the LNK vulnerability and reported to MS
  – First focus on signed RealTek drivers
  – This was just the beginning
• Questions:
  – What was the purpose of the worm?
  – Full functionality?
  – Show me the money!!!
Nemesis

• Incident response team at KL
• Stuxnet clearly required cross departmental investigation – eventually cross-vendor
• Results:
  – Huge amount of code
  – Parallel investigation with multiple people/teams
  – In the end took 2 months
  – MS08-067 – but different exploit code from Conficker
  – Fully patched computers got infected
  – Created virtual test environments
  – Used 2 networks – only one remotely infected
Stuxnet
Hands up please

How many of you have shared printers in the test networks you use for malware analysis?
New 0-day

• Allowed Stuxnet to remotely infect computers with shared printers
• Already researching another vulnerability exploited by Stuxnet – an EoP
• Finding two 0-day vulnerabilities in two days was a big surprise for us
Remote infection

• Stuxnet copies two files via MS10-061 exploit:
  – the worm body “winsta.exe” in %system%
  – and “sysnullevent.mof” in %system%\mof\
• Windows uses MOFCompiler functionality to automatically add contents of “.mof” file to the WMI repository
• Next, Windows attempts to act on the instruction from the repository
• Result - the body of the worm is executed
MOF-file (Managed Object Format)
Windiff of repositories

MOF file contains Visual Basic code which completes three actions
Was it really 0-day?

• Hakin9 magazine published an article in April 2009
• Carsten Kohler – “Print Your Shell”
• Describes a method to copy arbitrary data to remote systems
• Exactly what Stuxnet used
• Fixed via MS10-061
An EoP vulnerability

• 0-day EoP, found by Maxim Golovkin
• Vulnerability in win32k.sys
• NtUserSendInput function
• Reported to MS via MAPP
• MSRC advisory issued, patch pending
Conclusions

• Elegant + dangerous techniques
• AV solutions don’t scan CIM repositories
• CIM/MOF not commonly used by malware… YET
• Shared printers => main targets were organizations
  – Extremely common in industrial networks
• Methods show attackers carefully analyzed target systems
• Next steps:
  – adding protection technologies in our products
  – Working together: security vendors, MS, Siemens, etc..
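The "Remote infection" slides describe a MOF file compiled into the WMI repository and then acted on, and the conclusions note that AV did not scan CIM repositories. The audit script below is an added example, not part of the deck or of Kaspersky's tooling: it lists the permanent event subscriptions in root\subscription (a script registered via MOF appears there as a __EventFilter bound to an ActiveScriptEventConsumer) and then lists .mof files in the drop directory. The full path %SystemRoot%\System32\wbem\mof is an assumption standing in for the deck's "%system%\mof\".

```powershell
# Added audit script, not from the VB2010 deck. Run as Administrator in Windows PowerShell 5.1.
# Part 1: walk the permanent event subscriptions in the CIM repository. Script registered
# through a MOF file ends up here as a __EventFilter (trigger) bound through a
# __FilterToConsumerBinding to an ActiveScriptEventConsumer (payload).
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$report = foreach ($b in $bindings) {
    # Filter and Consumer on a binding are object references; resolve them by Name.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $kind = $c.CimClass.CimClassName
    $payload = switch ($kind) {
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)$($c.ScriptFileName)" }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { '' }
    }
    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query      # WQL trigger, e.g. a timer or process-start event
        Consumer = $c.Name
        Type     = $kind
        Payload  = $payload
        # Script and command-line consumers execute code on the host; review every one.
        # Baseline: a stock Windows install has one NTEventLogEventConsumer binding
        # ("SCM Event Log Consumer"), which is expected and needs no follow-up.
        Review   = ($kind -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer'))
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap

# Part 2: list MOF files in the drop directory. The deck writes it as %system%\mof\;
# the full path below is an assumption (WMI's auto-compile folder on the XP-era
# systems the deck describes). Recently written files here deserve a look.
$mofDir = Join-Path $env:SystemRoot 'System32\wbem\mof'
Get-ChildItem -Path $mofDir -Recurse -Filter *.mof -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Pair the repository listing with a known-good baseline from a clean build of the same image, since the bindings differ between Windows versions and installed management agents.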
Thank you! Questions?

Aleks Gostev, Costin Raiu
GReAT
Kaspersky Lab

Virus Bulletin 2010 Conference