STUXNET: A sophisticated Malware. Arpit Singh, CPSC 420, arpits@clemson.edu

Post on 26-Dec-2015

Page 1: A sophisticated Malware Arpit Singh CPSC 420 arpits@clemson.edu

STUXNET

A sophisticated Malware

Arpit Singh, CPSC 420

arpits@clemson.edu

Page 2:

WHAT IS STUXNET?

Stuxnet is a Windows-specific worm first detected in June 2010 by VirusBlokAda.

Stuxnet uses a vulnerability in the way Windows handles shortcut files.

Originally thought to spread mainly through the use of removable drives, such as USB sticks.

Designed to steal industrial secrets and disrupt operations.

Stuxnet infected systems in many countries, but 60 percent of the computers infected worldwide were in Iran, indicating that industrial plants in that country were the target.

Page 3:

WHAT IS SO SPECIAL ABOUT STUXNET?

A list of firsts:

It is the first discovered worm that spies on and reprograms industrial systems.

It is the first-ever computer worm to include a PLC rootkit.

It is also the first known worm to target critical industrial infrastructure.

Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."

Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.

Page 4:

HOW DOES STUXNET WORK?

Once within a network (initially delivered via an infected USB device), Stuxnet uses EoP (elevation-of-privilege) vulnerabilities to gain administrative access to other PCs.

It seeks out systems running the WinCC and PCS 7 SCADA management programs and hijacks them by exploiting either the print spooler or MS08-067 bugs.

It tries the default Siemens passwords to commandeer the SCADA software.

It could then reprogram the so-called PLC (programmable logic controller) software to give machinery new instructions.
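The lateral movement described on this slide leaves a network footprint a defender can look for: a worm that reaches other PCs through service bugs such as MS08-067 or the print spooler flaw has to contact each victim over the same RPC/SMB ports, so one source touching many distinct peers on those ports within seconds stands out. The detection below is an added example written for this page, not code from the slides or from any analysis of Stuxnet; the flow records, their simplified "timestamp src dst dport" format, the watched ports, the window and the threshold are all assumptions constructed for the example.

```python
"""Fan-out detection over constructed flow records.

A worm that uses service bugs such as MS08-067 or the print spooler flaw
to reach other PCs has to talk to each victim over the same RPC/SMB
ports, so one source contacting many distinct peers on those ports in a
short window is the footprint to look for. The records below are
constructed for this example and use a simplified "timestamp src dst
dport" form, not a real sensor's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports where the SMB-reachable services (Server service for MS08-067,
# spooler RPC) are contacted. Assumed watch list for this example.
WATCHED_PORTS = {445, 139}

# Constructed flow records: host 10.1.5.20 sweeps six neighbours on 445
# within seconds; 10.1.5.31 makes two SMB connections ten minutes apart;
# 10.1.5.40 talks HTTPS and is irrelevant to the rule.
SAMPLE_FLOWS = """\
2010-07-01T09:00:01 10.1.5.20 10.1.5.21 445
2010-07-01T09:00:02 10.1.5.20 10.1.5.22 445
2010-07-01T09:00:02 10.1.5.20 10.1.5.23 445
2010-07-01T09:00:03 10.1.5.20 10.1.5.24 445
2010-07-01T09:00:04 10.1.5.20 10.1.5.25 445
2010-07-01T09:00:05 10.1.5.20 10.1.5.26 445
2010-07-01T09:00:09 10.1.5.31 10.1.5.10 445
2010-07-01T09:10:00 10.1.5.31 10.1.5.11 445
2010-07-01T09:00:10 10.1.5.40 10.1.5.50 443
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: sorted peers} for every source that reached at least
    `threshold` distinct destinations on WATCHED_PORTS inside one `window`.

    The peers reported are those seen in the first window that crossed the
    threshold; the source is not re-reported for later windows."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in WATCHED_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                      # time order for the sliding window
        start = 0
        for end in range(len(events)):
            # Drop events that fell out of the window ending at events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts


if __name__ == "__main__":
    for src, peers in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} contacted {len(peers)} hosts on SMB ports: {', '.join(peers)}")
```

The sliding window matters more than the raw count: 10.1.5.31 also speaks SMB to more than one host, but ten minutes apart, which is ordinary file-share traffic, while 10.1.5.20 crosses the threshold within four seconds. On a real network the threshold would be tuned against the normal fan-out of engineering workstations and print servers, which legitimately talk to many hosts on these ports.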

Page 5:

HOW DOES STUXNET WORK? (continued)

While the intended target of Stuxnet appears to be the manipulation of Siemens PLCs, Stuxnet could just as easily have been designed to attack PLCs made by other SCADA manufacturers.

The worm hides the modified PLC programs by marking each of the worm's function blocks in a particular way.

The wrapper contains code to recognize the worm's marked function blocks.
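The two bullets above describe why an integrity check run from the engineering station is blind: the wrapper recognises the marked blocks and hands the software the pre-infection content, so the station's own view of the controller matches the baseline. The following toy model is an added example for this page, not code from the slides or from any Stuxnet analysis; the block names and bodies, the MARKER value and the wrapped_view() function are all constructed stand-ins (the real marking and wrapper are not reproduced). Its point is the defensive one: a baseline of per-block hashes only catches the change when the controller is read through a path that does not go through the compromised station.

```python
"""Toy model of the PLC-rootkit hiding described on the slide, plus the
out-of-band integrity check that catches it.

Everything here is constructed for the example: the block names and
bodies are made-up STL-like text, MARKER is a hypothetical tag (not the
real Stuxnet marking), and wrapped_view() stands in for the wrapper that
sits between the engineering software and the controller."""
import hashlib

MARKER = b"\x00MARK\x00"      # hypothetical tag a modified block carries

# Constructed clean program: the known-good baseline the plant recorded
# when the PLC was commissioned.
BASELINE_BLOCKS = {
    "OB1":   b"CALL FC100; CALL FC200;",
    "FC100": b"L PIW 256; T MW 10;",
    "FC200": b"L MW 10; T PQW 256;",
}


def tamper(blocks):
    """Constructed tampering: OB1 gains a call to a new block, and both
    the modified OB1 and the new FC999 carry MARKER."""
    t = dict(blocks)
    t["OB1"] = MARKER + b"CALL FC999; " + blocks["OB1"]
    t["FC999"] = MARKER + b"L MW 10; + 100; T PQW 256;"
    return t


def wrapped_view(actual, original):
    """Model of the wrapper on the engineering station: any block carrying
    MARKER is shown with its pre-infection content, and a marked block that
    did not exist before is omitted from listings entirely. `original` is
    the stash of pre-infection content the wrapper answers from; here the
    baseline dict plays that role."""
    view = {}
    for name, body in actual.items():
        if body.startswith(MARKER):
            if name in original:
                view[name] = original[name]
        else:
            view[name] = body
    return view


def digest(blocks):
    """SHA-256 per block, the form a plant would keep as its baseline."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in blocks.items()}


def integrity_diff(expected, observed):
    """Block names whose hash differs, is missing, or is unexpected."""
    e, o = digest(expected), digest(observed)
    return sorted(n for n in e.keys() | o.keys() if e.get(n) != o.get(n))


if __name__ == "__main__":
    actual = tamper(BASELINE_BLOCKS)
    # Checking through the compromised engineering station reports nothing.
    print("via wrapped driver:  ", integrity_diff(BASELINE_BLOCKS, wrapped_view(actual, BASELINE_BLOCKS)))
    # Reading the controller through an independent path exposes the change.
    print("via independent read:", integrity_diff(BASELINE_BLOCKS, actual))
```

The same comparison function gives an empty list through the wrapped view and names both the altered OB1 and the added FC999 through the independent read; in practice that independent path is a separate, trusted reader or a controller-side checksum, and the baseline hashes are stored somewhere the engineering station cannot rewrite.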

The spread of the worm by USB sticks was also monitored.

Anti-virus technologies and patching are now available to protect you against Stuxnet.

Page 6:

HOW DOES STUXNET SPREAD?

Diagram of how Stuxnet spreads. Image courtesy Kaspersky Lab.

Page 7:

TECHNIQUES USED

Stuxnet used several zero-days in order to infect and spread.

Stuxnet behaves differently depending on what type of network it thinks it is running on. Stuxnet performs some rudimentary checking to see whether it is on a corporate network or a control systems network: if it detects that it is running on a corporate network, it won't invoke the older 2008 vulnerability.

Stuxnet also disguised two critical files by signing them with legitimate digital signatures belonging to the industrial giants Realtek Semiconductor Corp. and JMicron.

The malware weighed in at nearly half a megabyte -- an astounding size.

Written in multiple languages, including C, C++ and other object-oriented languages.

Page 8:

STUXNET ICS ROOTKIT

http://findingsfromthefield.com/?p=516

Page 9:

CONCLUSION

According to various experts around the world, Stuxnet has passed all the tests that qualify it as the most sophisticated and complex piece of malware ever written. It has even started a debate over cyber warfare, since analysts have pointed out that the resources required to carry out the testing and deployment of such a malware are huge, and only a state-backed effort can manage that.

It remains to be seen how many more advanced malwares we will witness in the coming future, since this Stuxnet affair has just been called a test because no firm complained of any damage or irregularities at the plants.

Maybe this is the start of cyber warfare.

Page 10:

RECENT DEVELOPMENTS

On Nov. 23, 2010, Iran was forced to stop operating thousands of uranium enrichment centrifuges for a limited period of time.

On November 25, 2010, reports appeared that it has been traded on the black market and could be used by terrorists.

On Nov. 29, 2010, Iran's president confirmed for the first time that a computer worm affected centrifuges in the country's uranium enrichment program.

Page 11:

REFERENCES

http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?

http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/

http://findingsfromthefield.com/?p=516

http://www.cbsnews.com/stories/2010/11/29/world/main7100197.shtml

http://news.sky.com/skynews/Home/World-News/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Article/201011415827544

http://www.globalsecuritynewswire.org/gsn/nw_20101123_2990.php