Transcript Slide 1
STUXNET
THE FIRST CYBERWEAPON
a talk by Alby Reid
@alby
STUXNET
Natural uranium
0.7% uranium-235
99.3% uranium-238
Low-enriched uranium
5% uranium-235
95% uranium-238
Highly-enriched (“weapons grade”) uranium
90% uranium-235
10% uranium-238
Natanz Fuel Enrichment Plant
Mostafa Ahmadi-Roshan (January 2012)
Chemistry expert and Deputy Director for Commercial Affairs at Natanz
Killed by a magnetic bomb attached to his car.
Hassan Moghaddam (November 2011)
Ballistic scientist and architect of Iranian missile programme
Killed in an explosion at the Iranian missile research facility at Bin Kaneh.
Dariush Rezaeinejad
(July 2011)
Electronic engineer specialising in high-voltage switches
Shot dead outside his home by motorcycle gunmen.
Majid Shahriari (November 2010)
Nuclear engineer and expert in neutron transport
Killed by a remote controlled bomb attached to his car.
Fereydoon Abbasi-Davani (November 2010)
Expert in fissile isotopes and laser expert
Survived a bomb attack identical to the one that killed Majid Shahriari.
Masoud Alimohammadi (Jan 2010)
Professor of Physics and quantum field theorist
Killed by a remote controlled bomb attached to a motorcycle parked near his car.
UNIQUE FEATURES:
0-DAY EXPLOITS
ADOBE READER
$30000
MAC OSX
$50 000
ANDROID
$60000
FLASH/JAVA PLUG-INS $100000
MICROSOFT WORD
$100000
MICROSOFT WINDOWS
$120000
FIREFOX/SAFARI
$150000
CHROME/IE
$200000
iOS
$250000
CVE-2010-2568
.LNK/.PIF vulnerability allowing arbitrary code execution
CVE-2010-2729
Print spooler vulnerability allowing arbitrary code
execution
CVE-2010-2743
Keyboard layout vulnerability allowing privilege
escalation
CVE-2010-3888
Task scheduler vulnerability allowing privilege escalation
UNIQUE FEATURES:
AUTHENTIC DIGITAL
SIGNATURES
Hsinchu Science and Industrial Park
Realtek Semiconductor Corp.
JMicron Technology Corp.
UNIQUE FEATURES:
USES MEMORY STICKS TO
SPREAD
INTERNET
CRITICAL INFRASTRUCTURE
The spread of Stuxnet through a single domain
UNIQUE FEATURES:
SIZE & COMPLEXITY
#include <windows.h>
#include <defs.h>
extern
extern
extern
extern
int dword_10001A90[8];
char *off_10001AB2;
char byte_10001AB9[3];
char byte_10001B87;
typedef struct {
HMODULE Handle_NtdllDll;
DWORD field_4;
int (__stdcall *proc_lstrcmpiW)(LPCTSTR lpString1, LPCTSTR lpString2);
SIZE_T (__stdcall *proc_VirtualQuery)(LPCVOID lpAddress,
PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
BOOL (__stdcall *proc_VirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD
flNewProtect, PDWORD lpflOldProtect);
FARPROC (__stdcall *proc_GetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
LPVOID (__stdcall *proc_MapViewOfFile)(HANDLE hFileMappingObject, DWORD
dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T
dwNumberOfBytesToMap);
BOOL (__stdcall *proc_UnmapViewOfFile)(LPCVOID lpBaseAddress);
BOOL (__stdcall *proc_FlushInstructionCache)(HANDLE hProcess, LPCVOID
lpBaseAddress, SIZE_T dwSize);
HMODULE (__stdcall *proc_LoadLibraryW)(LPCTSTR lpFileName);
BOOL (__stdcall *proc_FreeLibrary)(HMODULE hModule);
NTSTATUS (__stdcall *proc_ZwCreateSection)(PHANDLE SectionHandle, ACCESS_MASK
DesiredAccess, DWORD ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG
SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle);
NTSTATUS (__stdcall *proc_ZwMapViewOfSection)(HANDLE SectionHandle, HANDLE
ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG
AllocationType, ULONG Win32Protect);
HANDLE (__stdcall *proc_CreateThread)(LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter,
DWORD dwCreationFlags, LPDWORD lpThreadId);
DWORD (__stdcall *proc_WaitForSingleObject)(HANDLE hHandle, DWORD
dwMilliseconds);
BOOL (__stdcall *proc_GetExitCodeThread)(HANDLE hThread, LPDWORD lpExitCode);
NTSTATUS (__stdcall *proc_ZwClose)(HANDLE Handle);
} obfuscatedImports;
extern obfuscatedImports Imports;
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
extern
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
char
obfb_Kernel32dll_aslr[48];
obfb_lstrcmpiW[20];
obfb_VirtualQuery[28];
obfb_VirtualProtect[32];
obfb_GetProcAddress[32];
obfb_MapViewOfFile[28];
obfb_UnmapViewOfFile[32];
obfb_FlushInstructionCache[44];
obfb_LoadLibraryW[28];
obfb_FreeLibrary[24];
obfb_ZwCreateSection[32];
obfb_ZwMapViewOfSection[40];
obfb_CreateThread[28];
obfb_WaitForSingleObject[40];
obfb_GetExitCodeThread[36];
obfb_ZwClose[16];
obfb_CreateRemoteThread[40];
obfb_NtCreateThreadEx[36];
obfw_kernel32_dll[28];
obfw_ntdll_dll[20];
String2[];
extern
extern
extern
extern
extern
extern
BYTE
BYTE
BYTE
BYTE
BYTE
BYTE
obfb_GetExitCodeThread[36];
obfb_ZwClose[16];
obfb_CreateRemoteThread[40];
obfb_NtCreateThreadEx[36];
obfw_kernel32_dll[28];
obfw_ntdll_dll[20];
extern
extern
extern
extern
extern
extern
char String2[];
int dword_10004000;
int dword_10004010;
_DWORD dword_10004014;
_UNKNOWN unk_10004018;
int dword_1000401C;
#define __thiscall __cdecl // Test compile in C mode
BOOL __stdcall DllUnregisterServerEx(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID
lpReserved);
HRESULT __stdcall DllCanUnloadNow();
HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const
riid, LPVOID *ppv);
signed int __cdecl DllRegisterServerEx();
signed int __stdcall CPlApplet(int a1);
BOOL __stdcall DllGetClassObjectEx(int a1, int a2, int a3, int a4);
signed int __cdecl sub_1000109B();
static void Scramble_ByteSequence(byte *buffer, unsigned int Key);
//void __usercall Scramble_ByteSequence<eax>(byte *buffer<ecx>, unsigned int
Key<edi>)
signed int __cdecl sub_10001161(int a1, int a2);
BOOL __cdecl sub_100011EE();
signed int __cdecl GetNeededProcAddresses();
signed int __cdecl CreateSectionAndView(HANDLE ProcessHandle, ULONG_PTR a2,
PHANDLE SectionHandle, PVOID *BaseAddress0, PVOID *BaseAddress1);
int __cdecl sub_10001456(void **a1, int a2, int a3, int a4, const void *a5,
unsigned int a6);
int __cdecl sub_100014A4(int, LPCWSTR lpString2);
int __cdecl sub_10001559(int a1, const void *a2, const void *a3, unsigned int a4,
int a5, const void *a6, unsigned int a7, int a8);
signed int __cdecl sub_100016A5(int a1, int a2, const void *a3);
unsigned int __cdecl sub_100017BE();
signed int (__cdecl *__cdecl sub_100017CD())(int);
unsigned int __cdecl sub_100017D7();
unsigned int __cdecl sub_100017E6();
int __cdecl sub_100017F5(int a1, int a2, int a3, int a4);
int __cdecl sub_10001969(LPCWSTR lpString2, const void *a2, unsigned int a3, int
a4);
void __fastcall sub_10001DAF(int a1, int a2);
obfuscatedImports * __cdecl GetHandleToNtdll();
// int __usercall sub_10001E44<eax>(int a1<eax>, int a2<edx>, int a3<ecx>);
void __cdecl Scramble_Bytes(BYTE * input, char * output);
void __cdecl Scramble_Words(WORD * input, wchar_t * output);
HMODULE __cdecl AcquireHandleToNtdll();
FARPROC __cdecl GetScrambledProcAddress(WORD * Module, BYTE * Proc);
void __cdecl memcpy_wrapper_1(void *Dst, const void *Src, unsigned int Size);
FARPROC __cdecl GetScrambledProcAddressFromKernel32(BYTE * Proc);
FARPROC __cdecl GetScrambledProcAddressFromNtdll(BYTE * Proc);
signed int __cdecl sub_10002060(int a1);
int __stdcall sub_100021FE(int a1);
int __cdecl sub_10002271(int a1, int a2, int a3);
signed int __stdcall sub_10002334(int a1);
void __cdecl memcpy_wrapper_2(void *a1, const void *a2, unsigned int a3);
int __cdecl sub_100024A7(const void *a1, int a2, void *a3);
signed int __cdecl sub_10002529(int a1, int a2);
signed int __cdecl sub_100025C7(int a1, int a2, const void *a3, int a4);
UNIQUE FEATURES:
SCADA PAYLOAD
SCADA
SUPERVISORY
CONTROL
AND
DATA
ACQUISITION
Siemens Simatic S7-300 series PLC with three CP-342-5 modules
7050h
Fararo Paya, Iran
9500h
Vacon, Finland
CP-342
CP-342
CP-342
CP-342
CP-342
CP-342
S7-300
PLC
VFD
VFD
VFD
VFD
VFD
VFD
VFD
VFD
VFD
VFD
VFD
VFD
25
Number of items
20
15
10
5
0
1
2
3
4
5
6
7
8
Group
9
10
11
12
13
14
15
25
Number of centrifuges
20
15
10
5
0
1
2
3
4
5
6
7
8
Cluster
9
10
11
12
13
14
15
New York Times, 1st June
New York Times, 29th May
NSA Headquarters, Fort Meade, Maryland
THANK YOU
Alby Reid
t: @alby
e: [email protected]
w: www.MrReid.org