Security for Systems Administrators - © 2010 SANS

Stuxnet: Now What?

Alan Paller, John Strand



The Stuxnet Worm Threat

Here is John Strand

-- SANS Certified Instructor and course author of SANS Security 464: Hacker Detection for System Administrators


So… You Want to Run a Nuclear Power Plant?


So… You Want to Build a Nuclear Power Plant?

•  Atomstroyexport was one of the contractors working on the Bushehr power plant…
•  Their website has been compromised for quite some time…
  –  http://www.atomstroyexport.com/index-e.htm
  –  Has served malware from www.bubamubaches.info, which has been shut down for two years

But We Are Getting Ahead of Ourselves…

•  Let’s look at some dates
  –  In the wild as far back as June 2009
•  May have taken six months to write
  –  With a multi-disciplinary team of individuals
  –  This means serious financial backing
  –  It is also not a good sign for the rest of us … more on this later
•  First reported by VirusBlokAda in June 2010 – one year later
•  What? Yeah, one year in the wild before it was reported

Really Late… But First!

But Why do People Care?

•  This malware has generated a lot of buzz
  –  It has been in almost every newspaper
  –  It has been on national TV
•  It has the markings of state sponsorship
  –  Not everyone has the funding for four 0-days
  –  Or the funding to build a full PLC lab
•  Anytime you say “nuclear” people pay attention
•  And, it has affected very few systems
•  If you are not the specific target it is after, it does nothing

But Why Do We Care?

•  This malware cuts to the core of a few issues
•  Targeted malware exists
•  Malware in cyberspace can impact “the real world”
•  Whether we like it or not, our lives are dependent on computers
•  It also drives home some things we already knew
  –  Know your systems: baselines are critical
  –  Know your network: what is leaving your network
  –  Know your people: USB devices can destroy you
•  There is no quick technical fix

Wait, What?

Hi John,

Company X is asked every day if Product X could have stopped the latest du jour threat that is bypassing traditional blacklisting-based antivirus.

On June 26th, 2010, we showed how Product X beat down Stuxnet. On August 26th, Product X beat down DLL Hijacking attempts. The threats keep coming, so which ones should we beat down next?


USB Threat Update

•  Let’s say you disabled Autorun on all your systems
•  Further, let’s say you disabled USB mass storage devices
•  You can still be compromised by a tin of Altoids
•  Enter the Programmable HID USB Keystroke Dongle
  –  The latest attack vector from IronGeek
  –  He is now trying to find fixes
  –  Implemented in S.E.T. (the Social-Engineer Toolkit)
  –  Upload any Metasploit payload
  –  First lab in 464

On to the Details

•  Remember the Windows baseline section of 464?
  –  tasklist /m
  –  tasklist /m s7otbxdx.dll
•  Stuxnet used DLL replacement to insert execution redirection
•  In fact, it renamed the original s7otbxdx.dll to s7otbxsx.dll and inserted its own s7otbxdx.dll
  –  This is important because it means the attackers had an understanding of the original code
  –  93 of the original 109 exports are forwarded to the renamed s7otbxsx.dll
  –  The remaining 16 get us excited
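The export-forwarding trick described above is easy to check for on any suspect DLL. The following is an added example, not code from the deck or from SANS: a minimal pure-Python walker over a PE export table that labels each export as implemented locally or forwarded to another module, the same 93-versus-16 split the slide describes. Because it needs a file to chew on, it also builds a constructed PE32+ sample whose export names (read_block, open_session and so on) are made up; only the s7otbxdx.dll and s7otbxsx.dll names come from the slide. Point parse_exports at the bytes of a real DLL to get the same report.

```python
"""Classify a DLL's exports as locally implemented or forwarded to another DLL.

Added example, not from the SANS deck: a minimal PE export-table walker plus a
builder for a constructed PE32+ sample. Export names below are made up; only
the s7otbxdx.dll / s7otbxsx.dll file names come from the slide.
"""
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii", "replace")

def parse_exports(pe):
    """Return [(name, kind, detail)] where kind is 'local' or 'forwarder'."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    nt = _u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = nt + 4
    nsec, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    # Data directories start at +112 for PE32+ (magic 0x20B), +96 for PE32.
    dd = opt + (112 if _u16(pe, opt) == 0x20B else 96)
    exp_rva, exp_size = _u32(pe, dd), _u32(pe, dd + 4)
    if exp_rva == 0:
        return []
    # Section table entries: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData at +8.
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva2off(rva):  # map an RVA to a file offset via the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} outside all sections")

    d = rva2off(exp_rva)
    base, nfuncs, nnames = _u32(pe, d + 16), _u32(pe, d + 20), _u32(pe, d + 24)
    eat, enpt, eot = (rva2off(_u32(pe, d + o)) for o in (28, 32, 36))
    names = {_u16(pe, eot + 2 * i): _cstr(pe, rva2off(_u32(pe, enpt + 4 * i))) for i in range(nnames)}
    exports = []
    for i in range(nfuncs):
        addr = _u32(pe, eat + 4 * i)
        if addr == 0:
            continue  # unused ordinal slot
        name = names.get(i, f"#{base + i}")
        # PE spec: an entry that points back into the export directory's own range is not
        # code but an RVA to an ASCII "OtherDll.Func" forwarder string.
        if exp_rva <= addr < exp_rva + exp_size:
            exports.append((name, "forwarder", _cstr(pe, rva2off(addr))))
        else:
            exports.append((name, "local", f"{addr:#x}"))
    return exports

def summarize(exports):
    """(forwarded count, locally implemented count): the 93 / 16 split from the slide."""
    fwd = sum(1 for e in exports if e[1] == "forwarder")
    return fwd, len(exports) - fwd

def build_sample_dll(local, forwarded, target="s7otbxsx"):
    """Construct a tiny PE32+ (made-up sample) whose export table forwards `forwarded` to `target`."""
    SEC_VA, SEC_RAW, n = 0x1000, 0x200, len(local) + len(forwarded)
    names = list(local) + list(forwarded)
    eat_rva = SEC_VA + 40                                 # export directory is 40 bytes
    enpt_rva, eot_rva = eat_rva + 4 * n, eat_rva + 8 * n
    str_rva, strings = eot_rva + 2 * n, bytearray()

    def add_str(s):
        rva = str_rva + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva

    dll_name_rva = add_str("s7otbxdx.dll")
    name_rvas = [add_str(nm) for nm in names]
    fwd_rvas = {nm: add_str(f"{target}.{nm}") for nm in forwarded}
    # Local exports get fake code RVAs outside the export section; forwarded ones point at strings.
    eat = b"".join(struct.pack("<I", fwd_rvas.get(nm, 0x2000 + 0x10 * i)) for i, nm in enumerate(names))
    enpt = b"".join(struct.pack("<I", r) for r in name_rvas)
    eot = b"".join(struct.pack("<H", i) for i in range(n))
    body = eat + enpt + eot + bytes(strings)
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n, eat_rva, enpt_rva, eot_rva)
    sec_data = exp_dir + body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SEC_VA, len(sec_data))         # export data directory
    sec = struct.pack("<8sIIII", b".edata", len(sec_data), SEC_VA, len(sec_data), SEC_RAW) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (SEC_RAW - len(hdr)) + sec_data

if __name__ == "__main__":
    sample = build_sample_dll(["read_block", "write_block"],
                              ["open_session", "close_session", "get_version"])
    for name, kind, detail in parse_exports(sample):
        print(f"{name:14} {kind:9} {detail}")
    print("forwarded/local:", summarize(parse_exports(sample)))
```

A vendor DLL that forwards most of its exports to a sibling with a near-identical name, and keeps a handful of block read/write routines for itself, is exactly the pattern worth a second look; the same walker run over a known-good copy gives you the baseline to compare against.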


What are the Remaining 16?

•  It looks for very specific conditions to be met
  –  Infected WinCC environment
  –  PLC project has data block 890 configured
  –  Data block 890 exceeds a certain length
  –  Data block 890 contains the string "hnds" at a certain position
  –  PLC has to be connected
•  Then it does “something bad”
•  Which means it was a targeted attack
•  I am not afraid of the man who wants to take over 100 PLCs… I am afraid of the man who wants one.

How did it Infect?

•  USB… Yep, plain old USB
•  The easiest way to bypass the firewall, IDS and IPS
•  There were a number of 0-days
  –  .lnk file vulnerability (CVE-2010-2568)
  –  Print Spooler (CVE-2010-2729)
  –  Win32 Keyboard Layout vulnerability (CVE-2010-2743)
  –  Privilege escalation via Task Scheduler (CVE-2010-3338)
•  There has been some misinformation about the Task Scheduler vulnerability from some AV vendors
  –  You do not need to be in the local administrators group
•  It also used some older exploits like MS08-067
  –  Conficker anyone?

How did it Communicate?

•  Once it infects a system it tries to connect to two sites to verify connectivity:
  –  www.mypremierfutbol.com
  –  www.todaysfutbol.com
  –  Clearly not targeting a US audience…
•  C2 servers in Malaysia and Denmark
  –  Checking versions
•  It also uses peer-to-peer communication
•  Remember what we covered in the network lab?
  –  Yeah, it tried to spread via shares
  –  Watch that system-to-system communication
  –  464 Day Two, Not_Normal Lab
•  Watch for PLC systems connecting to the Internet
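The network checks on this slide (PLC systems reaching the Internet, lookups for the connectivity-check domains, system-to-system traffic that is not normal) and the later "baseline your network traffic" advice reduce to a few rules over connection records. The following is an added example, not code from the deck or from SANS: it runs three such rules over constructed connection records. The log format, the 10.10.5.0/24 "ICS segment", the engineering station at 10.10.5.10, the RFC 1918 definition of "internal" and the 198.51.100.x destinations are all assumptions made for illustration; only the two domain names come from the slide.

```python
"""Flag PLC/engineering-segment hosts that talk to the Internet, resolve the
connectivity-check domains named in the deck, or talk SMB to each other.

Added example, not from the SANS deck. The log format, the 10.10.5.0/24
"ICS segment", the engineering-station address and every record below are
constructed for illustration; only the two domain names come from the slide.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst dport proto host")

# Constructed records: timestamp, source, destination, dest port, protocol, optional host=.
SAMPLE_LOG = """\
2010-07-14T10:01:02Z 10.10.5.21 198.51.100.7 80 tcp host=www.mypremierfutbol.com
2010-07-14T10:01:03Z 10.10.5.21 198.51.100.7 80 tcp host=www.todaysfutbol.com
2010-07-14T10:02:10Z 10.10.5.21 10.10.5.30 445 tcp
2010-07-14T10:02:11Z 10.10.5.30 10.10.5.21 445 tcp
2010-07-14T10:03:00Z 10.10.5.10 10.10.5.21 102 tcp
2010-07-14T10:04:00Z 10.20.1.15 198.51.100.9 443 tcp host=update.example.com
"""

ICS_NETS = [ipaddress.ip_network("10.10.5.0/24")]                 # assumed PLC/WinCC segment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.5.10")}       # assumed: allowed to talk to peers
KNOWN_C2 = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}   # the two domains from the slide

def parse_line(line):
    ts, src, dst, dport, proto, *rest = line.split()
    host = next((kv[5:].lower() for kv in rest if kv.startswith("host=")), None)
    return Conn(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, host)

def in_any(ip, nets):
    return any(ip in n for n in nets)

def analyze(log_text):
    """Return (rule, src, detail) tuples for every record that trips a rule."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        c = parse_line(line)
        # Rule 1: a known indicator, regardless of which segment the host sits in.
        if c.host in KNOWN_C2:
            alerts.append(("known-c2", str(c.src), c.host))
        # Rule 2: anything in the PLC segment talking to a non-internal address.
        if in_any(c.src, ICS_NETS) and not in_any(c.dst, INTERNAL_NETS):
            alerts.append(("ics-egress", str(c.src), f"{c.dst}:{c.dport}"))
        # Rule 3: peer-to-peer SMB inside the PLC segment from anything but the engineering station.
        if (in_any(c.src, ICS_NETS) and in_any(c.dst, ICS_NETS)
                and c.dport == 445 and c.src not in ENGINEERING_STATIONS):
            alerts.append(("ics-peer-smb", str(c.src), str(c.dst)))
    return alerts

if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_LOG):
        print(f"{rule:13} {src:12} {detail}")
```

The indicator rule is the weakest of the three: domains change, and a real C2 list goes stale. The egress and peer-to-peer rules are the baseline rules the slide is really asking for, and they fire on the sample even if the domain list is emptied.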


How do You Kill it?

•  Very easy
•  Simply delete the replacement s7otbxdx.dll and rename s7otbxsx.dll back to s7otbxdx.dll
•  But that does not quite solve the issue
•  We still need root cause analysis
  –  How did it get in?
  –  How come it was not detected?
  –  How did it get onto our PLC network?
•  If you are not the target network it does nothing
•  And it has a kill date of June 24, 2012
  –  Which is kind of nice…

Quote of the Event:

•  “The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.”


What About Cyber Warfare?

•  It was a piece of software that targeted physical assets
•  It most likely targeted a site with military importance
•  It was created by a nation state with deep pockets
•  It most likely will be used as a template for the future
  –  Recon your target
  –  Set your malware to only activate when certain “constellations” are present
  –  Attack
•  Kind of scary if you think about it

Marcus Ranum

What has Changed?

•  “First Salvo in Cyber Warfare”
  –  Well, that we know of
•  Was it successful?
  –  Well, that is speculation
  –  Some centrifuges went offline in Natanz
  –  Also, rumors of an “accident”
  –  The Bushehr plant was delayed due to a “leak”
•  The blueprint exists
  –  BTW, you would not need the 0-days to be successful
•  Cyber criminals now know how to do this
  –  This scares me a bit; think PLC, and all the places it exists
  –  Oil and gas, manufacturing, energy

What Has Stayed The Same?

•  Custom malware
  –  Back to 464, slide one of day one: Heartland
  –  Creating custom malware is easy, you did it!
•  Zero-day vulnerabilities
  –  These exist; you may not be able to rely on CERTs to tell you everything
  –  If your whole security architecture falls flat due to a 0-day, you do not have a security architecture
•  Targeted attacks
  –  We need to get away from defensive paradigms from 5-7 years ago
  –  Just look at Aurora
•  It has happened before
  –  Venezuela, 2003: targeted attacks against SCADA systems
  –  Oil tankers

Back to 464…

•  Baseline your systems
  –  Processes, DLLs for core applications, users, etc.
•  Baseline your network traffic
  –  Why would you allow PLC systems to connect to the Internet?
•  Monitor those baselines
  –  If at all possible, do this hourly
•  Don’t use shady Russian contractors with compromised websites
•  Train everyone, because everyone is a target
  –  Secure the human
•  Yes, even you
  –  Sounds paranoid, I know
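The "baseline your systems" advice above, together with the tasklist /m checks from the details slide, in working form. This is an added example, not code from the deck or from SANS: it parses two snapshots written in the shape of `tasklist /m` output, builds a per-image module baseline from the first and reports what the second adds, so that a wrapper DLL pulling in a renamed original shows up as a new module. The snapshots are constructed: the module names other than s7otbxdx.dll and s7otbxsx.dll, the PIDs and updater.exe are made up, and the process names s7tgtopx.exe and ccprojectmgr.exe are the Step 7 and WinCC processes that public Stuxnet write-ups name.

```python
"""Diff a `tasklist /m` snapshot against a saved baseline of loaded modules.

Added example, not from the SANS deck. The two snapshots below are constructed
in the shape of `tasklist /m` output; module names are made up except
s7otbxdx.dll / s7otbxsx.dll, and updater.exe is a placeholder.
"""
import re

BASELINE_SNAPSHOT = """\
Image Name                     PID Modules
========================= ======== ============================================
S7tgtopx.exe                  1840 ntdll.dll, kernel32.dll, s7otbxdx.dll,
                                   s7sample.dll
CCProjectMgr.exe              2012 ntdll.dll, kernel32.dll, s7otbxdx.dll
"""

# Same host later: the replacement s7otbxdx.dll now drags in the renamed original,
# and a process that was never in the baseline has appeared.
CURRENT_SNAPSHOT = """\
Image Name                     PID Modules
========================= ======== ============================================
S7tgtopx.exe                  2208 ntdll.dll, kernel32.dll, s7otbxdx.dll,
                                   s7otbxsx.dll, s7sample.dll
CCProjectMgr.exe              2312 ntdll.dll, kernel32.dll, s7otbxdx.dll
updater.exe                   2400 ntdll.dll, kernel32.dll, wininet.dll
"""

_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image name, PID, first chunk of modules

def parse_tasklist_modules(text):
    """Return {image_name: set(modules)}; indented continuation lines extend the previous row."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = _ROW.match(line)
        if m:
            current = m.group(1).lower()
            procs.setdefault(current, set())   # merge several instances of one image
            mods = m.group(3)
        elif current is not None and line.startswith(" "):
            mods = line
        else:
            continue
        procs[current].update(x.strip().lower() for x in mods.split(",")
                              if x.strip() and x.strip().upper() != "N/A")
    return procs

def processes_loading(procs, dll):
    """Equivalent of `tasklist /m <dll>`: which images have this module loaded?"""
    return {name for name, mods in procs.items() if dll.lower() in mods}

def diff_against_baseline(baseline, current):
    """New images, and modules inside a known image that the baseline never saw."""
    findings = []
    for name, mods in sorted(current.items()):
        if name not in baseline:
            findings.append(("new-process", name, None))
            continue
        for mod in sorted(mods - baseline[name]):
            findings.append(("new-module", name, mod))
    return findings

if __name__ == "__main__":
    base = parse_tasklist_modules(BASELINE_SNAPSHOT)
    cur = parse_tasklist_modules(CURRENT_SNAPSHOT)
    for kind, proc, mod in diff_against_baseline(base, cur):
        print(kind, proc, mod or "")
    print("loads s7otbxsx.dll:", processes_loading(cur, "s7otbxsx.dll"))
```

Keying the baseline on image name rather than PID is deliberate: PIDs change at every reboot, while the set of modules a Step 7 process legitimately loads should not. Run the capture hourly as the slide suggests and only the two lines the diff emits need a human.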


Someone is Learning!


Oddities

•  No presentation would be complete without covering some of the “stranger” aspects of the code
•  When Stuxnet completes it uses 0xDEADF007 to indicate that it has reached the “end state”
  –  This can be read as either Dead Fool or Dead Foot
  –  Dead Foot = engine failure on an airplane
•  It sets a registry marker of 19790509 to alert new instances of the worm that the current system is infected
  –  On this date Habib Elghanian was executed in Tehran for spying for Israel

Some Advice, from People other than John Strand

•  The 10 most common plant cyber-security mistakes
  –  Assuming that someone else (like the IT department) is looking after the security of control systems
  –  No risk analysis for cyber incidents
  –  A lack of policies and procedures
  –  Assuming that IT security solutions will work on the plant floor
  –  Addressing security on a piecemeal basis
  –  Forgetting the human aspects of security
  –  Designing control system networks without sufficient defense-in-depth architectures
  –  Poor patch management for applications on the plant floor
  –  Failing to detect abnormalities
  –  Allowing remote access to the control system

From: http://www.chemicalprocessing.com/articles/2008/127.html

Other Sources

•  Melissa Hathaway’s interview
  –  http://www.nytimes.com/2010/09/27/technology/27virus.html?_r=3&partner=rss&emc=rss
  –  90 days to weaponization may be a bit optimistic
•  Ralph Langner is an excellent source of information
  –  http://langner.com/en
  –  First to reverse many aspects of the attack
  –  Prone to speculation, but that is fun and we all do it
•  Symantec’s write-up is quite good
  –  http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
•  Looking for SCADA/PLC security tools? Check out Digital Bond
  –  http://www.digitalbond.com/index.php/research/

How to fight back

•  Ratio of System Administrators to Security Professionals is 5:1 or higher

•  Let’s Train SysAdmins within our organizations to be the human sensor network against potentially malicious activity within their systems

•  Let’s provide a continuous education program for system administrators so that the skills learned will become second nature

Who is this course for

Organizations with 100s of System Administrators, DBAs and Help Desk staff who

•  interface with a security organization and auditors

•  Manage critical systems which cannot afford to be breached

Course Content

“This is an excellent course and should be a requirement for all our sysadmins - not to mention at least some of our business partners and higher members of the IT food chain to influence the importance of this work.”

--Bob Timberlake, University of Kansas


Course Content

“Very useful for me as a system administrator. Some of the information I have seen in another SANS class (SEC504), but this is more focused on what I encounter day-to-day”

-- Dustin Odya, Indiana University


Who is this course for

•  I've been waiting for this type of course to come from SANS so I could get task-specific security training for sysadmins. Some of the other courses (e.g. 301, 401) were much more involved in core security issues than what we need to certify admins. This fits the bill.

-- Tom Siu, Case Western University


Course Contents

•  5 common configuration mistakes that lead to systems being compromised

•  How to easily monitor your network for suspicious behavior

•  How to identify and remove malware in your system

•  How to harden your Windows/Linux system from a Security perspective

•  How to use “Command Line Kung Fu” to unleash the power of your OS against attackers


Course Delivery

•  First two days of Security 464 contain 8 hands-on workshops, giving sysadmins (and security professionals) new skills (delivered live in person or over the web)

•  Quarterly 90-minute threat and tool update briefings demonstrate how to use the skills previously acquired when facing new attack vectors so that your systems will be more difficult to compromise (delivered live over the web)


How to proceed

•  Contact Scott Weil, [email protected], with any questions regarding the course content, scheduling, pricing

•  Next briefing is on November 3, “Blue Team Extravaganza” available to those who have purchased the continuing education module for SANS Hacker Detection for SysAdmins