
Stuxnet: How to Take Over a Nuclear Power Plant

Date post: 18-Nov-2014
Upload: cxo-community
Description:
The Stuxnet worm made a resounding noise in the field of industrial attacks over recent months. But how much do we know in detail about the methodology used? In this presentation Tomer gives a complete walkthrough of all the concepts and steps carried out with this malware, dissected with its targeted objective in mind. The topics highlighted are the terminology associated with this attack, specific details about Stuxnet, and a step-by-step account of how the stages of taking over the nuclear plant were carried out, sequenced into infiltration, propagation and exploitation. By Tomer Teller, Security Evangelist
©2011 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. Stuxnet: How to Take Over a (Nuclear) Power Plant Tomer Teller, Security Evangelist April 2011
Transcript
Page 1: Stuxnet: How to Take Over a Nuclear Power Plant

©2011 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Stuxnet: How to Take Over a (Nuclear) Power Plant

Tomer Teller, Security Evangelist

April 2011

Page 2

The Idea Behind Stuxnet

Simple!

We don’t want Iran to get the bomb

Sabotage the uranium enrichment process

Page 3

The Target

Real-time control system

Controls:

– Valves

– Drive speed

Does not run Windows

But..

Page 4

Operator Hello?

We are in Business

Operator (Field PG)

Controller (PLC)

Page 5

The Operation

Drop malware → Reprogram controller (payload)

Target: Centrifuge in Natanz

Mission goal: No Nukes

Page 6

Agenda

1. Terminology

2. Stuxnet Overview

3. Infiltration, Propagation and Exploitation

4. Summary

Page 7

Terminology I

Exploit: Software that takes advantage of a bug in order to cause unintended behavior (getting inside)

Worm: Malware that replicates itself within the network (propagate)

Payload: The actual malicious activity, e.g., delete file, download file (create damage)

Page 8

Terminology II

PLC: A Programmable Logic Controller (PLC), used to control machinery on factory assembly lines

Field PG: Typical Windows machines, used to program PLCs

Diagram: Field PG → PLC

Page 9

Visual Terminology

Diagram: Operator (Field PG) → Controller → Industrial Machinery

Page 10

“Groundbreaking” Worm

So what is so special about Stuxnet?

Why is it “groundbreaking”?

While We Are In This Room…

More than 50,000 new worms are propagating on the Internet

~1000 of them are undetected by antivirus

~1–2 employ unknown vulnerabilities (0-day)

Page 11

Stuxnet Overview

Architecture: Single file (archive)

Exploits: 4 unknown Windows bugs; 2 stolen certificates; PLC pre-recorded commands

Techniques: Antivirus evasion; Peer-2-Peer network; Command and control

Page 12

Infection Statistics

This is not normal…

Number of Unique Infected Hosts by Country

Page 13

Welcome to the Battlefield

The Bushehr Nuclear Power Plant, Iran

Page 14

What’s Going To Happen?

Diagram: Internal Network containing the Operator PC (Windows) and a Field PG connected to the PLC; callout: Found Operator

Page 15

Typical PLC Deployment (Goal)

Diagram: Internal Network with the Operator PC (Windows); the Field PG writes to and reads from the PLC; the PLC drives the industrial process (water pipe, pipeline, gas centrifuge)

Page 16

Mission Objectives:

Infiltrate the power plant

Propagate inside the network

Infect the operator computer

GOAL: Reprogram the controller

Page 17

Mission #1: Introduce Threat To Target Network

Page 18

The Infection

Infected a willing or unknowing third party:

– An insider

– A contractor

– A SCADA conference USB give-away

The original infection was most likely introduced by a removable drive

Page 19

Getting From the USB to the Computer

Stuxnet Used Two Methods to Infect the Computer via USB

Method #1: Malformed shortcut file (.LNK)

Method #2: Autorun design flaw (.INF)

Page 20

Method #1: The LNK Vulnerability

Design-level flaw in Windows Desktop Explorer (not Internet Explorer) when viewing shortcuts

Shortcut Properties

File Name: Shortcut

File Size: 1 KB

ICON Location: c:\icon

In our scenario, the file at the icon location was the Stuxnet worm: d:\bad_file

Page 21

How Stuxnet Exploits This Vulnerability

Stuxnet arrives on a removable drive (USB) carrying:

– The Stuxnet worm

– A shortcut file that points at the worm

Once viewed and exploited, it:

– Hides the files on the USB

– Hides itself from antivirus

Page 22

Autorun.inf—“Cunning” Hack

An Autorun.inf file is a configuration file placed on removable drives that instructs Windows to automatically execute a file when inserted

STUXNET’s CODE (filename: autorun.inf):

    [autorun]
    OPEN = setup.exe

Diagram: Stuxnet → AutoRun

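A defender's audit of the mechanism this slide shows, written as an added example (not code from the presentation): it parses an autorun.inf the way Windows reads it (section and key names are case-insensitive, ';' starts a comment) and reports every directive that would launch a program from the drive. The sample file is constructed for the demo.

```python
"""Flag auto-execute directives in an autorun.inf from a removable drive.

Added example, not from the presentation. The sample below is constructed
and modelled on the slide's "[autorun] OPEN = setup.exe".
"""
import re

SAMPLE_AUTORUN = """\
; constructed sample, not the real Stuxnet file
[AutoRun]
Icon = drive.ico
OPEN = setup.exe
Action = Open folder to view files
shell\\explore\\command = setup.exe -x
"""

# Keys that make Windows launch a program when the drive is inserted or its
# AutoPlay entry is chosen: directly (open / shellexecute) or via a shell verb.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def find_autoexec(text):
    """Return [(key, value)] for every directive that would run a program."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in EXEC_KEYS or SHELL_VERB_COMMAND.match(k)]


if __name__ == "__main__":
    for key, value in find_autoexec(SAMPLE_AUTORUN):
        print(f"auto-execute directive: {key} = {value}")
```

Disabling AutoRun for all drive types through the NoDriveTypeAutoRun policy removes the launch path regardless of what the file says; the audit above is for spotting media that still relies on it.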

Pages 24–25

But, Files Are Visible on the USB Drive…

Catch Me If You Can

Files are still there. We just don’t list them anymore

Page 26

ANY * ANY * INFECT

Stuxnet Used Two Methods to Infect the Computer via USB

Page 27

Compromised Certificates

These Kinds of Activities Require a Legitimate Certificate Signed and Trusted by Microsoft

Both of these companies seem to have offices in the Hsinchu Science and Industrial Park (Taiwan), which could indicate an insider job

Page 28

DEMO TIME

Autorun.inf

LNK vulnerability (MS10-046)

Page 29

Mission #1 Completed

Diagram: Internal Network with the Operator PC (Windows) and the Field PG connected to the PLC

Page 30

Mission Objectives (repeat of the page 16 slide)

Page 31

Microsoft Knew About This One, and Claimed it Wasn’t Critical Enough

Network Example

Diagram: To Printer; To File; Admin Area

Page 32

Stuxnet Communication Components

Communicate via Peer-2-Peer: an infected machine acting as Client talks to an infected machine acting as Server

– Get Version / Send Version

– Request Update / Send Update

Communicate with attackers over the Internet

– Master? / Do X, Do Y

Page 33

Mission #2 Completed

Diagram: Internal Network with the Operator PC (Windows) and the Field PG connected to the PLC (callout: Found Operator); C&C over the Internet: Ping / Alive!

Page 34

Mission Objectives (repeat of the page 16 slide)

Page 35

Mission #3: Infecting The Target

When Stuxnet Reaches a Field PG, It Installs a Trojan Horse That:

Monitors PLC commands being written and read

Infects a PLC by inserting bad commands

Masks the fact the PLC is infected

This is a rootkit – software which subverts the operating system

Page 36

Infected PLC Example (READ/WRITE)

Operation | Operator (Field PG) | Controller

Change speed (WRITE) | Operator enters 5; the Field PG, infected with Stuxnet, forwards the pre-recorded value 500 instead | Receives 500 (the operator still believes 5)

Monitor speed (READ) | Operator asks for the speed; the infected Field PG shows the expected value 5 | Reports 500
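The READ/WRITE deception above, modelled as an added example (not code from the presentation) together with the check that exposes it: an honest and an infected Field PG are driven with the slide's numbers, and the defender's check compares what the operator console reports with a reading that does not pass through the Field PG. The classes are toy stand-ins for the Field PG and PLC, not Siemens software.

```python
"""READ/WRITE deception from the "Infected PLC Example" slide, plus an
out-of-band check that exposes it. Added example, not from the
presentation; toy stand-ins for the Field PG and PLC, not Siemens code.
Per the slide: operator writes 5, the infected Field PG forwards the
pre-recorded 500, and a read shows the expected 5 while the PLC runs at 500.
"""

class PLC:
    """The controller: runs at whatever speed it was last told."""
    def __init__(self):
        self.speed = 0
    def write_speed(self, value):
        self.speed = value
    def read_speed(self):
        return self.speed

class FieldPG:
    """Honest programming station: passes values through unchanged."""
    def __init__(self, plc):
        self.plc = plc
    def change_speed(self, value):
        self.plc.write_speed(value)
    def monitor_speed(self):
        return self.plc.read_speed()

class InfectedFieldPG(FieldPG):
    """Station running the slide's rootkit: swaps in a pre-recorded value on
    writes and replays the operator's expected value on reads."""
    PRERECORDED = 500
    def __init__(self, plc):
        super().__init__(plc)
        self.expected = None
    def change_speed(self, value):
        self.expected = value                   # what the operator asked for
        self.plc.write_speed(self.PRERECORDED)  # what the PLC actually gets
    def monitor_speed(self):
        return self.plc.read_speed() if self.expected is None else self.expected

def check_setpoint(station, independent_read, setpoint):
    """Defender's check: write the setpoint, then compare what the console
    reports with a reading taken outside the Field PG (a separate monitoring
    tap or a physical sensor). Returns (console, independent, mismatch)."""
    station.change_speed(setpoint)
    console, independent = station.monitor_speed(), independent_read()
    return console, independent, console != independent

if __name__ == "__main__":
    for make in (FieldPG, InfectedFieldPG):
        plc = PLC()
        print(make.__name__, check_setpoint(make(plc), plc.read_speed, 5))
```

The point of the check is that the console alone can never reveal the infection, since the rootkit controls both directions; only a measurement the Field PG does not mediate does.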

Page 37

Mission Objectives (repeat of the page 16 slide)

Page 38

Mission Objectives:

Infiltrate the power plant

Propagate inside the network

Infect the operator computer

GOAL: Reprogram the controller

Mission Accomplished!!

Page 39

Summary

Complex: Stuxnet is a very sophisticated threat

Quiet: Built to stay “under the radar”

Dedicated: Targeted Iranian nuclear plant

Expensive: Used 4 unknown vulnerabilities

Blueprint: Stuxnet is a template for criminals

Productivity: Can target other companies

Page 40

Questions

Page 41

Thank You

Tomer Teller, Security Evangelist

Email : [email protected]

