Monday, June 3, 2019
Stuxnet Network Worm Computer Science Essay
Stuxnet is a network worm that, during the early part of 2010, began to infect Industrial Control Systems (ICS) and programmable logic controllers (PLCs), becoming the first rootkit for PLCs. PLCs are usually not connected to the Internet, or even to the internal network, so the creators had to devise a way to get the worm onto these systems. The worm used four zero-day vulnerabilities to propagate through internal networks, and loaded itself onto flash drives. Once a flash drive was plugged into an ICS computer, the worm would copy itself onto the system and check whether a PLC was attached to it. The worm would first gather information about its victim to determine whether it was the intended target, and if it found the target, it would begin to modify the code of the PLCs in a way believed to sabotage the systems. In the end it is undetermined whether Stuxnet reached its goal.

Stuxnet

Stuxnet is a worm that is said to be an incredibly large and complex threat. It was primarily written to target a specific ICS, or a set of similar systems, likely somewhere in Iran. The final goal of Stuxnet is to reprogram an ICS by modifying the code on the PLCs to make them work in the manner the attacker intended, such as operating outside normal boundaries, and to hide these changes from the operators of the machine. To achieve their goal, the creators amassed a variety of components to increase the chance of success. These components included zero-day exploits, anti-virus evasion techniques, a Windows rootkit, the first ever PLC rootkit, hooking code, process injection, network infection routines, peer-to-peer updates, and a command and control interface.

The worm was found in July of 2010, is confirmed to have existed a year prior to that, and likely existed before that, with the majority of infections being based in Iran. June 2009 was the earliest Stuxnet strain seen.
That strain did not exploit the auto-run function of removable storage, and did not contain signed drivers to install itself. In January of 2010, Stuxnet reappeared, this time with a driver signed by a certificate stolen from Realtek, and could install itself without any problems. In July of 2010 the stolen Realtek certificate used by Stuxnet was revoked, and the very next day Stuxnet reemerged with a driver signed by a stolen JMicron Technology Corp certificate. By September of 2010, Microsoft had patched the vulnerabilities the worm used to spread, and all stolen certificates had been revoked; the two privilege-escalation vulnerabilities it used on XP and Vista were patched later in 2010.

Stuxnet had many features built into it to make sure it reached its goal. Some of these features included self-replication through removable storage, spreading through a vulnerability in the Windows Print Spooler, making itself execute with Step 7 projects, updating through peer-to-peer, a command and control server for updates by the attacker, bypassing security features, and hiding all modified code on the PLCs. Stuxnet is capable of far more, but these are the most noticeable features that make this worm such a large and complex threat.

Injection

The injection method used by Stuxnet was complex, because it had to make sure it infected its target machine while bypassing any security software it encountered. In order to load any .dll, including itself, Stuxnet calls LoadLibrary with a specially crafted name that does not exist on disk and would normally cause LoadLibrary to fail. However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load these specially crafted file names, and maps them instead to another location specified by W32.Stuxnet, so the .dll can be loaded without a copy of it under that name ever existing on disk. Once a .dll has been loaded by this method, GetProcAddress is used to find the address of a specific export from the .dll, and that export is called, handing control to the new .dll.
If Stuxnet detects any security software, it determines which product and version is installed and re-launches itself in a new process chosen to avoid that product's scanning.

The code that injects Stuxnet into a process is located in export 15. First it checks the configuration data of the system, then checks whether the system is 64-bit; if it is, it exits. Once it has determined it is running on a 32-bit system it checks the OS version, and then checks whether it has administrator rights. If it does not, it checks the OS once more to determine whether it is on XP or Vista. On XP it uses a zero-day vulnerability in Win32k.sys to escalate privilege and restart itself in csrss.exe. On Vista it uses a zero-day vulnerability in the Task Scheduler to escalate privilege and restart as a new task. Once it has the highest administrator rights, Stuxnet calls export 16.

Export 16 installs Stuxnet onto the system and also checks the configuration data of the system. It then checks the registry value NTVDM Trace, and if it is 19790509, it does not proceed. This is believed to be an infection marker, or rather a do-not-infect marker. If the value is not set, installation continues. Stuxnet then checks the date; if it is past 06/24/2012, it exits and does not install: this is Stuxnet's kill-switch date. It then checks whether it is on XP or Vista. On XP it sets the DACL, on Vista it sets the SACL. It then creates its files, including its main payload file Oem7a.pnf. It checks the date one more time before decrypting its files and loading itself onto the disk, and then calls export 6 to get its version. It compares its version number with the one on disk, and then installs its rootkit drivers, Mrxcls.sys and Mrxnet.sys.
It then hides all of its malicious files, infects any removable storage device, and finally infects Step 7 projects.

Attack

ICS are operated by code running on PLCs, which are often programmed from Windows computers that are not connected to any network. The creators would have needed the schematics of the target ICS to know which systems the worm should go after, so it is believed that an insider, or an early version of Stuxnet, retrieved them. They would then create the latest version of Stuxnet, in which each feature was implemented for a reason and in service of the worm's final goal. The worm would then need to be tested in a mirrored environment to make sure it worked correctly. The attackers needed signed certificates to allow Stuxnet's drivers to be installed, and it is believed that to get them they physically entered the companies and took them. Once this was accomplished, the worm needed to be introduced into the environment it was to infect, and this was done by a willing or unwilling third party, such as a contractor working on the systems, most likely with a flash drive.

Once introduced into the environment, Stuxnet would begin to spread in search of the Windows computers used to program PLCs, which are called field PGs. Since these computers are not networked, Stuxnet had to reach them indirectly: it spread through the LAN using a zero-day vulnerability, infected Step 7 projects, and copied itself onto removable storage that would eventually be carried to a field PG. Once Stuxnet found a computer running Step 7, it would begin to check values from the ICS to determine whether it was on the correct system. It would do this for 13 days to 3 months, and then wait two hours before sending a network burst to the connected devices. These bursts were the newly modified PLC code, which contained instructions to change the frequency at which the devices operated, making them operate outside of normal boundaries. Victims would not see the modified code, as Stuxnet hides its modifications by intercepting read and write commands.
If someone sent a read command to the PLC, Stuxnet would intercept it, and if it was to read an infected section, Stuxnet would pull an unmodified copy from itself and return that to the person. If it was a write command, Stuxnet would make it seem as if it went through. Though the attack caused more damage because it spread beyond the target onto outside computers, this was likely necessary to achieve the attackers' goal. It is believed the attackers accomplished their goal before they were discovered. Due to all this, Stuxnet is believed to be one of the most complex pieces of malicious software written to date.
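The read/write interception described above, as an added example (not code from the essay or from Stuxnet itself): a small Python model of a PLC rootkit that serves pristine copies of the blocks it has modified and reports writes to them as successful, followed by the check a practitioner would use to catch it, namely fingerprinting the blocks as read through the engineering station and comparing them against a read taken over an independent path (a clean laptop) or a baseline captured before commissioning. Block names follow the S7 naming scheme (OB1, OB35, DB890), but their contents and the FC1999 call are constructed placeholders; dropping the intercepted writes is a modelling choice, since the essay only says the write appears to go through.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class PLC:
    """The controller's real block store (block name -> code bytes)."""
    blocks: dict = field(default_factory=dict)

    def read(self, name: str) -> bytes:
        return self.blocks[name]

    def write(self, name: str, code: bytes) -> None:
        self.blocks[name] = code


class HidingProxy:
    """Models the rootkit sitting between the engineering station and the PLC.

    For every block it tampers with it keeps the pristine copy, serves that
    copy on reads, and reports writes to the block as successful without
    letting them reach the controller (modelling choice, see lead-in).
    """

    def __init__(self, plc: PLC) -> None:
        self.plc = plc
        self.pristine: dict = {}   # name -> clean bytes of infected blocks

    def infect(self, name: str, malicious: bytes) -> None:
        if name not in self.pristine:          # keep the first clean copy
            self.pristine[name] = self.plc.read(name)
        self.plc.write(name, malicious)

    def read(self, name: str) -> bytes:
        # Reads of an infected block get the clean copy, never the implant.
        return self.pristine.get(name, self.plc.read(name))

    def write(self, name: str, code: bytes) -> bool:
        if name in self.pristine:
            return True                        # "written", nothing changed
        self.plc.write(name, code)
        return True


def fingerprint(blocks: dict) -> dict:
    """Short SHA-256 per block; what a verifier records as a baseline."""
    return {n: hashlib.sha256(c).hexdigest()[:16] for n, c in sorted(blocks.items())}


def hidden_modifications(station_view: dict, direct_view: dict) -> list:
    """Blocks whose content differs between the engineering station's view and
    an independent read. Any difference means something on the station's path
    is rewriting what the operator sees."""
    names = set(station_view) | set(direct_view)
    return sorted(n for n in names if station_view.get(n) != direct_view.get(n))


def demo() -> dict:
    # Constructed placeholder block contents, not real Step 7 or Stuxnet code.
    plc = PLC({
        "OB1":   b"CALL FC1\nBE",          # main cycle
        "OB35":  b"CALL FC2\nBE",          # cyclic interrupt
        "DB890": b"\x00" * 16,             # data block
    })
    proxy = HidingProxy(plc)

    # The rootkit implants a call to its own (constructed) FC1999 in both OBs.
    proxy.infect("OB1",  b"CALL FC1999\nCALL FC1\nBE")
    proxy.infect("OB35", b"CALL FC1999\nCALL FC2\nBE")

    # 1) Uploading the program through the compromised station looks clean.
    station_view = fingerprint({n: proxy.read(n) for n in plc.blocks})

    # 2) Re-downloading the original OB1 through the same path reports
    #    success, yet the controller still runs the implant.
    proxy.write("OB1", b"CALL FC1\nBE")
    restored_on_plc = plc.read("OB1") == b"CALL FC1\nBE"

    # 3) An independent read of the controller exposes the discrepancy.
    direct_view = fingerprint(plc.blocks)
    return {
        "station_sees_clean_ob1": proxy.read("OB1") == b"CALL FC1\nBE",
        "plc_runs_implant": plc.read("OB1").startswith(b"CALL FC1999"),
        "write_restored_original": restored_on_plc,
        "flagged": hidden_modifications(station_view, direct_view),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the check is that it never trusts the engineering station's own read path: the baseline or second read has to come from a host that did not run the Step 7 software on the suspect machine, otherwise the same interception layer can answer both queries consistently.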