The History and Analysis of Stuxnet

Hey, hello, great to meet you. Our next speaker is Liz Chena Posty. She is a security application developer in PostSphere. She started a journey She mostly self-taught in hacking tools for spare time. She's got a huge list of tools that she has developed. And is experienced in speaking at various security conferences. And so this should be something that should be quite interesting at the senior year. And she is talking about the history and analysis of Snuxnet. I understand that in her spare time she loves trying to kill you with a gun and runs in and catches a fly. Okay, I got it. To break up an old topic, I know, and a little bit of a

rematch, I think it's a play on topic, how it would be like if this film onto your desk is about our animals, this day and age, and how you approach it, how you tear it apart. I want you to show it again, how many people have seen the internals of the infamous Stuxnet virus? The actual internal guts of it, how some of it works. Maybe one? So today we're going to look at the history as well as some of the analysis of the main Stuxnet program. So to preface this talk, Stuxnet took an entire team of a version of yours six months to crack. I'm not an entire team, you're more of a guy who spends

six months here saving and talking to you about it. The goal of the talk is to solely speak about the main dropper so we have some context so they don't get too disappointed with me. So I'll keep updating these slides as much as I can as I take my journey through Stuxnet and other analysis skills. So thank you for your understanding there. So as he mentioned, I'm Lily. I work for GoSecure and Threat Intelligence is a security application developer. So the agenda for today, the first of this is going to be a bit of a disclaimer. We'll have samples here, like a couple that we can actually pull apart on our own and get to play with. We'll be going through some classification, timeline and history.

We'll talk about the off-hole operation itself and its different level of components. We'll talk about defense and then we'll essentially go into closing word matters. So, let's begin with an introduction here. For those who may not be familiar, we're going over a little bit of the history and then we'll move into the rest of it. So, before we begin, tools and techniques that I cover in this talk The sample is on my cup so that it can fall down and then play with the eye earlier in the show.

So, SUXNET essentially is a computer-run neural virus. It's capable of lateral movement throughout a data target environment. It's also a rootkit, so it's able to gain access to the kernel driver remains. We'll go over essentially what that means. So, they can just hide themselves from users on the machine as they have higher level access. That's essentially what Stuxnet is in the first view, what its class is. So Stuxnet lives not only in user mode, it also lives in a kernel-based router space, so that's RAMES2 and RAME1. And this is just a basic diagram for those who don't completely understand what So this is a bit backwards, but this is far into the future. We're going to take a look

at it for more. overarching perspective. So this guy here, his name is James Parkright. He is the commander of US Strategic Command. So in between 2006 and 2010, what he had stated, which he wasn't supposed to state, was that the goal is to gain access to the Matanz plant's industrial computer controls. The computer code would invade the specialized computers that command the centrifuges. And he got a lot of heat from that, and rightfully so. So, Sexnet still fully unacknowledged today officially. So, he was really opened up to the making. So, when was it discovered? In June of 2010, the Saudi Sergei, who worked for Barstow at the time, had discovered blue screens of death happening on the tents of plant sheets. And

I think you're going to lie, this is most likely happening, right? So for those who aren't familiar, drivers, when they're interacting with kernel space and things like that, if anyone has messed with some kernel exploitation before, once you get that blue screen, you're feeling like you found something good. So there was something going on with the rootkits at that time that were causing their conflict with another driver, some other issue, or causing blue screens to death on Windows 10.

So moving forward to July 15th, 2010, this is Brian Krebs, he had a write-out, and he stated that he was thinking that they were leveraging vulnerability in regards to Windows Auto-Run and Auto-Play features, in regards to Windows Shortcuts for LNK files. And so this is just starting to begin to understand what this malware does, but didn't have a full overall So Stuxnet wasn't always called Stuxnet. Actually, it started with the name Tinkert, and then later called Temfin, and then finally Stuxnet. And the final name was derived from a combination of keywords found in the malware. And what we're going to do is we're actually going to see where that name came from later on, which will be quite

interesting. Moving on to May of 2011, so who did it? This guy here, Gary Samore, he's the White House coordinator for arms control and weapons of mass destruction. So he stated in 2011, "We're glad the Iranians are having trouble with their centerpiece machines, and that we, the U.S. and its allies, are doing everything we can to make sure that we complicate matters for them." So, not like a full confession, but a confession. So, again, quite interesting. Moving into... June 1st of 2012, it was disclosed there was a leak to the New York Times from an agent who sent that they're quite offended with the fact that they call it Stuxnet because in fact it's actually called Operation Olympic Games, which is

the holding of the operation of the malware which they've made. And then we start getting Stuxnet variants up into 2012. Essentially, a Iranian scientist said to have emailed out to Kyiv's chief research officer for any help. So again, they're starting to get reutilized, spreading even more plastics, obviously, in the territory. Then again, in 2012, in December, a electrical supply company in Iran came under cyber attack as well. And they thought it was due to school hackers. Well, it was Stuxnet again. So again, going past its intended target. So this is pretty much why we get to discover this interesting EET attack today. So in 2013, it affected a Washington power plant. So again, even further, it just keeps going and going

and going. causing all kinds of issues all around the world, even three years after its original discovery. So if you take a look here, based on the information that we have, the US is seemingly the likely one who made it. But no evidence that it will be used necessarily. Iran shared mostly infection, but 1.56% hit the US. So it's kind of like letting a bomb haven fly or go back on you, just kind of funny. And here you can see the infection share map there. And again, most of that is obviously just directly inside of Iran itself. I'm only going to do why that actually is.

So now we can talk a little bit about the actual operation itself. So Operation Olympic Games. So let's have a look here. First thing we need to ask ourselves is if you have an operation this big and you want to attack a nuclear plant, what are your motives, right? So what motives would someone have to do something of this caliber? So first thing is prevent creation of weapons of mass destruction. This is an actual view from Google Maps of the lieutenant's plant. If you ever want to visit there, there's the geocordinates. Just keep in mind that these here things will kill you when you visit there. Don't want to step there too. going with this, there are two lock them for sure. So the dilemma is too many weapons

at the facility and the need to prevent a conventional strike. So it'd make a lot of noise in the media if you go ahead and drop bombs on all those guns. Someone's got to hear about it, right? So with all the war on terrorism and everything else going on, maybe a really bad PR stunt is go out and blow up a bunch of other stuff. So the solution, what's the solution to this problem? So to develop a much less obvious attack, developing an advanced cyber word to sabotage their critical systems. So main word is, and I wouldn't hit the news necessarily on its part, but it did eventually hit the news anyway, so it passes the intended target. The next question is, how do

you distribute something like this? The answer to that is quite simple. So, in order to cross the paragraph, the substantive argument was distributed and it was deflashed by. Now, I say that really strongly because the evidence really points towards that. And again, we'll get more into why this particularly is. So, believe it or not, in 2018, this year, this vulnerability came back. Curiosity really does fully pass. So if you look at the statistics from Stanford's computer science department, roughly 45 to 95 percent, so 45 percent being the worst case scenario of 297 drives, people inserted them in executed stuff. So one of every two drives that you just buy for really cheap and just throw on the ground, someone's going

to plug them in and run executables.

So, quite an interesting study there. So, a subset, you know, gets on that network, they're going to have to move through some kind of model to get through the network on its own. Someone got in there, say, through a sneaker net, right, with the USB. You want to go further than that and, you know, compromise this entire AeroCAP environment. So the first vulnerability here is called the weakest link. So you may or may not get that reference. But this was a vulnerability from 2010, which came along with SnapseNet, obviously. This is the one that allowed people to extricate the LOK files that were not properly handled to obtain access to a given

He used another one called a schooler alert because it involves printers. Spoiler alert is the plain words there for those who do not get that. So when printer sharing is enabled, which most of our items would, Windows did not properly validate schooler access permissions. So essentially There could be execution in the system directory, in the system32 folder. R3 file can be uploaded or executable, which would later then get executed as the payload. And it all happens due to a crafted RPC package. Even we had this one here from 2008, and we'll get into these years and why they're important later, but Basically, this allows you to execute any code that you want essentially remotely. And

you don't have to wait for a file to be executed, but just you have a very good execution already. So it's a lot more reliable, especially when the moving library is quite a summons environment. There is another one. So don't be surprised that sucks that in half. Some people say four, but I'm going to tell you now This one here is 2010. We'll go into why this number up here is garbage. And then later on we'll see why it's good. In regards to the ear. But C-Metabensis C. and PCI-7's data systems, they all use hard-coded passwords which allow local users to gain access to back-end databases and get privileges for their central archive server for this data system. So, not too great. And we'll

go into why some of the downfalls in which how this happens. I found some new information in some of their old documentation from NCCS 6.2 that I think was maybe quite interesting. And if you weren't for students, I would do a follow-up. So to display the gravity of some of these, sometimes it helps to show what they reflect. So I have a bit of a demo here of a 2010. I'm just going to put this back up here for a moment. Okay, so this is my box here that I'm essentially doing some testing on. And essentially I'll just add in the file here where you can actually see some of the payload. I want to

put it smaller to see, but essentially it's just a path. a network share path that's quite different from what you would get in a formal algorithm key from mail. So this is the special practice with that. So here I actually need directly to use Ruby service pack 2. This is service pack 3. But with service pack 2, it has the auto run feature for USB. So if I plug this in, essentially, and I'm in service pack 2, the auto run on that file will actually execute that file that's there. But if I run that, I can notice that remotely, based on that, script which runs that shortcut it'll actually go ahead and pass back a shell to my interpreter because I've inspected

the console there I get a interpreter shell session, and then I'll be able to actually drop right into a shell there. So you can imagine, like, handing someone at this point in time, in the early 2000s, just pass someone a USB, you plug it in, nothing else, no other interaction. You immediately get a shell back with full access to your system as a regular user.

And here I'm essentially trying to confirm that it's the same box. So you all can essentially believe what I wrote there. So if I start a calculator, you'll see that we have definitely access to my machine. And this is not from the feds, so don't worry, it was a joke. The next one actually is a little bit more interesting, is that it requires There's absolutely no interaction whatsoever from the user, period. You just have to have the RPC port open, which is what we're doing. And essentially from there, it will just go ahead. You have work-free code execution. You're going to be able to acknowledge whatever you essentially need. So, this one. Here you actually see, on the PC, at this point,

I actually used Windows Service Pack 2. And what I do is I essentially set the payload and everything I need of the horse there. I'm going to just pull through this. You actually can see the IP up here for the machine which we're attacking at the time. And once everything is set, you just set your target. You set the port you want to listen back on. You set what your IP is. You run your exploits, it sends a payload, it's executed, you get your shell back. You don't have to, nothing has to go to that user at all, other than that packet. So, here at our exploits, you notice no interaction at all from the user up here, only interaction down

here, and you're already into a shell in that remote machine with no access involved. This guy up here did nothing. You just ran over a RODAX plane and you have that obsessed. So this was how a SNUX guy was essentially able to just go ahead and traverse through that network and move wirelessly. Not only through USB sticks, but people moving them around. Because every time one of these machines got infected, it would push it up to USBs when it saw them. And then that person would go from one machine to another machine, and that would run a whole other subnet completely separate from everything else. That's essentially how it goes through the entire autonomous network.

So now that you have a basic concept or idea of how these sort of operate, right? So you're able to see how it moves naturally through the network, or you're just plugging the speed in, and then you have access as well as if you ran the exploit on whatever host that run the network, you would get access as well. So now you have a whole entire network essentially, but now we're going to get a look into a little bit of Suxnet itself. So here is the actual USB crafted data file. So you can see here that it's essentially storage volume, and this one here is a sample of a Kingston data trial that we're in, and it's

quite fascinating. And this is crafted to execute the payload called this temp file here. So in 2018 guess what? That LMP file exploit is back. I think some of you may have heard of it. But it's back out there again. So that's back which is quite funny. So now this is even affecting Windows 10 and Windows 10 servers. So different practice. So, first thing on this piece of garbage, right down your desk, this is what you get. You get a dot stub string, and that is the only string that you see in the entire binary. So, can you guys perhaps guess what that one string may perhaps mean? Probably not. Well, let's have a look. So, some people may

think of, you know, stub beside your toe and it hurts kind of thing. A sub's kind of hurts a lot more than this one. Let's look a little deeper. So what do you guys see here? Well, I can tell you is I'm not sure what it is quite yet. I can just do it away. So let's see here. So up here, you'll see that the PE structure on the right here has a section called dot stub, which is this which is all of this stuff here. Then you'll notice entropy in the middle, which is high, 0.8. And all this seems to be mostly this color, which is attributed to the dot stuff section. So, I ask you again, what do you think that dot stuff is going

to mean? Okay, we'll keep moving forward and we'll see. Don't let it walk by. So, first thing, so I can start out with a bit of fingerprinting. So, it actually runs, this is a main dropper, so it's version EX and W for Y, so Unicode. You'll notice kind of in the dump that actually the spacing in the text is a little bit interesting there, which is easy to go right. So, basically, you're out of the version of the operating system, match writing, things like that. So, then you see there's the ductal stat lines down there, two, five, and six, specifically. What those essentially mean is that where 6 is the new 7, these are obviously pre-processor defined

values that you can take from. So where 6 is the new 7, 5 is the new 6, the platform ID refers to the version platform made 32 in T, so 32-bit systems. So they essentially did not want Substance to run on anything other than the next version of Windows and it all must be 32 bit. So they wanted to actually target in and make sure that this ran only on these machines for this given time frame. So they wanted to be quite specific with that. So here we have the beginning of the subtype proper here. So the first function I've got here in mind is actually called findStub. The next one there is a first stage sub-encryptor. It's decryptor sucks in the

payload itself. And then we have the memory injection method function, which is down there. And then after which it goes ahead, grabs, hit-crop, and then executes the function So you can see everything in Subset is very beautiful and organized. So find the data that you need to encrypt. Go ahead, decrypt it, inject it, execute. Very clean, very simple, very straightforward. And so these guys, you know, they knew what they wanted to do, really the question of doing it. Not as messy as some other malware that I've used before. So next year, obviously the first option looking for stub, so we're comparing these stub screens with our data. So it's essentially going to be a loop over all these stub, sorry,

not all the stub, all the sections in the library, looking for where that section is. So here I can see our data and some other sections here, as well as stub. So it's looking through these offsets in order to find its encrypted payment. So once it actually finds that cryptic payload, what's it going to do? It's going to jump. So here it does the experiment here. It found stuff and stuff, which means it found the data which it is looking for. And it will go ahead and jump into its next section of code, which is out of the market for what it would do normally if it wasn't a correct match. So Stuxnet is packing

some serious heat here. So this is Stuxnet. But if it was in the military, you can see all of these guns there, totally necessary. So now what SCUBSCAD does is it calculates the offset, the flange of entry points, and the offset to the SCUB, which is that data section with high entropy in which we were talking about, to obfuscate what it's actually doing.

And then what it's going to do is it's going to pass those brain from straight into its decryption routine. Pretty straightforward, right? So, who wants to see Suxnet decrypt itself in memory? Me. Alright, so, in order to clarify here, this is, we're now into the first stage decryptor of Suxnet, and I'll actually tell you that there's actually three stages to it. and it's one move forward going over the entire section of stuff, the stuff data section. And then you see the high-intensity data here is changing each time I pass one of these breakpoints essentially. And that's performing these interesting ZOR operations which actually depend on the iterators of the for loop itself. So they actually developed their own algorithm to actually go

ahead and run ZOR algorithm to go ahead and make the correct natural payload in your memory convention. And I started putting this back into its original C code and I'll showcase some of that actually a little bit later. So here, now you can see that we're successful. We actually go ahead and get MZ here, which is this program that can be executed in DOS mode. And I'll tell you right now, this file that I've here extracted from memory is actually dynamically library. So you're not done yet. Stuxnet is the name of the bug. So as about we're in, so you look here and you're like, okay, there's UPX sections there. Anyone familiar with UPX? So, except that, Robert has another set of directions that

you have to do real good. And we'll go over to how Rick is essentially moving forward. So moving on to its injection method, it actually goes ahead and creates the name kernel32dll.nsur.someoffset which points to where it needs to be for the injection out of this dynamic environment which it wants to execute. Here are some terms that I thought were quite interesting which were happy about this thing is so different. So then it starts doing some things that we find really shady inside of our security in regards to those 32-day deadlines. Which is actually it just goes ahead and, you know, it does page execute, write, copy, page execute, rewrite, which is actually a fault tolerance that they built in for some of these code executions that we want

to do. And then it sets different regions of memory as the execute will read and writeable. which is class A, you know, injection, right? So here you can actually see an item that looks like where it's doing these behaviors, very, you know, inject to read, right? And as well where it's kind of fault tolerant there. So one virtual attack fails, it's going to try another one, right? So you want to be really explicit in what you're doing. They want it to be successful. So here is some basic code, essentially what that kind of looks like. Not the full picture, but some. And then further on in the case injection method, it actually goes ahead and pulls out these hidden functions. There's

actually, I didn't actually reverse the string director itself, but yeah, they have encrypted strings in there. And these are the ones that I was able to uncover. But already you can see virtual query, virtual protect, get progress as well, create threads. It's all these essentially going to one thing. We're setting up some kind of dynamic inquiry injection, right? So it then wraps itself handle to NTDLM and it moves forward from there. And they are actually so smart that they decided to patch an undocumented function of the Windows UPI called "zw-open-file" from the NTDLL library in memory, and actually load that DLL file from memory instead of from an actual file which it was originally intended to. Only then will it actually un-UPX itself and decrypt that

second state.

And here, moving forward as well, we see that ZW3 section, which is HHQ, right copy, HHQ3, S-flat. Smells like injection, right? So again, you have the mask that they had there, all of these, it's here, all of the XQ, YQ, YQ, everything is smelling like injection. And some of these UW functions aren't documented, so these guys are in their shit, right? So, you know, clipping is not all you need here. You know what? You need to look at this yourself. And what's great is, since we've got the payload, it's for clipping, we're going to actually just, you know, take that payload, that section where we have to worry about all this complicated injection, and just get that first payload and un-crop that action on its own. So,

we can take a look at UPX there. So here you can see the entropy for UPX slammed against the wall, so this is definitely a no one knows already bypassing UPX. You have a push AD instruction here which essentially pushes all general purpose registers to the stack. Simply just follow your XN stack pointer there into the memory dump and then set your hardware array points from that. After you do that, you can just go ahead and execute and continue and actually get to this stage and then there's a little loop here that just runs, just go to this jump that's right here with almost every UPX standard communication so you can modify it. You can actually get to where

the actual entry point of the Omnicarctic code actually is. So after that, you jump to the new point key which stands for in our terminology is the original entry point. for that malware, which is the unencrypted section where that payload is that you want to extract. What you have to do is simply go ahead and export that. Now, with NukeDX, you're going to have to rebuild all your imports. Luckily, there's a tool to rebuild imports for these executables for you. This one's called Simica, and I really like, personally, the x64 GBT for Windows debugging. And now you can see our entropy looks a lot better. Saying it's not packed anymore, right? It looks a little bit more normal. And now we can

actually start seeing what's actually in the sub-snet finally. Exhausting, right? So here you can see all these RPC calls. Did we talk about RPC? So these are likely the setup for some of the X-Points that we were actually seeing down was up, weren't they? And here you can actually see the graph. And you can clean up the UPX section, but I was a bit lazy there. So if you're using UPX to hide your secrets, don't. It's broken. Do you want to see the second stage of the correction? I have a video of that too. Here's mine. It's too deep for me. So here I'm just opening it up. Can you go here? And we're just going to run this. This is after we

extracted the first one. So here we're going to follow that ESP valley and the dock here. Those four bites specifically. And we're going to set the hardware break point. So after you run there, after setting the hardware break point, brings it here. And you want to essentially get to this jump that I was mentioning. Once you get to that jump, Now you're the new OEP. So that's my comment there. And then we're going to go ahead and simply rebuild the imports and exports from where we are currently into its own binary so that we can better look at it via any other static analysis tool. So here, I've opened up the first sample. Notice it's packed. And

again, go ahead, put it inside again, our unpacked version, and we're pretty done. So we're good. We've given up that sample W, and I also uploaded that sample to RSTribble, and that's what we get. Stuxnet. Stuxnet all across the board. So we did a really good job. So Stuxnet also wrote its own host functionality on WinCC, which is used to monitor and manage the schema machines. This is kind of what the interface would look like in regards to this. You will see during the day, you know, there are 18,000 and so there are more printer plants. So Stuxnet needed to have access to scale-edit plant machines in order to access the SAS or SimpleRx server. This was accomplished using that CD we mentioned about to make the credentials.

It also went ahead and looked specifically for these particular frequency converters which were connected to the nuclear sub-fusions. And the reason that most of the stuff that I didn't bother turning over places was because one of these frequency converters associated values was very specific and was only made in Iran. So that's why you see most of the concentration of the infection, not for which guy had So anyway here There is a WinCC hard-coded in here, that password. This is Stuxnet itself and it strings in everything that we completely want to correct by using a password to that specific SaaS server. All of the SQL associated queries and so DBS and so on and so on.

More interestingly, Listen to this. This is from the NCC documentation 6.2. If the server fails to construct the alarm time, how will failure disconnection power plug? It's possible that the NCC installation is damaged. As a result, the SQL server can no longer access the OSC home master database following a restart. Does any security professional know what that means? Your binary gets corrupt? What happens to your hard-coded password? It's gone. It's just gone. So someone knew about it. So WinCC communicates scores, something essentially called pro-fibus, to its associated PLC controller. That's essentially just how it communicates to the machines. That's all. More interesting here, you can actually see this here asking for our local system highest privileges

Here. So how is that going to install the truth kits? Everyone forgets about those exploits called privilege escalation. So this is one of those. I did this thing on here where I did a bit more and found some interesting stuff there. Digital International Firmware. That's what they make. Serial servers. One of those is nuclear power plants. And here we actually see the interesting MROXnet and these Sysfiles. Those here are actually the rootkits. Cool. Next we're going to climb up the DLH. That's the actual PLC that they were looking for. And this is how it was configured when they were looking at it. So frequency converters, six modules, frequency converters that they were looking for to screw up the centrifuges

as well. It is replacing of DLLs with DLL hijacking public information sources. So how can you defend from something like this? Antibiotics, sex network removal tool, that's already done. Behavioral analysis, network monitoring, segmentation, routine patching of ARAC machines to the secure manner. Assuming you were the hack at some point, because, you know, well, the biggest thing you bring up is network monitoring. You saw this EBE from 2008. What if you were monitoring your network with Sorter-Sherkada at the time? Which you probably saw that and had it fixed faster than two, not have your whole nuclear program set back at least two years. You think two years at a nuclear plant, how expensive that is. If you're

monitoring your nuclear air cap systems on your local network, you're doing your due diligence but here all those drops you know they didn't discover that even though one of those cvs was from 2000 so two years of headache so questions you may have i'm going to give you one here so here is the stub and with x net so stub plus mri set equals you match those two things together you get sex man and that's where that name comes from So where can you find the slides and all the associated information here today? So on my GitHub, /stuxnet-history, you can find it there. This is essentially just a C code that I did with. You can find me

after to have, obviously, if you have questions about it, and how it goes through these decorators and does its masking associated things.

Since we're running a bit difficult on time. This is question time. This is question time. So I placed for the last bit there. So the whole floor is open to questions. Embarrassing. Does anyone have any specific questions about how I finished the bathroom service? I'm running the mic. Here. So during the decryption process, I think it was stage one, you got to a MZ header, correct? Yeah. So is that a typical planning effect for decrypting, just looking for the MZ header? Yeah, so we've seen others as well, so typically you'll see you'll see the MC header. Obviously there's different kinds of injection and execution and decryption techniques. Mostly what you're looking for is the MC header

that's there. You've got to be really careful that you don't extract the wrong thing because sometimes you can extract actually dynamic libraries that have everything to do with what's there and it's not actually there. So... Yeah, we were discussing that earlier. Yeah, totally. Extracting dynamic conclibrary that's native to the system, you know, we're a beginner, that's what I used to do, and the foods grow up, right? Just look for those techniques that are out there in the log, in the document, process hollowing, injection, virtual protects, DLL injection. If you look up those techniques and that you guys associate with them for your particular symptom, you can find most malware One interesting one I found was from

Fancy Bear, which they actually load .NET unmade HTML into memory and actually the C++ code actually launches this new instance of the .NET framework and loads that and executes things of the functionality of the specific offsets that it needs when it's big. Which is, you know, I haven't had a whole lot of time. Thank you very much for that. It was very informative. I had a good history of studying.