The document discusses the Stuxnet computer worm that targeted Iran's nuclear facilities. It describes how Stuxnet infected industrial sites in Iran starting in 2009, including a uranium enrichment plant. It spread through computer networks and used several zero-day exploits to infect systems and remain undetected. Stuxnet is believed to have been created by the United States and Israel to sabotage Iran's nuclear program.
4. Stuxnet is a computer
worm.
It was discovered in June 2010.
It is believed that STUXNET was created
by the United States and Israel to
attack Iran's nuclear facilities.
Roel Schouwenberg, a Kaspersky Lab
researcher, spent his days (and many
nights) dissecting STUXNET.
5. A 500-kilobyte computer worm that
infected the software of at least 14
industrial sites in Iran, including a
uranium-enrichment plant.
Whereas a computer virus relies on an
unwitting victim to install it,
a worm spreads on its own, often
over a computer network.
This worm was an unprecedentedly
masterful and malicious piece of
code that attacked in three phases:
first the Windows hosts, then the
Siemens Step7 engineering software,
and finally the programmable logic
controllers (PLCs).
6. 2009 June: Earliest Stuxnet sample seen
◦ Does not use MS10-046
◦ Does not have signed drivers
2010 Jan: Stuxnet driver signed
◦ With a valid certificate belonging to Realtek
Semiconductor Corp.
2010 June: VirusBlokAda reports W32.Stuxnet
◦ Stuxnet uses MS10-046
◦ VeriSign revokes the Realtek certificate
2010 July: ESET identifies a new Stuxnet driver
◦ With a valid certificate belonging to JMicron
Technology Corp.
2010 July: Siemens reports it is investigating
malware targeting its SCADA systems
◦ VeriSign revokes the JMicron certificate
◦ A signature made with a stolen certificate verifies
as valid until the certificate is revoked, and even
then only on hosts that actually check revocation
7. 2010 Aug: Microsoft issues MS10-046
◦ Patches the Windows Shell shortcut (.LNK) vulnerability
2010 Sept: Microsoft issues MS10-061
◦ Patches the Print Spooler vulnerability
2010 Sept: Iranian nuclear plant hit by delay
◦ Warm weather blamed
◦ Measured temperatures were at historical averages
2010 Oct: Iran arrests "spies"
◦ Spies who attempted to sabotage the country's
nuclear programme
◦ Russian nuclear experts flee Iran
8. Organization
◦ Stuxnet consists of a large .dll file
◦ 32 exports (the entry points, one per function
Stuxnet can perform)
◦ 15 resources (the code and payloads the exports
actually run)
Stuxnet calls LoadLibrary
◦ With a specially crafted file name that does not
exist on disk
◦ Which would normally cause LoadLibrary to fail.
However, W32.Stuxnet has hooked Ntdll.dll
◦ To monitor for requests to load these specially
crafted file names.
◦ These specially crafted file names are mapped to
another location instead
◦ A location specified by W32.Stuxnet,
◦ Where a .dll has previously been decrypted and
stored in memory by Stuxnet.
◦ The loaded module therefore never exists as a file
on disk, which is what defeats file-based scanning.
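The loader-hook trick above, modelled in portable form as an added example (this is not Stuxnet's code and not Windows code): Python's import machinery stands in for LoadLibrary and Ntdll.dll, a hook at the front of the loader chain watches every load request, and one crafted name that exists nowhere on disk is served from an embedded, XOR-encrypted buffer that is decrypted only in memory. The crafted name, the key, the payload and the export name `export_16` are all constructed for the example; Stuxnet's real resource format and encryption are not shown on the page and are not modelled. The last function is the practitioner's check: list loaded modules whose recorded origin is not a real path.

```python
"""Portable model of a loader hook that maps a nonexistent name to an
in-memory, decrypted module. Added example; not Stuxnet's or Windows code."""
import importlib
import importlib.abc
import importlib.machinery
import importlib.util
import os
import sys

# Constructed sample "resource": payload stored XOR-encrypted with a made-up key.
RESOURCE_KEY = b"\x5a\xa3\x17\xc2"
PAYLOAD_SOURCE = b"def export_16():\n    return 'payload ran from memory'\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED_RESOURCE = xor_bytes(PAYLOAD_SOURCE, RESOURCE_KEY)

# Hypothetical crafted name: no file or package of this name exists anywhere.
CRAFTED_NAME = "crafted_module_that_does_not_exist"


def on_disk(name: str) -> bool:
    """Ask the filesystem finder directly, bypassing hooks and the module cache."""
    return importlib.machinery.PathFinder.find_spec(name) is not None


class LoaderHook(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Stands in for the hook Stuxnet placed in Ntdll.dll: watch every load
    request and redirect only the crafted name to memory."""

    def __init__(self, name: str, encrypted: bytes, key: bytes):
        self.name, self.encrypted, self.key = name, encrypted, key

    def find_spec(self, fullname, path, target=None):
        if fullname != self.name:
            return None  # every other load request takes the normal route
        # Map the crafted name to a location we control instead of a file.
        return importlib.util.spec_from_loader(fullname, self, origin="memory")

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        # Decrypt only at load time; the plaintext lives only in memory.
        source = xor_bytes(self.encrypted, self.key)
        exec(compile(source, "<memory>", "exec"), module.__dict__)


def load_crafted(name: str = CRAFTED_NAME):
    """Install the hook at the front of the loader chain and load the crafted name."""
    hook = LoaderHook(name, ENCRYPTED_RESOURCE, RESOURCE_KEY)
    sys.meta_path.insert(0, hook)
    return importlib.import_module(name)


def modules_without_backing_file() -> list:
    """Detection check: loaded modules whose recorded origin is not a real path."""
    found = []
    for name, module in list(sys.modules.items()):
        origin = getattr(getattr(module, "__spec__", None), "origin", None)
        if (isinstance(origin, str) and origin not in ("built-in", "frozen")
                and not os.path.exists(origin)):
            found.append(name)
    return found


if __name__ == "__main__":
    assert not on_disk(CRAFTED_NAME)   # without the hook, this name cannot load
    mod = load_crafted()
    print(mod.export_16())
    print("modules with no file behind them:", modules_without_backing_file())
```

The detection function is deliberately crude: it flags anything whose origin string is not a path that exists, so modules loaded from a zip archive will also show up. On the real system the equivalent check is comparing each loaded module's image against the file its path claims to be, which is exactly the comparison a loader hook of this kind is built to defeat.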
9. Stuxnet collects and stores the following information:
◦ Major OS version and minor OS version
◦ Flags used by Stuxnet
◦ Flag specifying whether the computer is part of a
workgroup or domain
◦ Time of infection
◦ IP address of the compromised computer
◦ File name of the infected (Siemens Step7) project file
Windows versions Stuxnet checks for before running:
◦ Win 2K
◦ WinXP
◦ Windows 2003
◦ Vista
◦ Windows Server 2008
◦ Windows 7
◦ Windows Server 2008 R2
11. Iran
◦ Iran blames Stuxnet worm on Western plot (Ministry
of Foreign Affairs)
◦ "Western states are trying to stop Iran's (nuclear)
activities by embarking on psychological warfare
and aggrandizing, but Iran would by no means give
up its rights by such measures."
◦ "Nothing would cause a delay in Iran's nuclear
activities."
◦ "Enemy spy services" were responsible for Stuxnet
(Minister of Intelligence)
12. Israel (DEBKAfile)
◦ An alarmed Iran asks for outside help to stop
rampaging Stuxnet malworm
◦ Not only have their own attempts to defeat the
invading worm failed, but they made matters
worse:
The malworm became more aggressive and returned to
the attack on parts of the systems damaged in the
initial attack.
◦ One expert said: "The Iranians have been forced
to realize that they would be better off not
'irritating' the invader because it hits back with a
bigger punch."
◦ These statements were copied verbatim by mayor
13. Distribution of infected hosts by country:
Iran            60%
Indonesia       18.22%
India           8.31%
Azerbaijan      2.57%
United States   1.56%
Pakistan        1.28%
Others          9.2%
14. Stuxnet represents the first of many milestones in
malicious code history
◦ It is the first to exploit multiple 0-day
vulnerabilities,
◦ Compromise two digital certificates,
◦ Inject code into industrial control systems,
◦ And hide that code from the operator.
Stuxnet is of such great complexity,
◦ Requiring significant resources to develop,
◦ That few attackers will be capable of producing a
similar threat.
Stuxnet has shown that direct attacks on
critical infrastructure are possible and not just
theory or movie plotlines.