Hacking Exposed

Attacking Infrastructure 

Hacking Exposed - Australia 

Stuart McClure 

GM/SVP 

Risk and Compliance BU 

McAfee, Inc.

Attacks and Headlines 

Threats: Opportunity Meets Motivation Meets Ability… 

PDA, 

cell phone, 

wireless 

Bots, Botnets 

DDOS networks 

User-propagated 

viruses, Trojans, 

PW stealers 

Targeted 

attacks 

MISUSED 

FUNCTIONALITY 

MALICIOUS 

INTENT 

USERS’ POOR 

COMMON SENSE 

Social 

Engineering, Privacy 

Breaches, Collusion 

DESIGN 

FLAWS 

Spam, mass-mailers, 

phishing, pharming 

Vulnerabilities, 

Exploits, 

Scripted attacks 

Spyware, 

Adware, PUPs

Evolution: Motivation 

From Vandalism… …To Financial Gain 

Nation State Intelligence 

Intellectual Property Exfiltration 

Cyberterrorism

Evolution: Techniques 

From Viruses and Trojans… 

…To Advanced 

Persistent 

Threats (APTs)

Evolution: Targets 

From PCs, modems, Mainframes… …To Infrastructure

Myths of 

Infrastructure 

Security

Myth #10 

Critical infrastructure is complex 

and only understood by the 

most elite propeller heads…

SCADA 

• SCADA stands for supervisory control and data acquisition. It 

generally refers to an industrial control system: a computer system 

monitoring and controlling a process. The process can be industrial, 

infrastructure or facility-based as described below: 

• Industrial processes include those of manufacturing, production, power 

generation, fabrication, and refining, and may run in continuous, batch, 

repetitive, or discrete modes. 

• Infrastructure processes may be public or private, and include water 

treatment and distribution, wastewater collection and treatment, oil and 

gas pipelines, electrical power transmission and distribution, Wind 

Farms, civil defense siren systems, and large communication systems. 

• Facility processes occur both in public facilities and private ones, 

including buildings, airports, ships, and space stations. They monitor 

and control HVAC, access, and energy consumption. 

Source: wikipedia.org

SCADA

NIST SP800-82: Guide to ICS Security (Sept 08)

NIST SP800-82: Communications

NIST SP800-82: Full SCADA Implementation

NIST SP800-82: Railway

NIST SP800-82: DCS

NIST SP800-82: Manufacturing

SCADA

Myth #10 

Critical infrastructure is complex 

and only understood by the 

most elite propeller heads…

Myth #9 

Critical infrastructure is 

firewalled off from the rest of 

the world, especially the 

Internet…

SANS Diary: SCADA (Aug. 22, 2010)

Myth #9 

Critical infrastructure is 

firewalled off from the rest of 

the world, especially the 

Internet…

Myth #8 

Critical infrastructure is difficult 

to obtain and only certified 

approved individuals can obtain 

them.

ATMs

RTUs/MTUs/PLCs/HMIs/DAS/IED and more…

Biomedical

Myth #8 

Critical infrastructure is difficult 

to obtain and only certified 

approved individuals can obtain 

them.

Myth #7 

Critical infrastructure runs only 

on tightly controlled operating 

systems and platforms 

unknown by the bad guys…

Automated Teller Machines 

Processor : 1 

Processor Name : Intel(R) Pentium(R) 4 CPU 2.80GHz 

Vendor : GenuineIntel 

CPU Speed : 2814 MHz 

Identifier : x86 Family 15 Model 2 Stepping 9 

C:\ (NTFS, Size 80024M, Free 70449M) 

Microsoft Windows XP-Professional--Service Pack 3- (Build 2600) 

Installed in C:\WINDOWS. 

Arch: 32 bit

ATMs and SCADA

Myth #7 

Critical infrastructure runs only 

on tightly controlled operating 

systems and platforms 

unknown by the bad guys…

Myth #6 

These systems are secure (or 

at least very limited in 

functionality) leaving only the 

smallest openings for an 

attacker.

ATMs: Services Running (edited for your protection) 

Application Layer Gateway Service 

COM+ Event System 

Cryptographic Services 

DCOM Server Process Launcher 

DHCP Client 

Distributed Link Tracking Client 

DNS Client 

Domain Time Client 

Event Log 

IPSEC Services 

Vendor Specific Apps (30+) 

Net Logon 

Network Connections 

Network Location Awareness (NLA) 

Plug and Play 

Print Spooler 

Protected Storage 

Remote Access Connection Manager 

Remote Procedure Call (RPC) 

Secondary Logon 

Security Accounts Manager 

SNMP Service 

System Event Notification 

Task Scheduler 

TCP/IP NetBIOS Helper 

Telephony 

Endpoint Management Apps (2) 

Windows Audio 

Windows Firewall/Internet Connection Sharing 

(ICS) 

Windows Management Instrumentation 

Wireless Zero Configuration 

Workstation

ATMs: Listening Services 

Active Connections 

Proto Local Address Foreign Address State Proto Local Address Foreign Address State 

• TCP 0.0.0.0:135 0.0.0.0:0 LISTENING • UDP 0.0.0.0:135 *:* 













• TCP 172.19.127.84:1112 x.x.x.x:445 TIME_WAIT 


• TCP 172.19.127.84:1118 172.19.19.44:443 TIME_WAIT 




• TCP 172.19.127.84:1138 x.x.x.x:135 ESTABLISHED 




• TCP 172.19.127.84:1143 x.x.x.x:1025 ESTABLISHED

Myth #6 

These systems are secure (or 

at least very limited in 

functionality) leaving only the 

smallest openings for an 

attacker.

Myth #5 

Because they don’t run 

standard software and 

operating systems, they don’t 

really have vulnerabilities…

Smart Meters: The OFF Switch 

July 2010, Two Cambridge researchers 

analyze the “off switch”: 

1. Non-payment 

2. Energy “rationing” 

Source: http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf

ATMs: Default Passwords

SCADA: Siemens database default passwords 

• CVE-2010-2772 

• Siemens Simatic WinCC SCADA system 

– Uses hardcoded database username and password 

– Allows WinCC to interface with the SQL database 

• uid=WinCCConnect; 

• pwd=2WSXcder; 

• Then attached to specific databases: 

– use master select name from master..sysdatabases where filename like 

N'%s' 

– exec master..sp_attach_db 'wincc_svr',N'%s',N'%s' 

– exec master..sp_detach_db 'wincc_svr' 

– use wincc_svr

SCADA: Default Passwords…

2x the 0-days in 2010 

MSIE HTML Object Memory Corruption Vulnerability (Jan. 14) 

CVE-2010-0249 (MS10-002) 

MSIE Dynamic OBJECT tag and URLMON sniffing Vulnerabilities (Feb. 3) 

CVE-2010-0255 (MS10-035) 

Adobe Acrobat, Reader, Remote Code Execution Vulnerability (Feb. 11) – 5 days 

CVE-2010-0188 (APSB10-07) ALL PLATFORMS 

MSIE Uninitialized Memory Corruption Vulnerability (Mar. 9) 

CVE-2010-0806 (MS10-018) 

Adobe Flash/Reader/Acrobat authplay.dll code execution (June 4) – 24 days* 

CVE-2010-1297 (APSA10-01) ALL PLATFORMS 

Windows Shell .lnk Vulnerability (July 16) – 16 days 

CVE-2010-2568 (MS10-046) – Active exploitation with Stuxnet worm, many more… 

Apple iPhone/iPad/iPod Code Execution and Sandbox Bypass (Aug. 3) – 8 days 

CVE-2010-1797/CVE-2010-2972/CVE-2010-2973 – Active exploitation jailbreakme.com 

Adobe Reader, Acrobat, Remote Control Vulnerability (Sept. 7) – 7 days and counting 

CVE-2010-2883 (APSA10-02) - Active embedded PDF exploitation ROP to bypass ASLR/DEP

Stuxnet: “The most 

sophisticated 

publicly sourced 

worm ever seen…” 

Me, July 30, 2010

Stuxnet: Under the Hood 

• Discovered in July 2010 by VirusBlokAda company in Minsk, Belarus 

• Affecting 14 plants to-date in Iran, Indonesia, India, UK, North America, Korea 

• Targets Siemens WinCC and SIMATIC Process Control System (PCS7) 

• Using four 0-day vulnerabilities plus Conficker (MS08-067) * 

– Design flaw in Print Spooler (MS10-061/CVE-2010-2729) (patched on Tues) 

– LSASS Privilege Escalation Heap Overflow (MS10-068/MS09-066) (patched 

on Tues) 

• Specially crafted LDAP messages to listening LSASS service 

– Shortcut icon vulnerability (CVE-2010-2568/MS10-046) – affecting every 

version of Windows since Windows 2000 (even Win95) (patched Aug. 2) 

– One privilege escalation exploit (yet to be patched) * 

• A user opens a folder that contains the .lnk template files 

• Rootkit drivers signed with valid certificates (Realtek and Jmicron) 

• UPX packed, XOR encoded everywhere 

• Once loaded, queries Siemens database with known default password 

• Connected to C&C servers, sending sensitive data 

• Manipulating the database to control the HMI output and manipulating the PLC’s

How Stuxnet works… 

• Original strain created four .lnk files on disk/USB key: 

– LNK file name: "Copy of Shortcut to.lnk" 

– MD5: CD4AAEF95C7E26A4A8188C0F19A1E612) 

– Executes: 

– “\\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#079801835673 

4E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp” 

– LNK file name: "Copy of Copy of Shortcut to.lnk" 

– MD5: F96B219DF8B3EEDF3591373F9EDD3CFD) 

– Executes: 

– “\\.\STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP 

#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2- 

00a0c91efb8b}\~WTR4141.tmp“ 

– LNK file name: "Copy of Copy of Copy of Shortcut to.lnk" 

– MD5: F291DC2BD652D47C611C8024B593B1A2) 

– Executes: 

– “\\.\STORAGE#RemovableMedia#8&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp” 

– LNK file name: "Copy of Copy of Copy of Copy of Shortcut to.lnk" 

– MD5: C93EDA637AB1DD5B2D7001E07B53D3E4) 

– Executes: 

– “\\.\STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp”


• When the folder is opened in Explorer.exe (or Total Commander), the 

.lnk files exploit the 0-day vulnerability to silently load the first file 

~WTR4141.tmp (a DLL file) into memory and pass control to it 

(execute it) in Explorer.exe address space 

– Once running, the worm’s rootkit features hide all files names ending in 

*.lnk and starting with ~wtr (including the the above files) by hooking the 

following APIs: 

– FindFirstFileW 

– FindNextFileW 

– FindFirstFileExW 

– NtQueryDirectoryFile 

– ZwQueryDirectoryFile 

• Then it loads the 2 nd .tmp file, ~WTR4132.tmp file


– ~WTR4132.tmp – DLL is a CPL applet containing ~12 encoded components in 

the last .stub section: 

• 298.000, 7A4E2D2638A454442EFB95F23DF391A1, s7otbxsx.dll. 

• 145.920, 335707EABBE7FF256E0650432ACCEC9B, svchost.dll 

• 102.400, F979C6A3E668C5073C4C6506461B034E, svchost.dll 

• 40.960, A3844A1B6BEA3F6FAF9C276858F40960, - 

• 26.616, F8153747BAE8B4AE48837EE17172151E, MRXCLS.SYS 

• 25.720, 37FC7C5D89F1E5A96F54318DF1A2B905, ~WTR4141.TMP 

• 17.400, ED68775A8E242933403F7791BBA2437A, MRXNET.SYS 

• 14.848, F9BAE53E77B31841235F698955AECE30, - 

• 10.240, C1CB4117D9998C79AE10C1B890C23A4D, Executable extracted 

from CAB 

• 9.728, 98FBEBD8883021FBE6464C37ACF17938, - 

• 5.237, D102BDAD06B27616BABE442E14461059, CAB file 

• 4.171, F58DBFCD6119C139E9E143D3660A1288, LNK template/skeleton

Bypassing Detection 

• Creates the following mutexes to ensure that only one instance of itself 

is running in memory: 

– @ssd[random number] (i.e. “@ssd094”, “@ssd083A1”) 

– Global\Spooler_Perf_Library_Lock_PID_01F 

– Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} 

– Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3} 

– Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA} 

– Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3} 

– Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC} 

– Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}

Rootkit Drivers and Registry Keys… 

• Drops 2 malicious rootkit drivers into %Systemroot%\drivers\ folder 

and runs them: 

File name: mrxnet.sys 

MD5: CC1DB5360109DE3B857654297D262CA1 

Payload: Hides the files ending with "*.lnk" and beginning with "~wtr". Monitors system events and 

activities, i.e. new program loading. 

File name: mrxcls.sys 

MD5: F8153747BAE8B4AE48837EE17172151E 

Payload: Injects malicious code to system processes (services.exe, svchost.exe, lsass.exe) 

• SYSTEM\CurrentControlSet\Services\MRxCls 

• SYSTEM\CurrentControlSet\Services\MRxNet 

These two indicators are definitive ways to detect the malware running.

MRXCLS.SYS 

0xF8153747BAE8B4AE48837EE17172151E 

• Injects malicious code into existing processes (services.exe, svchost.exe, 

lsass.exe) 

• Creates HKLM\System\CurrentControlSet\Services\Services\MRxCls registry 

key

MRXNET.SYS 

0xCC1DB5360109DE3B857654297D262CA1 

• Monitors system events and activities (i.e. – new program loading, hides *.tmp 

files) 

• Creates HKLM\System\CurrentControlSet\Services\Services\MRxNet registry 

key

MRXNET.SYS 

0x1E17D81979271CFA44D471430FE123A5

Stuxnet: Propogating… 

• Spreads to removable drives and network shares: 

– Attempts to access $ADMIN and $IPC 

• Checks whether SCADA software is installed on the 

infected machine by checking following registry keys: 

– SOFTWARE\SIEMENS\STEP7 

– SOFTWARE\SIEMENS\WinCC\Setup

Stuxnet: Pilfering… 

• Connects to the Siemens database using default 

credentials, pulls data 

• Searches for files on the Siemens systems: 

– GracS\cc_tlg7.sav 

– GracS\cc_alg.sav 

– GracS\db_log.sav 

– GracS\cc_tag.sav 

– s7tgtopx.exe (used to recompile the Safety Program) 

– Many more…

Stuxnet: Command and Control (C&C/C2) 

• Worm checks internet connectivity by accessing two legitimate sites: 

– www.windowsupdate.com (65.54.221.118) 

– www.msn.com (65.55.17.25) 

• Malware sends current IP address as well as following information to 

the C2 server: 

– GetUserNameW() – Retrieves the name of the user associated with the 

current thread (Explorer or Total Commander processes). 

– GetComputerNameW() - Retrieves the NetBIOS name of the local 

computer established at system startup. If the caller is running under a 

client session, this function returns the server name. 

– NetGetJoinInformation() - Retrieves join status information for the 

specified computer (NetBIOS name of the domain or workgroup to which 

the computer is joined)

Stuxnet: Command and Control (C&C/C2) 

• Stuxnet attempts to access following C&C servers: 

– www.mypremierfutbol.com 

– www.todaysfutbol.com 

• The data is encrypted and sent: 

– http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e9 

9b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce 

7a0f9e7dd11b6bfa1fe5377d602c39621b7f329 

• Malware uses RPC protocol for requesting a service from the client 

(compromised machine) over the network. 

• 

• Following actions may be executed as a response to RPC calls: 

– create process, terminate process, read file, write file, delete file, set file 

attribute, inject file to a system process

STUXNET REVERSING 

DEMO

Stuxnet: HELP 

• Siemens UPDATE - 

http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang= 

en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=108055 

77&treeLang=en 

• Siemens Security Whitepaper 

http://cache.automation.siemens.com/dnl/jE/jE2MjIwNQAA_26462131_HB/ 

wp_sec_b.pdf 

• Countermeasures 

– Tool to detect the malware 

– SIMATIC Security Update (checks if the Microsoft update is present) 

• Process for removing malware 

– Apply Microsoft patches to your systems 

– Harden your systems 

• Apply a security template 

• Disable USB ports 

– Firewalls and AV, etc.

Iran – Bushehr Nuclear Power, Persian Gulf (Feb.09) 

Source: United Press International

Myth #5 

Because they don’t run 

standard software and 

operating systems, they don’t 

really have vulnerabilities…

Myth #4 

No one is that bored to target 

these systems.

BlackHat 2010 – Las Vegas, NV

ATMs: Vulnerabilities (Physical) 

July 2010 – Barnaby Jack (Triton) 

• Use generic ATM key purchased online 

for $10US 

• Open the front cover with key, insert 

USB key with customized Windows CE 

firmware 

• Rebooting to USB key boots off of the 

customized firmware which empties the 

ATM of cash – Jackpot!!

ATMs: Vulnerabilities (Cyber) 

July 2010 – Barnaby Jack (Tranax) 

• Bypass vulnerability in Remote Management 

Authentication (Tranax fixed in Nov. 2009) 

• Allows for uploading of firmware (with rootkit) 

and reboot 

• Once running the new firmware allows: 

– Upload Rootkit, Reset to Default, Get Track 

Data, Get ATM Settings, Jackpot! 

• Rootkit also provides: 

– Backdoor menu from keypad sequence

Infrastructure Hacks - Missouri

BHO 

DEMO

Myth #4 

No one is that bored to target 

these systems.

Myth #3 

Whatever problems exist, they 

can’t really do any real 

damage…

Bakery

Public Transportation

Diesel Generator: This is just a test… 

(the Original “Operation Aurora”) 

• DHS exercise demonstrated the link between cyber and physical on 

CNN…

Biomed: Implantable Medical Devices 

• FDA has issued 23 recalls on IMDs in 

2010 – six caused by software defects. 

• In 2008, three Universities came together 

to RE 2003 IMD’s – they were able to: 

– Extract private data 

– Reprogram the therapy 

settings 

– Keep the device “awake” 

to run out the battery quicker 

– Disable the “shocking” mechanism to 

regulate beat 

– Introduce additional “shock” to produce 

fibrillation 

Source: http://www.secure-medicine.org/icd-study/icd-study.pdf 

• FDA in 2010 initiated to “Reduce Infusion 

Pump Risks”…but nothing related to security.

Avionics: Spanair Flight 5022 

• Aug. 2008 crash killed 154 

• Malware on diagnostic systems implicated 

• Full report comes out in Dec. 2010

Myth #3 

Whatever problems exist, they 

can’t really do any real 

damage…

Myth #2 

There is nothing we can do…it 

is hopeless…

DOE report 

• May 2010 Report from Idaho National Laboratory 

– http://www.fas.org/sgp/eprint/nstb.pdf 

• Top Vulnerabilities in Industrial Control Systems (ICS) 

• Most Likely Access Vector: 

Unpatched Vulnerabilities

Infrastructure Control Frameworks 

• NIST SP 800-82 (requirements) Guide to ICS Security 

Sept. 2008 

– 4.2.6 Perform Risk and Vulnerability Assessment 

– 5.1 Firewalls 

– 5.3 Network segregation 

– 5.6 Firewall rules 

– 5.11 Preventing man-in-the-middle attacks 

– 6 ICS Security Controls 

• NISTIR 7628 (guidelines) – Smart Grid Cyber Security 

Aug. 10, 2010 

– CIA model measurements 

– SG.CA-1 Security Assessment and Authorization Policy and 

Procedures

NERC (Project 2008-06 Cyber Security Order 706) 

• North American Electric Reliability Council (NERC)’s 

Critical Infrastructure Protection (CIP) initiatives cover: 

– CIP-002-2 – Critical Cyber Asset Identification 

– CIP-003-2 – Security Management Controls 

– CIP-004-2 – Personnel and Training 

– CIP-005-2 – Electronic Security Perimeter(s) 

– CIP-006-2a – Cyber Security (Physical Security) 

– CIP-007-2 – Systems Security Management 

– CIP-008-2 – Incident Reporting and Response Planning 

– CIP-009-2 – Recovery Plans for Critical Cyber Assets 

http://www.nerc.com/files/CIP-003-1.pdf 

http://www.nerc.com/files/CIP-004-2.pdf

SCADA: SANS Handler’s Diary 

Manuel Humberto Santander Pelaez (working @ Utility Company) 

8/22/10 

“The corporate antivirus didn't work because it 

consumed all the resources of the DAS and the 

HMI. Same happened with the Host IPS. The 

solution we found for the problem was SolidCore 

S3 product 

(http://www.solidcore.com/products/s3control.html), 

as it was non-intrusive, did not add 

extra layers and virtual devices to the operating 

system and controlled very good the zero-day 

problems.”

Myth #2 

There is nothing we can do…it 

is hopeless…

Myth #1 DENIAL WORKS… 

“According to Chris King, Chief Strategy and Regulatory 

Officer at eMeter Corporation…when asked about security 

threats within the Smart Grid, King noted that the Smart 

Grid does not present any new security threats and 

highlights that technologies today are more secure than 

ever.” 

Sept. 2010

BONUS?

Apple and Jailbreakme.com 

• jailbreakme.com web site checks user-agent and other values to 

determine appropriate response 

• If non-iPhone OS device - post informational page (browser-side 

JavaScript checking) 

• If iPhone/iPod/iPad, PDF is served up 

• PDF contains FreeType CFF Font exploit that owns MobileSafari 

(~userland only) 

• IOSurface kernel mode exploit is used to own base OS 

• Cydia is d/l’d and installed 

• Complete control of device is obtained, and package management is 

provided

Initial screen (blue pill or red pill ? )

iPad being owned

PCAP of ownage – User-Agent values checked

First request is for wallpaper

Owned – now grab Cydia, etc

Thank you! 

stuart_mcclure@mcafee.com 

www.hackingexposed.com

Hacking Exposed

Create successful ePaper yourself

Delete template?

Save as template?