How Stuxnet works… –

Recommendations

Info

How Stuxnet works… – ~WTR4132.tmp – DLL is a CPL applet containing ~12 encoded components in the last .stub section: • 298.000, 7A4E2D2638A454442EFB95F23DF391A1, s7otbxsx.dll. • 145.920, 335707EABBE7FF256E0650432ACCEC9B, svchost.dll • 102.400, F979C6A3E668C5073C4C6506461B034E, svchost.dll • 40.960, A3844A1B6BEA3F6FAF9C276858F40960, - • 26.616, F8153747BAE8B4AE48837EE17172151E, MRXCLS.SYS • 25.720, 37FC7C5D89F1E5A96F54318DF1A2B905, ~WTR4141.TMP • 17.400, ED68775A8E242933403F7791BBA2437A, MRXNET.SYS • 14.848, F9BAE53E77B31841235F698955AECE30, - • 10.240, C1CB4117D9998C79AE10C1B890C23A4D, Executable extracted from CAB • 9.728, 98FBEBD8883021FBE6464C37ACF17938, - • 5.237, D102BDAD06B27616BABE442E14461059, CAB file • 4.171, F58DBFCD6119C139E9E143D3660A1288, LNK template/skeleton
Bypassing Detection • Creates the following mutexes to ensure that only one instance of itself is running in memory: – @ssd[random number] (i.e. “@ssd094”, “@ssd083A1”) – Global\Spooler_Perf_Library_Lock_PID_01F – Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} – Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3} – Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA} – Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3} – Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC} – Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
Page 1 and 2: Attacking Infrastructure Hacking Ex
Page 3 and 4: Evolution: Motivation From Vandalis
Page 5: Evolution: Targets From PCs, modems
Page 8 and 9: Myth #10 Critical infrastructure is
Page 10 and 11: SCADA
Page 12 and 13: NIST SP800-82: Communications
Page 14 and 15: NIST SP800-82: Railway
Page 16 and 17: NIST SP800-82: Manufacturing
Page 27 and 28: SANS Diary: SCADA (Aug. 22, 2010)
Page 31 and 32: RTUs/MTUs/PLCs/HMIs/DAS/IED and mor
Page 35 and 36: Automated Teller Machines Processor
Page 37 and 38: Myth #7 Critical infrastructure run
Page 39 and 40: ATMs: Services Running (edited for
Page 41 and 42: Myth #6 These systems are secure (o
Page 43 and 44: Smart Meters: The OFF Switch July 2
Page 45 and 46: SCADA: Siemens database default pas
Page 47 and 48: 2x the 0-days in 2010 MSIE HTML Obj
Page 49 and 50: Stuxnet: Under the Hood • Discove
Page 51: How Stuxnet works… • When the f
Page 55 and 56: MRXCLS.SYS 0xF8153747BAE8B4AE48837E
Page 57 and 58: MRXNET.SYS 0x1E17D81979271CFA44D471
Page 59 and 60: Stuxnet: Pilfering… • Connects
Page 61 and 62: Stuxnet: Command and Control (C&C/C
Page 63 and 64: Stuxnet: HELP • Siemens UPDATE -
Page 65 and 66: Myth #5 Because they don’t run st
Page 67 and 68: BlackHat 2010 - Las Vegas, NV
Page 69 and 70: ATMs: Vulnerabilities (Cyber) July
Page 71 and 72: BHO DEMO
Page 73 and 74: Myth #3 Whatever problems exist, th
Page 75 and 76: Public Transportation
Page 77 and 78: Biomed: Implantable Medical Devices
Page 79 and 80: Myth #3 Whatever problems exist, th
Page 81 and 82: DOE report • May 2010 Report from
Page 83 and 84: NERC (Project 2008-06 Cyber Securit
Page 85 and 86: Myth #2 There is nothing we can do
Page 87 and 88: BONUS?
Page 89 and 90: Initial screen (blue pill or red pi
Page 91 and 92: PCAP of ownage - User-Agent values
Page 93 and 94: Owned - now grab Cydia, etc

Hacking Exposed

Transform your PDFs into Flipbooks and boost your revenue!

Hacking Exposed

Transform your PDFs into Flipbooks and boost your revenue!

Delete template?

Save as template ?