How Stuxnet works…

How Stuxnet works… – ~WTR4132.tmp – DLL is a CPL applet containing ~12 encoded components in the last .stub section: • 298.000, 7A4E2D2638A454442EFB95F23DF391A1, s7otbxsx.dll. • 145.920, 335707EABBE7FF256E0650432ACCEC9B, svchost.dll • 102.400, F979C6A3E668C5073C4C6506461B034E, svchost.dll • 40.960, A3844A1B6BEA3F6FAF9C276858F40960, - • 26.616, F8153747BAE8B4AE48837EE17172151E, MRXCLS.SYS • 25.720, 37FC7C5D89F1E5A96F54318DF1A2B905, ~WTR4141.TMP • 17.400, ED68775A8E242933403F7791BBA2437A, MRXNET.SYS • 14.848, F9BAE53E77B31841235F698955AECE30, - • 10.240, C1CB4117D9998C79AE10C1B890C23A4D, Executable extracted from CAB • 9.728, 98FBEBD8883021FBE6464C37ACF17938, - • 5.237, D102BDAD06B27616BABE442E14461059, CAB file • 4.171, F58DBFCD6119C139E9E143D3660A1288, LNK template/skeleton

Bypassing Detection • Creates the following mutexes to ensure that only one instance of itself is running in memory: – @ssd[random number] (i.e. “@ssd094”, “@ssd083A1”) – Global\Spooler_Perf_Library_Lock_PID_01F – Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} – Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3} – Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA} – Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3} – Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC} – Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}

Page 1 and 2: Attacking Infrastructure Hacking Ex
Page 3 and 4: Evolution: Motivation From Vandalis
Page 5: Evolution: Targets From PCs, modems
Page 8 and 9: Myth #10 Critical infrastructure is
Page 10 and 11: SCADA
Page 12 and 13: NIST SP800-82: Communications
Page 14 and 15: NIST SP800-82: Railway
Page 16 and 17: NIST SP800-82: Manufacturing
Page 24 and 25: Myth #10 Critical infrastructure is
Page 27 and 28: SANS Diary: SCADA (Aug. 22, 2010)
Page 29 and 30: Myth #8 Critical infrastructure is
Page 31 and 32: RTUs/MTUs/PLCs/HMIs/DAS/IED and mor
Page 33 and 34: Myth #8 Critical infrastructure is
Page 35 and 36: Automated Teller Machines Processor
Page 37 and 38: Myth #7 Critical infrastructure run
Page 39 and 40: ATMs: Services Running (edited for
Page 41 and 42: Myth #6 These systems are secure (o
Page 43 and 44: Smart Meters: The OFF Switch July 2
Page 45 and 46: SCADA: Siemens database default pas
Page 47 and 48: 2x the 0-days in 2010 MSIE HTML Obj
Page 49 and 50: Stuxnet: Under the Hood • Discove
Page 51: How Stuxnet works… • When the f
Page 55 and 56: MRXCLS.SYS 0xF8153747BAE8B4AE48837E
Page 57 and 58: MRXNET.SYS 0x1E17D81979271CFA44D471
Page 59 and 60: Stuxnet: Pilfering… • Connects
Page 61 and 62: Stuxnet: Command and Control (C&C/C
Page 63 and 64: Stuxnet: HELP • Siemens UPDATE -
Page 65 and 66: Myth #5 Because they don’t run st
Page 67 and 68: BlackHat 2010 - Las Vegas, NV
Page 69 and 70: ATMs: Vulnerabilities (Cyber) July
Page 71 and 72: BHO DEMO
Page 73 and 74: Myth #3 Whatever problems exist, th
Page 75 and 76: Public Transportation
Page 77 and 78: Biomed: Implantable Medical Devices
Page 79 and 80: Myth #3 Whatever problems exist, th
Page 81 and 82: DOE report • May 2010 Report from
Page 83 and 84: NERC (Project 2008-06 Cyber Securit
Page 85 and 86: Myth #2 There is nothing we can do
Page 87 and 88: BONUS?
Page 89 and 90: Initial screen (blue pill or red pi
Page 91 and 92: PCAP of ownage - User-Agent values
Page 93 and 94: Owned - now grab Cydia, etc

Hacking Exposed

products

Features

Resources

Developer

Company

Pro Features

Help & Support

Integrations

Plans & Pricing

Company

Hacking Exposed

Delete template?

Save as template?

products

Features

Resources

Developer

Company

Pro Features

Help & Support

Integrations

Plans & Pricing

Company