Introduction to Stuxnet and How to Detect and Remove It
APA Center of Sharif University of Technology, APA Center of Amirkabir University of Technology, Maher Center. Introduction to Stuxnet and how to detect and remove it. Hadi Jafarian, Aban 89 (Iranian calendar). Outline: Why Stuxnet? How it works. How to detect and remove it. How to prevent it. Required actions.

Transcript (slide numbers run to 41; only the Latin-script fragments of the Persian slide text are preserved):
Slide 1: Stuxnet, 89 (title slide)
Slide 2: Why Stuxnet? (section header)
Slide 3: PLC, SCADA
Slide 4: SCADA, Step7, Siemens PLC, CnC
Slide 5: SCADA
Slide 6: PLC, WinCC, Step7; the targeted PLC models are 6ES7-417 and 6ES7-315-2
Slide 8: Vba32 (the VirusBlokAda antivirus product whose vendor first reported Stuxnet)
Slides 9 and 10: IP, NAT (infection counts by IP address; the figures' labels are not in the transcript)
Slides 11 and 12: infection statistics (only unlabelled figures survive in the transcript)
Slide 13: How Stuxnet works (section header)
Slide 14: Malware (definition)
Slide 15: Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.
Slide 16: Vulnerabilities exploited, in Windows (RPC, Print Spooler) and in Siemens software: MS10-046; MS08-067 (Microsoft Windows Server Service RPC Handling); MS10-061 (Microsoft Windows Print Spooler Service); MS10-073
Slide 17: WinCC/Step7 (1): hard-coded WinCC database credentials: Server = .\wincc; Uid = winccconnect; Pwd = 2wsxcder
Slide 18: WinCC/Step7 (2): DLL hijacking (WinCC, PLC)
Slide 19 (diagram): s7otbxdx.dll, s7otbxsx.dll, PLC; "Request code block from PLC", "S7blk_read", "Show PLC code block", "Modified STL code block" (three blocks on the PLC). The original s7otbxdx.dll is renamed to s7otbxsx.dll and a replacement s7otbxdx.dll sits between Step7 and the PLC, so every block read (S7blk_read) passes through it.
Slide 20: PLC, OB1, OB35, Profibus; "Clean OB1" versus "Infected OB1"
Slide 21: RPC, HTTP, Peer-to-Peer, LAN, RPC
Slide 22: RPC interface commands: 0: returns the version number of Stuxnet installed; 1: receive an exe and execute it (via injection); ...; 6: read file; 7: drop file; 8: delete file
Slide 23: CnC servers www.mypremierfutbol.com and www.todaysfutbol.com; SCADA, IP
Slide 24: P2P update over RPC, between Server and Client: 1 Call RPC 0 (Get Version); 2 Send installed version; 3 Call RPC 4 (Request latest version); 4 Send latest version; 5 Install latest version
Slide 25: Adobe; DLL Hijack; Removal; Step7; PLC
Slide 26: Detecting and removing Stuxnet (section header)
Slide 27: Artifacts left by Stuxnet:
Registry keys: [HKLM\SYSTEM\CurrentControlSet\Services\MRxNet], [HKLM\SYSTEM\CurrentControlSet\Services\MRxCls], [HKLM\SYSTEM\CurrentControlSet00X\Services\MRxNet], [HKLM\SYSTEM\CurrentControlSet00X\Services\MRxCls]
Injected module KERNEL32.DLL.ASLR.XXXXX loaded in services.exe, lsass.exe and svchost.exe
Driver files %WinDir%\system32\drivers\mrxnet.sys and %WinDir%\system32\drivers\mrxcls.sys
Slide 28: Rootkit check (driver file and injected module):
IF EXIST %windir%\system32\drivers\mrxnet.sys echo FOUND!
TASKLIST /FI "MODULES eq KERNEL32.DLL.ASLR.*"
Slide 30: Partition Table, BIOS
Slide 32: Removal (1): Section; Reboot; Batch Script; kill the processes hosting the injected module:
TASKKILL /F /FI "MODULES eq KERNEL32.DLL.ASLR.*"
Slide 33: Removal (2): delete the service key from the Windows Registry with Regedit or the reg command:
reg delete HKLM\SYSTEM\CurrentControlSet\Services\MRxNet /f
Slide 34: Removal (3): delete the rootkit drivers mrxnet.sys and mrxcls.sys from %windir%\system32\drivers\:
del /F %windir%\system32\drivers\mrxnet.sys
Slide 35: Also remove the legacy enumeration keys, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control] ..., and the log/config files %Windir%\inf\mdmcpq3.PNF, %Windir%\inf\mdmeric3.PNF, %Windir%\inf\oem6C.PNF, %Windir%\inf\oem7A.PNF
Slide 36: Verify the cleanup by re-running the rootkit checks:
TASKLIST /FI "MODULES eq KERNEL32.DLL.ASLR.*"
IF EXIST %windir%\system32\drivers\mrxnet.sys echo FOUND!
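As an added, report-only check (not from the presentation), the PowerShell script below gathers the artifacts listed on slides 27 and 35 into one pass: the MRxNet/MRxCls service keys, the LEGACY_MRXCLS key, the driver and .PNF files, and any process carrying a module named KERNEL32.DLL.ASLR.*. It assumes it is run as Administrator on the affected Windows host and only reports; removal follows the slide 32 to 35 steps.

```powershell
# Added example (not from the presentation): report-only scan for the
# Stuxnet host artifacts listed on slides 27 and 35. Run as Administrator.
$registryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxNet',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxCls',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS'
)
$files = @(
    "$env:WinDir\system32\drivers\mrxnet.sys",
    "$env:WinDir\system32\drivers\mrxcls.sys",
    "$env:WinDir\inf\mdmcpq3.PNF",
    "$env:WinDir\inf\mdmeric3.PNF",
    "$env:WinDir\inf\oem6C.PNF",
    "$env:WinDir\inf\oem7A.PNF"
)

$findings = @()
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "registry key present: $key" }
}
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file) { $findings += "file present: $file" }
}

# The injected module appears as KERNEL32.DLL.ASLR.<random> in the module
# list of services.exe, lsass.exe and svchost.exe (slide 27); every process
# is checked so a differently named host process is not missed.
foreach ($proc in Get-Process) {
    try {
        $hits = $proc.Modules | Where-Object { $_.ModuleName -like 'KERNEL32.DLL.ASLR.*' }
        if ($hits) {
            $names = ($hits | ForEach-Object { $_.ModuleName }) -join ', '
            $findings += "injected module in $($proc.ProcessName) (PID $($proc.Id)): $names"
        }
    } catch {
        # Module enumeration fails for protected or cross-bitness processes; skip them.
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Stuxnet artifacts found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code marks a host with findings, which makes the script usable from a batch run across many machines.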
Slide 37: How to prevent Stuxnet (section header)
Slide 38: Apply the Microsoft patches MS10-046, MS10-061, MS08-067 and MS10-073, and update Siemens WinCC and Step7
Slide 39: Required actions (section header)