Dec 07, 2010

Siemens discovers 417 attack code

We have always said that Stuxnet can only be understood based on hard lab work. So it does not surprise us at all that when we sent our fellow researchers from Siemens back to their lab on November 11 in response to their meager “official Siemens communication” on Stuxnet, success was waiting right around the corner. Only eleven days later, they finally did discover the 417 attack code. Read more »

Dec 06, 2010

Mitigation tool for post-Stuxnet malware: The Langner Controller Integrity Checker

We are proud to announce the first hardcore mitigation tool for post-Stuxnet malware: The Langner Controller Integrity Checker, or CIC. CIC is a software solution that checks the integrity of network-attached S7 controllers. Changes in code, data, and configuration will be detected and reported automatically. CIC is a small-footprint command line tool that can be called from existing monitoring applications, such as Nagios, from user-created scripts, or from the Windows task scheduler. This allows for user-configurable intervals of integrity checks, leaving it up to the user how closely individual controllers need to be monitored. Since CIC does not download the controller’s complete code and data blocks, controller and network load is minimal, allowing for check intervals down to one minute without negative effects on CPU cycle time or network interface load. Read more »

Nov 29, 2010

Life as a Stuxnet expert can be dangerous

If you trust DEBKA, the Iranian nuclear scientist that was murdered today was Iran’s top Stuxnet expert.

Nov 28, 2010

Geo-strategic backgrounder: Iranian nukes in America’s backyard

What’s worse than Iranian nuclear warheads? If you are a US citizen, you may answer: Iranian nuclear warheads within 1500 miles of US homeland.

No, Iran didn’t move. It’s the warheads that will move, along with ballistic missiles. At least that’s the idea behind recently signed treaties between Iran and Venezuela that go back to at least 2008. Venezuela is another oil-producing nation that sits on more oil than the country can consume in the next 100 years, but is eager to develop a nuclear program – strictly for peaceful purposes, comprende. What else. Venezuela and Iran have a deal that allows Iran to install a missile base in Venezuela, along with strategic weapons (that’s where the nukes come in once they have them). In turn, Iran helps Venezuela build up a missile and nukes program. Read more »

Nov 27, 2010

Stuxnet makes its way into exploit tools

First parts of Stuxnet’s attack technology have found their way into exploit tools, a.k.a. penetration testing frameworks. Core Impact has added some of the exploits, Immunity’s CANVAS even more. So far, no tool seems to offer Stuxnet’s PLC exploits. People who attended WeissCon 2009 or one of our control system security training seminars will remember our fully functional proof-of-concept software that manipulates controllers without any insider knowledge. If we wanted to, we could implement a configurable controller exploit framework that includes Stuxnet’s nastier attack technology within four weeks. We won’t do it. But others probably will. They may need longer, but for all we know they may have started already.

Nov 24, 2010

Vulnerable

Let’s go ahead after all these technicalities and try to explain conceptually what Stuxnet exploits on controllers, and what that means for all of us who are somehow using such controllers, or depending on them in one way or another.

Exploits

The main thing to understand when looking at how Stuxnet takes over control is that Stuxnet doesn’t exploit bugs. It exploits legitimate product features of modern controllers which can be found in more than one brand of controller. In detail: Read more »

Nov 24, 2010

MITM continued

Here are some details for those who have decrypted Stuxnet code and can’t make sense out of it. The recorder function for recording inputs is located in FC 6069, which is called at the beginning of FC 6070, which is called from FC 6082 in states 2, 3, 4, 5, and 6. (Ok, this gives everybody a feeling of the code complexity we’re talking about.) Here’s what FC 6069, the recorder, looks like in STL: Read more »

Nov 22, 2010

How cyber forensics works

If you have followed the Stuxnet saga for several weeks, you will probably have heard that it would be impossible to determine Stuxnet’s targets, just because the automation products in question and the attack strategy used could target any process. That’s nonsense. Let’s look at how we can narrow down the targets by forensic analysis. Step with us into the crime scene and let’s imagine we have just found Stuxnet and have been able to extract the payload – the two digital warheads that run on the PLCs. Read more »

Nov 21, 2010

Attention to detail

To give you an idea how carefully the man-in-the-middle attack on the 417 is crafted, let’s focus on one specific detail. Just one out of many. (Note: You probably won’t be able to understand the following without very good knowledge of controller architecture.)

As outlined before, a controller holds a memory image of the physical inputs and physical outputs. This is what the controller program, or ladder logic, usually operates on. Stuxnet disables automatic updates of physical and logical I/Os by the execution environment, exploiting a legitimate configuration setting. During the attack, it feeds fake input data to the input process image. (By the way, did you know that the input process image was not read-only? As a matter of fact, it can even be manipulated via the network, but that’s another story, and not exploited by Stuxnet.) Read more »

Nov 20, 2010

MITM implications

The man-in-the-middle attack on the 417 has some very important aspects that cannot be overemphasized:

1. The attack combines denial-of-control and denial-of-view.

The legitimate program on the controller is no longer in control, WITHOUT RECOGNIZING IT. Same for operators looking at HMI screens. Alarms, bells, whistles don’t go off while rogue code on the controllers manipulates output at will. Read more »
