stuxnet（震网）的详细分析_震荡波蠕虫病毒资源-CSDN文库

4星 · 超过85%的资源需积分: 48 136 浏览量 2013-06-12 17:33:53 上传评论 5 收藏 2.48MB PDF 举报

震网（Stuxnet）蠕虫病毒是网络安全史上一个里程碑式的恶意软件，它首次出现在2010年，并迅速引起了全球安全专家的关注。震网病毒被认为是历史上第一种专门针对工业控制系统（ICS）编写的恶意软件，其攻击目标是用于控制重要工业基础设施的可编程逻辑控制器（PLC）。震网病毒的设计目的非常明确：重写PLC中的代码，使其按照攻击者的意图执行操作，并且对操作员隐藏这些改变。震网病毒的复杂性和其对现实世界工业系统的潜在危害使其成为了信息安全领域研究的重点。该病毒的传播和攻击过程涉及多个阶段，包括感染、传播、安装、载入点设置、命令与控制、以及其核心功能的实现等。以下是对震网病毒分析的主要知识点： 1. 攻击场景（Attack Scenario）：震网病毒的设计者利用了工业控制系统在安全防护上的脆弱性，通过物理接触或者网络连接传播到目标系统，然后通过精心设计的攻击场景来实现其最终目的。 2. 时间线（Timeline）：震网病毒的发展和演变经过了精心设计，攻击者花费了大量时间和精力来研究目标系统的弱点，并设计出了一系列的攻击步骤。 3. 感染统计（Infection Statistics）：文档提供了关于震网病毒感染的统计数据，这有助于了解病毒的传播范围和影响程度。 4. 震网架构（Stuxnet Architecture）：病毒的架构设计非常复杂，包含了多个模块和功能组件，能够实现复杂的攻击流程和对目标系统的深入控制。 5. 安装（Installation）：病毒的安装过程涉及到绕过安全检测，以及利用系统漏洞在目标计算机上植入恶意代码。 6. 载入点（Load Point）：震网病毒必须在目标系统中找到一个合适的载入点，以此来启动其核心功能并开始对PLC的攻击。 7. 命令与控制（Command and Control）：震网病毒具备与攻击者通信的能力，能够接收来自外部的指令并上传收集到的数据，实现远程操控。 8. Windows根工具包功能（Windows Rootkit Functionality）：震网病毒包含了一个高级的Windows根工具包，它能够隐藏病毒文件和进程，躲避安全软件的检测。 9. 震网传播方法（Stuxnet Propagation Methods）：病毒采用了多种传播机制，包括USB驱动器传播、网络共享传播等，以便更高效地感染目标系统。 10. 修改PLC（Modifying PLCs）：这是震网病毒攻击的最终环节，病毒通过修改PLC程序代码，实现对工业控制系统的控制。 11. 载荷导出（Payload Exports）和载荷资源（Payload Resources）：震网病毒包含了多种载荷，这些载荷能够对不同类型的PLC进行特定操作。 12. 变种（Variants）：震网病毒在传播过程中出现了多个变种，这些变种可能是为了更好地适应不同环境或者提高传播效率。 13. 摘要（Summary）：对整个分析文档进行了概括，总结了震网病毒的主要特点和攻击手段。震网病毒的出现是网络安全领域的一个重要事件，它标志着网络攻击技术和目标已经扩展到关键基础设施的安全防护。对于安全专家而言，理解和分析震网病毒不仅是为了防范未来的威胁，也是为了推动工业控制系统安全防护技术的进步。通过对震网病毒的研究，能够更好地了解网络攻击者如何设计和实施针对物理基础设施的网络攻击，进而采取相应的防护措施。

资源推荐

资源详情

资源评论

Security Response

Contents

Introduction ....................................................... 1

Executive Summary ........................................... 2

Attack Scenario .................................................. 3

Timeline .............................................................. 4

Infection Statistics ............................................. 5

Stuxnet Architecture.......................................... 8

Installation ....................................................... 12

Load Point ........................................................ 16

Command and Control ......................................17

Windows Rootkit Functionality ....................... 20

Stuxnet Propagation Methods......................... 21

Modifying PLCs ................................................ 32

Payload Exports ............................................... 39

Payload Resources ........................................... 40

Variants ............................................................ 42

Summary .......................................................... 45

Appendix .......................................................... 46

While the bulk of analysis is complete, Stuxnet is an incredibly large and

complex threat. The authors expect to make revisions to this document

shortly after release as new information is uncovered or may be publicly

disclosed. This paper is the work of numerous individuals on the Syman-

tec Security Response team over the last three months well beyond the

cited authors. Without their assistance, this paper would not be possible.

Introduction

W32.Stuxnet has gained a lot of attention from researchers and me-

dia recently. There is good reason for this. Stuxnet is one of the

most complex threats we have analyzed. In this paper we take a de-

tailed look at Stuxnet and its various components and particularly

focus on the final goal of Stuxnet, which is to reprogram industrial

control systems. Stuxnet is a large, complex piece of malware with

many different components and functionalities. We have already

covered some of these components in our blog series on the top-

ic. While some of the information from those blogs is included here,

this paper is a more comprehensive and in-depth look at the threat.

Stuxnet is a threat that was primarily written to target an industrial con-

trol system or set of similar systems. Industrial control systems are

used in gas pipelines and power plants. It’s final goal is to reprogram

industrial control systems (ICS) by modifying code on programmable

logic controllers (PLCs) to make them work in a manner the attacker in-

tended and to hide those changes from the operator of the equipment.

In order to achieve this goal the creators amassed a vast array of com-

ponents to increase their chances of success. This includes zero-day

exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion

Nicolas Falliere, Liam O Murchu,

and Eric Chien

W32.Stuxnet Dossier

Septermber 2010, version 1.0

W32.Stuxnet Dossier

Page 2

Security Response

techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and

a command and control interface. We take a look at each of the different components of Stuxnet to understand

how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting

and relevant part of the threat.

Executive Summary

Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power

plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers

(PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.

Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before.

The majority of infections were found in Iran. Stuxnet contains many features such as:

Self-replicates through removable drives exploiting a vulnerability allowing auto-execution. •

Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)

Spreads in a LAN through a vulnerability in the Windows Print Spooler. •

Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)

Spreads through SMB by exploiting the • Microsoft Windows Server Service RPC Handling Remote Code Execu-

tion Vulnerability (BID 31874).

Copies and executes itself on remote computers through network shares.•

Copies and executes itself on remote computers running a WinCC database server.•

Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is •

loaded.

Updates itself through a peer-to-peer mechanism within a LAN.•

Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulner-•

abilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be

disclosed.

Contacts a command and control server that allows the hacker to download and execute code, including up-•

dated versions.

Contains a Windows rootkit that hide its binaries.•

Attempts to bypass security products.•

Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabo-•

tage the system.

Hides modified code on PLCs, essentially a rootkit for PLCs.•

W32.Stuxnet Dossier

Page 3

Security Response

Attack Scenario

The following is a possible attack scenario. It is only speculation driven by the technical features of Stuxnet.

Industrial control systems (ICS) are operated by a specialized assembly like code on programmable logic control-

lers (PLCs). The PLCs are often programmed from Windows computers not connected to the Internet or even the

internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the

Internet.

First, the attackers needed to perform reconnaissance. As each ICS is quite custom, the attackers would first

need design documents. These design documents may have been stolen by an insider or even retrieved by an

early version of Stuxnet or other malicious binary. Once attackers had the design documents and potential

knowledge of the computing environment in the facility, they would develop the latest version of Stuxnet. Each

feature of Stuxnet was implemented for a specific reason and for the final goal of potentially sabotaging the ICS.

Attackers would need to setup a mirrored environment that would include the necessary ICS hardware, such as

PLCs, modules, and peripherals in order to test their code. The full cycle may have taken six months and five to

ten core developers not counting numerous other individuals, such as quality assurance and management.

In addition their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion.

The attackers compromised two digital certificates to achieve this task. The attackers may have compromised

these digital certificates by physically entering the premises of the two companies and stealing them as the two

companies are in close physical proximity.

To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred

by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an

insider. The original infection may have been introduced by removable drive.

Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which

are typical Windows computers but used to program PLCs. Since most of these computers are non-networked,

Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two year old

vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served

as the first step and propagation through removable drives as a means to cover the last and final hop to a Field

PG that is never connected to an untrusted network.

While attackers could control Stuxnet with a command and control server, as mentioned previously the key com-

puter was unlikely to have outbound Internet access. Thus, all the functionality required to sabotage a system

was embedded directly in the Stuxnet executable. Updates to this executable would be propagated throughout

the facility through a peer-to-peer method established by Stuxnet.

When Stuxnet finally found a suitable computer, one that ran Step 7, it would then modify the code on the PLC.

These modifications likely sabotaged the system, which was likely considered a high value target due to the large

resources invested in the creation of Stuxnet.

Victims attempting to verify the issue would not see any rogue PLC code as Stuxnet hides its modifications.

While their choice of using self-replication methods may have been necessary to ensure they’d find a suitable

Field PG, they also caused noticeable collateral damage by infecting machines outside the target organization.

The attackers may have considered the collateral damage a necessity in order to effectively reach the intended

target. Also, the attackers likely completed their initial attack by the time they were discovered.

W32.Stuxnet Dossier

Page 4

Security Response

Timeline

Table 1

W32.Stuxnet Timeline

Date Event

November 20, 2008 Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.

April, 2009 Security magazine Hakin9 releases details of a remote code execution vulnerability in the Printer Spooler

service. Later identified as MS10-061.

June, 2009 Earliest Stuxnet sample seen. Does not exploit MS10-046. Does not have signed driver files.

January 25, 2010 Stuxnet driver signed with a valid certificate belonging to Realtek Semiconductor Corps.

March, 2010 First Stuxnet variant to exploit MS10-046.

June 17, 2010 Virusblokada reports W32.Stuxnet (named RootkitTmphider). Reports that it’s using a vulnerability in the

processing of shortcuts/.lnk files in order to propagate (later identified as MS10-046).

July 13, 2010 Symantec adds detection as W32.Temphid (previously detected as Trojan Horse).

July 16, 2010 Microsoft issues Security Advisory for “Vulnerability in Windows Shell Could Allow Remote Code Execution

(2286198)” that covers the vulnerability in processing shortcuts/.lnk files.

Verisign revokes Realtek Semiconductor Corps certificate.

July 17, 2010 Eset identifies a new Stuxnet driver, this time signed with a certificate from JMicron Technology Corp.

July 19, 2010 Siemens report that they are investigating reports of malware infecting Siemens WinCC SCADA systems.

Symantec renames detection to W32.Stuxnet.

July 20, 2010 Symantec monitors the Stuxnet Command and Control traffic.

July 22, 2010 Verisign revokes the JMicron Technology Corps certificate.

August 2, 2010 Microsoft issues MS10-046, which patches the Windows Shell shortcut vulnerability.

August 6, 2010 Symantec reports how Stuxnet can inject and hide code on a PLC affecting industrial control systems.

September 14, 2010 Microsoft releases MS10-061 to patch the Printer Spooler Vulnerability identified by Symantec in August.

Microsoft report two other privilege escalation vulnerabilities identified by Symantec in August.

September 30, 2010 Symantec presents at Virus Bulletin and releases comprehensive analysis of Stuxnet.

剩余48页未读，继续阅读

评论收藏

内容反馈

xiaoru806

2015-01-12

权威的分析报告
哈哈11222

2018-05-15

权威的分析报告
asxzasxzasxzasxz

2015-04-08

不知道是哪个地方出的报告，希望楼主说明一下

valiant1ster

粉丝: 7
资源: 8

stuxnet（震网）的详细分析

【多芬诺白皮书】Stuxnet（震网）攻击分析报告.zip

对Stuxnet蠕虫攻击工业控制系统事件的综合分析报告.pdf

震网事件（真实背景、攻击细节、关键技术解读）.txt

wooyun.7z乌云数据库

wyquery:Wooyun查询系统

WooyunDrops, Wooyun知识库，乌云知识库，https.zip

wooyun drops乌云知识库全部文章.zip

精防wooyun程序源码加数据库

震网与SWIFT事件回顾_从威胁框架看超高能力网空威胁行为体的两种作业模式.pdf

网络空间安全发展分析.docx

工控安全职业证书技能实践：攻击事件技术实现及检测特征分析.pptx

电力系统正向隔离装置漏洞分析与防御.pdf

工业控制系统网络攻击事件.docx

乌云内部漏洞扫描工具.zip

猪猪侠BuildYourSSRFExploitFramework——一个只影响有钱人的漏洞.pdf

乌云文章Drops离线版打包大全

wooyun_search：从wooyun.org搜索

乌云漏洞库/知识库离线下载-附件资源

物理隔离内网面临的安全威胁.docx

南开21春学期《计算机病毒分析》在线作业.docx

论文研究-工业控制系统安全综述.pdf

2017年度公需科目大数据时代的互联网信息安全考试答案98分.docx

基于数据流分析的PLC恶意代码检测技术.pdf

stuxnet, stuxnet/myrtus的开源反编译.zip

震网超级工厂专杀程序

Stuxnet病毒引发的嵌入式系统安全性

零日漏洞：震网病毒全揭秘.pdf

Stuxnet_Malware_Analysis_Paper.pdf

可编程逻辑控制器网络安全测试研究.pdf

最新资源