Thursday, September 23, 2010

ESET Whitepaper: Stuxnet Under the Microscope

This report is devoted to the analysis of the notorious Stuxnet worm (Win32/Stuxnet) that suddenly attracted the attention of virus researchers this summer. This report is primarily intended to describe targeted and semi-targeted attacks, and how they are implemented, focusing mainly on the most recent, namely Stuxnet. This attack is, however, compared to the Aurora attack, outlining the similarities and differences between the two attacks.

The paper is structured as follows. In the first section we introduce the targeted attacks and their common characteristics and goals. In this section we present a comparison of two attacks: Stuxnet vs. Aurora. The second section contains some general information on SCADA (Supervisory Control And Data Acquisition) systems and PLCs (Programmable Logic Controllers) as Stuxnet’s primary targets. The third section covers the distribution of the Stuxnet worm. Here we describe vulnerabilities that it exploits to infect the target machine. The next section describes the implementation of Stuxnet: user-mode and kernel-mode components, RPC Server and their interconnection. We also describe the remote communication protocol that it uses to communicate with the remote C&C.
