Ralph Langner’s Stuxnet Deep Dive is the definitive technical presentation on the PLC attack portion of Stuxnet. He did a good job of showing very technical details in a readable and logical presentation that you can follow in the video if you know something about programming and PLCs.
The main purpose of Ralph’s talk was to convince the audience with “100% certainty” that Stuxnet was designed specifically to attack the Natanz facility. He does this at least four different ways, and I have to agree there is no doubt.
This video represents exactly what we are trying to accomplish at S4. Ralph is speaking in front of a very experienced and knowledgeable ICS security audience, and he doesn’t waste any time on Stuxnet 101. Instead, he dives right into the S7 code and walks the audience through, line by line, some of the most interesting FCs. This level of detail has never been seen before. It likely would bore or be lost on most audiences, but the S4 crowd was spellbound.
It’s a high quality video, so expand it to full screen to see the code.
The video shows the level of effort Langner’s team put into analyzing Stuxnet, as their comments are throughout the S7 Stuxnet code. Many in the audience remarked that it was probably much better documented than the Stuxnet authors’ version.
I’m tempted to try to excerpt the most interesting points of the presentation, but if you want to know about Stuxnet’s PLC code you should just watch it.
Can’t resist; I found:
- the encryption routine in the wrapper with a hard-coded key
- the mysterious DB 8061
- all of the Natanz numerology
- the strike condition
- FC 6065 manipulating outputs, FC 6079 replaying recorded data
- design flaws, not vulnerabilities: “this is how the pros do it”
- zero chance of Stuxnet working without a test facility
and much more; it is still fascinating even after a second viewing.