Default environment - Eindhoven University of Technology MASTER Knowledge needed to develop mal

a. execute the malware once from command line or by double click or

b. insert a USB drive. If autoplay is not configured, navigate with explorer to the root of the drive.

No further user-interaction with the system is performed after one of the scenarios is initiated.

4. The systems is monitored according to how the malware is supposed to behave.

(a) If the USB drive is used as an infection medium we check if the malware launches using the shortcut exploit. If the malware launches, payload PAY-1 is successful.

(b) We check if the malware executes the remote exploit (PAY-2) to propagate to the HMI.

(d) The malware is supposed to choose and execute one of its payloads.

• If the malware terminated the HMI process, payload PAY-8 has executed successfully.

• The malware should able to modify the PLC address(es) used by the actuator(s). Payloads PAY-3, PAY-4 and PAY-5 are successful if the state of at least one actuator is changed.

• Payloads PAY-6 and PAY-7 execute successfully if the HMI displays the PLC state that spoofed by the malware (and the response from the PLC is discarded or no response from the PLC is received).

The results of these tests can be found in Section 4.2.

When we determine if an environmental changes reduced or diminishes the impact of the malware we perform the steps mentioned above. We execute step 2 to change the environment before we test the effect of the malware.

For some environmental changes we felt the need to perform multiple tests. For some environmental changes we needed to perform up to four tests to learn the effect of the environmental change on the malware. For every additional test we either modified the environment or malware and the changes were documented. If the malware could not (completely) adapt it often meant new system knowledge was needed. We noted if the malware did not behave exactly as in the clean environment.

Several payloads are considered successful under the same conditions. Therefor we will not test all payloads when we test the effect of the environmental changes. For every environmental change we check if the malware;

1. can spread using both infection methods; with the HMI exploit (PAY-2) and the USB exploit (PAY-1);

2. can modify the state of the actuators (PAY-3);

3. is able to perform a MITM attack (PAY-7) and

4. can terminate the process of the HMI repeatedly (PAY-8).

For some environmental changes we felt the need to test more or all payloads. We have noted which additional payloads are tested. This way we can reduce a big amount of tests in a way that will not influence our results.

Now that we have defined our tests, we can start performing them.

4.2 Default environment

Eight payloads were developed to infect and impact the security of the system. The effect of the execution of each payloads will be discussed here.

RESULT-1. Payload PAY-2 scans for USB drives and network shares and infects them with crafted shortcuts. The exploit is triggered if a user views the contents of the infected folder and the malware is executed.

When an infected folder is accessed through command line it will not trigger the exploit since no graphical information is processed.

Chapter 4. Results §4.2. Default environment

RESULT-2. Payload PAY-2 exploits the vulnerable services of the HMI by coping and executing itself to another machine. The exploited services can not be disabled in the HMI interface. Several services can be enabled and disabled in the project properties. The exploited services are listed there, but can not be disabled since they are checked and their checkbox is disabled. If the services are manually terminated, they are restarted automatically by the HMI master program. During our tests, there was not a single instance when the HMI service exploits failed. These properties combined make the infection phase of this exploit very reliable.

RESULT-3. Payload PAY-3, fills and overflows all drums. The payload keeps writing a harmful state to the PLC.

It will open the ‘in-valve’, close the ‘out-valve’ and manipulate the pumps. This state is graphically represented in Figure 4.1. This state will fill every drum simultaneously to the rim and eventually overflow.

Figure 4.1: A state where all drums are filled until they overflow.

RESULT-4. Payload PAY-4, has a similar logic but will try to empty all drums. The state it will try to maintain can be found in Figure 4.2.

Figure 4.2: A state where all drums are emptied.

RESULT-5. Payload PAY-5 overflows the fullest drum as fast as possible. It will read the chemical level in all drums, choose the fullest one, open the in-valve and close the out-valve. For example, if we would

Chapter 4. Results §4.2. Default environment

want to overflow drum 3, we would turn pumps 1, 2 and 4 on and pump 3 off. This example is shown in Figure 4.3. It will also rewrite the harmful state to the PLC if it detects user-intervention in the

On Pump 2

Pump 3

In-valve Out-valve

Drum 1 Drum 2

Drum 3 Drum 4

Pump 1

Pump 4 On

Off

Open Closed

Figure 4.3: The state where drum 3 is filled as quickly as possible.

same manner as the previous payloads.

RESULT-6. Payload PAY-6 contains a MITM attack and is generally used in combination with PAY-3 or PAY-4.

It also responds to the HMI’s request. If the malware responds faster than the PLC, then the PLC’s response is treated as a replay and therefore discarded. The simulator used for the PLC has an option to specify the response latency. If the response latency is set to 0ms it will respond faster than the malware. If the response latency is increased to 10 - 16ms then the malware will gain a better chance to successfully spoof responses. A response latency greater than 35ms is enough to let the malware spoof responses faster than the PLC for over an hour. It should be noted that the simulated environment has a low network latency (of less than 1ms).

RESULT-7. Payload PAY-7 contains a MITM attack based on ARP-spoofing and can be used in combination with the overflow of all drums or empty all drums payloads, PAY-3 or PAY-4 respectively. Since this attack poisons the ARP cache, it effectively leaves the HMI machine unable to communicate with the real PLC until the spoofed ARP cache entry times-out. New entries to the ARP cache are timestamped and will timeout if not reused for 2 minutes. If an entry is used, it receives two more minutes of lifetime.

When this payload is used alone, it is an availability type of attack because even if the malware does not respond or exits then the HMI will have to wait until its ARP cache entry times-out. During that time it is not possible to supervise or control the system.

RESULT-8. Payload PAY-8 executes the killigss.exe program every second. This is an availability attack (DoS) on the HMI software. The HMI software process is terminated before it is able to load the HMI. When this payload runs it is not possible to supervise or control the plant. A restart of the infected machine will make the HMI usable again. But the malware is able to create an entry in one of the startup registries to start every time the computer is turned on.

In the previous tests, we have used quite some system knowledge during the implementation. This means we will not be able to reliably determine which knowledge is needed. We change the environment to determine if the malware can adapt to those changes. System knowledge is needed if the malware can not adapt to the environmental change because the developer lacked system knowledge rather than due to a design decision. An overview of the results is given in the next section.

In document Eindhoven University of Technology MASTER Knowledge needed to develop malware to infect and impact industrial control systems van de Wouw, D.A. (pagina 35-38)