ACTUSÉCU 27 XMCO
David Helan
STUXNET : ANALYSIS, MYTHS AND REALITIES
CONTENTS
Stuxnet: complete two-part article on THE virus of 2010
Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet
Current news: Top 10 hacking techniques, zero-day IE, GS Days 2010, ProFTPD...
Blogs, software and our favorite Tweets...
This document is the property of XMCO Partners. Any reproduction is strictly prohibited.
Are you concerned by IT security in your company?
XMCO Partners is a consultancy whose business is IT security audits.
Services:
Intrusion tests: Our experts in intrusion can test your networks, systems and web applications. Use of OWASP, OSSTMM and CCWAPSS technologies.
Security audit: Technical and organizational audit of the security of your Information System. Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley.
PCI DSS support: Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification.
CERT-XMCO, vulnerability monitoring: Personalized monitoring of vulnerabilities and the fixes affecting your Information System.
CERT-XMCO, response to intrusion: Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy.
About XMCO Partners:
Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing.
At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.
To contact XMCO Partners and discover our services: http://www.xmco.fr
EDITORIAL NUMBER 27 FEB. 2011
We wish you a happy 2011…
This is the first issue of ActuSécu in 2011. As usual, a very busy year end made us a little late in writing this issue.
The XMCO team is strengthened with the arrival of Florent Hochwelker, a security consultant coming from SkyRecon. The security of the Windows kernel, DEP bypass and other tricks for happily causing memory overflows no longer hold any secrets for him. Florent has also written his first article in this issue.
What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be the year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious concerning hacking means of payment.
We hope that you find this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.
Frédéric Charpentier
Chief Technology Officer
ACTUSECU
Editor in chief: Adrien GUINAULT
Contributors: Charles DAGOUAT, Florent HOCHWELKER, Stéphane JIN, François LEGUE, Frédéric CHARPENTIER, Yannick HAMON
CONTACT XMCO: [email protected], [email protected]
THE XMCO AGENDA
PCI DSS QSA TRAINING: 7 and 8 March in London
BLACKHAT EUROPE: 16 and 17 March in Barcelona
CONTENTS
Stuxnet Part I: analysis, myths and realities. An examination of THE virus of 2010.
Stuxnet Part II: technical analysis. Propagation, infection and attacks on industrial systems.
Keyboard Layout vulnerability. Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073).
Current news. Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...
Blogs, software and extensions. IMA, VMware compliance checker, Twitter and the rn_101 blog.
STUXNET PART I: HISTORY, MYTHS AND REALITIES
Stuxnet, elected malware of the year
It would have been inconceivable not to devote an article to THE malware of the year 2010.
Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided.
Much is still obscure concerning this malware, its origins and its developers.
However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject.
If there is one thing to remember about 2010, it is surely the case of Stuxnet. This is because this malware, specifically produced to carry out the second highly-publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.
Preliminary reminders
Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach which is used to access these sensitive systems, this sabotage is intended to be very discreet.
To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (currently all corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago.
To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems. This is based on the Siemens SIMATIC WinCC software.
Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages: firstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed.
Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this concerns modifying the normal function of certain critical systems by manipulating their controllers.
History
It is difficult to create a comprehensive history of the events relative to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. It is necessary to consider the period before the media took an interest in this subject, as this attack is so complex. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign. Also, all this takes into account discoveries made after this attack attracted media interest.
From Stuxnet
Everything officially began on 17 June 2010, when the Belarusian company Virusblokada published a report on the virus RootkitTmphider, mentioning the LNK security vulnerability. This vulnerability, which was zero-day in June 2010, allows an attacker to execute code when opening a directory, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE dedicated reference CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under the name of W32.Temphid.
The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in the keyboard management. Two days afterwards, on 16 July, Microsoft published a security alert referenced KB2286198. This last concerned the security vulnerability exploited by the malware. The management of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp. This was because it had been used by attackers to sign certain drivers used by their malware. Symantec subsequently revealed that the first malware, which had a driver signed by the certificate and which was identified as coming from the Stuxnet family, went back to January 2010.
On 17 July, the antivirus publisher ESET detected new malware coming from the Stuxnet family. This used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after ivanlefOu had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing. This code allowed an attacker simply to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC.
On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages.
On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens. A password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges.
Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.
“On 17 July, Symantec renamed "W32.Temphid" as "W32.Stuxnet" and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC”
Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller).
On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the security vulnerability present within the print spooler that was discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability that was identified within the task scheduler.
Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security vulnerability present within the Windows print spooler. Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published a first version of their report, on 30 September, presenting their almost-complete analyses of the malware. In fact, both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft.
The following month, on 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework to exploit the vulnerability present within the Windows task Scheduler. Finally, to prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published its security bulletin MS10-073 that gave a patch for the vulnerability related to the management of the keyboard. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092 offering a patch to correct the security vulnerability related to the task scheduler.
The progress made by Ralph Langner
Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people who are hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many opinions that he gave have been subsequently validated by other researchers (such as Symantec) or by documents coming from third-party sources.
On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, which was built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. On each following day, he published new hypotheses and new discoveries. The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took advantage of this to present the K-1000-60/3000-3 steam turbines manufactured by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis concerning the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario: the complexity of the knowledge that was necessary, the human and material resources necessary and lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.
On 15 November, Langner presented a technical solution allowing the malicious code 315 to destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.
At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for the help provided by Iran in setting up a nuclear program in the host country. A situation in which the United States would surely not be delighted to find itself; and therefore, in his opinion, a justification for the establishment of this secret program.
At the end of December, helped by the publication of the report from ISIS, which gave an analysis of the nuclear infrastructure situation reported by the inspectors from the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely, of block 417. This was the safety system associated with cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.
At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges.
To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.
The "New York Times" theory
For the first time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts, rather than on tangible proof, these authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article.
In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable concerning the case of Iran.
Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim that Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference that was held in Chicago.
Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable revealed by Wikileaks, in April 2009, 111 Siemens controllers necessary to controlling a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates.
At the end of 2010, the Institute for Science and International Security (ISIS) reported that 984 defective controllers had been replaced at the end of 2009 according to a report by inspectors from the IAEA.
Strangely, this figure exactly corresponds to the number of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010 although it was not yet identified.
The article presents Israel as a principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre: Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none of them would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, which themselves were copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.
“In this scenario described by the Times, the United States is alleged to have set up a plan to hinder Iran in its attempt to produce nuclear weapons.”
According to the authors of this article, other information revealed the magnitude of this American program. Massoud Ali Mohammadi, an Iranian nuclear specialist, was killed in January 2010 by an explosion caused by a remotely-triggered bomb fixed to a motorbike. On 29 November 2010, when Iran recognized for the first time that Natanz had suffered damage related to Stuxnet, a second physicist, Majid Shahriari, was the victim of a second fatal "accident". On both of these occasions, president Mahmoud Ahmadinejad directly accused the United States and Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.
Forbes's counter theory
Another article published by journalists at Forbes the following day strongly criticized this analysis. According to them, this was based on no tangible proof. Only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article.
The journalists took advantage of trashing this theory to push their own analysis that was published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning behind this was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives) had a manufacturing plant in China. This would mean that China would know precisely which PLCs to target. Furthermore, China is suspected to have access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.
Numerous other details relating China and Finland were also revealed by the journalists to support their theory. For example, RealTek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has an establishment in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.
Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no communications encryption, the lack of robustness of the control servers, etc), the absence of additional protection (polymorphism, anti-debug and robust encryption), and finally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military, etc. According to these commentators, just these observations are evidence that no government is hiding behind Stuxnet.
The other factors to be remembered
On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in Indo-Chinese relationships, because both countries are fiercely competing with each other in the aerospace sector to be the first Asian country to put a man on the moon.
Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released.
Since the beginning of 2011, numerous other events were added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks.
So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted;
- these five organizations are all present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and the third was attacked three times;
- these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware corresponding to the attacks that took place in June 2009, April 2010 and May 2010 were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.
According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre.
From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.
The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.
The warning signs
The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time and we had to wait until the appearance of Stuxnet to discover that attackers had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet.
In April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of the components of the malware.
Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared which exploited the LNK vulnerability.
Conclusion
Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective…