The Stuxnet virus is capable of reprogramming the PLC.
In particular, the following PLC models: The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected.
It checks whether a CP 342-5 is in use and spreads to other PLCs over Profibus.
See also the FCs and DBs it creates:
"As well as infecting OB1, Stuxnet also infects OB35 in a similar fashion. It also replaces the standard coprocessor DP_RECV code block with its own, thereby hooking network communications on the Profibus (a standard industrial network bus used for distributed I/O).
The overall process of infection for methods A/B is as follows:
Check the PLC type; it must be an S7/315-2
Check the SDB blocks and determine whether sequence A or B should be written
Find DP_RECV, copy it to FC1869, replace it with a malicious copy embedded in Stuxnet
Write the malicious blocks (in total, 20 blocks) of the sequence, embedded in Stuxnet
Infect OB1 so that the malicious code is executed at the start of a cycle
Infect OB35, which will act as a watchdog
3. Infection code
The code inserted into the OB1 function is responsible for starting infection sequences A and B. These sequences contain the following blocks:
Code blocks: FC1865 through FC1874, FC1876 through FC1880
(Note that FC1869 is not contained within Stuxnet but is instead a copy of the original DP_RECV block found on the PLC)
Data blocks: DB888 through DB891.
Sequences A and B intercept packets on the Profibus by using the DP_RECV hooking block. Based on the values found in these blocks, other packets are generated and sent on the wire. This is controlled by a complex state machine (implemented in the various FC blocks mentioned above). This machine can be partially controlled by the DLL via the data block DB890.
Under certain conditions the sequence C is written to a PLC. This sequence contains more blocks than A/B:
FC6055 through FC6084
DB8062, DB8063
DB8061, DB8064 through DB8070, generated on the fly
Sequence C is meant to read and write I/O information (Input/Output) to the memory-mapped I/O areas of the PLC, as well as the peripheral I/O.
The control flow for program A/B is shown below, which is partially shown in the screen shot from the Step7 editor shown above (code block FC1873):"
Phases A and B
Phase C
SOURCE: SYMANTEC
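The block numbers quoted above give a defender something concrete to look for on a PLC. The following Python script is an added example, not code from the original post or from Symantec: it compares a PLC's block inventory against the FC and DB numbers attributed to sequences A/B and C, and assumes the inventory is a plain-text list of block names exported through a trusted path rather than through the compromised Step7 DLL the quote mentions; the "two or more hits" threshold is also an assumption.

```python
import re
from dataclasses import dataclass, field

# Block numbers as listed in the quoted dossier text. FC1875 is deliberately absent
# (FC1865..FC1874 and FC1876..FC1880); FC1869 is where the original DP_RECV is copied.
SEQ_AB_FC = set(range(1865, 1875)) | set(range(1876, 1881))
SEQ_AB_DB = set(range(888, 892))                 # DB888..DB891
SEQ_C_FC = set(range(6055, 6085))                # FC6055..FC6084
SEQ_C_DB = {8061, 8062, 8063} | set(range(8064, 8071))
TARGET_CPUS = ("6ES7-315-2", "6ES7-417")         # CPU families the text names
BLOCK_RE = re.compile(r"^(OB|FC|FB|DB|SDB)(\d+)$")


@dataclass
class Finding:
    cpu_targeted: bool
    seq_ab_hits: list = field(default_factory=list)
    seq_c_hits: list = field(default_factory=list)
    dp_recv_relocated: bool = False   # FC1869 present: original DP_RECV was set aside

    @property
    def suspicious(self):
        # Assumed threshold: relocated DP_RECV, or two or more blocks from one sequence
        return self.dp_recv_relocated or len(self.seq_ab_hits) >= 2 or len(self.seq_c_hits) >= 2


def parse_inventory(text):
    """One block name per line (e.g. 'FC1869') -> set of (kind, number) tuples."""
    blocks = set()
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip().upper())
        if m:
            blocks.add((m.group(1), int(m.group(2))))
    return blocks


def check_plc(cpu_model, inventory_text):
    """Compare a PLC's block list with the block numbers attributed to Stuxnet."""
    blocks = parse_inventory(inventory_text)
    finding = Finding(cpu_targeted=cpu_model.startswith(TARGET_CPUS))
    for kind, num in sorted(blocks):
        name = f"{kind}{num}"
        if (kind == "FC" and num in SEQ_AB_FC) or (kind == "DB" and num in SEQ_AB_DB):
            finding.seq_ab_hits.append(name)
        elif (kind == "FC" and num in SEQ_C_FC) or (kind == "DB" and num in SEQ_C_DB):
            finding.seq_c_hits.append(name)
    finding.dp_recv_relocated = ("FC", 1869) in blocks
    return finding


# Constructed sample inventory (not a real PLC dump): a 315-2 carrying part of sequence A/B.
SAMPLE_INVENTORY = "OB1\nOB35\nFC1\nFC1865\nFC1869\nFC1873\nDB1\nDB890\n"

if __name__ == "__main__":
    print(check_plc("6ES7-315-2", SAMPLE_INVENTORY))
```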