Analyzing TRISIS - the first Safety Instrumented System malware: Struggles in Reverse Engineering

Presented at REcon 2018, June 17, 2018, 2 p.m. (60 minutes).

Discovery of TRISIS/TRITON was a landmark event in the Industrical Control Systems (ICS) security community. It is the the fifth known ICS-specific malware (following STUXNET, HAVEX, BLACKENERGY2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS and its implications, but technical deep-dives of TRISIS, specifically the binary payloads are scarce.

TRISIS is a complex piece of malware and analyzing the attack requires a blend of both hardware and software reverse engineering. In this discussion, we will explain our approach to analyzing this sample and at the same time, provide a detailed walkthrough of TRISIS with a focus on the PowerPC payloads and relevant portions of the Triconex firmware. Further, we will discuss the impact


Presenters:

  • K. Reid Wightman
    Reid Wightman is a Vulnerability Analyst at Dragos. He most enjoys tearing apart embedded system firmwares to hunt for new security issues. He has spent over ten years of his career laser-focused on industrial systems security, including analyzing embedded industrial controllers, industrial network protocols, SIL-certified compilers, and engineering and HMI software. In 2012, he spearheaded Project Basecamp, which enumerated security issues in critical infrastructure controllers. In 2016, he was awarded EnergySec's Cyber Security Professional of the Year award for his research efforts in protecting electric grids across the globe. His Twitter account is @ReverseICS.
  • Jimmy Wylie
    Jimmy Wylie is a Senior Adversary Hunter at Dragos who spends his days (and nights) searching for and tearing apart threats to critical infrastructure. Starting as a hobbyist in 2009, he has over 9 years experience with reverse engineering and malware analysis. As a professional in the U.S. Intelligence Community, he utilized a wide range of skills against national level adversaries, including network analysis, dead disk and memory forensics, in-depth malware analysis, and software development supporting the detection, analysis and classification of malware in a variety of programming languages. Before joining Dragos, he was a course developer and instructor at Focal Point Data Risk, teaching a wide range of malware analysis techniques starting with beginner behavioral analysis and ending with kernel driver analysis. He can be found on Twitter @mayahustle.

Links:

Similar Presentations: