Stuxnet - cyber weapon

FluffyMcDeath

Have you heard about this worm?
There is not much mainstream news about it judging from google's news search but the BBC carries a story.

The main points are that it seems to have been quite sophisticated. It involves multiple exploits. It makes use of stolen keys. It is meant to spread to machines that aren't connected to the net. It inspects the machine it is running on to make sure it is sitting on the right target. It takes over industrial control systems to do real damage AND the epicenter of infection is Iran.

So, if we speculate, might we wonder if there is any installation in Iran that a nation state might want to quietly disable?

Well, I can think of one thing that was meant to be up and running quite a while ago but seems to have had some problems. Here's the Bushehr reactor having a software moment
 
Tbh given the sophistication of Storm, I figured it was only a matter of time before something new and big began to make the rounds.

I used to enjoy tracking these things once upon a time. It really was fascinating seeing how quickly they spread and the patterns that developed as they went from network to network.

One of these days running in both a software and desktop hardware arch monoculture when it comes to computing is going to cost us all dearly. Given the increasing complexity and capabilities of these new forms of malware, I wouldn't say we have all that long left.
 
This was perhaps the first case ever of a worm exploiting more than one zero-day exploit. It exploited 4 zero-day exploits. Most worms have no zero-day exploits and most security experts consider it a waste to have more than one. It's a waste unless you're not planning to make more worms or are confident that you can find more zero-day exploits. I certainly don't believe some nerd came up with this on his own. I know at least one worm that made its way to the international space station, but this worm seems to be targeting specific systems. We'll probably never figure out who created it or even what they're targeting specifically, but it will at least keep bloggers busy for some time.
 
Glaucus said:
I certainly don't believe some nerd came up with this on his own.

If you know where to look, you can get hold of malware construction kits.

Just add your own exploit code and the rest can be rigged up in minutes.

And whilst they may well have been zeroday to the rest of the world, chances are in the deepest recesses of the hacking community, they've probably been known about for a while.
 
the_leander said:
And whilst they may well have been zeroday to the rest of the world, chances are in the deepest recesses of the hacking community, they've probably been known about for a while.

Yeah, and software for control systems often isn't as strictly reviewed and isn't as widely released and published because the implementations are not as common or widespread. Plus, security models are somewhat different at production locations, anyhow. The dirty secret is that most of these systems are typically held together with duct tape and prayers. The mentality is that once it's running, just run, baby, run. If stability upgrades aren't worth taking the line down for, security ones REALLY aren't. About the only time there's a chance of applying an upgrade is if the line is in a major shutdown changeover.

But, still, Stuxnet has a level of detail and attention that has not been seen in previous code. I agree it was likely assembled by more than one person, and someone had to have extensive controls experience. Possibly an ex-contractor or ex-employee?

I know I was alarmed when I read it attacks Siemens' controls. My current employer has several machines out on the floor that use this stuff.
 
Glaucus said:
FluffyMcDeath said:
Well, I can think of one thing that was meant to be up and running quite a while ago but seems to have had some problems. Here's the Bushehr reactor having a software moment
It's my understanding that the Siemens software that Iran has was never licensed. That error message on the screen is probably not a result of the worm.
But it is an indication of how cavalier (and naive) the builders of that system were about software. Not only does it tell just anyone what software you are running the reactor on (by putting a picture on the web) but also it gives you an idea about what potential targets there are in the system. These are freebies to potential hackers.
Of course, there is nothing definitive to say that this was the target, though it would make for a good one.
 
the_leander said:
Glaucus said:
I certainly don't believe some nerd came up with this on his own.

If you know where to look, you can get hold of malware construction kits.

Just add your own exploit code and the rest can be rigged up in minutes.

And whilst they may well have been zeroday to the rest of the world, chances are in the deepest recesses of the hacking community, they've probably been known about for a while.
You may be correct about that, however, it's still considered a waste to include more than one zero-day exploit - all of which were Windows zero-day exploits btw. To use 4 means whoever wrote this really wanted the worm to propagate long and far. Most other worms are considered disposable as once the exploit is patched a variant is released. This one doesn't seem as disposable. And by the sounds of it, this worm isn't just a new version of Storm or Conficker or whatever, it's new from the ground up. It's pretty heavy duty and with a peculiar payload. If this was backed by organized crime it probably would not target industrial hardware but stick to scamming credit cards or passwords. This worm has a totally different payload and thus is not likely to have originated out of organized crime.
 
Glaucus said:
You may be correct about that, however, it's still considered a waste to include more than one zero-day exploit - all of which were Windows zero-day exploits btw.

Considered a waste by whom? You would be in grave error to presume that the hacker community is some static, unchanging culture or even a cohesive one.

Also with regard to this being aimed at Windows... Well duh?

This thing first showed up in Europe and spread out like a wave, the only reason Iran and other poorer nations have been crippled is thanks to their complete lack of security and endemic piracy rates.

It also doesn't help when the vendor for the targeted software recommended specifically not changing the default password even though it had been put on the net some time before. I knew industrial software was pretty piss poor when it came to security - mainly because no one in their right mind would ever put a system vital to production in the internet, or even likely on an internal network unless ridiculously locked down. But Siemens really did take the piss with this one..

In Iran this worm found the perfect hunting ground: minimal security, legitimate copies of Windows in the tens and updates blocked by the religious zealots who run the place.

Chances are that short of disconnecting Iran entirely from the net and wiping pretty much every computer in there at the same time, they will never get this out of their networks. This thing now has a permanent base from which its authors can do whatever they want.

And it's not the only country either.

If ever there was a prime example of why monocultures were inherently bad for computing, this would be it.

Glaucus said:
And by the sounds of it, this worm isn't just a new version of Storm or Conficker or whatever, it's new from the ground up.

So were Storm and Conficker once. Some of the holes, such as the password for the database the industrial software uses, have been known about for quite a while.

Looking back at Storm, consider that it was one of the first to use P2P as part of its command and control system. There has been massive innovation within the malware sector over the years.

Yes, having all this stuff combined into one package is a new development, but seriously, think about it, how long really was it before someone targeted a soft spot like the industrial sector, or developed a worm that could use multiple vectors?

The answer is as with anything: It was only a matter of time.

And of course, now that it has been shown just how effective this technique is, especially within countries with high rates of piracy + little/no security as the default... It's really only a matter of time before this kind of thing gets fired again. Hell it wouldn't surprise me in the slightest if after a set amount of time this worm used something else to spread out even further.

Glaucus said:
This worm has a totally different payload and thus is not likely to have originated out of organized crime.

Has anyone actually worked out what the payload was?
 
the_leander said:
Has anyone actually worked out what the payload was?

More or less.

Of course, it could just be an attack against Siemens. That would implicate a disgruntled employee or a competitor. The two problems with this scenario are that discovery would be eminently possible and getting fingered for the crime would have a bigger downside than the upside. The perpetrator was either highly confident that he/she/they wouldn't be discovered or they have been immunized against prosecution if they are.

Parts can be found and assembled but the more unique ports, the more development (which implies development resources) and for a proper attack against infrastructure there should be testing and that implies availability of a system to test on or detailed knowledge to create a simulation or a licensed simulation and if such a thing exists then it would have to be purchased (if these things follow along with the way the rest of the industry charges for dev tools then it's way outside of the budget of script kiddies) or stolen (which implies that someone knows someone).

Assembling the parts de novo for such an attack is a fair effort - unless someone can show that all the parts were out there fully developed and ready to be integrated - but it doesn't look like that's what happened.
 
Clues suggest Stuxnet Virus was built for subtle nuclear sabotage

The malware, however, doesn’t just sabotage any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds—between 807Hz and 1210Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

“There’s only a limited number of circumstances where you would want something to spin that quickly—such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

I think that removes any doubt about its true purpose. Welcome to the new battlefield.
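The quoted Symantec analysis gives defenders a concrete exposure profile: the worm only armed itself on plants with at least 33 Fararo Paya or Vacon frequency converter drives running between 807Hz and 1210Hz, and drives above 600Hz are the export-regulated class. The following is an added example, written for this thread and not code from Symantec, Wired or any poster, that turns that profile into an asset-inventory check a plant engineer could run: it parses a CSV export (the column layout `drive_id,vendor,nominal_hz` is an assumption), counts the drives that fall inside the published profile, and lists the drives in the regulated band. The sample plant it builds is constructed for the example; the frequencies 1000Hz and 900Hz are made-up values inside the reported range.

```python
"""Exposure check against the Stuxnet targeting profile reported by Symantec.

Added illustration for the thread above. The thresholds (33 drives, 807-1210 Hz,
600 Hz export line) come from the quoted analysis; the CSV layout, vendor
spellings and sample plant are assumptions made for this example.
"""
import csv
import io
from dataclasses import dataclass

# Targeting profile as reported: at least 33 drives from either vendor,
# operating between 807 Hz and 1210 Hz. Drives above 600 Hz are the ones
# the US NRC regulates for export.
PROFILE_VENDORS = {"fararo paya", "vacon"}
PROFILE_MIN_DRIVES = 33
PROFILE_HZ_RANGE = (807.0, 1210.0)
NRC_EXPORT_THRESHOLD_HZ = 600.0


@dataclass(frozen=True)
class Drive:
    drive_id: str
    vendor: str
    nominal_hz: float


def parse_inventory(csv_text: str) -> list[Drive]:
    """Parse an asset-inventory export. Assumed columns: drive_id,vendor,nominal_hz."""
    drives = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            drive = Drive(row["drive_id"].strip(), row["vendor"].strip(), float(row["nominal_hz"]))
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than silently mis-classifying them
        drives.append(drive)
    return drives


def in_profile_band(hz: float) -> bool:
    """True when the drive's nominal output lies inside the reported 807-1210 Hz window."""
    low, high = PROFILE_HZ_RANGE
    return low <= hz <= high


def assess_exposure(inventory: list[Drive]) -> dict:
    """Summarise how closely a plant matches the published targeting profile."""
    matching = [
        d for d in inventory
        if d.vendor.lower() in PROFILE_VENDORS and in_profile_band(d.nominal_hz)
    ]
    regulated = sorted(d.drive_id for d in inventory if d.nominal_hz > NRC_EXPORT_THRESHOLD_HZ)
    return {
        "total_drives": len(inventory),
        "matching_drives": len(matching),
        "profile_met": len(matching) >= PROFILE_MIN_DRIVES,
        "over_600hz": regulated,
    }


def build_sample_inventory(n_vacon: int, n_fararo: int) -> str:
    """Constructed sample plant (not real data): n_vacon drives at 1000 Hz,
    n_fararo drives at 900 Hz, plus three rows that must not count as matches."""
    rows = ["drive_id,vendor,nominal_hz"]
    for i in range(n_vacon):
        rows.append(f"VAC-{i:03d},Vacon,1000")
    for i in range(n_fararo):
        rows.append(f"FP-{i:03d},Fararo Paya,900")
    rows.append("PUMP-01,Siemens,50")          # other vendor, mains frequency
    rows.append("FAN-02,Vacon,400")            # right vendor, below the band
    rows.append("BAD-03,Vacon,notanumber")     # malformed row, skipped by the parser
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    report = assess_exposure(parse_inventory(build_sample_inventory(30, 5)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is it assesses the constructed 37-drive plant and reports 35 matching drives, so the profile threshold is met; swap `build_sample_inventory(...)` for the contents of a real inventory export to check a plant of your own. The `over_600hz` list is useful independently of the worm, since those are the drives whose documentation and change control deserve the closest attention.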
 
Glaucus said:
I think that removes any doubt about its true purpose. Welcome to the new battlefield.

That explains why my centrifuges went screwy. Damn script kiddies. :)

Somehow I don't expect to see anyone arrested for this bit of malicious code. Only question left is who commissioned it but there are only two likely suspects (and for all intents and purposes, one, since they tend to work together quite a lot anyway).
 
Glaucus said:
I think that removes any doubt about its true purpose. Welcome to the new battlefield.

Been here for a while. Maybe now people will start to look at moving away from the current monoculture.

That's a pretty spiffy design though, it'll be interesting to see if they have actually managed to disinfect their systems yet.
 
Iranian nuclear scientist killed and another wounded in separate bomb attacks

Photos seem to show the car was machine-gunned rather than bombed.

Prof. Majid Shahriari, who died when his car was attacked reportedly headed the team for combating the Stuxnet virus. Prof. Shahriari was the Iranian nuclear program's top expert on computer codes and cyber war.

That Stuxnet virus sure has some never seen before levels of defense against removal.

North Korea Trumpets Advanced Nuclear Facilities

Seems North Korea and Iran buy from the same centrifuge vendors, and share technology, ... hmmm
 
Kinda looks that way. I believe the NYT did not reveal their source so this is not an official admission, but possibly the closest we'll ever get. Could also just be a lie but probably not.
 
Interesting. I have mixed feelings. This is WAY better than dropping bombs and killing people. But I don't like anyone making computer bugs. Creepy.

Of course, who knows how true any of this is.
 