Author Topic: The "Stuxnet" Worm

The "Stuxnet" Worm
« on: February 21, 2011, 07:33:12 PM »
The "Stuxnet" Worm
Post by irondiopriest on Sept 30, 2010, 2:30pm

This comprehensive article from the Weekly Standard will bring you up to speed about this interesting malware worm that seems to be attacking Iran's nuclear facilities...

How Stuxnet is Scaring the Tech World Half to Death

The computer worm Stuxnet broke out of the tech underworld and into the mass media this week. It’s an amazing story: Stuxnet has infected roughly 45,000 computers. Sixty percent of these machines happen to be in Iran. Which is odd. What is odder still is that Stuxnet is designed specifically to attack a computer system using software from Siemens which controls industrial facilities such as factories, oil refineries, and oh, by the way, nuclear power plants. As you might imagine, Stuxnet raises big, interesting geo-strategic questions. Did a state design it as an attack on the Iranian nuclear program? Was it a private group of vigilantes? Some combination of the two? Or something else altogether?

But it’s worth pausing to contemplate Stuxnet on its own terms, and understand why the tech nerds were so doomsday-ish about it in the first place. We should start at the beginning.

A computer worm is distinct from a virus. A virus is a piece of code which attaches itself to other programs. A worm is a program by itself, which exists on its own within a computer. A good (meaning really bad) worm must do several things quite subtly: It must find its way onto the first machine by stealth. While a resident, it must remain concealed. Then it must have another stealthy method of propagating to other computers. And finally, it must have a purpose. Stuxnet achieved all of these goals with astounding elegance.

The Stuxnet worm was first discovered on June 17, 2010 by VirusBlokAda, a digital security company in Minsk. Over the next few weeks, tech security firms began trying to understand the program, but the overall response was slow because Stuxnet was so sophisticated. On July 14, Siemens was notified of the danger Stuxnet posed to its systems. At the time, it was believed that Stuxnet exploited a “zero day” vulnerability (that is, a weak point in the code never foreseen by the original programmers) in Microsoft’s Windows OS. Microsoft moved within days to issue a patch.

By August, the details of Stuxnet were becoming clearer. Experts learned troubling news: The virus sought to over-ride supervisory control and data acquisition (SCADA) systems in Siemens installations. SCADA systems are not bits of virtual ether—they control all sorts of important industrial functions. As the Christian Science Monitor notes, a SCADA system could, for instance, override the maximum safety setting for RPMs on a turbine. Cyber security giant Symantec warned:
Stuxnet can potentially control or alter how [an industrial] system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
As the days ticked by, Microsoft realized that Stuxnet was using not just one zero-day exploit but four of them. Symantec’s Liam O’Murchu told Computer World, “Using four zero-days, that’s really, really crazy. We’ve never seen that before.”

Still, no one knew where Stuxnet had come from. A version of the worm from June 2009 was discovered and when the worm’s encryption was finally broken, a digital time stamp on one of the components (the ~wtr4141.tmp file, in case you’re keeping score at home) put the time of compilation—the worm’s birthday—as February 3, 2009.

The functionality of Stuxnet is particularly interesting. The worm gains initial access to a system through a simple USB drive. When an infected USB drive is plugged into a machine, the computer does a number of things automatically. One of them is that it pulls up icons to be displayed on your screen to represent the data on the drive. Stuxnet exploited this routine to pull the worm onto the computer. The problem, then, is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installs what’s called a “rootkit”—essentially a piece of software which intercepts the security queries and sends back false “safe” messages, indicating that the worm is innocuous.

The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMicron Technology. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen.

So the security keys enable the drivers, which allow the installation of the rootkit, which hides the worm that was delivered by the corrupt USB drive. Stuxnet’s next job was to propagate itself efficiently, but quietly. Whenever another USB drive was inserted into an infected computer, it became infected, too. But in order to reduce visibility and avoid detection, the Stuxnet creators set up a system so that each infected USB drive could only pass the worm on to three computers.

Stuxnet was not designed to spread over the Internet at large. (We think.) It was, however, able to spread over local networks—primarily by using the print spooler that runs printers shared by a group of computers. And once it reached a computer with access to the Internet it began communicating with a command-and-control server—the Stuxnet mothership. The C&C servers were located in Denmark and Malaysia and were taken off-line after they were discovered. But while they were operational, Stuxnet would contact them to deliver information it had gathered about the system it had invaded and to request updated versions of itself. You see, the worm’s programmers had also devised a peer-to-peer sharing system by which a Stuxnet machine in contact with C&C would download newer versions of itself and then use it to update the older worms on the network.

And then there’s the actual payload. Once a resident of a Windows machine, Stuxnet sought out systems running the WinCC and PCS 7 SCADA programs. It then began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. It’s this last bit—the vulnerability of PLC—which is at the heart of the concern about Stuxnet. A normal worm has Internet consequences. It might eat up bandwidth or slow computers down or destroy code or even cost people money. But PLC protocols interact with real-world machinery – for instance, turn this cooling system on when a temperature reaches a certain point, shut that electrical system off if the load exceeds a given level, and so on.

To date, no one knows exactly what Stuxnet was doing in the Siemens PLC. “It’s looking for specific things in specific places in these PLC devices,” Digital Bond CEO Dale Peterson told PC World. “And that would really mean that it’s designed to look for a specific plant.” Tofino Security Chief Technology Officer Eric Byres was even more ominous, saying, “The only thing I can say is that it is something designed to go bang.” Even the worm’s code suggests calamity. Ralph Langner is the most prominent Stuxnet sleuth and he notes that one of the last bits of code in the worm is the line “DEADF007.” (Presumably a dark joke about “deadf*ckers” and the James Bond call-sign “007.”) “After the original code is no longer executed, we can expect that something will blow up soon,” Langner says dramatically. “Something big.”

The most important question is what that “something big” might be.

But there is another intriguing question: How did Stuxnet spread as far as it did? The worm is, as a physical piece of code, very large. It’s written in multiple languages and weighs in at nearly half a megabyte, which is one of the reasons there are still many pieces of it that we don’t understand. And one of them is how Stuxnet found its way onto so many computers so far away from one another. Iran is the epicenter, but Stuxnet is found in heavy concentrations in Pakistan, Indonesia, and India, too, and even as far away as Russia, Uzbekistan, and Azerbaijan. By the standards of modern worms, the 45,000 computers infected by Stuxnet is piddling. But if Stuxnet really can only propagate via local networks and USB drives, how did it reach even that far?

Stuxnet is already the most studied piece of malware in human history, absorbing the attention of engineers and programmers across the globe, from private companies to academics, to government specialists. And yet despite this intense scrutiny, the worm still holds many secrets.
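The article's point about signed drivers is that a valid signature only proves the signer held the key, not that the signer was the legitimate owner. As an added defensive example (not from the article or this thread), the PowerShell below inventories the Authenticode signatures on installed kernel drivers and reports the signer name and certificate thumbprint alongside the validity status, so an analyst can compare signers against the revocation and vendor information they hold. The publisher watchlist is an assumption for illustration only; a valid signature from either company is normally legitimate.

```powershell
# Added example: inventory kernel-driver signatures and surface the signer,
# not just the pass/fail status. Run from an elevated PowerShell prompt.

# Assumed watchlist built from the two publishers the article names. Matching
# a name here is a prompt to check the thumbprint against revocation data,
# not a verdict by itself.
$watchlist = @('Realtek Semiconductor', 'JMicron Technology')

$results = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter '*.sys' |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert   = $sig.SignerCertificate
        $signer = if ($cert) { $cert.Subject } else { '' }
        [pscustomobject]@{
            Driver     = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            OnWatch    = [bool]($watchlist | Where-Object { $signer -like "*$_*" })
        }
    }

# 1. Unsigned drivers, or drivers whose bytes no longer match their signature
#    (HashMismatch), deserve immediate attention. Many in-box Windows drivers
#    are catalog-signed; current Windows PowerShell resolves those as Valid.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Driver, Status, Signer -AutoSize

# 2. Drivers signed by a watchlisted publisher: export the thumbprints so they
#    can be checked against the CA's revocation list and the vendor's own
#    advisories. The script deliberately does not decide trust on its own.
$results | Where-Object { $_.OnWatch } |
    Select-Object Driver, Signer, Thumbprint, NotAfter |
    Export-Csv -Path "$env:TEMP\driver-signers-watch.csv" -NoTypeInformation
```

The exported CSV is the artifact to hand to whoever maintains the organisation's certificate intelligence; a signer that is both on the watchlist and revoked is the case the article describes.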
Re: The "Stuxnet" Worm
Post by libertasinfinitio on Oct 1, 2010, 6:52am

This is very curious. I'm just not sure what to think of who may be behind this. My gut instinct says Mossad. Who else would target Busheir? Or was it designed by some peeved geek and the target didn't matter? I dunno...
Re: The "Stuxnet" Worm
Post by irondiopriest on Oct 1, 2010, 7:37am


Oct 1, 2010, 6:52am, libertasinfinitio wrote:
This is very curious. I'm just not sure what to think of who may be behind this. My gut instinct says Mossad. Who else would target Busheir? Or was it designed by some peeved geek and the target didn't matter? I dunno...


I think Mossad too. Israel has said repeatedly, with the confidence of a foregone conclusion, that they will not permit Iran to go nuclear.

As techies unwrap this virus, it looks as if there are clues embedded in the code meant to send a message - a reference to the book of Esther, who saved Israel from Persia, and now a reference to the date of the execution of the first Jewish Iranian after the Islamic revolution in 1979. Interesting stuff, right out of a spy thriller.


Quote:
Another Jewish Historical Reference Found In Stuxnet Code

The New York Times reported on a possible reference to the Book of Esther in the Stuxnet code. Queen Esther, of course, saved the Jews of Persia from the evil Haman, as celebrated in the Jewish holiday Purim.

Now, a Symantec researcher has found a reference in the code to an obscure date in 1979 which just happens to be the date on which the Iranian revolutionaries executed a prominent Iranian Jew. As reported at ThreatPost:
A Symantec researcher filled in more critical details about the Stuxnet worm here, demonstrating the worm's ability to take control of programmable logic controllers (PLCs) by Siemens Inc. and disable machinery connected to them.

Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference here, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control....

As for suggestions that Israeli intelligence may have authored the virus, O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution.
Here is a portion of the Wikipedia entry on Elghanian:
On May 9, 1979, Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.
Was this an Israeli attack with snippets of code manipulated to mock the Iranians, or a false flag operation meant to blame the Israelis?

Somewhere, someplace, someone is laughing. We just don't know who.

I think it's Mossad who's laughing.
Re: The "Stuxnet" Worm
Post by libertasinfinitio on Oct 1, 2010, 7:46am

Boy, I gotta stick with my gut! 

And let us not forget, Ahmadisajerk was one of the Ayatollah's minions back in '79. I think that is a double-tap to ol' Mahmood!

Heh, this is like a Clancy novel.

More please! 

Re: The "Stuxnet" Worm
Post by rocketman on Oct 1, 2010, 5:29pm

This is sooooo f'ing cool.

Smart guys out-smarting the global parasites.
Those biblical references and latest date discovery is making the hackers smile from ear to ear.
I bet they're just dying to tell someone they did it. It's a natural response - BUT I hope they don't.
Besides, the NSA must know who they are by now?


Re: The "Stuxnet" Worm
Post by irondiopriest on Oct 1, 2010, 5:36pm

It really is extremely cool. I could see a feature film surrounding the whole thing being an interesting and entertaining watch - with the right artistic license and dramatic/action enhancements, of course.
Re: The "Stuxnet" Worm
Post by rocketman on Oct 1, 2010, 5:38pm


Oct 1, 2010, 5:36pm, irondiopriest wrote:
It really is extremely cool. I could see a feature film surrounding the whole thing being an interesting and entertaining watch - with the right artistic license and dramatic/action enhancements, of course.


Far out, man.

MISSION IMPOSSIBLE: Iran

LOL

Re: The "Stuxnet" Worm
Post by irondiopriest on Oct 1, 2010, 5:42pm


Oct 1, 2010, 5:38pm, rocketman wrote:

Oct 1, 2010, 5:36pm, irondiopriest wrote:
It really is extremely cool. I could see a feature film surrounding the whole thing being an interesting and entertaining watch - with the right artistic license and dramatic/action enhancements, of course.


Far out, man.

MISSION IMPOSSIBLE: Iran

LOL



As long as the climax is the graphic beheading of Ahmadinejad and the humiliation of the Ayatollahs, I'd put up with Tom Cruise.
Re: The "Stuxnet" Worm
Post by irondiopriest on Jan 17, 2011, 4:56pm

Apparently, it is now emerging that the "Stuxnet" worm that has reportedly disabled the Iranian nuclear program for the time being is an American/Israeli joint operation, thanks to a covert operation initiated under... President George W. Bush.
Re: The "Stuxnet" Worm
Post by johnflorida on Jan 17, 2011, 5:54pm


Jan 17, 2011, 4:56pm, irondiopriest wrote:
Apparently, it is now emerging that the "Stuxnet" worm that has reportedly disabled the Iranian nuclear program for the time being is an American/Israeli joint operation, thanks to a covert operation initiated under... President George W. Bush.



HEH HEH HEH!!
Re: The "Stuxnet" Worm
Post by predatordon on Jan 17, 2011, 6:47pm


Jan 17, 2011, 4:56pm, irondiopriest wrote:
Apparently, it is now emerging that the "Stuxnet" worm that has reportedly disabled the Iranian nuclear program for the time being is an American/Israeli joint operation, thanks to a covert operation initiated under... President George W. Bush.



Ole George....LOL.....Don't ask, don't tell.....
Re: The "Stuxnet" Worm
Post by charlesoakwood on Jan 17, 2011, 7:20pm


Ha! Bush did it. - Again!

Rocketman, it's good to see you.
Re: The "Stuxnet" Worm
Post by irondiopriest on Jan 17, 2011, 7:22pm


Jan 17, 2011, 7:20pm, charlesoakwood wrote:

Ha! Bush did it. - Again!

Rocketman, it's good to see you.


That post from rocketman was from October Charles!
 
He hasn't been around lately.
Re: The "Stuxnet" Worm
Post by charlesoakwood on Jan 17, 2011, 7:57pm

!