Feeds

back to article Mystery lingers over stealthy Stuxnet infection

The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates. The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens Simatic …

COMMENTS

This topic is closed for new posts.
Silver badge
Alien

The Blind leading the BIND

Doesn't Rob Rosenberger realise that SANS haven't a clue about what Stuxnets do. Although that is probably just as IT is supposed to be, and Programmed.

Softly Softly, Catchee Keys .... Take Over Key Market Triggers. ...... and much more Dream Scenario than Ridiculous Overhype.

Do you understand all of that extraterrestrial explanation, or only some of it/a few bits? My word, we are a tad slow, aren't we.

3
8
Welcome

Why the thumbs down ?

I 4 1 welcome the articulate mystical freewheeling meanderings from the am/fm ether(net)

Much more rational than most of what gets posted on these forums !

2
1

Obvious solution

the ayatollahs should switch to Macs heh heh

2
1

Reality check

The comment from Mahmoud Jafari, to the effect that it was discovered merely on "personal computers" at Bushehr, and that no damage was inflicted, is probably inaccurate. The fact that they've been saying it'll take them some time to discover the depth of the infection suggests this is merely propaganda.

0
0
Silver badge
Black Helicopters

Conspiracy theorists' motherlode

"In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) and rootlet-style technology, factors that helped the malware stay under the radar for much longer than might normally be the case."

Either RSA has been broken, or some intelligence agency gave a hand in acquiring the private keys. Either way, this ain't the job of your average malware writer. Tinfoil hats, on!

0
0

Not quite

There's a third option, which is another virus was used to pilfer the private keys. There are plenty out there with keyloggers looking for credit card numbers already - adapting one to use a payload designed to intercept calls to a code signing API wouldn't be improbable.

0
0
Pint

If The Technology Exists...

...other entities will attack other SCADA facilities.

Given the pervasiveness of the software, we should be stocking up on candles and drinking water.

And beer, don't forget the beer.

1
0
Gold badge
FAIL

So what's the gain here?

High "Coolness" level? I'm guessing you need to play with a live one of these to get your game down and that seems quite an expensive hobby (unless you bought it with some stolen credit cards of course).

Shut down charging on utilities? Free Gas/electric/water/sewerage for life? Bit small time for the effort.

On demand disruption/destruction of target infrastructure?

Ransom? "This is #1. Unless the sum of xxx million $ in cash/bearer bonds/diamonds/hard drugs is delivered by (very clever but completely mad ransom drop method) by 10am GMT 1 week from today the major cities of these countries will have their toilets simultaneously backed up. Mwowooooohahahahaha."

It's all a bit James Bond for people who just want your credit card details and DoB.

And once again WTF are people hooking SCADA systems up to the internet or letting unauthorized insecure USB drives be connected to specialized control systems?

2
0
Anonymous Coward

"some intelligence agency gave a hand in acquiring the private keys."

If you're a network card vendor and you've picked an overseas company to design and test the silicon (and maybe also the card it sits on), then obviously part of the testing process involves testing the driver. That needs the card vendor's digital certificate.

Are readers aware that Israel has for many years had its own local equivalent of Silicon Valley?

Just askin, like.

8
0
Black Helicopters

The pointy end of the spear

It seems that much of what's been discussed are related to the many ways it spreads in Windoze machines, exploiting several zero-day exploits & 'fake' certificates, etc..

While the PC infections have caused much teeth-gnashing & inconvenience, it seems that all of this is is just an avenue to get it to the one or few PC's that are connected to a particular subset of PLCs. Windoze just happens to be insecure, and is the type of computer most often used to work with PLCs.

Stuxnet then hides itself in the PLC so that the connected PC & its operator can't easily tell that the PLC has been altered. This too is likely not the ultimate purpose.

Of the billons of PLCs that are used, in your automobile & nuclear plant & elsewhere, why infect this particular subset of PLCs? What is the infection designed to do to the machinery that is controlled by the PLC?

I wonder if anyone has hooked up an infected PC to a mimic of the intended PLC (with the correct characteristics that stuxnet is looking for) as an experimental system, and systematically injecting various commands & / or data into the PLC, coupled with memory dumps, to see what stuxnet is really aiming to do. Another approach might be to have an uninfected PLC in parallel, and compare its input / out with that of the infected PLC.

3
0
Coat

The Rest of the Story is Probably Still Out There.

For additional mystery-clue background, one might have a gander @

http://www.dailytech.com/Israel+Suspected+in+Worm+Sabotage+of+Irans+First+Nuclear+Plant/article19726.htm and the Wikileaks link therein.

Mine's the one with the Mad Magazine in the pocket, opened to the Spy-Versus-Spy 'toon page.

1
0

Its true ...

If true this is a lot more human friendly than a "surgical" air strike".

What would convince me that this is military grade is if great care was taken to prevent the malware from being studied, subverted and or modified and then turned against its creators.

No matter what the facts ... the upside is that this could shift the focus of the computing world from innovating and adding new features to going back and recoding their old software in a more secure fashion.

I'd love to see Windows XP SE (Security Edition), doesn't do one thing more than the old XP, doesn't do anything better than the old XP, but every component has been rebuild from the ground up with security and stability in mind and those that couldn't be secured were jettisoned.

And its not just windows .. every complex piece of software out there is riddled with upatched security vulnerabilities both known and unknown.

1
0
Linux

"Stuxnet then hides itself in the PLC"

"Stuxnet then hides itself in the PLC"

Not exactly it doesn't. Maybe you didn't type what you meant. Maybe you didn't understand. Go back to Langner's work and read it again.

http://www.langner.com/en/index.htm

The Stuxnet payload hides itself in the PLC programming tools on the host PC, and corrupts the program which is downloaded from PC to PLC. It's not really "hidden" at that stage, but if you don't look for it you don't see it.

"all of this is is just an avenue to get it to the one or few PC's that are connected to a particular subset of PLCs."

Now we're talking. With most viruses to date, the aim of the malware has been to knacker the PC, or to get info off the PC or money off its user.

With Stuxnet, it seems like the Window box vulnerabilities are simply a delivery mechanism. The actual payload is intended to do something unwanted to a non-Windows box - the PLC. Again, Langner has the details.

"to see what stuxnet is really aiming to do."

To do that properly you'd have to know what program was meant to be in the target PLC. Not many people have access to that information. Langner makes some educated guesses.

The bigger message here is that there is now no valid reason not to ditch Windows as a platform for stuff that can control critical real world kit. That applies as much to Windows for Warships as it does to tools used to develop and manage aircraft control systems or electricity generation/distribution or whatever.

PHBs wake up, you have nothing to lose but your MCP certifications.

5
1
Boffin

One wonders

I can see the purpose of leaving infections active after the virus determines that the specific PC it is on is not connected to any Siemens Simatic WinCC SCADA systems. But you'd think that for the infections that can actually access the correct Siemens Simatic WinCC SCADA systems and reprogram their PLC's, would then be programmed to uninstall themselves as part of covering their tracks.

The other interesting issue arises from the the geographical dispersion of the virus. The fact that Kaspersky Labs says that there are far more infections in India (86,000) and Indonesia (34,000) than in Iran (14000) is very interesting, as it suggests that there is far more information flow between facilities in India, Iran and Indonesia than there should be, considering the UN sanctions on Iran.

1
0
Go

Windows XP SE = NT 3.x for Alpha, MIPS, or PowerPC ?

As per title.

NT was conceptually secure when it arrived. Gates wanted more and more performance, and more and more user friendliness, requirements which rather inevitably are not entirely compatible with security (a DLL to display a pretty icon for each kind of file can't possibly be a security hole, says Bill. Too much code in kernel mode doesn't increase the attack surface, says Bill. Yes Bill says anyone who wants a pay cheque next month).

So get out those NT 3.x CDs, preferably the ones for non x86 architectures, and you're all set.

You won't be able to run any of the usual Windows apps though. so actually you might as well just switch to a different more secure OS that does run on existing hardware (even though hardware is often the cheapest part of this picture) and do the job properly. Which is the proper answer anyway.

One size does not fit all, one OS does not suit all, and it is clear from this and high profile examples elsewhere (e.g. London Stock Exchange drops Windows adopts Linux) that the Windows-dependency in various IT departments and their business contacts has resulted in Windows being force-fitted into places where it is not really appropriate.

0
0
Bronze badge
WTF?

How do the Iranians get Windows in the first place?

This from http://www.microsoft.com/exporting/basics.htm :

<quote>Without limitation, parties acquiring software from Microsoft are responsible for obtaining all licenses or other approvals necessary for downloading or transfer of the software or use of the service. A party may not transfer the software or services without U.S. Government permission to (a) anyone on the U.S. Treasury Department’s lists of Specially Designated Nationals (including the Government of Iran, Government of Sudan, Government of Cuba, prohibited members of the Cuban Communist Party), or on the U.S. Commerce Department’s Denied Persons List, Entity List, or Unverified List, or on the U.S. State Department’s Debarred List or Nonproliferation List (see Commerce Lists to Check); or (b) for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles to deliver them.</quote>

That means that the Iranian nuclear facilities shouldn't be running Microsoft software, I should think. I wouldn't if I were them...

0
0
Bronze badge
FAIL

So not the work of script kiddies then?

The ayatollahs are now threatening the world with destruction (once they get their Windows NT systems working again).

And yes, it is ironic (Iranic?) that they've gotten their operating system from the Great Satan.

Iran, land of mystery.

0
0

Digital fortress

"Only the truth will save you now."

Enter passcode:

0
0
Gold badge
Joke

*four* zero day vulns

"Spooks" (or MI5 to readers in Merkin land) only allowed 1 to take over the fire control system of a rogue Russian submarine.

Looks like someone has been hoarding them.

0
0
Anonymous Coward

Israel? or maybe not?

I wonder if it can check the wind direction before it triggers a meltdown?

1
1
Gold badge
Grenade

Oh yeah?

"We believe this type of attack could only be conducted with nation-state support and backing,"

Yes, 'cos no l33t d00d h4x0r has ever produced a cunningly crafted worm using Windows exploits to target a specific software landscape in the past, have they?

I suggest that Kaspersky give up the day job and go over full time to writing for the Daily Mail.

I'd suggest that an alternate view here would be that Kaspersky found that it was yet another Russian cybercrime gang behind it and the Russian government told 'em in no uncertain terms to cover this up to avoid souring their relations with Iran. If it were thought to be a "nation state", it'll take all of five minutes for the finger to be pointed at Israel and the US*, which will suit the Russians quite nicely.

I can haz conzpirasy yes?

*'Cos everyone'll see "Iran" and conveniently overlook both all the other places hit and that Iran weren't even the first on the receiving end. Can't let pesky facts get in the way of a good conspiracy now, can we?

0
0
This topic is closed for new posts.