Missing piece completes Stuxnet jigsaw

Security researchers have found an important missing piece in the Stuxnet jigsaw that provides evidence that the malware was targeted at the types of control systems more commonly found in nuclear plants and other specialised operations than in mainstream factory controls. It was already known that the highly sophisticated …

COMMENTS

This topic is closed for new posts.
Silver badge

"spreading using either unpatched Windows vulnerabilities or from infected USB sticks"

Windows? In a nuclear power plant? Anywhere near anything important?

Are these people insane?

9
1
Grenade

No Tit Required

Did you realise it's used in ATMs?

Grenade, the quickest way to get the money out.

5
0

SCADA

Whilst sharing your thoughts on the (un)suitability of Windows to anything mission critical, it is important to remember that these SCADA systems aren't the last line of control, but more akin to a front end onto the system.

Generally speaking, a SCADA system always refers to a system that coordinates, but does not control processes in real time. e.g. you can turn off and bin the SCADA and the plant should operate safely or gracefully shutdown.

2
1
Happy

OS/2

Last ATM I saw that crashed was running OS/2 Warp - only a year or two ago!

1
0
Silver badge
Gates Horns

Yes...

"A SCADA system always refers to a system that coordinates, but does not control processes in real time"

Yes. It's like the SNMP jazz for op-amp and motor-oriented people. Though it's sometimes based on Microsoft OLE (HURL!)

0
0
Alert

@Tigra 07

ATMs run by banks use hardware such as IBM's 4758. The idea being that, even if the host OS is ridden with malware, sensitive data such as your PIN remain secure.

http://en.wikipedia.org/wiki/IBM_4758

(of course, those kiosk ATMs in newsagents are an entirely different matter....)

0
1

What ATMs run

Even way back when a lot of ATMs had their own custom hard wired FSM logic I remember seeing IBM ones running the FSM on top of OS/2, so I wouldn't assume that no mainstream ATMs run Windows. Doing so may not be bullet-proof, but at least it's cheap.

0
0
Linux

WIndoz

Windows 98?

0
0

Having actually read a previous article in detail...

It seems that the programming of these systems is done by a Windows machine.

The virus intercepts communication with the system while being programmed and changes it to insert its own piece of code. (And obfuscates it when you try to read it back from the PLC apparently)

From the description given in the earlier article, the Siemens system itself seems to run its own OS. Which is why this virus is so unusual, because it involves someone having written something in at least two languages, the one for the PLC and the one for the programmer.

Heck, most programming is done using Windows machines, because sadly, whatever the drawbacks of it, it is still the OS most people are most comfortable with.

3
0
Gates Halo

RE: AC

I was not dissing Microsoft, I think they do good work and get a lot of undeserved stick.

I was merely pointing out the irony of seeing "Windows is shutting down" on an ATM I was waiting to use for 10 minutes outside ASDA

2
1
Anonymous Coward

OS/2 -> XP

Since the support for OS/2 expired, many ATMs have been switched to XP from what I read/understand. Seen many an ATM already with an XP screensaver, one even with a bsod.

Here's one in North London, running WinXP Pro

http://sphotos.ak.fbcdn.net/hphotos-ak-snc1/hs206.snc1/7331_127576067842_586802842_2574558_6349698_n.jpg

Kinda ironic is the sticker above "Best practices" ^^

1
0

Looks clear to me

So this code targets a specific type of motor controller that is known to be used in uranium enrichment, and specifically two particular makes (one from Iran). It then makes changes that will affect the controlled process over the course of several months.

I wonder what could be the target of such an attack?

http://en.wikipedia.org/wiki/Nuclear_program_of_Iran#Second_enrichment_plant

3
0
Silver badge
Thumb Up

This bit..

"The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose"

No matter what you think of VX'ers, you cannot but admire the specifics and mechanics of this.

It's a disruption virus, a clever and neat way to stall a project...

Brilliant..

4
0
Gold badge
Boffin

@cornz 1

"No matter what you think of VX'ers, you cannot but admire the specifics and mechanics of this.

It's a disruption virus, a clever and neat way to stall a project..."

But not (perhaps) entirely original...

There is a story about a programmer who coded the IO Channel firmware for a new model of reel to reel tape drive for a large mainframe mfg (Think 2001 or Journey to the Far Side of the Sun. Yes it's *that* long ago).

Each previous attempt had been crashed by the company's internal test or "Black" team.

The latest version was passing all previous tests and he thought he was home and dry.

Then the loaded tape started being searched forward. Then backward. Faster and faster. But the drive was *rocking*

The tester had hit *one* of the tape drive's physical resonant frequencies.

Not very fair I grant you but (in principle) *legitimate* input commands which the system should behave safely to. I'm no expert but I got the impression these puppies were *heavy* and one falling over would probably go through the floor panels (and do something pretty nasty to anyone underneath it).

0
0
IT Angle

Follow the green

Of course, if one of the coders was on the team, making $500 an hour as a consultant... you can see the monetization potential of stalling for another 2 months in no time. Especially if they can become the hero when they find a fix, after 500 billable hours of double-overtime work (nearly all of which was spent on facebook and hacking forums).

The subsequent spread and discovery probably put the kibosh on that plan.

0
0
Anonymous Coward

on a related note

Search for "multics" "walking drives". Very similar.

Reminds me of the test routines for the band printers on the old Honeywell CP-6 systems. About a minute after the alignment job started, the printer would start playing the theme to The Lone Ranger...

0
0
Silver badge

Easy Money, Honey.

"The appearance of the malware has provoked talk of cyberwar in some quarters and certainly done a great deal to raise the profile of potential attacks on power grid and utility systems in the minds of politicians. This is regardless of the potential likelihood of such an attack actually being successful, which remains unclear even after the arrival of Stuxnet."

These false flag alerts are absolutely brilliant at raising crazy amounts of slush funding for spending against nothing in particular. It's a Dream Scenario in IT circles.

6
2
Silver badge
Big Brother

I second the motion.

Ticks all the boxes under the "how does this make sense" header.

0
0

Centrifuges

As GettinSadda says: it looks to me as if Stuxnet is targeting the centrifuges. Data from a very old design (Wikipedia) says 1,500 Hz. Introducing it into the civil nuclear plant would be a good way of getting it to spread through the whole Iran industry.

Intermittent changes of speed over months will wreck the bearings and motors too, as well as driving the engineers crazy.

3
0
Anonymous Coward

I can't wait

For the scam antivirus vendors to start cold calling the Iranian government.

"hullo my brother. this is Microsoft. We have detected a virus in some of your PCs......"

6
0
Happy

The future

I can just see the future. A message is displayed at some nuclear power plant "We have just found 384 viruses on your computer" and they make you go to their page to pay $50 to get rid of those viruses.

0
0
Gates Halo

"spending against nothing in particular"

How is this a "nothing in particular" attack?

At very least, it's another wake-up call to the half-awake folks who have been thinking that their critical Window boxes would be OK if they didn't connect to the Internet and did run a nice expensive corporate "end point protection solution".

It's also a wake-up call to the similarly dumb folks who believed that their critical Window boxes would be OK so long as their critical systems were airgapped and any data transferred to or from them went via a "sheep dip" with up to date anti-malware.

Both of those nice comfortable beliefs have been demolished by Stuxnet, but many industry insiders haven't yet woken up to this. Stuxnet 2.0 just needs to find a different set of zero-day (unpublicised, unpatched) Windows exploits. There's plenty left.

Minimising the risk of repeat attacks along similar lines doesn't need massive government spending (except maybe to rip out stuff like Windows for Warships ASAP). It does need a massive change in the mindset of the IT and Engineering departments and those who should be holding them accountable; "one size fits all, Windows is for everything" is no longer justifiable.

I've worked on leading edge automation technology, not from Siemens but from a comparable vendor, and with various high-end automation systems integrators and end users, for two decades. Based on that, never mind Symantec (though they have a nice writeup and a nice publicity machine but they are Windows dependent and therefore compromised), the stuff which Herr Langner has been reporting at www.langner.com is entirely plausible from a Windows point of view and from an automation point of view. Serious respect is due.

"potential attacks on power grid and utility systems "

Windows-managed PLC systems are in loads of places, not just power grid and utility systems. E.g. Earlier this year there was a contract out to replace the Thames flood barrier SCADA system. That'll have PLCs in it, and traditionally they'd have had Window boxes as the programming environment and as the pretty pictures and datalogging boxes. Is that still what we want? After all, the malware couldn't sit undetected for months, and then disable the SCADA on demand at a critical moment, could it? Flooding central London wouldn't do much damage. Would it?

2
0
Silver badge

Windows in Meltdown to Protect and Prevent Waning $ Interests is a Heavy ZerodDay Trade

"How is this a "nothing in particular" attack?" ... Anonymous Coward Posted Monday 15th November 2010 23:54 GMT in "spending against nothing in particular"

AC,

Whenever you realise that "nothing in particular" means everything peculiar, then are we in agreement.

Oh, and that entitled particular and peculiar Heavy ZerodDay Trade is counter productive and self defeating and one hell of a vulnerability to exploit, and a lucrative golden diamond mine of a system to protect against catastrophic attacks with irregular market activity unveilings.

Be careful out there, IT is a crazy jungle .... :-) where Sanity rules in Safe Harbours and Perfect Covens/Immaculate Havens.

0
2
Grenade

You forgot the "I" in tirade

Just thought you might like to know.

0
0
Silver badge
Grenade

The target could be China

China is planning on deploying _hundreds_ of pebblebed reactors over the next 2 decades and these require the same kinds of control motors (the entire system is vibrated) as enrichment processes.

This could explain the prevalence of the Vx in SE Asia.

1
0
WTF?

Not Bushehr -- Natanz

Iran has a gas centrifuge uranium enrichment facility in Natanz. THAT is the likely target of Stuxnet. No nuclear power plant has a use for dozens of high speed drives. But the gas centrifuges would definitely need them.

2
0
Grenade

Ouch

"Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz" according to the Symantec article.

So, if that was a 90,000RPM centrifuge then this code would randomly speed it up to nearly 120,000RPM before (attempting to) bring it to a sudden halt.

Yep, that'd break it. And you'd have absolutely no clue why it happened.

Very clever.

2
0
Black Helicopters

"... Russian contractors at ... Bushehr ... introduced the malware, ... (... likely) deliberately."

Sure.

If Iran can't enrich its own uranium, it would be forced to buy enriched uranium from someone else.

What better way to ensure a customer's loyalty, than to sabotage said customer's quest for market independence?

0
0
Bronze badge

Surprised

Symantec can detect a bit of code that does this, but it can't detect or stop ThinkPoint?

3
0
Gold badge
Unhappy

Note also it's the *long* term continuous running

While lots of industrial plant *likes* to be run continuously (fewer thermal cycles) few bits of kit are as sensitive as a centrifuge farm to speed and environmental conditions. Most stuff with motors will have at *least* a yearly overhaul. Centrifuges are expected to run continuously for a *decade*.

Of course the Iranians could not *possibly* identify the perpetrators (or even devise a list of suspects) and are far too stupid to mount a counter attack.

*Anyone* who actually *believes* that last paragraph would have to be either very stupid or very ignorant.

This is the same school of thought that believed sending video feeds as an *unencrypted* stream was perfectly safe as "They aren't smart enough to figure out how to decode it."

That's what we call an "assumption."

This is not over and there will be tears before bedtime.

2
0
Anonymous Coward

Russian?

I still smell gefilte fish...

0
0
Silver badge
FAIL

It's all very well bugging the Iranians, the West won't feel so smug when it happens here!

So often what started out with one, not necessarily good, intent turns out to be an own goal as miscreants will, as sure as Hell, use this type of technology against others.

Bet the Iranians are as happy as can be knowing that they have circumvented yet another US inspired attempt to stop them doing what other sovereign nations have done.

If the US doesn't want to incur the wrath of people, it should keep its nose out of other people's business. Mind you we all end up paying by way of intrusive security and added expenses.

I guess that Iran will switch to Linux, as many countries are doing, as a national policy, and that North Korea is busy running anti-virus software.

3
0
FAIL

This was a targeted virus.

So therefore, if Iran did shift to Linux, Suxnet 2.0 would target Linux.

While I am a Linux person and biased to thinking it's safer, I am not stupid enough to think that Linux is immune to viruses.

BTW, while US involvement is a good bet, it's hardly certain. Personally I would have put the Israelis higher on the list of suspects, especially with their large pool of technical know-how.

Also, as someone else pointed out, Russia could be responsible as well. The current administration there has a track record of playing dirty to get its way, and they have made it clear they want to be the Iranians' first port of call for Uranium. I can see why the Iranians don't really want anything to do with that. After all the Russian stranglehold on Gas has worked so well for us in Europe...

And.. you think Ahmadinejad speaks for the *people's* wishes?

HAHAHAHAHA.....

2
0
Pirate

Windows in Iran

And how come they are using Windows in Iran as it is prohibited by the US Regulations? I think the uranium enrichment facility needs a visit from the BSA.

0
0
Terminator

Windows in IRAN

BSA = Boy Scouts of America ??

I would be more afraid if they girl scout cookies on the console.

0
0

Windows in Iran.

Software is a lot easier to smuggle than physical things. Heck, Iran has connection to the internet. They could have downloaded it.

I would imagine if the software was legitimate, the state department could have ordered Microsoft to disable it using that software validation tool thing you're forced to run. Therefore they're probably using a Pirate Bay special.

1
0
Stop

Centrifuges

I read an article a while ago positing the theory that it was the centrifuges that were targeted, and it brought up the issue that on the last check, more than 2/3rds of the centrifuges were out of action, and no explanation was given.

1
0
Anonymous Coward

SCADA isn't really scary compared to..

EMR systems, Point of Care systems, Physician order entry systems, RIS, PACS, Ambulance fleet control systems and all sorts of programmable hardware including defibrillators.

Combined with a predominantly Windows environment and a non-techy, non-security-conscious user base.

Joy.

2
0
Bronze badge

One more post

In ALL nuclear plants in the US, ALL systems related to nuclear are on a closed system and are non Windows based. Yes, they do have Windows PCs on networks, but these systems and their network are in NO WAY connected to ANYTHING that controls any system in the nuclear cycle.

The only problem we've had is with administrators not wiping data from the drives and people buying the obsolete systems from the government and finding data on the drives themselves.

I think that problem was resolved by removing all storage components and having them destroyed or just destroying the PCs totally.

I was very surprised when we had the oil leak from the oil rig that exploded and the survivor stated that they were using a Windows based PC to monitor stuff and that it had "blue screened" prior to the explosion.

2
1
Anonymous Coward

"NO WAY connected to ANYTHING"

"these systems and their network are in NO WAY connected to ANYTHING that controls any system in the nuclear cycle."

In no way? Ever? Not even via sneakernet?

Sorry, don't believe you (and I've worked with PLCs and computers on everything from the Magnox refurb through to electricity distribution and factory automation and...).

The Stuxnet technology doesn't need a *permanent* connection, it just needs (e.g.) to have infected the box (almost certainly a Window box) which is connected to the automation LAN when the PLC programs need updating. And that's all. Job done, automation knackered.

2
0
Silver badge

Maybe even Sneaker-proof.

If ALL externally-accessible drives are disabled during normal operation, then not even Sneakernets can break through. IOW, these are SEALED SYSTEMS whose operational files cannot be modified in any way, shape, or form.

To update or otherwise repair the system, it has to be taken out of the loop and worked at in isolation, and I would think that it would have to pass a thorough acid test on an isolated test network before it's RE-SEALED and re-introduced to the loop.

0
0
Pirate

XP at Walmart self-checkout too, not just ATMs

"Since the support for OS/2 expired, many ATMs have been switched to XP from what I read/understand. Seen many an ATM already with an XP screensaver, one even with a bsod."

Last year I managed to crash (bsod) a Walmart self-checkout stand (evidently by pounding on the screen because it pissed me off when it wouldn't recognize a lighter touch), and its crash screen showed that it was running Windows XP.

I was not impressed - I mean I know everyone says Walmart is lame, but I would have expected them to use something a bit more non-mainstream than frickin' XP, for christ's sake.

I wonder if Walmart's XP also has access to the PINs that customers type in when using a debit/credit card at that same self-checkout? Not that I distrust XP or anything ;)

0
0

Inside Information

As someone else said, the Windows interface is the engineer's/programmer's terminal.

You would require very detailed inside information on the control system and logic for this type of attack to work, the attack vectors are many, this wouldn't work without inside help and bypassing of other logical and integrity layers (not $windows).

For stux to work to security would have to be pathetic and also the control logic and safety controls not in place.

A tiny wake up call for systems managers, but the likelihood of actually working in a standardised environment is VERY LOW.


0
0
Anonymous Coward

"detailed inside information "

"You would require very detailed inside information on the control system and logic for this type of attack to work, the attack vectors are many, this wouldn't work without inside help"

Depends whether the aim is destruction or disruption. Stuxnet came close to destruction and a follow-on based on a Stuxnet-style toolkit could very easily cause disruption.

"For stux to work to security would have to be pathetic and also the control logic and safety controls not in place."

Naive at best. You've already made clear that you know what an engineer/programmer box is. Today, they still run Windows, and therefore security *is* pathetic. If "stux to work" means "cause massive disruption", then we're all set.

There's more to be said, but Herr Langner at www.langner.com has already said it, so read it there instead.

0
0