Win 95 code gaffe nearly made Stuxnet Suxnet, say infosec blokes

[Please see the bootnote on this story, which we've added post-publication. The code shown at the conference does not appear to marry up with the claims made by the speakers. – ed.] Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, …

  1. Electron Shepherd

    Luck, or Unicode?

    If the screenshot is correct, it's calling GetVersionExW, which is the wide-character version.

    It's been a few years, but from memory, support for the wide-character functions was limited on Windows 95/98, and for a program calling GetVersionExW to even get loaded on those operating systems would require the application to have been explicitly built with support for Microsoft Layer for Unicode, and the UNICOWS.DLL file either on the system or "installed" at the same time.

    Seems unlikely that whoever built it would have added MSLU support. It's not generally something you do by accident - you need to change the default link libraries for the compiler - so my money's on it not running on the Win95/98 systems, not that it did run and no-one noticed.

    1. Electron Shepherd

      Re: Luck, or Unicode? Neither - just accurate coding to the API.

      (Look, it was niggling at me - I had to find out...)

      And if you're wondering, yes, I do have much better things to do.

      If the code in the screenshot is correct, it wouldn't have detected Windows 95 / 98, due to the test for VER_PLATFORM_WIN32_NT. For Win 95 / 98, dwPlatformID is VER_PLATFORM_WIN32_WINDOWS. See http://web.archive.org/web/20050407002111/http://msdn.microsoft.com/library/en-us/sysinfo/base/getting_the_system_version.asp for an old example.

      1. Stefan Smietanowski

        Re: Luck, or Unicode? Neither - just accurate coding to the API.

        I actually took it one step further and looked at the assembly itself, thinking it was their translation from assembly to C that was the culprit but no, the assembly says the same as the screenshot.

        I had already mailed about this correction, but thought I'd post it here as well.

        And yes, I have better things to do as well :)

        1. Trygve Henriksen

          Re: Luck, or Unicode? Neither - just accurate coding to the API.

          Yes, but...

          On which platform does the code run?

          On the already-infected machine, scanning for other victims, or on the target during the infection process?

          Just curious.

          (Haven't programmed directly on a Winblows platform since 3.0.)

          1. charlesy

            Re: Luck, or Unicode? Neither - just accurate coding to the API.

            Well, the code tests the platform on which it is running. So, if it is running on an already infected machine, and that machine is a Windows 9x box, the infection will spread no further.

            Stuxnet, we are told, is a very complex piece of software, and the claim that this would have led to a BSoD on Windows 9x (an OS routine that hooks into CPU-level faults - e.g., double faults) suggests that it is low-level code (i.e. Kernel mode on an NT-based system). My expectation would be that the code probably wouldn't run at all on anything but an NT kernel, so the issue would never arise anyway on a 9x box.

            If you haven't used Windows since the early 90s, you may not be aware that 'Windows' confusingly refers to three distinct and very different operating systems (we won't mention Windows CE). It is a very common and understandable confusion amongst Unix and Linux developers. The long-obsolete 9x and NT families share similar 32-bit APIs and could run a fair number of common 32-bit applications back in the 1990s. However, they have (wildly) different kernel architectures written by entirely different teams. David Cutler, who originally wrote VMS and went on to lead the NT effort at Microsoft never worked on 9x, to the best of my knowledge. The Stuxnet code tests the platform to make sure it is running on just one of those families - NT - which has evolved into the only Windows codebase Microsoft now maintains and evolves.

        2. itzman

          Re: Luck, or Unicode? Neither - just accurate coding to the API.

          Odd that the assembler says the same - I would have thought that that was exactly the sort of thing an optimising compiler would have eliminated - an expression that always evaluates to 'true' ...

      2. charlesy

        Re: Luck, or Unicode? Neither - just accurate coding to the API.

        Yes, I spotted that as well! What a strange mistake for the presenter to make. This code would never install on Windows 95, 98 or Millennium. It would not install on Windows 3.1 either. The bug with the version numbers means that it would, however, install on later versions of Windows (e.g., Windows 8 or Windows Server 2012), which was presumably not intended.

        1. Stefan Smietanowski

          Re: Luck, or Unicode? Neither - just accurate coding to the API.

          Small clarification however:

          Windows 8.1 is still major version 6, so even the "fixed" code would run on it, i.e. if the code had been "&& (OsVersion.dwMajorVersion >=5 && OsVersion.dwMajorVersion <= 6))" (which I'm sure was the intended code), it would have run on anything from 2000 to 8.1. Only NT3.1-NT4.0 and Windows 10 would have been spared had the code not been buggy.

          Windows 2000-2003 r2 = Major Version 5.

          Windows Vista - Windows 8.1 = Major Version 6.

          Windows 10 = Major Version 10.

          1. diodesign (Written by Reg staff) Silver badge

            Re: Re: Luck, or Unicode? Neither - just accurate coding to the API.

            Sure, but the point is: we were told this worm would try to install itself on Windows 9x, when the shown dwPlatformId check clearly stops that.

            C.

          2. Electron Shepherd

            Re: Luck, or Unicode? Neither - just accurate coding to the API.

            Windows 10 = Major Version 10.

            This is only the case on Windows 8 / Server 2012 / Windows 10 if the application has been manifested for the relevant operating system. Without a manifest, it returns a lower version.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Luck, or Unicode?

      Thanks, fellas. We took a closer look at the code – and something's not right. We've added a bootnote.

      C.

  2. Steve Knox

    Interesting bug. Too bad it wouldn't have had the results described.

    && OsVersion.dwPlatformID == VER_PLATFORM_WIN32_NT

    means that the code will only continue on Windows NT-based machines. To install on Windows 95 or 98, it'd have to read

    && (OsVersion.dwPlatformID == VER_PLATFORM_WIN32_NT || OsVersion.dwPlatformID == VER_PLATFORM_WIN32_WINDOWS)

    So it may have installed on NT 3.51 or 4, but not on 95 or 98.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Interesting bug. Too bad it wouldn't have had the results described.

      Indeed – we've added a bootnote.

      C.
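    Added example, not code from the article or from any commenter: it runs the two checks this thread discusses, the dwPlatformId gate quoted by Steve Knox and the major-version range 5..6 that Stefan calls the intended code, over a constructed table of GetVersionEx results, including the 6.2 value an unmanifested process sees on Windows 8.1 and 10 as Electron Shepherd notes. The os_version_t struct is a stand-in for the OSVERSIONINFO fields, and the VER_PLATFORM_* values are redefined locally (matching the SDK) so it builds without Windows headers.

```c
#include <stdio.h>
/* Platform-ID values from the Windows SDK (winnt.h), redefined so this
   builds without Windows headers. */
#define VER_PLATFORM_WIN32_WINDOWS 1UL   /* Windows 95 / 98 / Me */
#define VER_PLATFORM_WIN32_NT      2UL   /* NT 3.51 / 4.0 / 2000 / XP / Vista / 7 / 8.x / 10 */
/* Stand-in for the OSVERSIONINFO fields the thread talks about. */
typedef struct {
    unsigned long dwMajorVersion;
    unsigned long dwMinorVersion;
    unsigned long dwPlatformId;
} os_version_t;

/* The gate quoted from the screenshot: only NT-based systems get past it. */
int passes_platform_gate(const os_version_t *v)
{
    return v->dwPlatformId == VER_PLATFORM_WIN32_NT;
}

/* Platform gate plus the range Stefan calls the intended code (major 5..6). */
int passes_intended_check(const os_version_t *v)
{
    return passes_platform_gate(v)
        && v->dwMajorVersion >= 5 && v->dwMajorVersion <= 6;
}

/* Constructed table of what GetVersionEx reports. A process with no
   compatibility manifest on Windows 8.1 or 10 is told 6.2, as noted above. */
typedef struct { const char *name; os_version_t v; } sample_t;
static const sample_t samples[] = {
    { "Windows 95",               { 4, 0,  VER_PLATFORM_WIN32_WINDOWS } },
    { "Windows 98",               { 4, 10, VER_PLATFORM_WIN32_WINDOWS } },
    { "Windows NT 4.0",           { 4, 0,  VER_PLATFORM_WIN32_NT } },
    { "Windows 2000",             { 5, 0,  VER_PLATFORM_WIN32_NT } },
    { "Windows 8.1 (manifested)", { 6, 3,  VER_PLATFORM_WIN32_NT } },
    { "Windows 10 (manifested)",  { 10, 0, VER_PLATFORM_WIN32_NT } },
    { "Windows 10 (no manifest)", { 6, 2,  VER_PLATFORM_WIN32_NT } },
};
int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const os_version_t *v = &samples[i].v;
        printf("%-26s %2lu.%-2lu  platform gate: %s  intended 5..6: %s\n",
               samples[i].name, v->dwMajorVersion, v->dwMinorVersion,
               passes_platform_gate(v) ? "pass" : "stop",
               passes_intended_check(v) ? "pass" : "stop");
    }
    return 0;
}
```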

  3. Anonymous Coward

    Er, guys?

    should you really be trying to debug viruses to make them better?

    Next thing we'll know is El Reg will go dark, and a small puff of smoke will emanate from the virus testing lab...

    I can handle nuke plants going down, but not The Register!

  4. VeganVegan

    The objective evidence

    Is the Windows version Stuxnet actually infected at the time.

    If I recall correctly, there was a very large number of infections reported, e.g., in South Asia, and only when the PLC wrangling came to light that people put 2x2 together.

    Maybe someone has the time to go back to reports at the time, 2007-2010, and see if anyone reported on the OS version, as versus just reporting a generic Windows machine.

  5. jake Silver badge

    I'm pretty certain ...

    ... that anyone interested in actual corporate security stopped using anything Redmond or Cupertino in the security chain long before the Y2K non-issue.

    Folks not interested in security? Maybe not so much.
