Prof casts doubt on Stuxnet's accidental 'great escape' theory An expert has challenged a top theory on how the infamous Stuxnet worm, best known for knackering Iranian lab equipment, somehow escaped into the wild. New York Times journalist David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a US-Israeli team. The sophisticated malware was …
This post has been deleted by its author
According to one of the technical descriptions I've read of how stuxnet infected target PLC's, it replaced certain elements of Siemens compiler on the infected P.C so that what was compiled and sent to the PLC was not what the source code (ladder logic etc.) actually specified. The 'modified' compiler would only inject/change anything if it detected certain high speed motor drives on the PLC's fieldbus (or detected source code for those devices when compilation was started). Therefore the prof is right to assert that the method of delivery, or even the 'payload' of stuxnet never resided on the PLC, it just got a modified control program downloaded to it from a compromised compiler.
Yes, and in order to compromise the Step7 software it first had to infect the host PC.
How did it do that? Infected USB keys and a Windows print spooler vulnerability. Oh, and a couple of privilege escalation vulnerabilities too. And to top it off, it was able to infect a server shared by Step7 database users, so that any PLC that connected to the server was infected too...
So is the prof being overly-simplistic?
I think the one weakness in both stories is:
Do we have the original infection virus? And how does it change over time?
At some point, even if you're a patriotic American, you have to assume the Iranians will realize something is happening to their network and go looking for it. At that point they WILL be able to capture a sample of it for analysis, re-engineer part of it, and fire it back at you. When they fire it back, do they:
a) have the resources to make it narrowly targeted like the initial release
b) care whether or not it is narrowly targeted
If the answers to either of those is 'no' then an internet vector is a logical choice for the re-engineered malware.
So, it could only propogate by file shares, printer q's and removeable media. So every system that was hit after that had to have either been in contact with someone that worked at the Iranian centrifuge plants or the systems at the Iranian centrifuge plants. What better way for the Yanks and the Israelis to map out everyone involved in the Iranian venture?
" ." . . the data has shown that there are approximately 100,000 infected hosts... We have observed over 40,000 unique external IP addresses, from over 155 countries." "
40,000 IP addresses isn't exactly a lot, is it?
'Infected hosts' - how many is that per building?
I can't get the 'Widespread' thing.
Its an evolution. Related projectes have been named stars, stuxnet, duqu, flame, gauss.
There is noway anyone caught anything from a plcc. This professors story checks out with the technical analysis ive read.
http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One
http://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link
etc etc. There is a lot of good technical info on the above site for those who want detailed analysis.
The USA and Israel have engaged in an act of hostility on another country. They have caused real damage and show no contrition at all. I doubt that the are going to even think about bringing those responsible for this outrage to book - in spite of their indignant expostulations when they think that someone has attacked them -- think Gary McKinnon.
This is highly hypocritical of the likes of Hilary Clinton. They have, in effect, started an undeclared war.
What is their justification ? Iran might make bombs and that Iran might start a war. If you look at the history of the USA in the last 50 years you will rapidly realise that this is the pot calling the kettle black.
Iran is big on rhetoric but there's no way the government or the ruling council there are stupid enough to actually START a war. They're just using Porcupine mode because they feel threatened - with enough recent history to justify it.
The boogeyman of hostile foreign governments, with a proven history of aggression(*) is more than enough for the iranian govt to keep a tight grip on internal power and in return the USA has a boogeyman of its own to conveniently jump up and down about in order to distract from other issues elsewhere (Such as the large number of "military advisors" still in the Southern Philippines, helping the govt there perpetuate a war with poorly armed separatists that's been happening on and off ever since the Spanish laid claim to the area in the 1600s)
(*) FWIW the last war Iran had to face was an invasion by a tin-pot dictator by the name of "Saddam Hussain" (remember him?) - heavily backed by USA money, armour, "military advisors" and technology, so the iranians have good reason to be pissed off.
You seem to have your Iran & Iraq mixed up - Iran had all the US tech courtesy of the US involvement with the Shah's regime. Iraq was a client of those peace loving Soviets. Unless of course US factories were pumping out AK47's, T72's and MiGs during the 1980's
"The USA and Israel have engaged in an act of hostility on another country."
Allegedly. I guess the Iran government is free to complain to an international court and provide proof of who was responsible for introducing a trojan to software which (according to Siemens) was never sold to or licensed for use in Iran. i guess they would go on to complain that the trojan subsequently caused damage to centrifuges, components of which were dual-use items, which Iran is banned from purchasing under UN sanctions. The centrifuges were/are being used to enrich uranium to a purity in a manner also prohibited for Iran, under the terms of the NPT which they chose to sign.
Once Iran has developed a nuclear weapon, it will be fairly difficult to dissuade others in the region from matching the Iranian threat: Turkey and Saudi Arabia are likely candidates. Once a few of them get going, we might as well forget the NPT altogether.
how fucking stupid are they?
Putting software like this out in the really wild and then having the deluded arrogance to assume the Iranians wouldn't go 'Oh what about if we modify this bit here, and this bit there...'. Or perhaps they'll go completely crazy and put it in a flash of justin beiber.
I bet there some pretty damp collars around.
"...40,000 unique external IP addresses, from over 155 countries."
and
"...blocked at the firewall......(of)......any sensible home user."
So 40,000 idiot users with their knickers down required globally then to account for this. I think that there are rather more than that.
Easily.
Look at any computer game forum, you'll see users asking why they can't connect because of NAT problems and when the user can't figure out port forwarding then it's usually suggested to put the computer in the DMZ.
What irks me is the people suggesting using DMZ's are considered to be experts and suggesting that doing so might be a bit dangerous is a bit unpopular.
If we assume LAN is devices on the same subnet, that doesn't mean it cannot affect devices far and wide. A layer 2 link can exist between very distant places (either direct or L2overL3) so it is most certainly possible that the virus could have spread over a wide distance to a device and then that device was moved to a different "LAN" etc.etc.
Given that it did spread I don't buy his "restricted to LAN" though
LAN extension is quite common method of delivering Internet in the 3rd world and ex-Soviet block.
Plug a cheap switch in the basement of the apartment block, everyone gets a Cat5, all flat, virus paradise (most people do not run CPEs either).
Cheap as chips too - costs per sub is a few $.
So if the virus was designed to stick to LAN and an infected machine was connected to one of these Internet networks it would have escaped same as on LAN.
"Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC, thus it is impossible for the Iranian technician's laptop to have picked up the worm from the uranium enrichment machinery."
Is any sensible person claiming that the worm *was* picked up from a Siemens PLC controlling the enrichment centrifuges?
I hope not. On the other hand, there are generally Window boxes associated with those PLCs, and we know that to be the case in this picture.
"It is not known exactly how the engineer's portable PC was infected."
What a silly thing to say.
Even Symantec have a half decent account of this one; their writeups demonstrate how this thing could (and almost certainly did) propagate itself from Window box to Window box, all the while looking for relevant bits of Siemens software to infect.
It's not a simple story, and if it's been simplified for a podcast, important details have probably been omitted. And then simplify it again for this El Reg report?
Sorry, to understand this one anything like properly you need LOTS of details, and you can't leave out many of them before the story doesn't make sense.
He knows more about Siemens kit than Siemens do.
let's see if the mods inexplicably delete this one too
I can only assume my post about Constantine/Samson was deleted because someone took offence to my doubting his impartiality and/or being J****h...
After all, an expert wouldn't write a work of fiction called Web Games which appears to be a case or art imitating life - published six months after Stuxnet appeared on the scene.
"He knows more about Siemens kit than Siemens do."
Maybe. Siemens make a lot of kit. Herr Langner certainly revealed more about what was going on in the Stuxnet picture than Siemens public spokesmen were willing to admit (and, occasionally, the Siemens story didn't seem plausible, and some time later we do now know that some of what Siemens were saying *wasn't* plausible).
I hadn't come across, and therefore won't comment on, Web Games.
I have been working in networked IT, including IT security, and with industrial automation (including Siemens kit) for long enough for my BS detector to be reasonably finely tuned for this subject. I see lots of BS around re Stuxnet, and quite a lot of what might be misreporting or maybe just excessive oversimplification. It doesn't come from Herr Langner.
There is all that chatter of Iran closing its networks or denying internet access to its residents. What if someone else was doing the denying and it was released through the restricted traffic within Iran after a bit of doctoring to the code to spread it amongst the population? Perhaps the intent was to suggest that Iran did it to its own people as clearly those who created the worm did not step up to claim credit for it until practically forced.
In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis' fault that suddenly allowed it to get onto the internet because it no longer recognised its environment. Anybody who works in the field knows that this doesn't quite make sense, ..
Others working in innovative virtual field would recognise it as making quite perfect sense and be fully prepared to advise and/or provide Israelis the intelligence they are missing for environments they are unfamiliar with nowadays …… for they are considerably and even quite catastrophically disadvantaged in such a position/condition/vulnerability for exploitation and/or monetization.
But it is not something that will be broadbandcast by them and it may not even be plausibly denied by them either but it will always remain a colossal security breach in their system defences, and to such an extent as to render them both virtually and practically non-existent.
"Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC, thus it is impossible for the Iranian technician's laptop to have picked up the worm from the uranium enrichment machinery. It is not known exactly how the engineer's portable PC was infected."
I think that's rather simplistic. The centrifuge(s) are very very likely to be connected to a PC/server running a quite sophisticated HMI and historical data aquisition system. ALL of the systems I work in these days (in the SCADA field) are based upon Windows operating systems.
Centrifuge instrumentation --> profibus/fieldbus --> PLC --> Siemens IMS/HMI/DCS (windows based) --> Engineering workstation (windows based).
It's quite easy to see how an engineer, plugging his engineering station into the same LAN could be infected.
I'm sorry, but the LAN only thing does not fly with me. LAN's today are not simply limited closed pools we reside. Devices enter and leave the LAN, and the LAN intersects across WAN technology everywhere. And as everyone wants everything, security has been watered down to never watered down to this level before levels.
I looked at these vulns, and they were brutally ugly. End users who took a misstep were owned. The coverage viewing these vulns were ballpark correct at how effective they were, and its stupid and childish to think that if this thing surfaced on some other LAN that it would not spread. Its windows vulnerability attacks were effective.
Given its multiple vectors covering USB insertion vulns as well, thinking this think was boxed in is wrong headed.
Why do so many people insist on writing the Internet in lower case? It's a proper noun damnit, and should be written with a capital I, as the good prof himself did (once anyway). As any fule on here know, an internet is entirely different from the Internet. Can someone let the Beeb know this too please?
I am delighted by the discussion here, since bringing these issues into the open was my immediate agenda. Understand, a podcast interview is not conducive to the most precise semantics or the finest technical details. I want to apologize if I left some unnecessary ambiguities in my ad hoc answers. I turned to that forum (thank you, Steven Cherry) because none of the mainstream media--print or electronic--would touch the story, a curious matter in itself.
As to how wild or widespread the infection was, what I was trying to highlight was that there was never any worldwide indiscriminate spread of Stuxnet by email or Web, as with much malware, but something much more limited based on direct system-to-system connection or sneakernet communication through removable media. As some of the experts here have pointed out, there are some holes (e.g., VPN) that might have allowed Stuxnet to reach beyond the LAN to infect other LANs. In any case, whether 100,000 is a lot of infections or small compared to many other worms, the analysis shows a small number of very tight clusters tied closely to initial points of infection.
I concur that Ralph Langner, a colleague of mine, is probably one of the go-to guys on the PLC side of Stuxnet. And I will underscore, that all my sources are secondary, as I was not directly involved in the forensic analysis.
My main point is that Sanger's narrative is flawed. Whether it is a journalistic failure, sloppy semantics, or disinformation is not for me to say, as I have no access to Sanger or his sources. But the fact that his reporting is being accepted so credulously and that the press is not taking on the story of flaws in his articles and book is troubling.
As to the actual initial infection and route into the facilities at Natanz, my understanding had been that the point of entry was not by directly carrying a doctored USB drive into this highly secure plant, but by infection of adjacent or closely related facilities, with the software then spreading itself as it could until it found the right installation of STEP 7 with precisely the right project files representing the particular frequency-controlled motor configuration. On the other hand, Raviv and Melman, who have sources inside Mossad and the IDF, suggest that the patient-zero USB was carried into the plant by Siemens maintenance engineers under direction of German intelligence (BND) collaborating with HaMossad. I cannot say. What we do know is that in one version of Stuxnet, the first infection (not at Natanz) was within 12 hours of the last compilation timestamp. If accurate, it does suggest that versions might have been hand delivered to specific targets. And it has already been established that Mossad operatives were in Iran at the time.
Perhaps we will someday know the real story, but it is not the one Sanger told, at least on some pivotal details.
--Prof. Larry Constantine (pen name, Lior Samson)
I haven't read Sanger's book, and not many of us will ever know the real story, so it's hard for most people to understand just how flawed Sanger's narrative might be.
One person better qualified than most to comment is, obviously, Herr Langner and [1] below is a necessarily brief extract from one of his comments on Sanger's book. There's much much more from Langner, interested readers are recommended to go read it (or watch his TED session, or whatever else takes your fancy), without anyone filtering it, misrepresenting it or whatever. (NB I am not suggesting the Professor has done that, but others may well have, intentionally or otherwise. Me included.).
Most things are flawed. Doubtless Sanger's book is flawed, but the current WIndows-dependence and associated levels of (in)competence and complacency in most of the IT world is surely a much bigger and more important flaw?
Who is addressing that, in language such that the average corporate Board of Directors and the average computer user at home will understand without being blinded by the Windows-dependent people in the IT department and the Windows ecosystem in general?
"Several people asked me to comment on Confront and Conceal as there appear to be some more or less obvious technical inaccuracies in the book’s much-qouted Stuxnet chapter. However, exposing those would be nitpicking and misleading. In respect to Confront and Conceal, the question is not what experts in critical infrastructure protection can tell journalism; it’s what we can learn from the latter. The impact of David Sanger’s book is equivalent to an earthquake shaking the supposedly solid ground that the industry used to operate upon. (continues)"
From http://www.langner.com/en/2012/07/07/the-contractor/
I would enjoy getting into the dialogue, but the moderators seem not to have accepted my post in response to the various comments. I would humbly request the moderators restore/allow my responses.
I do not think being Jewish or not is germane to the discussion; Jews in and out of Israel have many different positions on Middle East politics and are as capable of impartiality (or not) as any other ethnic/religious group.
To Ross K, whether art imitated life or life art is a bit messy in this case. In 2003, I designed a Stuxnet-style attack on U.S. infrastucture as part of my notes for Web Games. It took me 7 years to write the novel, but I finished the manuscript just before Stuxnet was reported in summer of 2010. It took another 5 months for the book to go through editing and revision to make it into print. Bad timing on my part, but again, it hardly relates to expertise or its absence. In any case, I am not trying to tout my expertise, but attempting to argue that there is a reasonable technical basis for questioning Sanger or his sources or both.
I am sorry if some of the technical details are muddled by the format of a live podcast interview. I intend to get a more properly argued and annotated piece published. I did try to clarify some of my intent in the deleted earlier comment. If the moderators do not release it, I will attempt to reconstruct and re-post later.
In any case, my real agenda is to stir up enough discussion that mainstream media begin a closer examination of all of Sanger's claims. I can only comment with any confidence on this one small matter.
--Larry Constantine (pan name, Lior Samson)
You've established it has connections with conficker with its included exploits.
You've established it somehow gained ability to spread through infecting ip addresses.
Therefore what makes the internet so unique?
Why does politics (particularly with academics) need to get involved? It could be a 'teenager in a bedroom' type scenario!
Or even a severely disgruntled ex-employee, track it back to its original first detection spot... track physically from there, you've got the culprit...
Its likely the attacker would have infected a machine he was close to or had sufficient access to... but by now I'm almost certain that would be long gone? --- That is the result of political war...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
