Stuxnet Questions and Answers (f-secure.com)
141 points by Garbage on Oct 1, 2010 | hide | past | favorite | 70 comments



Stuxnet amazes me. My first tech job was (in part) installing anti-virus on every computer in the Univ KS Library system, 1989-90. MS-DOS days. I've been an avid watcher (not expert) of malware since. I've watched the Internet arrive and embedded computer/automation revolutions. This 20yr perspective brings me to the following conclusion.

Other than "jacking in" and other fluff Stuxnet does pretty much exactly the kinds of things that CyberPunk Sci-fi described a decade ago.

I flippin love living in the future.


"Your computer is now stoned."


The Iranian regime is now stoned. How happy I am with Stuxnet.


You'll be less happy when China uses the same techniques to destroy Google


Stuxnet is real. Your scenario is unrealistic.


The F-Secure Q&A is relatively free from speculation. That's unusual for this particular event.


This is quite possibly the best Q&A on Stuxnet I have seen. Kudos to F-Secure for not overhyping it.


This reads like a section from a sci-fi novel. Once more reality is catching up with cyberpunk.

I'd love to know what it's supposed to do when it reaches its target. Surely the creator would have had to have some sort of blueprints for the target system to successfully set it up to create more than collateral damage.


I'm very curious about what it's supposed to do as well. I work with SCADA systems, and I can confirm that it would be difficult/impossible to tell without knowing exactly what system it's targeting. SCADA systems are often controlled by writing to "points," which typically have numeric addresses. So point 35 might control the valve position in one installation, but it could control something totally different in another. You'd need to know the layout of the targeted system to know what parameters are controlled by what points.


I'm under the (mistaken?) impression it uses the SCADA system to actually modify some of the low-level PLC library code. If so, I'd be looking for code likely to be used (by the actual plant PLC program) to stabilize a very high speed centrifuge (servo routines maybe), and introduce slight instabilities, or even better, excite a resonance.

"Hey, the VFDs are programmed to skip through this frequency band during the accel ramp to 25k RPM, but every once in a while they hiccup and then the bearings rub. What's up with that?"
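The check a plant engineer would want in the scenario above is one that watches the drives from a path the HMI cannot rewrite. Here is an added example of that check (not code from the thread, from F-Secure, or from any Stuxnet analysis): it runs over constructed drive telemetry and reports a drive that parks inside its skip band, ramps faster than its commissioning limit, or exceeds its ceiling. The limits, the skip band and the sample telemetry are all made-up values.

```python
"""Independent check on variable-frequency-drive telemetry: flag a drive that dwells
in a configured skip band, ramps faster than its commissioning limit, or exceeds its
ceiling. Added example; the limits, skip band and telemetry below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DriveLimits:
    skip_bands_hz: tuple        # (low_hz, high_hz) pairs the drive may cross but not dwell in
    max_ramp_hz_per_s: float    # commissioning limit on |df/dt|
    max_hz: float               # absolute ceiling


@dataclass(frozen=True)
class Finding:
    t: float
    kind: str
    detail: str


def in_skip_band(f_hz, bands):
    return any(lo <= f_hz <= hi for lo, hi in bands)


def check_telemetry(samples, limits, max_dwell_s=1.0):
    """samples: iterable of (t_seconds, frequency_hz) in time order, taken from a path
    the HMI cannot rewrite (e.g. a historian tap on the drive's own fieldbus).
    Crossing a skip band during a ramp is normal; staying in it longer than
    max_dwell_s is reported once per excursion."""
    findings = []
    prev_t = prev_f = None
    dwell_start, dwell_reported = None, False
    for t, f in samples:
        if f > limits.max_hz:
            findings.append(Finding(t, "overspeed", f"{f} Hz > {limits.max_hz} Hz"))
        if prev_t is not None and t > prev_t:
            rate = abs(f - prev_f) / (t - prev_t)
            if rate > limits.max_ramp_hz_per_s:
                findings.append(Finding(t, "ramp_rate",
                                        f"{rate:.1f} Hz/s > {limits.max_ramp_hz_per_s} Hz/s"))
        if in_skip_band(f, limits.skip_bands_hz):
            if dwell_start is None:
                dwell_start, dwell_reported = t, False
            elif not dwell_reported and t - dwell_start > max_dwell_s:
                findings.append(Finding(t, "skip_band_dwell", f"{f} Hz held since t={dwell_start}"))
                dwell_reported = True
        else:
            dwell_start = None
        prev_t, prev_f = t, f
    return findings


# Hypothetical commissioning values for one drive.
LIMITS = DriveLimits(skip_bands_hz=((25.0, 30.0),), max_ramp_hz_per_s=10.0, max_hz=60.0)

# Constructed telemetry, one sample per second: a normal 5 Hz/s ramp to 60 Hz that passes
# through the skip band, then a hold inside the band, a jump back up and an overspeed.
SAMPLE_TELEMETRY = (
    [(t, 5.0 * t) for t in range(13)]                       # t=0..12: 0 -> 60 Hz
    + [(13, 50.0), (14, 40.0), (15, 30.0)]                  # 10 Hz/s decel into the band
    + [(16, 28.0), (17, 28.0), (18, 28.0)]                  # parked inside the band
    + [(19, 60.0), (20, 65.0)]                              # 32 Hz/s jump, then over the ceiling
)


def run_example():
    return check_telemetry(SAMPLE_TELEMETRY, LIMITS)


if __name__ == "__main__":
    for finding in run_example():
        print(f"t={finding.t:>4}  {finding.kind:<16} {finding.detail}")
```

The point of the design is the data path, not the arithmetic: if the only record of drive frequency is what the HMI shows, a compromised Windows host can present a clean ramp while the drive does something else. The normal ramp in the sample crosses the skip band without a finding; only dwelling in it, an impossible ramp rate, or a value above the ceiling is reported.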


Q: What does it do with Simatic? A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

So it seems that there is one factory layout Stuxnet is looking for. I.e. it will know what point 35 is.


is it possible to determine which factory environment you're in? maybe it just tries the same combination in each and every one environment it gets to?


Considering the size of the file, (and the fact I have not examined StuxNet), I'd assume that there is a good chance it has enough logic to determine which factory it is in by pure brute force.

If the main fan control gives a fairly standard reading, it shouldn't be too difficult figuring out what the particular factory it has infiltrated has wired that point to, for example.

Also, I haven't heard any definitives on what kind of factory this is targeting. I do know that there aren't many companies that develop and design high tech industrial facilities. Despite StuxNet having infected thousands (millions) of personal PCs, it really is only looking for maybe a few dozen or so in the world that are of the right type. Combine that with a low number of factory designs, and it could very well have a pre-determined database of how its intended targets are wired.


But messing with various points at different facilities in the same way can still be catastrophic.


Very true. A simple "set everything to zero" approach would probably bring any facility to a halt (if not worse).


It said the registry key Stuxnet plants to indicate whether a system is already infected has the value 19790509. Then it said an Iranian Jewish businessman was executed on that date for spying. Also the home directory where the virus was originally compiled was called Myrtus. Which may contain another clue...


I'm not really buying this. You're making a lot of assumptions. That Iran is the target, that the number is a date, that the date refers to that particular event, etc.

The link between the word "Myrtus" and the Old Testament seems really strained. It's the name of a plant. It features prominently in Greek mythology -- maybe the Greeks did it?


I don't think the link between old testament and myrtus is strained.

1) Esther's birth name is Hadassah, which means myrtle (http://en.wikipedia.org/wiki/Esther#Origin_and_meaning)

2) When Esther asked the king whether the Jews could kill their enemies, the king granted permission (http://www.biblegateway.com/passage/?search=esther%208:11-8:...)


Esther was also married to a Persian King.


I also vote for a plant, as the second mentioned name is Guava and there is

"The Chilean Guava (Ugni molinae, also called Myrtus ugni or Eugenia ugni)"

see: http://www.strangewonderfulthings.com/206.htm


Good point. It could well be that the files are named after plants the same way some people name their servers after colors or smurfs or whatever.


In fact all Guavas are members of the Myrtle family.


He doesn't seem to make any assumptions to me. He states the known facts about it, that's all.


Chances are that if you pick a date at random, there will be some heinous crime that the Iranian regime has committed on that day. As to myrtus. Even if we assume that whoever did this knew that myrtus=hadas, very few Israelis who aren't biblical scholars would associate the name Hadas with queen Esther.

I would say that if this is the best we have, then it's pretty certain it's not the Israelis who did this.


Clues can be faked too.


Hm, this is no fun scavenger hunt for hackers. It's serious.

On the other hand, if you solve the puzzle, maybe you can sell your story to Hollywood.


Btw couldn't 19790509 also be 5th Sep 1979 instead of 9th May?


To the best of my knowledge, no. One of the reasons for the ISO date standard being YYYY-MM-DD is that there is no country in which the interpretation of a date given that way is at all ambiguous.

There are countries with DD-MM-YYYY or MM-DD-YYYY, so you really do have to put the year first to avoid ambiguity. However the 79 in 1979 cannot be a month or a day.


Oh it can't? Right. Like hey, let me salt a clue here. Oops, better make sure it's ISO compliant. I want to get hired later, after all...

Subtlety, obfuscation, and misdirection; welcome to the Middle East.


I agree with what you meant to say, but I don't approve of how you said it.


"Q: How could governments get something so complex right? A: Trick question. Nice. Next question."

That one caught me off guard.


"Siemens announced last year that Simatic can now also control alarm systems, access controls and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and Mission Impossible."

I've been reading pretty much everything I can find about Stuxnet so far, but haven't heard this before. If it's true Stuxnet might really be living up to the hype that it's the "first malware of its kind."


I've read that there are three stolen Microsoft Authenticode certificates being used by stuxnet authors to sign the malware. I've used these sort of certs myself to sign executables. They require passphrases to use. I could believe that they cracked one passphrase to use one cert, but three? All from different companies too.


It's much more likely that the certificates used were stolen (from Realtek Semiconductor Corp.), than cracked.


I find it more likely that the certificates were given to them by an employee that also shared the passcode.


Said employee also kept her mouth shut? I don't know, conspiracy theories are not my forte.


Yes, but the point is that in order to use a stolen cert, you need the passcode and the cert. They somehow got three certs and three passcodes from three different companies.


Sometimes companies embed the passcode in the build script to automate the build process. Having to type in the passcode every time to build a release can become a chore.


That's right. However, I think that if I were in a position to steal a certificate, it'd be trivial to also get the pass[code|phrase|whatever], assuming there even was one to begin with. ;-)
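The "passcode in the build script" pattern a couple of comments up is one you can look for mechanically. The scanner below is an added example (not from the thread, not any vendor's tool): it flags a code-signing passphrase passed inline to `signtool sign ... /p <password>` or to OpenSSL's `-passin pass:<literal>` / `-passout pass:<literal>`, and ignores the forms that read the secret at run time (`%VAR%`, `$VAR`, `$env:VAR`, OpenSSL's `env:`/`file:`/`fd:`). The release-script lines it scans are constructed for the example; the paths and passwords in them are not real.

```python
"""Scan build/release scripts for a code-signing passphrase passed inline to the signing
tool. Added example; the script lines below are constructed."""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    line_no: int
    tool: str
    secret: str   # the literal as found; redact before writing real findings to a log


# signtool sign ... /p <password>   (password may be quoted; "/" or "-" switch prefix)
SIGNTOOL_RE = re.compile(r'(?i)\bsigntool(?:\.exe)?\s+sign\b.*?[/-]p\s+("[^"]*"|\S+)')
# openssl ... -passin pass:<literal> / -passout pass:<literal>
# (the env:, file: and fd: forms do not put the secret in the script, so they are not matched)
OPENSSL_RE = re.compile(r'(?i)\bopenssl\b.*?-pass(?:in|out)\s+pass:(\S+)')
# %NAME%, $NAME, ${NAME}, $env:NAME: the value is supplied at run time, not stored in the file
VARIABLE_REF_RE = re.compile(r'^(%\w+%|\$\w+|\$\{\w+\}|\$env:\w+)$')


def scan_build_script(text):
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for tool, rx in (("signtool", SIGNTOOL_RE), ("openssl", OPENSSL_RE)):
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1).strip('"')
            if VARIABLE_REF_RE.match(value):
                continue
            hits.append(Hit(n, tool, value))
    return hits


SAMPLE_BUILD_SCRIPT = r'''@echo off
rem constructed release script; none of these paths or passwords are real
signtool.exe sign /f build\release.pfx /p Hunter2! /v driver.sys
signtool sign /f build\release.pfx /p %PFX_PASS% /v driver.sys
openssl pkcs12 -in build\release.pfx -nodes -out key.pem -passin pass:Hunter2!
openssl pkcs12 -in build\release.pfx -nodes -out key.pem -passin env:PFX_PASS
'''


def scan_sample():
    return scan_build_script(SAMPLE_BUILD_SCRIPT)


if __name__ == "__main__":
    for h in scan_sample():
        print(f"line {h.line_no}: {h.tool} passphrase in script ({'*' * len(h.secret)})")
```

A hit on line 3 or 5 means the PFX and its passphrase are both recoverable from the build tree, which is exactly the situation the comment describes. The usual fix is to stop the private key from existing as a file at all: keep it in a hardware token or HSM-backed key container and sign with `signtool sign /csp <provider> /kc <container>` (or select the certificate by `/sha1` thumbprint from the machine store), so a stolen build directory yields nothing to sign with.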


Realtek and JMicron were in the same building, maybe the third company is as well?


One interesting question is: * Q: Was Stuxnet written by a government? A: That's what it would look like, yes.


While it is pretty difficult to answer what a piece of code written by a government would look like, a useful piece of information is also that the code targeted 4 different 0-day bugs [1]. If we consider previous reports on 0-day pricing [2], this alone could put the cost of the worm at over $200000 making it more likely to be built by a well funded adversary.

[1] http://en.wikipedia.org/wiki/Zero-day_attack [2] http://weis2007.econinfosec.org/papers/29.pdf


A talented individual or small team, government funded or not, is going to be able to research vulnerabilities on their own.


It really doesn't matter if they bought the 0days or researched them themselves - either way they either spent the cash or gave up the opportunity to earn the cash from them, which is equivalent. They still put ~$200,000 worth of resources into the worm.


Agreed, but I think the best evidence of large sponsorship is in that factory system recognition and parameter modification code. We don't really understand the sophistication until it actually chooses to execute, but access to those kind of specifications would require some fairly extensive research resources, someone that an individual or small team would have trouble getting alone.


yes, but a talented individual would probably sell those vulnerabilities since they're worth so much, rather than use them for some obscure, probably not money earning, goal.


That's just moving one layer of indirection. If vulnerabilities are worth money, presumably so they can be exploited, then why isn't it possible for someone to be motivated to use vulnerabilities and also have the talent to discover them?


You're making the assumption that a government would not pay for the development and exploitation of those vulnerabilities, which is de facto false considering the current "cyberdefense" capabilities of developed countries.


If it's indeed created by Israeli Intelligence, then at least R&D costs will be close to nothing. Israeli military has mandatory service. 18-21 years old programmers/hackers work day and night almost for free.


I think there's some very experienced, very talented people working on this. Security is one area where I believe that the older you are and the more hours you've clocked and exploits you've thoroughly understood, the better you are.


Our defense budget is 7% of our GDP, which is the 5th highest rate in the world (according to wiki). I would hardly call that free. Also, there is a shortage of tech talent here and the salaries are quite high. So there are also hidden costs with the military getting people to work for "free".


First it's 8.5% of GDP in 2009, but in absolute numbers it's only $14.3B (including US aid, which has to be spent in the US). This is peanuts for being a regional superpower. About half of the budget goes to salaries of officers, permanent servicemen and civilian contractors.


The danger there is the "common thinking" that this puts it squarely in the realm of governments.

However, at such a price point you're still well within the remit of organised gangs; they, for example, will spend a fortune on viruses and other malware - it's big big business.


Isn't the question better posed as was it funded by a government? And how did they choose whom to hire? Maybe the private armies are getting into cyberwarfare...


What's the difference between a govt writing it and funding it. Writing is a subset of funding.


Wait, since when have governments been better at writing code than small groups of talented amateurs? Have I fallen through a portal into mirror-universe HN?


One of the arguments for it being a government is the unusual size and complexity of the code. A large piece of code speaks against a small group. It also speaks against a group with an ethos of producing something simple and elegant, which talented amateurs would be likely to feel.


This is the stuff of movies, but do you think it's very wise to write this kind of software for a government? Perhaps if you can somehow stay anonymous..


Eh? The implication/speculation is that a government wanted to create and spread a worm.


Yes but would you like to be the programmer that wrote it? You would also be a witness. Again, movie stuff.. :)


You're assuming that a bunch of suits pulled some hackers out of their parents' basement and told them to write a virus.

I can only comment on the US Government's NSA, which has thousands of highly trained and highly intellectual programmers already under their employ. These are people that do their job to protect and assist in the affairs of the government. Probably already under highly classified labels. For some, it is just another job assignment.

However, I am also speculating. The truth: No one capable of telling the truth knows.


I could see a lot of nefarious individuals learning from this and using it to cause tragedies for short-term gain (i.e. shorting a stock). It does seem quite stupid to open up the door on something that could cause so much harm.


the possibility of it sinking BP's Deepwater Rig was interesting, not something I had considered before reading it in the Q&A


Without Autorun enabled, how does code get executed on a usb drive?


Even when autorun is disabled, Windows will parse through the autorun.inf file. This should have been patched with KB967715.

U3 enabled devices have been known to override the default settings in order to emulate CD-ROM drives.

Double clicking the flash-drive icon can also force execution of binaries, but I am unsure of how that works and if it is related to the user's autorun settings or not.


http://www.microsoft.com/technet/security/bulletin/ms10-046....

"The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed."
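The bulletin line above names the trigger (rendering the icon of a crafted shortcut) but not what such a shortcut contains. For triage of shortcuts arriving on removable media you want a parser that looks inside the target list rather than trusting the icon. The following is an added example, not code from the thread or from Microsoft: a minimal reader for the MS-SHLLINK header (0x4C bytes, LinkFlags at offset 0x14, bit 0 = HasLinkTargetIDList) and the shell-item ID list that follows it. The flagging rule is my own heuristic and is stated as such: a shortcut whose ID list points into the Control Panel namespace and also names a DLL-like file is set aside for a closer look, because an ordinary shortcut to a file lives under a drive or folder path instead. The two CLSID constants are the standard shell namespace GUIDs; both sample shortcuts are constructed inline and their item layout is illustrative, not a copy of any real sample.

```python
"""Minimal .LNK (MS-SHLLINK) triage: walk the LinkTargetIDList and flag a shortcut whose
target points into the Control Panel namespace and also names a DLL-like file. Added
example; the sample shortcuts are constructed here and their item layout is illustrative."""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001          # LinkFlags bit 0
# Standard shell namespace CLSIDs
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
SUSPECT_EXTENSIONS = (".dll", ".cpl", ".tmp")   # heuristic list, an assumption of this example


def parse_id_list(data, off):
    """IDListSize (uint16) followed by ItemIDs: uint16 size (including the size field) +
    data, terminated by a 0x0000 TerminalID. Returns (items, offset after the list)."""
    (id_list_size,) = struct.unpack_from("<H", data, off)
    off += 2
    end = off + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while off + 2 <= end:
        (size,) = struct.unpack_from("<H", data, off)
        if size == 0:                      # TerminalID
            break
        if size < 2 or off + size > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(data[off + 2:off + size]))
        off += size
    return items, end


def item_clsid(item):
    """A shell CLSID item is: type byte, sort byte, 16-byte GUID (little-endian layout)."""
    return uuid.UUID(bytes_le=item[2:18]) if len(item) >= 18 else None


def suspect_file_name(item):
    """Heuristic: look for a DLL-like extension in the item's payload, decoded both as
    UTF-16LE (long-name items) and as 8-bit text (8.3 items)."""
    payload = item[2:]
    for text in (payload.decode("utf-16-le", errors="ignore"), payload.decode("latin-1")):
        if any(ext in text.lower() for ext in SUSPECT_EXTENSIONS):
            return text.rstrip("\x00")
    return None


def analyze_lnk(data):
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shortcut")
    header_size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("not a shell link")
    report = {"items": 0, "control_panel": False, "suspect_file": None, "suspicious": False}
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return report
    items, _ = parse_id_list(data, LNK_HEADER_SIZE)
    report["items"] = len(items)
    for item in items:
        if item_clsid(item) == CLSID_CONTROL_PANEL:
            report["control_panel"] = True
        name = suspect_file_name(item)
        if name:
            report["suspect_file"] = name
    # A shortcut to a file lives under a drive/folder path; a Control Panel item that names
    # a DLL on disk is the combination this example sets aside for a closer look.
    report["suspicious"] = report["control_panel"] and report["suspect_file"] is not None
    return report


# --- constructed samples (illustrative layout, not copied from any real shortcut) ----------
def _item(type_byte, payload):
    body = bytes([type_byte, 0x00]) + payload
    return struct.pack("<H", len(body) + 2) + body


def _build_lnk(items):
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST, 0)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = b"".join(items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


def sample_suspect_lnk():
    return _build_lnk([
        _item(0x1F, CLSID_MY_COMPUTER.bytes_le),
        _item(0x1F, CLSID_CONTROL_PANEL.bytes_le),
        _item(0x00, "E:\\example.dll".encode("utf-16-le") + b"\x00\x00"),
    ])


def sample_benign_lnk():
    return _build_lnk([
        _item(0x1F, CLSID_MY_COMPUTER.bytes_le),
        _item(0x00, "C:\\notes.txt".encode("utf-16-le") + b"\x00\x00"),
    ])


if __name__ == "__main__":
    for name, blob in (("suspect", sample_suspect_lnk()), ("benign", sample_benign_lnk())):
        print(name, analyze_lnk(blob))
```

Run it over every `*.lnk` on a mounted drive before anyone opens the drive in Explorer; the parser never resolves or loads anything, it only reads bytes. The size checks in `parse_id_list` matter because a triage tool that trusts `IDListSize` or an item size blindly is itself a parser that can be fed crafted input.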


does anyone know where to get stuxnet from? can't find it on the regular virii sources...


There's at least one sample on OffensiveComputing.


Take care. While this does have a lot of clear information about Stuxnet it also has lots of idle speculation and "wink wink" stuff.


Ok, actually I do retract that. It's an excellent overview - I just didn't like the small pieces of speculation they did drop in without marking them as such ;)



