Stuxnet: An actual Cyber attack weapon

Started by Triple Zero, September 22, 2010, 05:29:17 PM


Jasper

But it's not beyond imagining that script kiddies will have this sort of weapon in a few years?

Triple Zero

Quote from: Sigmatic on September 30, 2010, 02:15:30 AM
But it's not beyond imagining that script kiddies will have this sort of weapon in a few years?

Yeah.

I mean, I doubt "They" will let it happen, or like that without some sort of "catch", I dunno, plus even if you do make it point-and-click the actual "malfunction/crash/trash the industrial facility part" will always require some inside knowledge of the control systems involved since I suppose they are specific to a facility. Plus, the spreading-via-USB trick, while clever, still requires some social engineering. And of course I suppose that industrial facilities will improve their computer security cause I can understand if they're scared shitless now :)

BUT

It is totally not beyond imagining, in the sense of an awesome and believable near-future cyberpunk spy-thriller story.

They don't call these things "movie plot threats" for nothing ;-)
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Jasper

Okay posit just one talented rat-bastard of a programmer.  He attempts to make a software suite that has libraries of all the commands for common industry PLCs, whose goal is to make it easy for non-programmers to sabotage all manner of industry.

What are the odds of his success, do you think?

Doktor Howl

Quote from: Sigmatic on September 30, 2010, 06:02:26 PM
Okay posit just one talented rat-bastard of a programmer.  He attempts to make a software suite that has libraries of all the commands for common industry PLCs, whose goal is to make it easy for non-programmers to sabotage all manner of industry.

What are the odds of his success, do you think?

In my case, he couldn't do anything at all, as our logic is entirely off line for that very reason.
Molon Lube

Jasper

I think the way old Stuxnet works is, it enters a system through a USB stick.  No internet required.

Doktor Howl

Quote from: Sigmatic on September 30, 2010, 06:10:44 PM
I think the way old Stuxnet works is, it enters a system through a USB stick.  No internet required.

Our computers don't accept USB sticks, so we can't haul off company data to sell to competitors.

We're actually covered, here.

ETA:  Also, we only have one laptop that can access the plant logic.

Jasper

That's good then.  Does any Fucking Stupid person have access to the laptop?

ETA: You needn't answer that out loud, but it's worth looking into.

Doktor Howl

Quote from: Sigmatic on September 30, 2010, 06:15:26 PM
That's good then.  Does any Fucking Stupid person have access to the laptop?

ETA: You needn't answer that out loud, but it's worth looking into.

No, not ANY stupid person.  Just the engineer, who is like a human Stuxnet.  Also, myself and the I&E techs, who definitely don't want anything to go wrong.

Jasper

This engineer fellow sounds like a character. :lol:

Triple Zero

Quote from: Doktor Howl on September 30, 2010, 06:11:54 PM
Quote from: Sigmatic on September 30, 2010, 06:10:44 PM
I think the way old Stuxnet works is, it enters a system through a USB stick.  No internet required.

Our computers don't accept USB sticks, so we can't haul off company data to sell to competitors.

We're actually covered, here.

ETA:  Also, we only have one laptop that can access the plant logic.

Sounds like you're doing it right.

I wasn't surprised to find there are apparently plants that are doing it wrong (useful assumption in computer security), it was more an "either they do or they don't" kind of thing. I could imagine IT being rather old in some places and therefore not having modern computer security strategies, but then there's probably those that do secure their stuff properly (like yours)--I wouldn't dare guess how many though.

(umm that's like a really long way of saying I don't know anything about the state of IT in industrial facilities :) )

Triple Zero

Quote from: Triple Zero on September 29, 2010, 08:38:54 AM
(*except for botnets which run on hacked computers in Africa running unlicensed windows versions which are a lot harder to patch--I'm not making this up but most African Windows machines have "computer AIDS" :| )

Well this is odd:

http://biztechafrica.com/section/security/article/africa-web-surfing-safe/171/

Seems I was wrong about that, according to an AVG survey Africa is in the top 10 of "safest" web surfing countries.

I'm pretty sure that I read somewhere that large botnets 0wn a lot of computers in Africa because they run old unpatched versions of Windows ... Either that changed, AVG measured something else, or maybe they are so infected it's no use to target them again :?



In other Stuxnet news, they think it's from Israel now, because there's a string "Myrtel"--or something.. Myrtus? I forgot--inside the code which is a biblical reference, as well as a magical number that signifies "dont hax0r this box" which is actually a date in 1979 of a terrorist assassination something or other: http://www.telegraph.co.uk/news/worldnews/middleeast/israel/8034987/Israeli-cyber-unit-responsible-for-Iran-computer-worm-claim.html (not the best article, but quickest i could find)

Cain

Asia Times Online also talks about the Biblical references in the code here http://www.atimes.com/atimes/Global_Economy/LJ02Dj03.html

Quote
Over the past week, security companies have been dissecting the malware code in an effort to reveal clues about its creators. Feeding conjecture that is spreading across the Internet and media are obscure biblical references discovered hidden in the code.

The word "Myrtus" offers an ephemeral reference to an Old Testament tale in the Book of Esther, depicting a story about a pre-emptive move by the Jews against a Persian plot to destroy them. The Hebrew word for myrtle, "Hadassah", was the birth name of Esther, a Jewish queen of Persia.

Other cryptic messages include the date "05091979" which refers to May 9, 1979 - the day Jewish Iranian businessman and philanthropist Habib Elghanian, who played a significant role in bringing Western technology to Iran in the 1960s and 1970s, was executed in Tehran.

The digital calling cards in the code could be red herrings designed to flummox investigators or, as many suspect, they could be confirmation of an Israeli effort to thwart Iranian nuclear ambitions.

Israel has never hidden its intentions to undermine the computer systems that manage Iran's large uranium-enrichment plant at Natanz, but the malware has also appeared in other countries, including China, India and Indonesia.

It has been reported that Iranian engineers have been struggling to control the huge centrifuges at Natanz that are required for uranium enrichment. The emergence of Stuxnet at another plant only adds to their suspicions.

Israel's secret cyberwar division, Unit 8200, has received huge resources in recent times so it is entirely possible that the Stuxnet attack on Bushehr - which does not process uranium - was a warm-up for something bigger.

Cyber warfare stakes have now moved up a level, to one that leaves it highly unlikely Iran will be able to retaliate through USB sticks and computer code.

Cain

Note: in most of the world, the date apparently hidden in the code would be read as September 5th 1979.  I'm not the only one to have noticed this, fortunately, but the speculation based on it is pretty weak.  I'm having trouble finding anything related to Israel that happened on that day, and I'm not sure of Israeli date-writing conventions.

Adios

http://news.yahoo.com/s/ap/20101009/ap_on_re_mi_ea/iran_nuclear

On Tuesday, Foreign Ministry spokesman Ramin Mehmanparast said Iran believed the computer worm was part of a Western plot to sabotage its nuclear program.

Who created the Stuxnet code and what its precise target is, if any, remains a mystery.

The web security firm Symantec Corp. has said Stuxnet was likely spawned by a government or a well-funded private group. It was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, Symantec says.

As Iran battled the computer worm over recent weeks, the intelligence minister announced authorities had arrested two nuclear spies. He did not, however, reveal their identities or clearly link them to the Stuxnet problem.



So they were infected. Interesting.

Triple Zero

Via http://www.f-secure.com/weblog/archives/00002040.html . Good stuff, answers the right questions. Visit the link which also has a few diagrams, and a demo video or something, but here I copypasted the Q & A :

Stuxnet continues to be a hot topic. Here are answers to some of the questions we've received.

Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.

Q: Can it spread via other USB devices?
A: Sure, it can spread via anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.

Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.



Q: Which factory is it looking for?
A: We don't know.

Q: Has it found the factory it's looking for?
A: We don't know.

Q: What would it do if it finds it?
A: It makes complex modifications to the system. Results of those modifications can not be detected without seeing the actual environment. So we don't know.

Q: Ok, in theory: what could it do?
A: It could adjust motors, conveyor belts, pumps. It could stop a factory. With the right modifications, it could cause things to explode.

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.

Q: What's the relation between Realtek and Jmicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan. Which is weird.

Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:

LNK (MS10-046)
Print Spooler (MS10-061)
Server Service (MS08-067)
Privilege escalation via Keyboard layout file
Privilege escalation via Task Scheduler

Q: And these have been patched by Microsoft?
A: The two Privilege escalations have not yet been patched.

Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.

Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

Q: When was it discovered?
A: A year later, in June 2010.

Q: How is that possible?
A: Good question.

Q: Was Stuxnet written by a government?
A: That's what it would look like, yes.

Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.

Q: Was it Israel?
A: We don't know.

Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.

Q: Was the target Iran?
A: We don't know.

Q: Is it true that there are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh... we don't know, really.

Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.

Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.

Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. First variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.

Q: Disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use. The LNK vulnerability used by Stuxnet would infect you even if AutoRun and AutoPlay were disabled.

Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

Q: How many computers did it infect?
A: Hundreds of thousands.

Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into the home of an employee, finding his USB sticks and infecting them. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue to spread elsewhere also. This is why Stuxnet has spread worldwide.

Q: Anything else it could do, in theory?
A: Siemens announced last year that Simatic can now also control alarm systems, access controls and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and Mission Impossible.



Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.

Q: Does F-Secure detect Stuxnet?
A: Yes.

Note: We have learned many of the details mentioned in this Q&A in discussions with researchers from Microsoft, Kaspersky, Symantec and other vendors.
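The F-Secure Q&A above describes two host-side artifacts worth knowing how to look for: the PDB build path a compiler leaves in a binary (the "\myrtus\..." and "\Aurora_Src\..." strings, which told researchers the project names) and the "19790509" registry data Stuxnet uses as an infection marker. The script below is an added example, not F-Secure's code and not anything posted in this thread: it pulls PDB paths out of CodeView "RSDS" debug records (the standard layout is the 4-byte "RSDS" tag, a 16-byte GUID, a 4-byte age, then a NUL-terminated path), compares them with the two paths quoted in the Q&A, extracts the leaked project folder name, and scans a registry dump for the marker value. The sample binary, the registry dump and every key and value name in it are constructed here for illustration; the thread does not say which registry key Stuxnet writes, so the placeholders are not real locations.

```python
"""
Added example (not from the F-Secure post, the thread, or any vendor tool):
recover PDB build paths from CodeView "RSDS" debug records in a binary, compare
them with the two build-path artifacts quoted in the Q&A, and look for the
"19790509" infection-marker data in a registry dump.
"""
import re
import struct
import uuid

# Build-path artifacts exactly as quoted in the F-Secure Q&A; the labels are mine.
KNOWN_PDB_ARTIFACTS = {
    r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb": "Stuxnet",
    r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb": "Operation Aurora",
}
_ARTIFACTS_LOWER = {k.lower(): v for k, v in KNOWN_PDB_ARTIFACTS.items()}

# Registry data the Q&A says Stuxnet writes as its "already infected" marker.
STUXNET_INFECTION_MARKER = "19790509"

# CodeView RSDS record: b"RSDS" | 16-byte GUID | uint32 age | NUL-terminated path.
_RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(blob):
    """Return every PDB path carried by an RSDS record in blob, in file order."""
    paths = []
    for m in re.finditer(rb"RSDS", blob):
        path_start = m.start() + _RSDS_HEADER_LEN
        if path_start > len(blob):          # header runs past EOF: truncated record
            continue
        nul = blob.find(b"\x00", path_start)
        if nul == -1:                       # unterminated path: not a valid record
            continue
        path = blob[path_start:nul]
        if path.lower().endswith(b".pdb"):  # filters chance "RSDS" byte sequences
            paths.append(path.decode("latin-1"))
    return paths


def project_name(pdb_path):
    """First directory of the build path, e.g. "myrtus": the project folder name
    that the Q&A says the authors probably did not intend to leak."""
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):   # drop a drive letter
        parts = parts[1:]
    return parts[0] if len(parts) > 1 else ""


def classify_pdb_paths(paths):
    """Pair each path matching a known artifact with its label (case-insensitive)."""
    return [(p, _ARTIFACTS_LOWER[p.lower()]) for p in paths if p.lower() in _ARTIFACTS_LOWER]


def find_infection_markers(registry_dump):
    """Names of registry values whose data equals the Stuxnet marker, sorted."""
    return sorted(name for name, data in registry_dump.items()
                  if str(data) == STUXNET_INFECTION_MARKER)


# ---- constructed sample input (not real Stuxnet bytes) ----
def _rsds_record(pdb_path, age=1):
    return b"RSDS" + uuid.UUID(int=0x1234).bytes + struct.pack("<I", age) + pdb_path + b"\x00"


SAMPLE_BINARY = (
    b"MZ" + b"\x90" * 62                                                  # stand-in for a PE header
    + _rsds_record(rb"C:\build\example\Release\example.pdb")               # benign, made-up path
    + b"\x00" * 16
    + _rsds_record(rb"\myrtus\src\objfre_w2k_x86\i386\guava.pdb", age=3)  # path quoted in the Q&A
    + b"\x00" * 8
    + b"RSDS\x00\x00"                                                     # truncated record at EOF
)

# Constructed registry dump. The key and value names are placeholders: the thread
# reports only the marker data "19790509", not where Stuxnet writes it.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Placeholder\BuildStamp": "20100601",
    r"HKLM\SOFTWARE\Placeholder\Marker": "19790509",
    r"HKCU\Software\Placeholder\LastRun": 19790509,   # numeric data still matches
}


def scan(blob, registry_dump):
    paths = extract_pdb_paths(blob)
    return {
        "pdb_paths": paths,
        "project_names": [project_name(p) for p in paths],
        "attributions": classify_pdb_paths(paths),
        "marker_values": find_infection_markers(registry_dump),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_BINARY, SAMPLE_REGISTRY).items():
        print(f"{key}: {value}")
```

On a real sample you would feed the file bytes to extract_pdb_paths and a parsed registry export to find_infection_markers; the record parser deliberately tolerates a truncated "RSDS" at end of file and ignores byte runs that happen to spell "RSDS" but are not followed by a .pdb path, so it can be run over whole files rather than only the PE debug directory.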