
Stuxnet: An actual Cyber attack weapon

Started by Triple Zero, September 22, 2010, 05:29:17 PM


Nephew Twiddleton

Quote from: Charley Brown on September 22, 2010, 07:40:19 PM
Well, if it's an actual attack, I would look to Siemens competitors in the PLC market. Trying to sell their PLCs.

DEADFOO7 doesn't sound like an executable command but instead a diagnostic code.

Create a problem, give the solution.
Strange and Terrible Organ Laminator of Yesterday's Heavy Scene
Sentence or sentence fragment pending

Soy El Vaquero Peludo de Oro

TIM AM I, PRIMARY OF THE EXTRA-ATMOSPHERIC SIMIANS

Disco Pickle

haven't had a chance to dig through the thread yet as I'm up to my neck in work and just taking a quick break, but I just read an article in Rockwell Automation's trade journal about securing industrial computers and controllers from internal and external threats.  

Any factory worth its salt has a buffer zone in place that forces network traffic to originate or terminate within the network.  Of course, if access is gained to the enterprise network, and someone can get access to a program that's communicating to a computer within the buffer zone, then boom, they have access to an industrial computer that's driving plant equip.

Rockwell is working with Cisco and selling their own security approach, which stinks a bit to me, but then I've always had a suspicion that certain anti-virus companies fund virus creation in order to drive their market.

Not that Rockwell and Cisco necessarily would need to drive this extra market, but I wouldn't be surprised if Rockwell didn't develop technology of this sort internally or that it was derived from their own in house security testing teams.

I'll finish the thread later, but good subject.  It's something my own company may have to begin addressing if certain entities begin to demand stronger security requirements built into their switchgear and power control systems.
"Events in the past may be roughly divided into those which probably never happened and those which do not matter." --William Ralph Inge

"sometimes someone confesses a sin in order to take credit for it." -- John Von Neumann

Triple Zero

Quote from: Golden Applesauce on September 22, 2010, 06:46:51 PM
Quote
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

It employs the amazing new trick of requiring the victim to physically insert an infected memory stick?

We're screwed.

Heh, yeah. I was feeling kind of double about that quote too.

On the one hand it's a pretty powerful trick, if used right and if it goes undetected for a while. In some companies people plug their USBs in all over the place. An added benefit is that it can work completely quietly, and needs no tricky exploits to execute arbitrary code. Unlike, say, a Flash or Acrobat plugin exploit, which usually needs to cause some crazy overflow in order to trip the OS into executing specially crafted code, often crashing something or making the system glitch.

Yet on the other hand, it's hardly new.

Another thing I wonder about is how it can specifically infect industrial control computers. Usually a virus just spreads as far and wide as it can.

Quote
foo is a standard generic name in computer science.  So I parse that filename as DEAD+FOO+7, not DEADF+007.

then it spells DEADFOOT? cause the 7 can be a T like in 31337.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Triple Zero

Quote from: Charley Brown on September 22, 2010, 07:40:19 PM
Well, if it's an actual attack, I would look to Siemens competitors in the PLC market. Trying to sell their PLCs.

DEADFOO7 doesn't sound like an executable command but instead a diagnostic code.

0xDEADF007 is a hexadecimal number. 3735941127 in decimal.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Golden Applesauce

Quote from: Charley Brown on September 22, 2010, 07:40:19 PM
Well, if it's an actual attack, I would look to Siemens competitors in the PLC market. Trying to sell their PLCs.

If the US cyberdefense geeks haven't immediately cracked the virus, I see three possibilities:
1.)  They have the capability to do so, but haven't because it was either of US Gov't origin or someone we don't want to dick over / get in a fight with publicly.
2.)  They've been trying to crack the virus and have so far failed to do so fully.  This restricts the country of origin to somewhere like Russia or China, who are somewhat ahead of us in the cyber race.  Maybe Israel?  Would they tell the US if they snuck an infected USB drive into Iranian power plants?
3.)  They have in fact cracked the virus, but aren't going to tell everyone (or at least the public) about it because by keeping the originator guessing they gain some national security advantage.

A PLC manufacturer that isn't Siemens probably doesn't have the expertise to pull this off.  Siemens itself probably doesn't have the expertise to pull this off - according to the wiki the attack involves numerous 0-day vulnerabilities in Windows, stolen security certificates, etc.

http://langner.com/en/ seems to have some information about this.  I like his Russian contractor point of infection theory.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Telarus

There are only 8 google hits for "pwn the means of production"......
Telarus, KSC,
.__.  Keeper of the Contradictory Cephalopod, Zenarchist Swordsman,
(0o)  Tender to the Edible Zen Garden, Ratcheting Metallic Sex Doll of The End Times,
/||\   Episkopos of the Amorphous Dreams Cabal

Join the Doll Underground! Experience the Phantasmagorical Safari!

Golden Applesauce

Quote from: Triple Zero on September 23, 2010, 01:59:09 AM
Quote from: Golden Applesauce on September 22, 2010, 06:46:51 PM
Quote
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

It employs the amazing new trick of requiring the victim to physically insert an infected memory stick?

We're screwed.

Heh, yeah. I was feeling kind of double about that quote too.

On the one hand it's a pretty powerful trick, if used right and if it goes undetected for a while. In some companies people plug their USBs in all over the place. An added benefit is that it can work completely quietly, and needs no tricky exploits to execute arbitrary code. Unlike, say, a Flash or Acrobat plugin exploit, which usually needs to cause some crazy overflow in order to trip the OS into executing specially crafted code, often crashing something or making the system glitch.

Yet on the other hand, it's hardly new.

Another thing I wonder about is how it can specifically infect industrial control computers. Usually a virus just spreads as far and wide as it can.

The more I think about it, the more a USB attack makes total sense.  Any moron can isolate his plant from the outside web, but stopping USB drives either requires your plant to go completely removable-storage-less or to train all of your employees and all of your contractors against sticking untrusted drives into computers that control nuclear reactors.  What's sad is that the last bit is going to be harder to achieve.  (Especially if a foreign agent infiltrates your contractors.)

As for the specificity, if it were possible to restrict my viruses to only infecting relevant machines, I'd do it - the fewer machines infected, the lower your chances of detection.  If you're only after one plant, then getting extra computers after that benefits you nothing, and only risks your code getting found earlier.

GA's ultimate company-wide firewall:
1.  Find every computer that has access to the company local net.
2.  Chew lots of gum.
3.  Insert chewed gum into every orifice on that computer that can accept arbitrary data.
4.  Use keyboards and mice with the old-style connectors.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

the last yatto

This kinda reminds me of the files Kevin found on Shimomura's computer.

The toolkit he created to test cities and power plants is one step up the food chain.
Look, asshole:  Your 'incomprehensible' act, your word-salad, your pinealism...It BORES ME.  I've been incomprehensible for so long, I TEACH IT TO MBA CANDIDATES.  So if you simply MUST talk about your pineal gland or happy children dancing in the wildflowers, go talk to Roger, because he digs that kind of shit

Requia ☣

Quote from: Golden Applesauce on September 23, 2010, 05:02:19 AM
Quote from: Triple Zero on September 23, 2010, 01:59:09 AM
Quote from: Golden Applesauce on September 22, 2010, 06:46:51 PM
Quote
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

It employs the amazing new trick of requiring the victim to physically insert an infected memory stick?

We're screwed.

Heh, yeah. I was feeling kind of double about that quote too.

On the one hand it's a pretty powerful trick, if used right and if it goes undetected for a while. In some companies people plug their USBs in all over the place. An added benefit is that it can work completely quietly, and needs no tricky exploits to execute arbitrary code. Unlike, say, a Flash or Acrobat plugin exploit, which usually needs to cause some crazy overflow in order to trip the OS into executing specially crafted code, often crashing something or making the system glitch.

Yet on the other hand, it's hardly new.

Another thing I wonder about is how it can specifically infect industrial control computers. Usually a virus just spreads as far and wide as it can.

The more I think about it, the more a USB attack makes total sense.  Any moron can isolate his plant from the outside web, but stopping USB drives either requires your plant to go completely removable-storage-less or to train all of your employees and all of your contractors against sticking untrusted drives into computers that control nuclear reactors.  What's sad is that the last bit is going to be harder to achieve.  (Especially if a foreign agent infiltrates your contractors.)

As for the specificity, if it were possible to restrict my viruses to only infecting relevant machines, I'd do it - the fewer machines infected, the lower your chances of detection.  If you're only after one plant, then getting extra computers after that benefits you nothing, and only risks your code getting found earlier.

GA's ultimate company-wide firewall:
1.  Find every computer that has access to the company local net.
2.  Chew lots of gum.
3.  Insert chewed gum into every orifice on that computer that can accept arbitrary data.
4.  Use keyboards and mice with the old-style connectors.

It's possible to turn those things off in BIOS, then password protect the BIOS.  (also get a motherboard that doesn't have a reset jumper).
Inflatable dolls are not recognized flotation devices.
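As an added example (not code from anyone in this thread), here is the operating-system-level counterpart to the "turn it off in BIOS and password-protect the BIOS" approach above: a small PowerShell script that audits and disables the Windows USB mass-storage driver (the USBSTOR service) so removable drives no longer mount. It assumes a Windows host that uses the USBSTOR service and an elevated prompt; the function names are my own.

```powershell
# Added example: block USB mass storage at the OS level, as a complement to
# (not a replacement for) disabling the ports in BIOS. Requires an elevated
# prompt. Assumes a Windows version that ships the USBSTOR service.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStoragePolicy {
    # Start = 3 (SERVICE_DEMAND_START): driver loads when a drive is plugged in.
    # Start = 4 (SERVICE_DISABLED):     driver never loads, drives do not mount.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        StartValue = $start
        Blocked    = ($start -eq 4)
    }
}

function Disable-UsbStorage {
    # Flip the service to disabled; takes effect for newly inserted drives.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    # Restore the default on-demand start value.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# Audit, apply, and re-audit:
Get-UsbStoragePolicy
Disable-UsbStorage
Get-UsbStoragePolicy
```

Two caveats a practitioner would want: this only stops USB *storage* (keyboards, mice and other non-storage devices still enumerate), and any local administrator can set the value back, which is exactly why the post pairs the BIOS lockout with a BIOS password. Audit the value periodically rather than trusting that it stayed set.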

Cain

There is virtually no dividing line between Israeli and US intelligence (or British and American intelligence for that matter) so they are obviously the main suspects.  The only other nations with sufficiently advanced cyberwarfare capabilities either don't involve themselves in the Middle East in that way (Japan, South Korea, Brazil) or are invested in keeping Iran working as well as possible (Russia, China)

Cain

And given the code isn't apparently as complex as many in the media are making it, it could even be rogue elements of the aforementioned collaborating with anti-Iranian hacktivists, of which there are plenty.

Triple Zero

I'd try sending one of the sysadmins a really good deal for company-branded ("empty") USB sticks.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Doktor Howl

Am I the only one that is reminded of The Masque of the Red Death?
Molon Lube

Golden Applesauce

Quote from: Charley Brown on September 22, 2010, 07:30:32 PM
I don't know how much redundancy something like a nuclear plant would have, but I bet one failed PLC wouldn't do shit.

Once it gets on the local network it spreads to infect all of the PLCs.  Just replacing one PLC wouldn't do any good, because the program would just re-infect it.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

bds

It seems stupid to me that nuclear computer systems aren't entirely closed. Nothing gets stuck in, nothing gets taken out. Gotta upgrade the system? Buy new computers. Or new hard drives, at least.