Mystery lingers over stealthy Stuxnet infection

The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates. The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars 1 Silver badge
    Alien

    The Blind leading the BIND

    Doesn't Rob Rosenberger realise that SANS haven't a clue about what Stuxnets do. Although that is probably just as IT is supposed to be, and Programmed.

    Softly Softly, Catchee Keys .... Take Over Key Market Triggers. ...... and much more Dream Scenario than Ridiculous Overhype.

    Do you understand all of that extraterrestrial explanation, or only some of it/a few bits? My word, we are a tad slow, aren't we.

    1. Anonymous Coward
      Welcome

      Why the thumbs down ?

      I 4 1 welcome the articulate mystical freewheeling meanderings from the am/fm ether(net)

      Much more rational than most of what gets posted on these forums !

  2. FanMan

    Obvious solution

    the ayatollahs should switch to Macs heh heh

  3. solarian

    Reality check

    The comment from Mahmoud Jafari, to the effect that it was discovered merely on "personal computers" at Bushehr, and that no damage was inflicted, is probably inaccurate. The fact that they've been saying it'll take them some time to discover the depth of the infection suggests this is merely propaganda.

  4. Daniel B.
    Black Helicopters

    Conspiracy theorists' motherlode

    "In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) and rootkit-style technology, factors that helped the malware stay under the radar for much longer than might normally be the case."

    Either RSA has been broken, or some intelligence agency gave a hand in acquiring the private keys. Either way, this ain't the job of your average malware writer. Tinfoil hats, on!

    1. Anomalous Cowherd Silver badge

      Not quite

      There's a third option, which is another virus was used to pilfer the private keys. There are plenty out there with keyloggers looking for credit card numbers already - adapting one to use a payload designed to intercept calls to a code signing API wouldn't be improbable.

  5. Disco-Legend-Zeke
    Pint

    If The Technology Exists...

    ...other entities will attack other SCADA facilities.

    Given the pervasiveness of the software, we should be stocking up on candles and drinking water.

    And beer, don't forget the beer.

  6. John Smith 19 Gold badge
    FAIL

    So what's the gain here?

    High "Coolness" level? I'm guessing you need to play with a live one of these to get your game down and that seems quite an expensive hobby (unless you bought it with some stolen credit cards of course).

    Shut down charging on utilities? Free Gas/electric/water/sewerage for life? Bit small time for the effort.

    On demand disruption/destruction of target infrastructure?

    Ransom? "This is #1. Unless the sum of xxx million $ in cash/bearer bonds/diamonds/hard drugs is delivered by (very clever but completely mad ransom drop method) by 10am GMT 1 week from today the major cities of these countries will have their toilets simultaneously backed up. Mwowooooohahahahaha."

    It's all a bit James Bond for people who just want your credit card details and DoB.

    And once again WTF are people hooking SCADA systems up to the internet or letting unauthorized insecure USB drives be connected to specialized control systems?

  7. Anonymous Coward

    "some intelligence agency gave a hand in acquiring the private keys."

    If you're a network card vendor and you've picked an overseas company to design and test the silicon (and maybe also the card it sits on), then obviously part of the testing process involves testing the driver. That needs the card vendor's digital certificate.

    Are readers aware that Israel has for many years had its own local equivalent of Silicon Valley?

    Just askin, like.

  8. VeganVegan
    Black Helicopters

    The pointy end of the spear

    It seems that much of what's been discussed are related to the many ways it spreads in Windoze machines, exploiting several zero-day exploits & 'fake' certificates, etc.

    While the PC infections have caused much teeth-gnashing & inconvenience, it seems that all of this is just an avenue to get it to the one or few PCs that are connected to a particular subset of PLCs. Windoze just happens to be insecure, and is the type of computer most often used to work with PLCs.

    Stuxnet then hides itself in the PLC so that the connected PC & its operator can't easily tell that the PLC has been altered. This too is likely not the ultimate purpose.

    Of the billions of PLCs that are used, in your automobile & nuclear plant & elsewhere, why infect this particular subset of PLCs? What is the infection designed to do to the machinery that is controlled by the PLC?

    I wonder if anyone has hooked up an infected PC to a mimic of the intended PLC (with the correct characteristics that stuxnet is looking for) as an experimental system, and systematically injected various commands and/or data into the PLC, coupled with memory dumps, to see what stuxnet is really aiming to do. Another approach might be to have an uninfected PLC in parallel, and compare its input/output with that of the infected PLC.

  9. Walking Turtle
    Coat

    The Rest of the Story is Probably Still Out There.

    For additional mystery-clue background, one might have a gander @

    http://www.dailytech.com/Israel+Suspected+in+Worm+Sabotage+of+Irans+First+Nuclear+Plant/article19726.htm and the Wikileaks link therein.

    Mine's the one with the Mad Magazine in the pocket, opened to the Spy-Versus-Spy 'toon page.

  10. ZenCoder

    It's true ...

    If true this is a lot more human friendly than a "surgical" air strike.

    What would convince me that this is military grade is if great care was taken to prevent the malware from being studied, subverted and/or modified and then turned against its creators.

    No matter what the facts ... the upside is that this could shift the focus of the computing world from innovating and adding new features to going back and recoding their old software in a more secure fashion.

    I'd love to see Windows XP SE (Security Edition), doesn't do one thing more than the old XP, doesn't do anything better than the old XP, but every component has been rebuilt from the ground up with security and stability in mind and those that couldn't be secured were jettisoned.

    And it's not just Windows .. every complex piece of software out there is riddled with unpatched security vulnerabilities both known and unknown.

  11. Anonymous Coward
    Linux

    "Stuxnet then hides itself in the PLC"

    "Stuxnet then hides itself in the PLC"

    Not exactly it doesn't. Maybe you didn't type what you meant. Maybe you didn't understand. Go back to Langner's work and read it again.

    http://www.langner.com/en/index.htm

    The Stuxnet payload hides itself in the PLC programming tools on the host PC, and corrupts the program which is downloaded from PC to PLC. It's not really "hidden" at that stage, but if you don't look for it you don't see it.

    "all of this is just an avenue to get it to the one or few PCs that are connected to a particular subset of PLCs."

    Now we're talking. With most viruses to date, the aim of the malware has been to knacker the PC, or to get info off the PC or money off its user.

    With Stuxnet, it seems like the Windows box vulnerabilities are simply a delivery mechanism. The actual payload is intended to do something unwanted to a non-Windows box - the PLC. Again, Langner has the details.

    "to see what stuxnet is really aiming to do."

    To do that properly you'd have to know what program was meant to be in the target PLC. Not many people have access to that information. Langner makes some educated guesses.

    The bigger message here is that there is now no valid reason not to ditch Windows as a platform for stuff that can control critical real world kit. That applies as much to Windows for Warships as it does to tools used to develop and manage aircraft control systems or electricity generation/distribution or whatever.

    PHBs wake up, you have nothing to lose but your MCP certifications.
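    The verification idea raised in posts 8 and 11 above, checking what is actually on the PLC against a trusted baseline through a path that does not go through the engineering workstation's own tools, as an added example. This is not code from the thread, from Langner or from any vendor: the block names, block contents, the tampered-workstation model and the `read_back_independent` channel are all constructed placeholders, not real Siemens block layouts.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample: the program blocks the engineering team intends to run on the PLC.
# Block names and contents are placeholders, not a real PLC program format.
GOLDEN_PROGRAM: Dict[str, bytes] = {
    "OB1": b"main cycle: call FC1; call FC2",
    "FC1": b"read sensors; scale; write DB1",
    "FC2": b"compare DB1 setpoint; drive outputs",
    "DB1": b"setpoint=1000;limit=1200",
}


def block_digest(data: bytes) -> str:
    """SHA-256 of one block's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def manifest(program: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline manifest: block name -> digest, computed once from the golden copy."""
    return {name: block_digest(data) for name, data in program.items()}


def compare_to_baseline(baseline: Dict[str, str], observed: Dict[str, bytes]) -> Dict[str, str]:
    """One finding per block: 'ok', 'modified', 'missing' (in baseline, not on PLC)
    or 'unexpected' (on PLC, not in baseline)."""
    findings: Dict[str, str] = {}
    for name, expected in baseline.items():
        if name not in observed:
            findings[name] = "missing"
        elif block_digest(observed[name]) != expected:
            findings[name] = "modified"
        else:
            findings[name] = "ok"
    for name in observed:
        if name not in baseline:
            findings[name] = "unexpected"
    return findings


class TamperedWorkstation:
    """Constructed model of an engineering station whose programming tool has been
    subverted: it shows the operator the intended program while the PLC receives
    something else. The tampering applied here is invented for the example."""

    def __init__(self, program: Dict[str, bytes]) -> None:
        self.intended = dict(program)
        self.plc_memory: Dict[str, bytes] = {}

    def download(self) -> None:
        self.plc_memory = dict(self.intended)
        # Constructed tampering: one block altered, one extra block added on the PLC.
        self.plc_memory["FC2"] = b"compare DB1 setpoint; drive outputs; altered timing"
        self.plc_memory["FC999"] = b"injected logic"

    def view_from_workstation(self) -> Dict[str, bytes]:
        # The subverted tool reports exactly what the operator expects to see.
        return dict(self.intended)

    def read_back_independent(self) -> Dict[str, bytes]:
        # Readback over a channel the suspect workstation does not mediate, e.g. a
        # second, clean station (assumed to be available for this example).
        return dict(self.plc_memory)


def audit(ws: TamperedWorkstation) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Compare both views of the PLC against the baseline manifest."""
    baseline = manifest(GOLDEN_PROGRAM)
    via_workstation = compare_to_baseline(baseline, ws.view_from_workstation())
    via_independent = compare_to_baseline(baseline, ws.read_back_independent())
    return via_workstation, via_independent


if __name__ == "__main__":
    station = TamperedWorkstation(GOLDEN_PROGRAM)
    station.download()
    through_tool, through_readback = audit(station)
    print("via workstation tool:", through_tool)      # everything reports 'ok'
    print("via independent readback:", through_readback)  # FC2 modified, FC999 unexpected
```

    The point the two posts make is visible in the two result dictionaries: the check that relies on the workstation's own view passes cleanly, and only the readback that bypasses the suspect tooling shows the altered and injected blocks. The baseline manifest has to be generated and stored somewhere the workstation cannot rewrite, otherwise the comparison inherits the same trust problem.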

  12. Anonymous Coward
    Boffin

    One wonders

    I can see the purpose of leaving infections active after the virus determines that the specific PC it is on is not connected to any Siemens Simatic WinCC SCADA systems. But you'd think that the infections that can actually access the correct Siemens Simatic WinCC SCADA systems and reprogram their PLCs would then be programmed to uninstall themselves as part of covering their tracks.

    The other interesting issue arises from the geographical dispersion of the virus. The fact that Kaspersky Labs says that there are far more infections in India (86,000) and Indonesia (34,000) than in Iran (14,000) is very interesting, as it suggests that there is far more information flow between facilities in India, Iran and Indonesia than there should be, considering the UN sanctions on Iran.

  13. Anonymous Coward
    Go

    Windows XP SE = NT 3.x for Alpha, MIPS, or PowerPC ?

    As per title.

    NT was conceptually secure when it arrived. Gates wanted more and more performance, and more and more user friendliness, requirements which rather inevitably are not entirely compatible with security (a DLL to display a pretty icon for each kind of file can't possibly be a security hole, says Bill. Too much code in kernel mode doesn't increase the attack surface, says Bill. Yes Bill says anyone who wants a pay cheque next month).

    So get out those NT 3.x CDs, preferably the ones for non x86 architectures, and you're all set.

    You won't be able to run any of the usual Windows apps though, so actually you might as well just switch to a different more secure OS that does run on existing hardware (even though hardware is often the cheapest part of this picture) and do the job properly. Which is the proper answer anyway.

    One size does not fit all, one OS does not suit all, and it is clear from this and high profile examples elsewhere (e.g. London Stock Exchange drops Windows adopts Linux) that the Windows-dependency in various IT departments and their business contacts has resulted in Windows being force-fitted into places where it is not really appropriate.

  14. Jonathan Richards 1
    WTF?

    How do the Iranians get Windows in the first place?

    This from http://www.microsoft.com/exporting/basics.htm :

    "Without limitation, parties acquiring software from Microsoft are responsible for obtaining all licenses or other approvals necessary for downloading or transfer of the software or use of the service. A party may not transfer the software or services without U.S. Government permission to (a) anyone on the U.S. Treasury Department's lists of Specially Designated Nationals (including the Government of Iran, Government of Sudan, Government of Cuba, prohibited members of the Cuban Communist Party), or on the U.S. Commerce Department's Denied Persons List, Entity List, or Unverified List, or on the U.S. State Department's Debarred List or Nonproliferation List (see Commerce Lists to Check); or (b) for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles to deliver them."

    That means that the Iranian nuclear facilities shouldn't be running Microsoft software, I should think. I wouldn't if I were them...

    1. ian 22
      FAIL

      So not the work of script kiddies then?

      The ayatollahs are now threatening the world with destruction (once they get their Windows NT systems working again).

      And yes, it is ironic (Iranic?) that they've gotten their operating system from the Great Satan.

      Iran, land of mystery.

  15. amehaye

    Digital fortress

    "Only the truth will save you now."

    Enter passcode:

  16. John Smith 19 Gold badge
    Joke

    *four* zero day vulns

    "Spooks" (or MI5 to readers in Merkin land) only allowed 1 to take over the fire control system of a rogue Russian submarine.

    Looks like someone has been hoarding them.

  17. Anonymous Coward

    Israel? or maybe not?

    I wonder if it can check the wind direction before it triggers a meltdown?

  18. TeeCee Gold badge
    Grenade

    Oh yeah?

    "We believe this type of attack could only be conducted with nation-state support and backing,"

    Yes, 'cos no l33t d00d h4x0r has ever produced a cunningly crafted worm using Windows exploits to target a specific software landscape in the past, have they?

    I suggest that Kaspersky give up the day job and go over full time to writing for the Daily Mail.

    I'd suggest that an alternate view here would be that Kaspersky found that it was yet another Russian cybercrime gang behind it and the Russian government told 'em in no uncertain terms to cover this up to avoid souring their relations with Iran. If it were thought to be a "nation state", it'll take all of five minutes for the finger to be pointed at Israel and the US*, which will suit the Russians quite nicely.

    I can haz conzpirasy yes?

    *'Cos everyone'll see "Iran" and conveniently overlook both all the other places hit and that Iran weren't even the first on the receiving end. Can't let pesky facts get in the way of a good conspiracy now, can we?
