Slashdot Mirror


Stuxnet Worms On

Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself: Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.

32 of 141 comments

  1. Never thought I would defend Iran, but... by elrous0 · · Score: 3, Insightful

    I don't think this is just one of those "Look at Iran, making some outlandish crazy new allegation!" things (like it was when Ahmadinejad tried to claim there were no homosexuals in Iran or blamed the U.S. Government for 9-11). Considering the very disproportionate hit they took of these infections, the obvious suspects (those who would benefit most from their nuclear program taking a hit), the precision of the targeting of the virus (two very specific models of Siemens PLCs), the impressive sophistication of the worm, etc., I hardly think it's some tin-foil hat conspiracy theory for them to assert that it was a "western power" (most likely Israel or the U.S.) behind this worm.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Never thought I would defend Iran, but... by Ender_Wiggin · · Score: 3, Interesting

      I don't think he said there are no homosexuals in Iran, he said "We don't have gay people the way you do in America." I think he means they don't really have openly gay people in society like you find in New York. It's interesting because Iran actually allows and pays for sex-change surgeries.

    2. Re:Never thought I would defend Iran, but... by MozeeToby · · Score: 2, Insightful

      It's worth noting that although many systems have been compromised worldwide, the only reports of equipment actually being damaged are apocryphal reports of 'nuclear accidents' at Iran's centrifuge facilities. The international community has assumed that those accidents were caused by the worm, and Iran calling the worm an attack on their nuclear ambitions seems to support that claim. Personally, I find the second wave of infections more likely to be someone modifying the payload and basic parameters for their own ends; it seems quite different from the mindset that drove the first set of attacks.

    3. Re:Never thought I would defend Iran, but... by TheCarp · · Score: 4, Interesting

      That's pretty much what he said. Actually, homosexuality in their culture is a whole topic unto itself. What was interesting to me was the way he seemed to imply that there is a difference between "public morality" and "private". Have you ever seen how many "witnesses" are required to accuse someone of certain things (like being a homosexual) under sharia law, for example?

      What he seemed, to me, to be espousing was the idea that "what you do in private is between you and god, but what other people see you do is another matter". In some ways it reminds me of a Japanese woman who was interviewed for the book "Lust in Translation" (never read it, but heard several stories about it) who was not mad at her husband for having an affair, as she had her own, but was mad that he was careless and allowed her to find out about it.

      Having known a few Iranian ex-pats, I must say, they have a fascinating culture, and one that's very different from our own in many ways.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    4. Re:Never thought I would defend Iran, but... by LWATCDR · · Score: 3, Informative

      I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a nuclear Iran.
      The list should include:
      China
      Russia
      India
      All of the EU
      Egypt
      Most of the Middle East.
      I mean, really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    5. Re:Never thought I would defend Iran, but... by gad_zuki! · · Score: 2, Insightful

      >they have a fascinating culture, and one thats very different from our own in many ways.

      Finding a death penalty for homosexuality fascinating? It should be horrifying. Same thing for atheism or denying Islam.

      >Thats pretty much what he said.

      Err, transsexualism and homosexuality are two very different things. Iran has a lot of social pressures to force homosexuals into subsidized transsexual treatment, which does nothing but victimize and humiliate homosexuals who have no problem with their gender; it's what they want to have sex with that has the theocrats running scared. Theocracy is not a valid form of government. Stop defending it as fascinating. It's victimizing and horrible.

    6. Re:Never thought I would defend Iran, but... by Dr.+Evil · · Score: 2, Informative

      Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware and how do you think they flew it in?

    7. Re:Never thought I would defend Iran, but... by at_slashdot · · Score: 2, Insightful

      >they have a fascinating culture, and one thats very different from our own in many ways.

      Finding a death penalty for homosexuality fascinating?

      Since when is the legal system, especially in a religious autocratic regime, part of "culture"?

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    8. Re:Never thought I would defend Iran, but... by elrous0 · · Score: 2, Insightful

      I think Occam's Razor usually applies to suspects too. And in this case the most obvious suspect, with the most to gain by far, is Israel. There is even some evidence in the code that this is the case, and the Israeli government itself has openly acknowledged that it has extensive cyber-warfare plans.

      Now of course, there are any number of ways to dismiss this if you REALLY want to believe that Israel wasn't involved (and it's always possible that they weren't). But you can do that with any case, no matter how clear-cut. I can make the same argument that O.J. Simpson never killed anyone (maybe it was just someone making it LOOK like he did it, there were probably other people with some reason to kill Ron and Nicole too). But is that the logical conclusion or just wishful thinking on my part because I don't want to believe that O.J. did it?

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  2. Re:Iran should all buy Macs by MrEricSir · · Score: 5, Funny

    And yet, Macs *are* capable of uploading viruses to alien ships.

    --
    There's no -1 for "I don't get it."
  3. We may never know? We DO know! by interkin3tic · · Score: 4, Funny

    I for one feel it's safe to assume Iran is right, that this is a nefarious plot by unnamed western nations to stop Iran's glorious peaceful nuclear power program, but that absolutely no computers controlling the nuclear program were infected. After all, Iran is completely trustworthy and its nuclear scientists are smart enough not to use control computers to check their e-mail and click on random links from random people.

    I'm also going to assume that fake first post was part of a nefarious plot by unnamed western nations to tarnish Iran's glorious image as first posters.

  4. Might not be the West... by SuperKendall · · Score: 4, Interesting

    I'm pretty sure Stuxnet is in fact a sophisticated attack worm created by a government to slow or halt Iran in producing nuclear weapons.

    There are plenty of candidates beyond the U.S. and Israel - Saudi Arabia for one, would be another country really not happy with a nuclear Iran, though certainly the U.S. or Israel seems most likely.

    But let's consider the most intriguing possibility - a country with tons of expertise in developing advanced malware already, and one with incredibly detailed knowledge of Iranian systems.

    Of course, I'm speaking of Russia.

    At first it sounds crazy because Russian scientists are helping Iran build a reactor in the first place. But perhaps that help was lined up long before, and Russia has decided Iran is too crazy now to be allowed to have The Bomb, so they activated Stuxnet, prepared in advance for such an eventuality. Or perhaps they simply wanted to get money from the help and then the cleanup...

    Russian scientists have been fleeing Iran because Iran is now going after guys in cubicles and saying they are spies. So perhaps even there, they know something most of us do not...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Might not be the West... by moderatorrater · · Score: 2, Interesting

      Consider this possibility: the last time people were accusing a government of being behind an attack, it was someone with a grudge but no government connection. Considering how hard it is (or even impossible) to tell the difference between a talented amateur and a professional when it comes to computers, why is everyone jumping on the government bandwagon? Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities.

    2. Re:Might not be the West... by perpenso · · Score: 2, Insightful

      ... Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities ...

      They needed a lot of expensive industrial control equipment to develop and test on.

    3. Re:Might not be the West... by znerk · · Score: 2, Interesting

      I estimate a budget of one million dollars to create this thing

      [citation needed]

      If I were to pull a number out of my ass on what it would take to create any virus-like program, I would set the budget at:
      (1) extremely dedicated individual with internet access and some time on his/her hands.

      The information required for attacking practically anything is available online. Yes, looking for the information might raise some red flags, and accessing it could most certainly do so, but if the person perpetrating said attack is clever and careful (and maybe lucky, as well), there won't be anything pointing at a specific person for accessing that information (public access (libraries, netcafes), wardriving, etc. can all be used for misdirection).

      TL;DR: Once you have the plans for the Death Star, it just takes a bit of time to figure out where the reactor core is, and to notice the exhaust vent that goes straight to it.

      Pointing fingers should be reserved until after some facts have been found.
      --
      No, I didn't read the article; I still believe my logic is sound.

      --
      This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  5. More details needed in story summary by Ender_Wiggin · · Score: 4, Interesting

    Despite the numerous slashdot articles and buzz about it, I'm seeing scant actual details.

    How was it delivered? Via Internet? Botnet? Unknown at this time? According to the article it "can spread using several vectors."
    It also says 2 of the 4 zero-day vulnerabilities have been patched by MS.

    The article about a possible attack scenario lends more credibility to the claim that there had to be inside help. You need people on the inside for reconnaissance and deployment. Even if it was spread from the internet, someone had to get hold of the security certificates to crack them and know the specific types of PLCs in use. The arrests that recently took place in Iran are making a lot more sense, despite all the knee-jerk condemnation from the /. posters.

    1. Re:More details needed in story summary by MozeeToby · · Score: 3, Informative

      Speculation/rumor is that the attack vector was USB drives used by Russian contractors. That is also its primary method of spread, but it may be able to spread over networks as well (reports that I've seen seem contradictory on that one). Further speculation/rumor has it that a possible "nuclear accident" at Iran's centrifuge facility last year may have been caused by this worm; if that is the case, it is the only report of actual hardware being damaged that I've heard of and would 100% support the idea that the worm was targeted at Iran's nuclear facilities. Given the number of infections in Iran and the artificial three-hop limit that the worm's writers gave it, it would seem the attack originated there.

      I think it's likely that the writers never planned on having the worm escape the target's network; I'm guessing someone at the nuke facility broke security protocol and took home a thumb drive that they weren't supposed to, and it spread from there. The worm doesn't do much except take up cycles on systems that don't match the fingerprint that it is looking for; a fingerprint only makes sense if you're looking to take down a lot of identical systems, which lines up nicely with the centrifuge theory. Basically, it's highly likely that this was a government job, targeting Iran's centrifuges, done with inside knowledge of what systems they were using, and delivered using some pretty basic social engineering (leaving infected USB drives on the ground in the parking lot, for instance).

    2. Re:More details needed in story summary by AHuxley · · Score: 2, Informative

      http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant
      You have a USB device talking to Microsoft, connecting to Siemens "something", then to some industrial system that has to work really well 24/7 and/or to exact tolerances.
      Microsoft is the way in, and it seems to be looking for something, like a key and a lock.
      When it finds a match, interesting 'new' things may happen over time to some industrial system.
      Phone home and uninstaller seem to be part of the deal: http://defense-update.com/wp/20100930_stuxnet-under-the-microscope.html
      Security certificates would be floating around the web or could be stolen or bought.

      --
      Domestic spying is now "Benign Information Gathering"
  6. Anyone have more details on the PLC payload? by JonySuede · · Score: 2, Insightful

    Anyone have more details on the PLC payload? I want to know what kind of changes it makes to the PLC software.

    --
    Jehovah be praised, Oracle was not selected
  7. Target is still speculation by Animats · · Score: 2, Interesting

    This attack is aimed at a very specific PLC configuration, and does nothing unless it finds that configuration. Until someone who has the matching PLC configuration admits it, speculation as to the target remains speculation.

    1. Re:Target is still speculation by sapphire+wyvern · · Score: 2, Interesting

      Not necessarily. The "P" in PLC stands for programmable. PLCs have a large amount of generic physical I/O (relay outputs, 4-20mA inputs, etc. etc.). From looking at the Stuxnet code, you *might* be able to tell that a particular output is being turned on - but without knowing what's wired into that output, you still haven't learned much. And that's a fairly blatant scenario (where Stuxnet is directly controlling PLC I/O).

      If Stuxnet is doing something more subtle, it could be doing something like patching the PLC code to silently disable safety interlocks, by replacing the results of a logic calculation with a different value. It's similar to installing a NoCD crack in a game executable so that the check_for_valid_disk() function call return value is always set to TRUE, and the disk checking code never even runs. If we can only see the patch (Stuxnet's observable behaviour) but not the original executable (the PLC code) there's no way to tell exactly what Stuxnet's payload is. Even Siemens wouldn't be able to figure it out unless they had a copy of the code put into the PLC by its owners.

  8. Re:Iran should all buy Macs by LaminatorX · · Score: 2, Informative

    Only if the ships have certain specific PLCs.

  9. World-wide distribution by Black+Parrot · · Score: 2, Informative

    Dutch multinationals have revealed that the worm is also attacking them.

    The Wikipedia article has a table of purported number of infections in various countries. Indonesia and India have the worst problem after Iran. Over six thousand in the Anglophone countries. If this is in fact only spreading via USB sticks, we've got some really promiscuous behavior going on.

    (You may well be skeptical of the six million reported for China. It's not a defacement; there's a link to an article that quotes someone actually making the claim. But the quote makes it sound like the speaker doesn't know what he's talking about.)

    --
    Sheesh, evil *and* a jerk. -- Jade
  10. Re:We may never know? We DO know! by Anonymous Coward · · Score: 2, Insightful

    Oh geez. Iran is the same nation where beheadings are common (as is cousin and even double-cousin marriage), women have to be kept in beekeeper outfits for fear some Iranian neanderthal male will see an ankle and go on a rampage of rape and destruction...

    Yes, we know, you hate Iran and Iranians, but don't you get sick of posting the same troll again and again on every article that has to do with Iran? You knew parent's post was tongue-in-cheek, but you still took the time to make it known how much you hate Iran before going "oh, it was tongue-in-cheek" ha ha ha. So clever.

    This is what Iran looked like in the 1970s before the revolution -- none of these people were "neanderthals". It's not the people who want their women to dress up in "beekeeper outfits", it's the tyrannous government. I take it you were born after 1979? Please, get some perspective.

  11. That's what it was about! by John+Hasler · · Score: 2, Informative

    The Earth was under attack by alien ships controlled by Siemens PLCs. Stuxnet was released to repel them and they all blew up and vanished into hyperspace. The whole thing was hushed up, of course, and what we are seeing is just the collateral damage.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  12. Re: The US by John+Hasler · · Score: 3, Informative

    Bullshit. The intelligence agencies never do anything without implicit authorization from the White House. They just sometimes find plausible deniability convenient. Occasionally they find it necessary to drive out a scapegoat.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  13. "Friendly" nations engage in espionage too by perpenso · · Score: 2, Interesting

    I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a nuclear Iran. The list should include: China, Russia, India, all of the EU, Egypt, most of the Middle East. I mean, really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.

    Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware and how do you think they flew it in?

    So some of these "friendly" countries had the best access to the Iranian nuclear infrastructure; that's enough to warrant their inclusion on the list. Given that Stuxnet was "dormant" and not attempting to damage anything, it may have been more of an insurance policy and not so much of an active weapon. Any of these countries would love to monitor and have a remote off switch should Iran begin to act against their interests at some future date. Now, is this the most likely scenario? No. However, it is still highly plausible.

  14. Intriguing. by jd · · Score: 2, Informative

    Those marking me "troll" for having said earlier that other, definitely and unquestionably innocent, victims could happen, and then marking me "troll" for noting that the protections against such accidents didn't mean they wouldn't happen anyway, will doubtless ignore the fact that (a) the Dutch are not Iranian nuclear weapons scientists, and (b) the only Iranian victims so far, moderates who might have kept the program somewhat sane, have now been arrested as spies. Iran is not known for treating those they suspect of spying very nicely.

    It is indeed unclear who the worm was aimed at, but I'm confident that it wasn't the Dutch and I'm now more certain than ever that other innocent victims will turn up. We have proof now that the safeguards (however well-intentioned) did not work. Which is no great surprise - it's hard to have a failsafe weapon as there are so few scenarios in which you need a weapon that badly and have it be safe if it fails.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  15. Obligatory William Gibson by lennier · · Score: 2, Interesting

    Someone had reprogrammed the DNA synthesizer, he said. The thing was there for the overnight construction of just the right macromolecule. With its in-built computer and its custom software. Expensive, Sandii. But not as expensive as you turned out to be for Hosaka.
    I hope you got a good price from Maas.
    The diskette in my hand. Rain on the river. I knew, but I couldn't face it. I put the code for that meningial virus back into your purse and lay down beside you.
    So Moenner died, along with other Hosaka researchers. Including Hiroshi. Chedanne suffered permanent brain damage.
    Hiroshi hadn't worried about contamination. The proteins he punched for were harmless. So the synthesizer hummed to itself all night long building a virus to the specifications of Maas Biolabs GmbH. Maas. Small, fast, ruthless -- All Edge.

    New Rose Hotel, 1981.

    Wonder if we'll ever find out what Stuxnet did in 2010, and if it did what its designers hoped.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  16. Re:We may never know? We DO know! by fishbowl · · Score: 2, Informative

    I had a friend who would respond to the knee-jerk attacks about Iran by showing his vacation pictures. My favorites were from the ski resort outside Tehran. It's really amusing, because nobody expects to see *really good alpine skiing* in Iran, let alone pictures of Iranian ski bunnies. This stuff isn't supposed to exist, in their world where all of the Middle East is a barren wasteland...

    --
    -fb Everything not expressly forbidden is now mandatory.
  17. Also by network shares by Sinn3d · · Score: 2, Informative

    It also spreads through network shares, so once inside it can quickly get around. Still, F-Secure has a nice Q&A bit up on Stuxnet + demo vid.

    http://www.f-secure.com/weblog/archives/00002040.html

  18. Re:Skynet by Hardtrance · · Score: 2, Funny

    ICBM, actually.

    --
    This post is LAW where prohibited by VOID. Prosecutors will be violated.