How Investigators Deciphered Stuxnet
suraj.sun tips a story at Wired that takes an in-depth look into how security researchers tracked down and worked to understand the infamous Stuxnet worm. The article begins:
"It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why?"
The part about the differences in loyalties of the Symantec researchers was telling, though.
"We don't care if this harms something important our country is doing to stop madmen from getting the Fist of God. We have customers to do business with!"
There are green lines and empty white everywhere taking up space
...expanding enrichment production because of the influx of tubes was a direct result of this damage...?
There was another good article in Vanity Fair
Someone superimpose Poyots & the CIA seal on trollface!
This is on the front page of wired.com right now:
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1.
And it's all on 1 page!
It's not what it is, it's something else.
Oops, I thought the summary linked elsewhere (had another article open), and linked to the wrong one. Just ignore me please.
That some day... justice can be done and the people who wrote Stuxnet end up in an Iranian court to face charges for this.
Only fair: if someone released a worm that attacked US or Western European equipment, our governments would demand that the criminals be brought to our justice. I really do hope that we see some turnabout on this play, even if only so I can laugh.
"I opened my eyes, and everything went dark again"
http://www.ted.com/talks/lang/eng/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
The article says it would be normal to replace 800 centrifuges per year, but they saw between 1000 and 2000 being replaced. If the actual number was closer to 1000, it wasn't really that much of an impact, was it?
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
Direct MP4 HD? http://feedproxy.google.com/~r/TEDTalks_video/~5/uLpkPSf1jEc/RalphLangner_2011.mp4
This article is full of interesting content, even for someone who may not be versed in logic controllers and the like, and it was written very well. Full of suspense and intrigue, it definitely holds the reader's attention for a long haul through the article. Like one of TFA's commenters said, it reads like a Tom Clancy novel.
How often do we find extended tech pieces that capture the interest of many non-tech readers?
Very high userid. You created your account today?
It's true, I've never seen goatse used like that before!
Courtesy of TED: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
In 1993, I was working one Saturday at Pacific Data Images in Sunnyvale. (who later went on to make such classics as "Shrek", but that's another story.) At the time we were one of the leading CG advertising companies in the world.
Anyway, I wandered into the front lobby, and there was a guy there, the husband of the receptionist, who had this very long roll of paper, maybe 20 feet, with an undulating line drawn along it. He was searching up and down along the line for quite some time. Well, I couldn't help but ask what it was.
He said that it was the Fourier transform of the power line going into a plant. He and his company were examining the spectrum to see if they could deduce what was going on inside the plant, i.e. whether the machines inside the plant would leak substantial information back onto the power line. Anybody with any electrical engineering experience would know that of course this would be true. I said, OK, that's interesting. What do you see in this spectrum?
And he pointed to a little sinc()-shaped (kind of sombrero-shaped) area at a particular frequency. And then showed the aliases of that at higher frequencies. He said that these were clearly signatures of many six-pole electrical motors running all at almost exactly the same speed. I looked inquisitive, and he said, "you know, like if you had a bunch of uranium gas centrifuges running." I thought about this for a few minutes... and said, "uhm, OK, but we don't use centrifuges to separate uranium", and he said "no, we don't" and left it at that.
Soon, he was back to Iraq, using a ground-penetrating radar he developed to look for buried weapons. I never saw him again.
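The spectrum trick in the story above, as an added example that is not part of the original post or of any real plant measurement: a line-current waveform is synthesised here (a 60 Hz mains fundamental, fifty motors drawing a weak tone at almost the same hypothetical 1000 Hz drive frequency, plus white noise), then a plain radix-2 FFT and a peak search that skips the mains harmonics pick the motors' lobe out of the spectrum. The motor frequency, amplitudes, noise level and sample rate are all assumptions chosen for the demonstration.

```python
"""Spot a population of near-synchronous motors on a plant's power line.

Added example for this thread, not the equipment or data in the story above.
Everything is constructed: mains at 60 Hz, 'motors' motors jittered by a few
tenths of a hertz around motor_hz (hypothetical), and Gaussian noise.
"""
import cmath
import math
import random


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def synth_power_line(fs=8192, n=8192, motors=50, motor_hz=1000.0,
                     motor_amp=0.02, jitter_hz=0.2, noise=0.02, seed=1):
    """Constructed line-current samples (arbitrary units), seeded for repeatability."""
    rng = random.Random(seed)
    freqs = [motor_hz + rng.gauss(0.0, jitter_hz) for _ in range(motors)]
    phases = [rng.uniform(0.0, 2 * math.pi) for _ in range(motors)]
    samples = []
    for i in range(n):
        t = i / fs
        v = math.sin(2 * math.pi * 60.0 * t)                    # mains fundamental
        v += sum(motor_amp * math.sin(2 * math.pi * f * t + p)  # the motor population
                 for f, p in zip(freqs, phases))
        v += rng.gauss(0.0, noise)                              # measurement noise
        samples.append(v)
    return samples


def find_motor_signature(samples, fs, mains_hz=60.0, guard_bins=2):
    """Strongest spectral line that is not a mains harmonic, plus its ratio
    to the median bin magnitude (a crude noise floor)."""
    n = len(samples)
    mags = [abs(c) for c in fft(samples)[: n // 2]]
    hz_per_bin = fs / n
    candidates = []
    for k in range(1, len(mags)):
        f = k * hz_per_bin
        nearest_harmonic = round(f / mains_hz) * mains_hz
        if abs(f - nearest_harmonic) <= guard_bins * hz_per_bin:
            continue                      # skip 60 Hz and its harmonics
        candidates.append((mags[k], f))
    floor = sorted(m for m, _ in candidates)[len(candidates) // 2]
    peak_mag, peak_hz = max(candidates)
    return {"peak_hz": peak_hz, "snr": peak_mag / floor}


if __name__ == "__main__":
    fs = 8192
    result = find_motor_signature(synth_power_line(fs=fs, n=fs), fs)
    print("peak at %.0f Hz, %.0fx above the floor" % (result["peak_hz"], result["snr"]))
```

With 8192 samples at 8192 samples/s each bin is 1 Hz wide, so the fifty slightly mismatched motors pile into one narrow lobe around 1000 Hz, which is the sombrero the commenter's visitor was pointing at; a single motor with a drifting speed would smear across bins instead.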
I love Mondays. On a Monday, anything is possible.
No one declares anti-semitism, but anti-zionism.
Zionism is the political movement to re-establish the Jewish State, contradicting the scriptures about staying away... (Why keep Sabbath then?).
In any case, the Zionists waged war and won the land by force, then proceeded to get rid of the locals, who naturally resisted the invasion in any way they could. Lots of slaughtering and struggle in the process; oh yes, the Zionists did start with terrorism when the land was controlled by the UK... Were you not told about the King David Hotel bombing?
The methods the Israeli forces use are simply mass-murdering people trapped and besieged in ghettos. Sounds familiar, doesn't it? Yes, ethnic cleansing it is; and all sorts of air bombardment and land and even sea warfare against civilians, mostly armed with just rocks and pitiful glorified firecrackers. No NATO bombing or no-fly zones there... Thousands of innocent people die in Gaza, the UN doesn't care, even after Israel destroys UN facilities there.
Say what you like about Iran, they haven't dropped white phosphorus cluster bombs on civilians; Israel has, everyone watched "Cast Lead". Israel once bombed a nuclear power plant in Iraq, but nothing of the sort has occurred to Israel from Iraq. And before that there were incidents like the Sabra and Shatila massacre; guess who was involved? The current Prime Minister... Reality surpasses intentions.
Things like executions occur when you let religious extremists in power. It would be the same if you followed your traditions to the letter. Do not forget both religions have the same root, and Christianity as well. And all of them have committed atrocities in the past, and in that very same patch of land even.
Islamic scripture actually treats Jews (and Christians) with respect, and before the Zionists invaded, local Jews and Christians did live there just as they live in other countries.
You say Israel is "surrounded". No s*** Sherlock, Zionists invaded the land and waged war against all its neighbors (defeating them). That's when a violent future for Israel was sealed; and you have fanatics killing their own leaders when they dare to reach peace after decades of bloodshed.
Zionists don't care about anything and anyone, they want their conquered land clean of Palestinians and anti-zionists and they don't care about the UN or even if the whole world declared war against them, they have the nukes ready should they ever lose.
"Anti-semitism" is Zionist propaganda against anyone who dares think different.
Read the Ars Technica article, then read it again.
This article was a great read, it reminded me of my own first-hand experience with a time bomb planted in PLC code.
The company I was working for at the time manufactured hydraulic presses; the newest one, installed at a long-time customer, included a touch-screen control system running WinCE that was front-ending a PLC to control the machine. We had contracted out the development work on the control system, and the owner of the company ended up in a billing dispute with the contractor just as the machine was being brought online. In the days before the dispute came to a head, the contractor had been on-site at the customer "making minor improvements to the interface based on customer feedback".
One day the customer calls and says: "Our brand new hydraulic press has stopped working and the control system guy says he can't fix it until you pay him." After the owner of the company was done swearing at the contractor on the phone and literally kicking a hole in his office door, he calls me in and tells me he needs me to go over to the customer and "undo whatever that a**hole did".
I had a basic understanding of PLC programming and access to a prior version of the touch screen interface and PLC code. It took a few hours of scanning both sets of code by hand on-site at the customer, but I located the very basic checks for system date in the touch screen interface code which would set a value that the PLC would read and trigger a safety interlock which effectively disabled the machine's function. This was easily remedied once discovered.
It was a slightly stressful experience for me as I had no input on this control system until the day it was disabled and I was on the spot to fix it. Once it was resolved, I was quite happy.
I'm pretty sure the billing dispute ended up going to the lawyers.
The problem with the story is the happy little song at the end.
The story attempts to resolve the menace of the Stuxnet worm by suggesting that Iran now knows how to avoid another worm infection.
The competing conclusion is an exceptional piece of software has been described at the design level.
The remaining part of the puzzle is: Did the researchers figure out what linker and what compiler was used to build the darn thing? Have they determined the programming language used from the patterns of data and code? Are the sections of the worm static and fixed in size or are the sizes variable and reached by means of a jump table? Are there pieces of assembly language code present? Does the code have assembly language sequences designed to derail a debugger? Does the worm design show size and configuration changes as the production worm was tweaked?
Finally, are any of the zero day exploits mentioned the result of actions below the level of the operating system? In effect, are there hardware level exploits that can affect any IBM compatible personal computer no matter what operating system it runs? The mention of a computer that repeatedly reboots at the beginning of the article might be just the symptom of the super duper ultra low level exploit, if it exists.
What is really apparent from all the reverse engineering is that it made the method a template. That's more dangerous than most think. It also means that industrial installations must now have more in-depth security to prevent invasive devices/software.
This is not good. Cyberwar is real and dangerous.
Don't be apathetic. Procrastinate!
I'll start by saying this most assuredly was a government job. Either done by the US, Israel or Russia.
1. There's obviously a spy somewhere. Iran isn't going to make public the intimate details of their reprocessing plants, let alone the exact configuration of their control terminals / PLC controllers and centrifuges. You need hard data for that. Who helped Iran build these plants? Who designed this particular cascade process?
2. People who have a seriously intimate knowledge of this type of hardware had to be involved. It's one thing to say "If there's a motor attached, double its frequency" and then let the thing burn out. It's a whole other thing to say "up the motor by 20mhz for 50 minutes" knowing it would introduce subtle failures that would be argued away as poor components, overuse, etc. Also, what does that do to the quality of the uranium coming out of the process? Maybe the plan was to not only break the plant but corrupt the output as well. I can't imagine this type of knowledge is widespread...
3. What was/is the end game? Iran (while it'll never say it) wants the bomb. They want parity with Israel or at least the argument of MAD. I think possibly stuxnet might have had some end game, but barring that, it was a delaying tactic.
Yes Francis, the world has gone crazy.
How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
"Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim"
Is there some kind of directive in place that doesn't allow for the mention of Microsoft Windows, and who in their right mind would be using Windows to control hardware? And that entire report comes in the style of bad journalism, i.e. a very bad imitation of Tom Wolfe.
"In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer"
Finally, we get to a mention of Windows, and what's a browser even doing on a 'computer' controlling a centrifuge? So to recap: insert USB device -> Windows attempts to open an icon from a LNK shortcut, then loads a malicious DLL into memory; the DLL is in actuality a rootkit disguised as a digitally signed device driver that gets loaded and run with 'root' privileges; the perps now have full control of your 'computer'.
"When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory"
Oh, for fuck's sake!!!
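The recap above, that Explorer parses a shortcut on the stick and ends up loading a module just to render its icon, suggests what a responder could actually check on a suspect drive. The following is an added example, not code from the Wired article, from the commenter, or from any Stuxnet sample: a small parser for the public MS-SHLLINK layout (76-byte header, then a LinkTargetIDList of ItemIDs) and a heuristic that flags shortcuts whose Control Panel item names anything other than a .cpl under System32. The three shortcuts at the bottom are constructed here, the file names and drive letters in them are hypothetical, and the heuristic is a triage aid rather than a signature.

```python
"""Heuristic triage of Windows .lnk files for Control Panel shortcuts that
point at an arbitrary loadable module.

Added example for this thread, not code from the article or any malware
sample.  Assumes only the documented MS-SHLLINK layout: a 76-byte
ShellLinkHeader, then (when LinkFlags bit 0 is set) a LinkTargetIDList of
ItemIDs, each a 2-byte size followed by its payload, closed by 0x0000.
All sample shortcuts below are constructed; the names in them are made up.
"""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")            # ShellLink
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")    # "My Computer" root
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")  # Control Panel folder
HAS_LINK_TARGET_ID_LIST = 0x00000001
# runs of at least four printable UTF-16LE code units (how shell items store paths)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_item_ids(data):
    """Return the payloads of the ItemIDs in the LinkTargetIDList ([] if none)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, 76)[0]
        pos, end = 78, 78 + idlist_size
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size < 2:                      # TerminalID (0x0000) closes the list
                break
            items.append(data[pos + 2:pos + size])
            pos += size
    return items


def triage_lnk(data):
    """Flag a shortcut that walks into the Control Panel folder and then names
    a target other than a .cpl under System32 (heuristic, not a signature)."""
    blob = b"".join(parse_item_ids(data))
    control_panel_item = CONTROL_PANEL_CLSID.bytes_le in blob
    strings = [m.decode("utf-16-le") for m in UTF16_RUN.findall(blob)]
    paths = [s for s in strings if "\\" in s]
    odd_targets = [p for p in paths
                   if not (p.lower().endswith(".cpl")
                           and p.lower().startswith("c:\\windows\\system32\\"))]
    return {
        "control_panel_item": control_panel_item,
        "paths": paths,
        "suspicious": control_panel_item and bool(odd_targets),
    }


def build_lnk(item_payloads):
    """Assemble a minimal .lnk: header with HasLinkTargetIDList, then the IDList."""
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST) + b"\x00" * 52)
    return header + struct.pack("<H", len(idlist)) + idlist


def folder_item(clsid):
    return b"\x1f\x00" + clsid.bytes_le              # root/folder item carrying a CLSID


def target_item(path):
    return b"\x00" * 4 + path.encode("utf-16-le") + b"\x00\x00"   # item naming a file


# constructed samples (hypothetical names and drive letters)
SAMPLE_EXPLOIT_SHAPE = build_lnk([folder_item(MY_COMPUTER_CLSID),
                                  folder_item(CONTROL_PANEL_CLSID),
                                  target_item(r"E:\payload.tmp")])
SAMPLE_BENIGN_CPL = build_lnk([folder_item(MY_COMPUTER_CLSID),
                               folder_item(CONTROL_PANEL_CLSID),
                               target_item(r"C:\Windows\System32\timedate.cpl")])
SAMPLE_PLAIN_FILE = build_lnk([folder_item(MY_COMPUTER_CLSID),
                               target_item(r"C:\Users\me\notes.txt")])

if __name__ == "__main__":
    for name, blob in [("exploit-shape", SAMPLE_EXPLOIT_SHAPE),
                       ("benign-cpl", SAMPLE_BENIGN_CPL),
                       ("plain-file", SAMPLE_PLAIN_FILE)]:
        print(name, triage_lnk(blob))
```

Run it over every *.lnk on a mounted stick with the drive mounted read-only; nothing here opens or executes the target, it only reads the shortcut bytes. Note the check is on the target's extension and location, not on ".dll", because a module that Explorer loads can carry any extension.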
This is the best page-turner/site scroller article I have ever read... period!
Q: Anyone notice a common infection thread here?
A: It starts with Micro and ends with soft.
Why is it that Iran had thousands of replacement centrifuges? Thousands? Of Replacements?