How Investigators Deciphered Stuxnet
suraj.sun tips a story at Wired that takes an in-depth look into how security researchers tracked down and worked to understand the infamous Stuxnet worm. The article begins:
"It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why?"
Kiss my shiny metal ass.
The part about the differences in loyalties of the Symantec researchers was telling, though.
"We don't care if this harms something important our country is doing to stop madmen from getting the Fist of God. We have customers to do business with!"
suraj.sun tips a story at Weird that takes an in-depth look into how security researchers tracked down and worked to understand the infamous Frost Post worm. The article begins:
"It was January 2010, and investigators with the International Frosty Agency had just completed an inspection at the goatse enrichment plant outside Christmas Island in Firstpostistan, when they realized that something was off within the cascade rooms where thousands of posters were hitting F5 repeatedly. But when the IFA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Christmas Island's goatsex program, they were stunned as they counted the numbers. The workers had been getting first posts at an incredible rate — later estimates would indicate between 1,000 and 2,000 first posts were obtained over a few hours. The question was, why?"
There are green lines and empty white everywhere taking up space
But what does this have to do with the sublime insanity that is Pnårp.com?
...expanding enrichment production because of the influx of tubes was a direct result of this damage...?
There was another good article in Vanity Fair
Someone superimpose Poyots & the CIA seal on trollface!
This is on the front page of wired.com right now:
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1.
And it's all on 1 page!
It's not what it is, it's something else.
Oops, I thought the summary linked elsewhere (had another article open), and linked to the wrong one. Just ignore me please.
That some day...justice can be done and the people who wrote stuxnet end up in an Iranian court some day to face charges for this.
Only fair, if someone released a worm that attacked US or Western European equipment, our governments would demand that the criminals be brought to our justice....I really do hope that we see some turnabout on this play, even if only so I can laugh.
"I opened my eyes, and everything went dark again"
There is an article on the tools used to reverse engineer it
Every hacker should have one of these, I must admit.
http://www.ted.com/talks/lang/eng/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
The article says it would be normal to replace 800 centrifuges per year, but they saw between 1000 and 2000 being replaced. If the actual number was closer to 1000, it wasn't really that much of an impact, was it?
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
Direct MP4 HD? http://feedproxy.google.com/~r/TEDTalks_video/~5/uLpkPSf1jEc/RalphLangner_2011.mp4
This article is full of interesting content, even for someone who may not be versed in logic controllers and the like, and it was written very well. Full of suspense and intrigue, it definitely holds the reader's attention for a long haul through the article. Like one of TFA's commenters said, it reads like a Tom Clancy novel.
How often do we find extended tech pieces that capture the interest of many non-tech readers?
It's true, I've never seen goatse used like that before!
There is a bit of a flaw in the story. It starts by saying that the worm was clearly designed to spread via USB and local networks because it targeted systems that didn't have an internet connection. But later it says Iran had blocked outgoing internet connections from their nuclear plant and so the systems had stopped "reporting in".
If the plant's systems weren't connected to the internet in the first place, how were they reporting to a remote server in Malaysia? If the worm was saving its reports on the USB drives (which then attempted to upload it from a different location), then why did blocking outgoing connections make any difference to the reports?
And, if the servers were connected to the internet, why was the worm designed to spread via USB? Could the Iranian version of Windows be so well patched that they didn't have any remotely exploitable holes?
Also, this seems like an insane amount of work just to damage a few centrifuges every 27 days. The article says it would be normal to replace around 600 centrifuges a year but they were replacing around 1000. As far as sabotage goes, this seems rather mild. And if they planned to blow up the plant later, then surely the worm wouldn't have risked exposing itself by causing a little damage once a month.
Following the money, I have to wonder if anyone has considered the possibility that the worm was written by the centrifuges' manufacturer, who would obviously know how to write code for the PLCs, and could easily have bought the "0-day" exploits used to spread it on the black market (since it turned out they weren't quite "0-day" and had been used years before).
I'm sure Israel has moles inside the actual Iranian nuclear programme and I'm sure the US could borrow them if they asked nicely (and paid for it). And neither Israel nor the US have ever had any problem with dropping bombs on brownish people.
Courtesy of TED: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
In 1993, I was working one Saturday at Pacific Data Images in Sunnyvale (who later went on to make such classics as "Shrek", but that's another story). At the time we were one of the leading CG advertising companies in the world.
Anyway, I wandered into the front lobby, and there was a guy there, the husband of the receptionist, that had this very long roll of paper, maybe 20 feet, with an undulating line drawn along it. He was searching up and down along the line for quite some time....well, I couldn't help but ask what it was.
He said that it was the Fourier transform of the power line going into a plant. He and his company were examining the spectrum to see if they could deduce what was going on inside the plant -- if the machines inside the plant would leak substantial information back onto the power line. Anybody with any electrical engineering experience would know that of course this would be true. I said, OK, that's interesting. What do you see in this spectrum?
And he pointed to a little sinc() shaped (kind of sombrero shaped) area at a particular frequency. And then showed the aliases of that at higher frequencies. He said that these were clearly signatures of many six-pole electrical motors running all at almost exactly the same speed. I looked inquisitive, and he said, "you know, like if you had a bunch of uranium gas centrifuges running." I thought about this for a few minutes....and said, "uhm, OK, but we don't use centrifuges to separate uranium", and he said "no, we don't" and left it at that.
Soon, he was back to Iraq, using a ground-penetrating radar he developed to look for buried weapons. I never saw him again.
I love Mondays. On a Monday, anything is possible.
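As an added illustration of the spectral signature described in the comment above (this is not code from the poster or from the Wired article): the block constructs a fake power-line recording, namely a 60 Hz mains fundamental, its third harmonic, one small extra component standing in for coupled motor-drive noise, and a little seeded random noise, all values constructed. It takes a plain DFT, picks out bins that stand above the noise floor, separates mains harmonics from anything else, and converts a candidate drive frequency into the synchronous speed of a six-pole motor with the standard 120 * f / poles relation. That a drive's frequency shows up on the supply line at all, and at which frequency, is an assumption here; the example only shows how such a component is separated from the mains and its harmonics.

```python
import cmath
import math
import random
from statistics import median


def constructed_power_line(fs=1000, n=1000, mains_hz=60, signature_hz=250, seed=1):
    """Constructed sample, not a measurement: mains fundamental, a weak third
    harmonic (normal on any supply), one small non-harmonic component standing
    in for coupled drive noise, and a little uniform noise."""
    rng = random.Random(seed)
    return [math.sin(2 * math.pi * mains_hz * t / fs)
            + 0.10 * math.sin(2 * math.pi * 3 * mains_hz * t / fs)
            + 0.05 * math.sin(2 * math.pi * signature_hz * t / fs)
            + rng.uniform(-0.01, 0.01)
            for t in range(n)]


def magnitude_spectrum(samples):
    """Plain O(n^2) DFT (fine for a thousand samples): |X_k| for bins 0..n/2."""
    n = len(samples)
    spectrum = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        spectrum.append(abs(acc))
    return spectrum


def spectral_peaks(spectrum, fs, ratio=10.0):
    """Frequencies (Hz) of bins that stand above the noise floor, where the
    floor is the median bin magnitude (robust to a few strong lines)."""
    n_bins = len(spectrum)
    n = (n_bins - 1) * 2
    floor = median(spectrum[1:])
    return [k * fs / n for k in range(1, n_bins) if spectrum[k] > ratio * floor]


def non_mains_components(peaks, mains_hz, tol=0.02):
    """Drop the fundamental and its integer harmonics; what remains is what
    the supply itself does not explain."""
    return [f for f in peaks if abs(f / mains_hz - round(f / mains_hz)) > tol]


def synchronous_rpm(drive_hz, poles=6):
    """Synchronous speed of an AC induction/synchronous motor: 120 * f / poles."""
    return 120.0 * drive_hz / poles


if __name__ == "__main__":
    fs = 1000
    spec = magnitude_spectrum(constructed_power_line(fs=fs))
    peaks = spectral_peaks(spec, fs)
    extra = non_mains_components(peaks, 60)
    print("peaks:", peaks)            # mains, 3rd harmonic, and the extra line
    print("not explained by mains:", extra)
    for f in extra:
        print(f"{f:.0f} Hz as a drive frequency -> {synchronous_rpm(f):.0f} rpm (6-pole)")
```

With a one-second window at 1 kHz each bin is exactly 1 Hz wide, so the constructed tones land on single bins and the median-based floor is set by the noise alone; on a real recording you would window the data and look at leakage around each line, which is where the sinc shape the poster mentions comes from.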
No one declares anti-semitism, but anti-zionism.
Zionism is the political movement to re-establish the Jewish State, contradicting the scriptures about staying away... (Why keep Sabbath then?).
In any case, the Zionists waged war and won the land by force, then proceeded to get rid of locals, who naturally resisted the invasion in any way they could. Lots of slaughtering and struggle in the process; oh yes, the Zionists did start with terrorism when the land was controlled by the UK... Were you not told about the King David Hotel bombing?
The methods the Israeli forces use are simply mass murdering people trapped and sieged in ghettos. Sounds familiar doesn't it? Yes, ethnic cleansing it is; and all sorts of air bombardment and land and even sea warfare against civilians, mostly armed with just rocks and pitiful glorified firecrackers. No NATO bombing, or no fly zones there... Thousands of innocent people die in Gaza, the UN doesn't care, even after Israel destroys UN facilities there.
Say what you like about Iran, they haven't dropped white phosphorus cluster bombs against civilians; Israel has; everyone watched "Cast Lead". Israel once bombed a nuclear power plant in Iraq, but nothing of the sort has occurred to Israel from Iraq. And before there were incidents like the Sabra and Shatila massacre, guess who was involved? The current Prime Minister... Reality surpasses intentions.
Things like executions occur when you let religious extremists in power. It would be the same if you followed your traditions to the letter. Do not forget both religions have the same root, and Christianity as well. And all of them have committed atrocities in the past, and in that very same patch of land even.
Islamic scripture actually treats Jews (and Christians) with respect, and before the Zionists invaded, local Jews and Christians did live there just like they live in other countries.
You say Israel is "surrounded". No s*** Sherlock, Zionists invaded the land and waged war against all its neighbors (defeating them). That's when a violent future for Israel was sealed; and you have fanatics killing their own leaders, when daring to reach peace after decades of bloodshed.
Zionists don't care about anything and anyone, they want their conquered land clean of Palestinians and anti-zionists and they don't care about the UN or even if the whole world declared war against them, they have the nukes ready should they ever lose.
"Anti-semitism" is Zionist propaganda against anyone who dares think different.
This article was a great read, it reminded me of my own first-hand experience with a time bomb planted in PLC code.
The company I was working for at the time manufactured hydraulic presses; the newest one, installed at a long-time customer, included a touch screen control system running WinCE that was front-ending a PLC to control the machine. We had contracted out the development work on the control system, and the owner of the company ended up in a billing dispute with the contractor just as the machine was being brought online. In the days before the dispute came to a head, the contractor had been on-site at the customer "making minor improvements to the interface based on customer feedback".
One day the customer calls and says: "Our brand new hydraulic press has stopped working and the control system guy says he can't fix it until you pay him." After the owner of the company was done swearing at the contractor on the phone and literally kicking a hole in his office door, he calls me in and tells me he needs me to go over to the customer and "undo whatever that a**hole did".
I had a basic understanding of PLC programming and access to a prior version of the touch screen interface and PLC code. It took a few hours of scanning both sets of code by hand on-site at the customer, but I located the very basic checks for system date in the touch screen interface code which would set a value that the PLC would read and trigger a safety interlock which effectively disabled the machine's function. This was easily remedied once discovered.
It was a slightly stressful experience for me as I had no input on this control system until the day it was disabled and I was on the spot to fix it. Once it was resolved, I was quite happy.
I'm pretty sure the billing dispute ended up going to the lawyers.
I know that /. has more than its fair share of America & Israel haters, but infamous??? One has to be totally deranged to think that nukes in the hands of countries like Iran (who are busy trying to hasten the arrival of the Mahdi) or Pakistan (the country that created the Taliban) is a good thing!!!
Thankfully, w/ Stuxnet, Israel managed to delay Iran's acquisition of nukes. Now, if only something could be done about the ones that Pak has...
The problem with the story is the happy little song at the end.
The story attempts to resolve the menace of the Stuxnet worm by suggesting that Iran now knows how to avoid another worm infection.
The competing conclusion is an exceptional piece of software has been described at the design level.
The remaining part of the puzzle is: Did the researchers figure out what linker and what compiler was used to build the darn thing? Have they determined the programming language used from the patterns of data and code? Are the sections of the worm static and fixed in size or are the sizes variable and reached by means of a jump table? Are there pieces of assembly language code present? Does the code have assembly language sequences designed to derail a debugger? Does the worm design show size and configuration changes as the production worm was tweaked?
Finally, are any of the zero day exploits mentioned the result of actions below the level of the operating system? In effect, are there hardware level exploits that can affect any IBM compatible personal computer no matter what operating system it runs? The mention of a computer that repeatedly reboots at the beginning of the article might be just the symptom of the super duper ultra low level exploit, if it exists.
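The binary-level questions raised above (which linker built the thing, whether its sections are fixed in size) are the kind an analyst answers first from the PE headers, before any disassembly. The following is an added example, not code from the article or from any published Stuxnet analysis: it constructs a minimal PE32 header set (a constructed byte string, not a real sample) and parses the COFF header, the linker version bytes of the optional header and the section table, flagging sections that are writable and executable or that have no file-backed data. The `MS_LINKER_HINTS` table and the two finding heuristics are mine; the linker version field is ordinary data in the file that the builder can set to anything, so it is a hint, not proof.

```python
import struct

# Microsoft linker major versions and the Visual Studio release each shipped
# with. Reference data used as a hint only: whoever builds the binary can
# write any value into this field.
MS_LINKER_HINTS = {6: "VC6", 7: "VS .NET 2002/2003", 8: "VS 2005", 9: "VS 2008",
                   10: "VS 2010", 11: "VS 2012", 12: "VS 2013", 14: "VS 2015 or later"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe(linker=(9, 0), sections=None):
    """Constructed minimal PE32 headers (not a real sample): DOS header,
    PE signature, COFF header, zero-padded optional header, section table."""
    if sections is None:
        # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        sections = [(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),   # code, R+X
                    (b".data", 0x0200, 0x2000, 0x0200, 0x1400, 0xC0000040)]  # data, R+W
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # standard PE32 optional header size
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE|32BIT|DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    # Magic=PE32, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode; the rest zeroed
    opt = struct.pack("<HBBI", 0x10B, linker[0], linker[1], 0x1000)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe_headers(data):
    """Read the header fields an analyst looks at first; ValueError on a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt_off)
    sections, findings = [], []
    for i in range(n_sections):
        off = opt_off + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "flags": flags})
        # Heuristics (mine): writable+executable memory is a classic unpacker or
        # injection tell; a section with no file data but a nonzero virtual size
        # is filled at run time, so the bytes on disk are not what will execute.
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable")
        if rawsize == 0 and vsize > 0:
            findings.append(f"{name}: no file-backed data, filled at run time")
    return {"machine": machine, "pe32_plus": magic == 0x20B, "timestamp": timestamp,
            "characteristics": characteristics,
            "linker_version": (linker_major, linker_minor),
            "linker_hint": MS_LINKER_HINTS.get(linker_major),
            "sections": sections, "findings": findings}


if __name__ == "__main__":
    clean = build_sample_pe()
    packed = build_sample_pe(linker=(2, 25),
                             sections=[(b"pack0", 0x5000, 0x1000, 0, 0x400, 0xE0000080)])
    for sample in (clean, packed):
        info = parse_pe_headers(sample)
        print(info["linker_version"], info["linker_hint"],
              [s["name"] for s in info["sections"]], info["findings"])
```

The second constructed sample carries an odd linker version and a single R+W+X section with no data on disk, which is what a packed or self-modifying image typically looks like from the header alone; comparing these fields across the different builds of a family also answers the poster's question about whether sizes changed as the code was tweaked.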
What is really apparent from all the reverse engineering is that it made the method a template. That's more dangerous than most think. It also means that industrial installations must now have more in-depth security to prevent invasive devices/software.
This is not good. Cyberwar is real and dangerous.
Don't be apathetic. Procrastinate!
I'll start by saying this most assuredly was a government job. Either done by the US, Israel or Russia.
1. There's obviously a spy somewhere. Iran isn't going to make public the intimate details of their reprocessing plants, let alone the exact configuration of their control terminals / PLC controllers and centrifuges. You need hard data for that. Who helped Iran build these plants? Who designed this particular cascade process?
2. People who have a seriously intimate knowledge of this type of hardware had to be involved. It's one thing to say "If there's a motor attached, double its frequency" and then let the thing burn out. It's a whole other thing to say "up the motor by 20mhz for 50 minutes" knowing it would introduce subtle failures that would be argued away as poor components, overuse, etc. Also, what does that do to the quality of the uranium coming out of the process? Maybe the plan was to not only break the plant but corrupt the output as well. I can't imagine this type of knowledge is widespread...
3. What was/is the end game? Iran (while it'll never say it) wants the bomb. They want parity with Israel or at least the argument of MAD. I think possibly stuxnet might have had some end game, but barring that, it was a delaying tactic.
Yes Francis, the world has gone crazy.
How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
"Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim"
Is there some kind of directive in place that doesn't allow for the mention of Microsoft Windows, and who in their right mind would be using Windows to control hardware? And that entire report comes from the school of bad journalism, i.e. a very bad imitation of Tom Wolfe.
"In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer"
Finally, we get to a mention of Windows, and what's a browser even doing on a 'computer' controlling a centrifuge? So to recap: insert USB device -> Windows attempts to open an icon from a LNK shortcut, then loads a malicious DLL into memory; the DLL is in actuality a rootkit disguised as a digitally signed device driver that gets loaded and run with 'root' privileges; the perps now have full control of your 'computer'.
"When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory"
Ohh for fucks sake !!!
This is the best page-turner/site scroller article I have ever read... period!
Q: Anyone notice a common infection thread here?
A: It starts with Micro and ends with soft.
Why is it that Iran had thousands of replacement centrifuges? Thousands? Of Replacements?