Buggy Win 95 Code Almost Wrecked Stuxnet Campaign

mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.

funny...

[garyisabusyguy]

because it is buggy code that is written with poor security that allows things like this to spread in the first place

Re: funny...

I'm shocked that your obviously high level of intellect and professionalism did not allow them to overlook your refusal to commit a felony on their behalf by lying to the FBI. Those bastards at MS are just so set in their evil ways.

Re:funny...

lets see, huge anti M$ bias, supposedly still has to share a room despite being good enough that 20 years ago they worked for MS and admits online to commiting felonies. More likely you are still living with your mother and I would be shocked if you are even 15.

Re:funny...

[Zontar+The+Mindless]

He did say, "my old roommate", which could be taken to mean he doesn't have one any longer. And one might have a roommate for any numbers of reasons. Not that any of this makes me any more inclined to believe him, just that you seem to pick an odd point to dwell upon.

Windows !!!

[denisbergeron]

WTF anti-american country use a OS developed in the US ?
Why they didn't use Linux, BSD, even the Russia or RedFlag version ?

Re:Windows !!!

[Shakrai]

Why they didn't use Linux, BSD, even the Russia or RedFlag version ?

Ask Siemens. They designed the equipment the Iranians are using and wrote most of the control software to operate in a Windows environment. Not that it would have mattered, once you've got an agency with the resources of CIA or Mossad after you it's only a matter of time before they find a way in. Linux is not proof against malware delivered via HUMINT assets.

Re:Windows !!!

Why would anybody use a windows OS?

Re:Windows !!!

I don't like the United States of America, yet I still use Windows.

Re: Windows !!!

They're on Windows because the customer knows best and the customers for SCADA systems demand Windows. The vast majority of players in that business are primarily targetting Windows.

Re:Windows !!!

They're mentally deficient?

Re:Windows !!!

[cheater512]

On Linux the attack would have faced a lot more challenges though.
No autoplay (which was the core attack vector) and you'd hope the SCADA software would run as it's own user under Linux which isn't possible with Windows.

Re:Windows !!!

Because their engineers were too stupid to write their own SCADA system in linux or BSD.

Nuclear Scientists are pretty much retards when it comes to programming software.

Re:Windows !!!

What a typical American reaction. You guys want to rule the world but of course that doesn't include the bad guys. The US uses 90% Chinese hardware and last time I looked, rightwing rednecks weren't particularly enthusiastic about communists either.

Re:Windows !!!

[Shakrai]

No autoplay (which was the core attack vector) and you'd hope the SCADA software would run as it's own user under Linux which isn't possible with Windows.

???

Re:Windows !!!

I'm confused as well. This is especially so given that it possible. The problem is that it isn't the easiest or most obvious thing to do.

Re:Windows !!!

and you'd hope the SCADA software would run as it's own user under Linux which isn't possible with Windows.

This is trolling, right? It's trivially easy to run software under it's own reduced permission user account.

Re:Windows !!!

[Shakrai]

The problem is that it isn't the easiest or most obvious thing to do.

Yeah, it's like three or four whole mouse clicks to make it happen....

C'Mon people, Microsoft does enough shit wrong, we don't need to make crap up.

Re:Windows !!!

[Fire_Wraith]

No, you're thinking solely from a security perspective as a coder/engineer, and you're not the type that gets to make the decision of what to purchase. It's because their executives/managers were too cheap, and wanted the "cheap/easy" solution.

Cost is a huge driver for these things, and is a large part of why Siemens and other SCADA/ICS manufacturers moved from entirely proprietary systems of the past, to using commercial off the shelf hardware for the Human-Machine Interface (HMI) and such.

And what's the most common OS in business, the one that corporate is most familiar with, and the most likely for them to choose to put into pretty much anything? Why, Microsoft Windows.

Re:Windows !!!

[Baloroth]

Stuxnet used multiple zero-day flaws across several different kinds of hardware (not all of which were even PCs). Once you get into that advanced an attack, the underlying OS becomes much less important: all software has flaws in it, and if you know where the flaws are, you can exploit them. And those flaws are there (remember Shellshock, anyone?), except in the most basic purpose-specific programming (and even then, there are often flaws). Using Windows opens you up to more generic attacks, especially if you deliberately lower (or don't use) Window's defenses for ease of use (much as using root for everything in Linux does), but against targeted well-funded attacks you should assume they're more or less equally vulnerable.

Re:Windows !!!

[Lunix+Nutcase]

Right click->Run as different user. Yeah, real difficult.

Re:Windows !!!

[Lunix+Nutcase]

It's impossible? So when I right click and choose "Run as different user" do I have some magical version of Windows?

Re: Windows !!!

In Windows 95 it wasn't.

Re:Windows !!!

Different AC.

The previous one mentioned that it wasn't "the easiest or most obvious" and you retorted with "three or four mouse clicks." What method were you referring to that he or she missed?

Re: Windows !!!

The post only said an unqualified "Windows" not "Windows 95". Windows 95 also didn't have Autoplay, it was a Win98 feature, so if that person were really only referring to Win95 then the whole premise of their comment is wrong. Now Autorun was in Win95, but it is not the same thing as Autoplay.

Re:Windows !!!

[Lunix+Nutcase]

The one where you Right click the application and it's like the 3rd option in the context menu?

Re:Windows !!!

[garyisabusyguy]

To be perfectly honest I spent most of the 90's installing software in Unix as root because, well, it eliminated any issues with permissions

It wasn't until the late nineties that I had an employer who demanded that we build out implementation plans for each install that followed their tight security guidelines

I would bet that more than a few *nix admins just do everything as root to avoid any hassle during install

Re:Windows !!!

In order: open, run as administrator, troubleshoot compatibility, pin to taskbar, pin to start menu, restore previous versions, send to, cut, copy, create shortcut, delete, rename, properties. Am I missing something?

Re:Windows !!!

[garyisabusyguy]

This^ ++isTrue

Re:Windows !!!

[MobileTatsu-NJG]

Why they didn't use Linux, BSD, even the Russia or RedFlag version ?

For the same reason nobody wants to use Linux or OSX. Software.

Re:Windows !!!

[Lunix+Nutcase]

Sorry it's shift right-click in Windows 7.

Re:Windows !!!

Yes, you are missing the part where the context menu they refer to exists in one of three circumstances. First is if you are running XP. Second is if you are logged in as the Administrator user (not any old user with admin privileges) on Vista and maybe 7. Third, is if you reenable it in the registry. Your run of the mill install of Windows Vista and above do not have that option enabled; hence, the "it isn't the easiest or most obvious thing to do." because you either enable the context menu or use the runas command in a shortcut.

Re:Windows !!!

Wow, Thanks! That is really neat. I googled to see what the other command that showed "copy as path" does and discovered that also adds a ton of options to the "send to" menu as well.

Re:Windows !!!

Oops, wrong comment. I meant to attach it to http://tech.slashdot.org/comments.pl?sid=7314661&cid=49549269

Re:Windows !!!

I'm really bad at this....

Re: Windows !!!

he might be talking about the ability to programatically add/drop privileges for security, and in a Windows environment most programs run with the privilege of the user running it and its not as straight forward to change around permissions.

Re:Windows !!!

[hairyfeet]

Sigh...Linux has more vulnerabilities than Windows by 3 to 1 in 2014, Windows beats iOS, OSX, and Linux in least number of vulnerabilities in 2014, and how to write a Linux virus in 5 easy steps targeting the same weakness that more than 90% of malware target, the user...HAND.

Re:Windows !!!

[Gavagai80]

In the 90s, when you actually had to switch users to root to do any GUI root actions, I can see that happening. But these days few distros even allow a GUI login as root and sudo is the norm.

Re:Windows !!!

[Opportunist]

I'd deem it unlikely that they're too stupid. But nobody pays a few millions for your team to spend 2 years to build a SCADA system which is then not even on par with one that they could simply buy.

If you look for the reason for this failure, don't look at the engineers. They're not the one making economy decisions.

Re:Windows !!!

[Opportunist]

But ... but ... IT'S CHEAP!

Hard economy trumps sentimentalist patriotism any time. Or when did you see the last US-Flag-flying, "U - S - A" chanting redneck reach for something "made in the U.S.A" when there's a Chinese knockoff available that's 10 cents cheaper?

Re:Windows !!!

[drinkypoo]

C'Mon people, Microsoft does enough shit wrong, we don't need to make crap up.

Ever enabling autorun was something they did wrong. And disabling it should have been a simple checkbox in the drive properties where it would make sense.

Re: Windows !!!

If you managed to build anything remotely resembling a SCADA system with a few million and 2 years, it would be swiss cheese security wise. Hiwever before stuxnet ever hit your plant, it would blow itself up

Re:Windows !!!

Well, I'm not anti-American, but I don't like M$ (they're prepping a new hardware DRM as we speak), I don't like cyberattacking others -- everybody complains about the Russians and Chinese doing it, but the USA is somehow entitled to use it... hint: we're not finding that funny anymore, USA people. You have to learn to avoid double standards in order to gain credibility.

I find nevertheless important to avoid the proliferation of nuclear weapons -- even if just because of the unavoidable accidents (like having an atomic vessel sank near your coast). But if we resort to violence to solve such things, there will be a day where two countries will finding themselves "defending" from each other. And sometimes defense will be seen as an attack.

Alas, defense mechanisms should be evaluated and downgraded according to their offensive character. The best defense is one that is not an offense.

But I'm sure there are most of the guys in USA, Russia and China are quite reasonable and fairly sophisticated. So I'm not anti-American, anti-Russia or anti-China.

Yet, when I despise M$, people say I'm "anti-American", "biased", "childish"... the only mature response is actually enduring such practical-minded (i.e. moronic) people and pay more attention to others who are not so prone to label others.

The problem with Windows is not just the OS -- itself a brain-damaged thing when you know how things like the registry. The problem is the low quality of the immediately available software, like Windows Explorer, Notepad, Paint, Access... you have to resort to a few third-party alternatives. The problem is that in some places (for security reasons) installing such 3rd party tools is prohibited.

None of the excellent software we can use in Linux (and that is made available by the distros themselves) -- none of that is available. It's a very poor application ecosystem. One has for instance to use a DOS cmd window to view a file with "more" because Notepad takes eons to open a big text file.

One feels very dumb in Windows compared to how much Linux empowers its user.

Re:Windows !!!

Oh, cheap / easy is great.

But the hard part is evaluating what is cheap: sometimes there are hidden costs which make the cheap choice actually more expensive, as the owners of some centrifuge might attest now.

There's also the issue of dumbing down of the workforce because the tools are not conducive to good analysis and don't foster creative thinking.

On the whole, I'd say Windows -- albeit cheap to acquire -- is actually more expensive than some other solutions. This is even more evident now that interface, applications and paradigms are changing faster in the M$ world.

But, yes, execs will still buy it if the upfront costs are smaller, because such indirect costs will probably be SEP... (someone else's problem)

Re:Windows !!!

Yep, tell that to the legions of hordes running androids, smart tvs and cable boxes. Idiot.

Re:Windows !!!

[MobileTatsu-NJG]

Heh. You supported my point but phrased it as a rebuttal. Nice.

Re:Windows !!!

Wasn't this in Windows 95? How exactly do you plan to do that in Windows 95?

Re:Windows !!!

[BadDreamer]

If we are talking found and reported vulnerabilities, then yes, Linux has more. Although notably, even grouping together all Linux kernel vulnerabilities regardless of version the number of HIGH vulnerabilities is not higher than the number of HIGH vulnerabilities in Windows 8.1.

But then, it's a lot easier to get fewer vulnerabilities when dropping support for one of the most used OS'es on the planet. Although XP is only on about 14% of all PC's now, it appears. And now support for Windows 8.1 is dropped as well. That seems to be the way Microsoft keeps vulnerabilities in supported systems down; by simply dumping older OS'es.

Re:Windows !!!

[Jack+Griffin]

Why they didn't use Linux, BSD, even the Russia or RedFlag version ?

Because their UI is shit? I mean it's 2015, and Linux still hasn't made any headway onto the desktop...

Re:Windows !!!

[cheater512]

Which is not how system services are designed to be invoked at all.

Re:Windows !!!

[cheater512]

You are clearly clueless about how Linux does it, and yes Windows can not do it.

On my servers, the DNS server runs under it's own user. It can't touch anything it isn't supposed to. The mail server runs under it's own. The web server runs under it's own. Hell even the server monitoring software runs under it's own user.

This is by default with nothing further to do - No service can muck with stuff it isn't allowed to, and even if there was autoplay on USB sticks, nothing on that USB stick could touch any of the services.

How does Windows compare again?

Re:Windows !!!

[hairyfeet]

How many vulnerabilities is there in Ubuntu 6? Debian Sid? Windows XP is FIFTEEN YEARS OLD and was designed to run on a Pentium II 400MHz with 128MB of RAM. If they are too damned cheap to upgrade or replace a PC that is a decade plus old why should that be MSFT's problem? Apple doesn't support the G3s and G4s either but you don't see anybody trying to claim that as any "proof" of anything.

As for your other point its nothing but moving the goalposts and therefor meaningless, because we both know if the numbers were reversed the FOSSies wouldn't be arguing about what "level" the vulnerability is, which just FYI means exactly jack and shit as we have seen with tricks like the "WTF" virus you can use a low level vulnerability (in that case unprivileged user ID spoofing allowing the attacker to send a message) to then effect a higher level attack (user thinks message is legit, clicks on link provided which takes user to a page filled with zero day attacks) so the idea of "levels" really doesn't mean shit anymore.

Re:Windows !!!

[BadDreamer]

How many vulnerabilities is there in Ubuntu 6?

39 total vulnerabilities, 7 high severity, 27 medium severity, 5 low severity.

http://www.gfi.com/blog/most-v...

Debian Sid?

Couldn't find that. It's in NVD though, if you're really interested.

https://nvd.nist.gov/

Windows XP is FIFTEEN YEARS OLD

No it's not. It's still under development, and there is almost nothing left of the codebase from the original XP when you have patched up an XP install.

Otherwise Linux is TWENTYFOUR YEARS OLD, but you know, writing that in all caps as if it means something just seems silly. Because it is.

And hardly any of the Linux vulnerabilities allow a web client attack, like a whole slew of the Windows ones do. Because Linux does not have a web browser with kernel access. Therefore, the low level vulnerabilities in Linux are not like the low level vulnerabilities you are used to.

Re:Windows !!!

Reported is the key, at least publicly available. Also note that vulnerabilities not just linux but all apps in supported distro. For average Windows user, this is OS and probably Office.

Bigger question is what is being patched. On an normal month, may see 15-30 vulnerabilities patched in Windows/Office. I've seen this many a day in Linux and its supported distro. Sometimes critical, other times obscure. I've also seen critical vulnerabilities patched in hours, no need to wait till patch Tuesday like Microsoft.

So yeah, 3 to 1 in favor of Windows WAY misleading. Unless of course you include every piece of software that runs on Windows as well.

Re:Windows !!!

[denisbergeron]

Do you consider the Windows interface with 2 desktops paradigm better than Mate or Cinnamon than have ± the same interface of XP or do you consider the OsX with a dock copied from early Sun/CDE desktop better, design retaked by Gnome or Unity but with a better use of the wide screen ?

Re:Windows !!!

[toddestan]

As compared to the UI regressions on the Windows and Mac side over the past few years? Granted, some of the popular Linux desktops also have similar problems, but at least in the Linux world you have a choice as to what desktop you want to use.

Holy redundancy, Batman!

Buggy Win95 code

Isn't that a redundant statement? That fact that it was Windows code already implies it's buggy.

Re:Holy redundancy, Batman!

[redwraith94]

It's also a misnomer; 'code' is being rather generous.

Re:Holy redundancy, Batman!

[Opportunist]

It makes sense if you read it as a German. "Code" is a homonym for the German "Kot". And that makes a LOT of sense.

Re:Holy redundancy, Batman!

[redwraith94]

Yes, that makes only sense ;)

Bug in their bug

[tomhath]

We've noticed that the slide showing the Stuxnet disassembly doesn't support Werner and Leder's comments regarding the worm and Windows 9x

It appears they misunderstood the code they were looking at. But another quote earlier in the story is more relevant anyway:

either the worm couldn't find any old Windows boxes, or perhaps the Iranian boffins were used to Windows 95 and 98 falling over anyway

Really, who would be surprised by a blue screen from a Windows 95 box?

Re:Bug in their bug

[Shakrai]

Really, who would be surprised by a blue screen from a Windows 95 box?

The giveaway was probably when the blue screen was replaced with CIA's logo and the text "All your base are belong to us."

Re:Bug in their bug

There's ever been a time that someone was surpised by Windoze crashing? Isn't that just SOP for a Windoze box?

Re:Bug in their bug

[Zero__Kelvin]

I remember W95 well, and I can tell you it would raise a lot more suspicions if it didn't bluescreen regularly. Serioulsy, I recall having to recover from BSODs multiple times per day (no exaggeration.)

Re:Bug in their bug

[Smask]

You could lower the crashiness in Win95 by removing everything, hardware and software, marked with "Creative Labs". My last sound card made by Creative was Soundblaster 16.

Re:Bug in their bug

"Buggy Win 95 Code Almost Wrecked Stuxnet Campaign"

The code wasn't buggy, but functioned as intended, keeping it off Win 9x.

It wasn't Win 95 code, it was Stuxnet code.

The Stuxnet "campaign" wasn't wrecked.

So in other words, no part of the title is correct!
And why has no update been added to the summary? Even el Reg has been able to somehow find the decency.

Re:Bug in their bug

[Cro+Magnon]

Yeah, I remember. At one point, it got so bad I counted the BSODs. The record was 15, in an 8 hour day.

Re:Bug in their bug

[r_jensen11]

Really, who would be surprised by a blue screen from a Windows 95 box?

The giveaway was probably when the blue screen was replaced with CIA's logo and the text "All your base are belong to us."

Ah yes, the precursor to "I'm all about that bass." Damn you - now I can't get that techno out of my head!

Less buggy than Windows 7

In my experience Windows 7 is the buggiest Windows software yet. I'm forced to use it at work. What crappy software.

Re:Less buggy than Windows 7

[jones_supa]

Generally Windows 7 is extremely stable, so let's see if you are not bullshitting. Can you tell how to reproduce those bugs?

Re:Less buggy than Windows 7

1) Install a profilic driver
2) plugin a serial device that transmits data (for example arduino)
3) try to monitor the data with different settings than the device is sending data with
4) POOOOF, BSOD Windows 7

Re:Less buggy than Windows 7

[jones_supa]

And what is this "profilic driver"?

Re:Less buggy than Windows 7

a usb to serial converter driver from the company "prolific"

Canary in a coal mine

[roc97007]

That hadn't occurred to me before -- keep a Windows 95 box on the network as a canary, expecting it to crash if there is an intruder on the network.

Only problem might be too many false positives.

Re:Canary in a coal mine

But BSODs are normal for Win95. You'd know for sure there was a virus if it ever stopped crashing.

Re:Canary in a coal mine

Get Windows 3.11 then. It's still on MSDN!
Don't forget DOS 6.22 to go with it.
Relive the wonders of AUTOEXEC.BAT and CONFIG.SYS hell.

Opera 3 works as a browser.

Re:Canary in a coal mine

[cnettel]

My attacker is very regular. He kicks my canary machine down every 49.7 days.

Re:Canary in a coal mine

That's probably the shittiest "security regime" I've ever heard of being thought up out loud, er, as loud as ASCII is.

Re:Canary in a coal mine

Or more like security through obscurity. That's the single answer Life uses to survive. Diversity, acquires through random mutations, most of which 99.9% is garbage(you belong into that 99.9% category btw, you yourself are just one big sequence of garbage DNA mutation that finally went haywire) while what makes it is that 0.1% or even less that is a better adaptation to the circumstances (of course sometimes there is something wrong with the artificial circumstances, such as trying to run a welfare state fairly and without anyone taking advantage of it where diverse ethnic groups are fighting each other instead of living in racial and ethnic harmony). Monocultures are always vulnerable to sudden, massive scale extinction event, and in diversifying your portfolio it never hurts running even obsolete versions of Windows that Microsoft so desperately wants to kill, along with some old school Sun or BSD or Linux without the latest and greatest features that also convey the security issue payload, and you can pick them up really cheap on ebay these days when people dump them as obsolete, but they perform many computing jobs fairly well, such as even run Office 97 on Win95 at very decent speed, or Win2K, or NT4, and while they have their own vulnerabilities, they are different than the latest and not so greatest coming fresh off the press these days. Like in warfare, what stopped the Mongol supermobile horse archer invasions of Europe was mountaneous Terrain in Croatia, where they clearly lost a pitched battle where they were forced to get off their horses, and fight an uphill, or more like an upmountain battle crawling and climbing up the rocks. They were also stopped by forts, in Eastern Austria, where there was plenty of food and water lasting for years, and they set around outside putting it under siege, but after like 3 months they got bored of it and picked up and left. Silent victory for the fort, that is not to say that they are a cure for all, as the Siege of Tyre by Alexander shows, or the ramp built to Masada by the Romans, but diversity in anything helps, and even through the Russian steppes that the Mongols overran and killed everybody that moved, they could have tried using forts. That's what the Chinese did when building their great wall where millions must have died during construction, they were trying to turn the whole country into one big fort, or at least put up walls to delay the speed of the invasion and constant harassment they had to endure. But the general guiding principle in fighting is always "combined arms" or combined forces, meaning internal variety and diversity at all times. Similar principles should apply to cyber warfare, and what Microsoft is doing dropping support to oldschool stuff, and making oldschool stuff actively not function, such as XP will not run without online activation if a hardware or multiple hardware items fail and need replacement, also embrace extend extinguish killing of competition, and if anything, if the government wants more secure computing, how about some welfare to corporations and resurrecting things like SGI, DEC VAX, Sun Microsystems, BEOS, etc, or more like supporting at least a pilot flame diversity in the computing environment as much as possible by paying welfare to such corporations that have a devoted fan base, like BEOS, or even VAX, or even TSENG Labs PCI graphics cards Made in USA, continuing to manufacture actual tangible cost on a pilot scale via government funding, because your whole winning or being defeated in a war may come down to having a 2MB PCI video card available manufactured domestically. And no, merely supporting Linux variations is not the answer to the military as they are fighting down Microsoft wanting monoculture of their products in there, but they need everything: macs, linux, dos, win95, beos, sun, bsd's, and even provide support to these fanbases, like also providing support to amateur radio groups, which would be welfare money much better spent than letting inner city urban retards breed out of control paying 1800/mo in rent i

bottle deposit machines

[roc97007]

This hadn't occurred to me before. I wonder if viruses are the reason those stupid bottle deposit machines are always out of order. I swear to Fudd, I've seen them reboot, usually just as I'm dumping in the last bag of soft drink cans, and they display the Windows 98 splash screen.

BSOD "would have raised suspicions"?!?!?!

[B]lue screens of death would have raised suspicions at the Natanz nuclear lab

Huh?

What version of Windows was this? Windows-Pie-in-the-Sky?

America!

America, fuck yeah! We're coming to save the mother fucking day now... America ... Hell Yeah! Fuck yeah!!!!!!

Context, friend

No no, you see Windows 9X only crashes under *observation.* In front of the press, for example, or during unveilings. So long as its secure in a secret lab, it is the very God of Stability that gives us mass, matter, and the universe.

An alternate headline

"DID a code gaff nearly make stuxnet suxnet by infecting win 9x machines? No."

They have this backwards

[hyades1]

If a Win 95 box failed to produce at least a few BSODs a week, especially when something really important was being done with it...now that would have been suspicious.

Funny word for a "cyberattack"

[TheCarp]

Its the term the people who did this would use if it happened to them.... funny calling it a campaign when, by their own definitions, it was an attack. Shit, if they did similar, it might even be trumped up as an act of war.

Suspicions?

I had BSODs for years with Win95 and wasn't suspicious. I thought it was normal.

misleading much

Seems to me the headline and summary are trying for "OMG buggy win95" when the actual fact is much less interesting.

The article seems to imply that, because stuxnet wasn't intended to run on older systems, it could have caused a crash on win95 if it was installed. As it is, a bug in the stuxnet code allowed for that possibility. There's nothing to indicate that it did indeed infect any win95 systems; that, if it did, that they crashed; and, if that happened, that it raised any suspicion...

Hmmm

[Hognoxious]

If it's the choice between a blue screen and a brown mushroom...