Moderators: Alyrium Denryle, Edi, K. A. Pital
Lots of people didn't notice that. Just pointing that out to those who skimmed the original article.Stark wrote:Thanks Shep, but the article already said that.
Your average criminal? Nope. But operatives of a national intelligence agency? They'd at least know what to look for.It's not, however, the first thing someone breaking in would think to steal (even if they knew where it was).
First, the attackers needed to conduct reconnaissance. As each PLC is configured in a unique manner, the attackers would first need the ICS’s schematics. These design documents may have been stolen by an insider or even retrieved by an early version of Stuxnet or other malicious binary. Once attackers had the design documents and potential knowledge of the computing environment in the facility, they would develop the latest version of Stuxnet. Each feature of Stuxnet was implemented for a specific reason and for the final goal of potentially sabotaging the ICS.
Attackers would need to setup a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals in order to test their code. The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.
In addition their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion. The attackers compromised two digital certificates to achieve this task. The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, as the two companies are in close physical proximity.
...
In addition to this, Stuxnet also uses another trick to enhance the chances that it will be executed. The autorun commands turn off autoplay and then add a new command to the context menu. The command that is added is found in %Windir%\System32\shell32.dll,-8496. This is actually the “Open” string. Now when viewing the context menu for the removable device the user will actually see two “Open” commands.
One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user chooses to open the drive via this menu, Stuxnet will execute first. Stuxnet then opens the drive to hide that anything suspicious has occurred.
If you can't answer who "they" is, guess what: "they" got away with it. The two most likely candidates have deniability--the digital signatures were stolen by unknown parties from two Taiwanese companies, and the update servers were in neutral countries. Without proof, there's jack-shit Iran can do, given its limited retaliatory options.Spoonist wrote:What I don't get is how they thought that they would get away with itwithout making a mess? The likelyhood of things like this to spread is of course great. So then its only a question of time before someone else detects it, like the russians did.
Yeah, and know where and what to look for. I doubt this is something that that is just lying around the office, and then you need to cover up your tracks so no one even suspects you have been there (or at least that you were not intrested in those codes). It is starting to grow once you think about it...MKSheppard wrote:Actually, it appears that both companies whose digital signatures were stolen, resided in the same building. So all you had to do was send someone in to physically raid the offices after hours.
Ah, wrong implication, sorry. I said without making a mess. Even if the makers get away scot free there will be a mess out of this. From other malware copycats or from foreign services. I mean those fourRedImperator wrote:If you can't answer who "they" is, guess what: "they" got away with it. The two most likely candidates have deniability--the digital signatures were stolen by unknown parties from two Taiwanese companies, and the update servers were in neutral countries. Without proof, there's jack-shit Iran can do, given its limited retaliatory options.Spoonist wrote:What I don't get is how they thought that they would get away with itwithout making a mess? The likelyhood of things like this to spread is of course great. So then its only a question of time before someone else detects it, like the russians did.
It's much more likely that they just bribed employees of these companies to steal them a copy. These companies aren't government agencies with tightly defined security protocols.CJvR wrote:Yeah, and know where and what to look for. I doubt this is something that that is just lying around the office, and then you need to cover up your tracks so no one even suspects you have been there (or at least that you were not intrested in those codes). It is starting to grow once you think about it...MKSheppard wrote:Actually, it appears that both companies whose digital signatures were stolen, resided in the same building. So all you had to do was send someone in to physically raid the offices after hours.
Did you ever wonder why Intel bought McAfee? That's why.Sarevok wrote:So what are the chances future micro-controllers, FPGAs, PLAs etc are going to come with "security" features reminiscent of consumer personal computing world ? The days of just plugging in some ICs into a board and hooking it up to a motor or something without regard of cyberpunkish hackers might be over ?
Depending on the level of security you probably wouldn't need to do it after hours. Follow someone through a security door, find an unattended PC and look like you're supposed to be there. Hell, just stand outside a security door and look despondent, someone will let you in.MKSheppard wrote:Actually, it appears that both companies whose digital signatures were stolen, resided in the same building. So all you had to do was send someone in to physically raid the offices after hours.
Then you're missing something. It spread throughout an ENTIRE dedicated secure military network. Even if it gets out, so what? That just means whoever is running the show gets extra data they don't need, but they can just ignore that. In the meanwhile, Iran has found out that it has serious holes in its' nuclear security and is going to have to stop everything while they upgrade the security and triple-check everything they've done so far for bugs.Spoonist wrote:Maybe I'm missing something but to me it looks like they did not think through the results if it spread as much as it did.
So what? Well its like giving away trade secrets for free. Now everyone who wants to have access to it and can analyze it.CaptainChewbacca wrote:Then you're missing something. It spread throughout an ENTIRE dedicated secure military network. Even if it gets out, so what?Spoonist wrote:Maybe I'm missing something but to me it looks like they did not think through the results if it spread as much as it did.
Its lost up there a couple a posts ago. It was just an observation so no biggie.Skgoa wrote:Seriously, whats your point, here?
F-Secure Weblog wrote:Stuxnet continues to be a hot topic. Here's an updated set of Questions and Answers on it.
Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.
Q: Can it spread via other USB devices?
A: Sure, it can spread anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.
Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.
Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC (Programmable Logic Controllers, i.e. the boxes that actually control the machinery). Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
Q: Which plant is it looking for?
A: We don't know.
Q: Has it found the plant it's looking for?
A: We don't know.
Q: What would it do if it finds it?
A: The PLC modification searches for specific high-frequency converter drives (AC drives) and modifies their operation.
Q: What's a high-frequency converter drive?
A: Basically, it's a device that can control the speed of a motor. Stuxnet searches for specific AC drives manufactured by Vacon (based in Finland) and Fararo Paya (based in Iran).
Q: So does Stuxnet infect these Vacon and Fararo Paya drives?
A: No. They drives do not get infected. The infected PLC modifies how the drives run. The modification happens only when very specific conditions are all true at the same time, including an extremely high output frequency. Therefore, any possible effects would concern extremely limited AC drive application areas.
Q: What are those application areas? What are AC drives used for?
A: They are used for various purposes, for example for efficient air pressure systems.
Q: Any other examples?
A: Well yes, they are also used for enrichment centrifuges.
Q: As in?
A: As in Uranium enrichment where centrifuges spin at a very high speed. This is why high-frequency drives are considered dual-use technology and are under the IAEA export restriction list.
Q: Would the Stuxnet code cause centrifuges to disintegrate into projectiles traveling at around Mach 2?
A: It's more likely the modifications would cause the centrifuges to produce bad-quality uranium. The changes could go undetected for extended periods of time.
Q: Have you been in touch with Vacon?
A: Yes. They have been investigating the matter and they are not aware of any instances where Stuxnet would have created problems in the operations of Vacon's customers.
Q: Some suggest the target of Stuxnet was the Natanz enrichment facility in Iran. Are there Vacon AC drives in these facilities?
Q: According to Vacon, they are not aware of any Vacon drives in use in the Iranian nuclear program, and they can confirm that they have not sold any AC drives to Iran against the embargo.
Q: Have you been in touch with Fararo Paya?
A: No.
Q: What do you know about this company?
A: Nothing. It doesn't seem to be very well known outside of Iran. We're not aware of any AC drive customers they would have outside of Iran.
Q: That would indicate what the target country was, wouldn't it?
A: Next question.
Q: Could there be collateral damage? Could Stuxnet hit another plant that was not the original target?
A: It would have to be very similar to the original target.
Q: Do you know of any plants that would be similar to Iran's uranium enrichment plant?
A: Turns out North Korea seems to have a plant that shares the same design.
Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.
Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.
Q: How do you steal a certificate?
A: Maybe with malware looking for certificate files and using a keylogger to collect the passphrase when it's typed in. Or breaking in and stealing the signing gear, then brute-forcing the passphrase.
Q: Has the stolen certificate been revoked?
A: Yes. VeriSign revoked it on July 16th. A modified variant signed with a certificate stolen from JMicron Technology Corp was found on July 17th.
Q: What's the relation between Realtek and Jmicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan… which is weird.
Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:
• LNK (MS10-046)
• Print Spooler (MS10-061)
• Server Service (MS08-067)
• Privilege escalation via Keyboard layout file (MS10-073)
• Privilege escalation via Task Scheduler
Q: And these have been patched by Microsoft?
A: All but one of the two Privilege escalations has been patched. A public exploit for the last remaining vulnerability was released in November.
Q: Did the Stuxnet creators find their own 0-day vulnerabilities or did they buy them from the black market?
A: We don't know.
Q: How expensive would such vulnerabilities be?
A: This varies. A single remote code execution zero-day in a popular version of Windows could go for anything between $50,000 to $500,000.
Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.
Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.
Q: When was it discovered?
A: A year later, in June 2010.
Q: How is that possible?
A: Good question.
Q: How long did it take to create Stuxnet?
A: We estimate that it took over 10 man-years to develop Stuxnet.
Q: Who could have written Stuxnet?
A: Looking at the financial and R&D investment required and combining this with the fact that there's no obvious money-making mechanism within Stuxnet, that leaves only two possibilities: a terror group or a nation-state. And we don't believe any terror group would have this kind of resources.
Q: So was Stuxnet written by a government?
A: That's what it would look like, yes.
Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.
Q: Was it Israel?
A: We don't know.
Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.
Q: Was the target Iran?
A: We don't know.
Q: Is it true that there's are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.
Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh… we don't know, really. (However, reader Craig B. left a comment in an earlier version of this post.)
Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.
Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.
Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.
Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.
Q: Oh.
A: Yeah.
Q: Obviously the attackers had lots of inside information of the target plant and possibly had a mole inside. Why did they use a worm at all? Why couldn't they just have their mole do the modifications?
A: We don't know. For deniability? Maybe the mole had no access to the key systems? Maybe the mole was not at the plant but had access to the design plans? Maybe there was no mole?
Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. The first variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.
Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.
Q: Disabling AutoRun would have stopped Stuxnet, right?
A: Wrong. Stuxnet used a zero-day. When it was new, it would have infected your Windows box even if you were fully patched, had AutoRun disabled, were running under a restricted low-level user account and had disabled execution of programs from USB drives.
Q: But in general, disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use, such as companion infections. It is still a good idea to disable it, but it's not a cure-all.
Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.
Q: How many computers did it infect?
A: Hundreds of thousands.
Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.
Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue spread elsewhere also. This is why Stuxnet has spread worldwide.
Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.
Q: Is it true that the US Senate held hearings on Stuxnet?
A: Yes, in November.
Q: Does F-Secure detect Stuxnet?
A: Yes.
Iran cannot really compete in military R&D against either Israel or the United States. A delay of a decade means that they will be WAY behind the curve and considering recent breakthroughs in missile interception technologies, the hope might well be that even if Iran eventually manages to get nukes by the time they do they won't be able to use them offensively.cosmicalstorm wrote:I risk sounding like an idiot now, but the end result will still be Iranian nuclear weapons within a decade or so, the difference being that it will have cost them more money and pride than they originally planned. Is this a correct analysis of the situation?
