09-22-2010, 18:26
#1
Area Commander
Join Date: Jun 2008
Location: Occupied Wokeville
Posts: 4,645
The Stuxnet Malware
http://news.yahoo.com/s/csm/327178
Quote:
Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?
By Mark Clayton, Tue Sep 21, 3:08 pm ET
Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
"Until a few days ago, people did not believe a directed attack like this was possible," Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. "What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern."
A gradual dawning of Stuxnet's purpose
It is a realization that has emerged only gradually.
Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings – and communicate that proprietary data over the Internet to cyber thieves?
By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.
But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
A guided cyber missile
On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.
"His technical analysis is good," says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. "We're also tearing [Stuxnet] apart and are seeing some of the same things."
Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner's analysis.
"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."
"I'd agree with the classification of this as a weapon," Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.
One researcher's findings
Langner's research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls "fingerprinting," qualifies Stuxnet as a targeted weapon, he says.
Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.
Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.
"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."
-Contd-
__________________
Quote:
When a man dies, if nothing is written, he is soon forgotten.
Paslode is offline
09-22-2010, 18:27
#2
Area Commander
Join Date: Jun 2008
Location: Occupied Wokeville
Posts: 4,645
Quote:
So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.
Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."
For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
"The implications of Stuxnet are very large, a lot larger than some thought at first," says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. "Stuxnet is a directed attack. It's the type of threat we've been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly."
Has Stuxnet already hit its target?
It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.
A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.
Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
Langner is quick to note that his views on Stuxnet's target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)
But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
"This will all eventually come out and Stuxnet's target will be known," Langner says. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that."
Paslode is offline
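The quoted analysis makes one concrete, checkable claim: once Stuxnet has taken over, the original code on the PLC is no longer what executes. The defender's counterpart to that is an integrity baseline of the controller's program blocks, re-read on a schedule and compared against what was commissioned. The example below is added here for illustration; it is not code from the article, from Langner's analysis, or from any PLC vendor. Block names and their bytes are constructed stand-ins for compiled controller logic.

```python
"""Integrity baseline for PLC program blocks.

Added example (not from the article or from Langner's analysis). A defender
records a SHA-256 digest of every logic block as commissioned, then on a
schedule re-reads the blocks from the controller and reports anything that
was added, removed or changed. Block names and contents are constructed.
"""
import hashlib
from typing import Dict, List


def digest(block: bytes) -> str:
    """SHA-256 hex digest of one block's compiled bytes."""
    return hashlib.sha256(block).hexdigest()


def take_baseline(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Record one digest per block at commissioning time."""
    return {name: digest(code) for name, code in blocks.items()}


def compare(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every block name seen in either set.

    A block whose digest changed, or that appears without a baseline entry, is
    the 'original code no longer executed' condition the thread describes; a
    missing block is reported too, since deletion also alters what runs.
    """
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "unchanged": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif digest(current[name]) != baseline[name]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when the read-back matches the baseline exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


# Constructed sample: three blocks as commissioned (the bytes stand in for
# compiled PLC code; they are not real controller output).
COMMISSIONED: Dict[str, bytes] = {
    "MAIN_CYCLE": bytes.fromhex("70 0a 1f 00 00 1b 02"),
    "TIMER_ISR": bytes.fromhex("20 43 01 09 ff"),
    "DRIVE_SETPOINT": bytes.fromhex("11 22 33 44 55 66"),
}
BASELINE = take_baseline(COMMISSIONED)

# Constructed read-back taken later: one block was altered and one unknown
# block appeared, while the others are byte-identical.
READ_BACK: Dict[str, bytes] = dict(COMMISSIONED)
READ_BACK["DRIVE_SETPOINT"] = COMMISSIONED["DRIVE_SETPOINT"] + bytes.fromhex("99 aa")
READ_BACK["HOOK"] = bytes.fromhex("7f 00 01")


def demo() -> Dict[str, List[str]]:
    """Run the comparison on the constructed read-back."""
    return compare(BASELINE, READ_BACK)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {', '.join(names) or '-'}")
```

The baseline has to be taken from a controller known to be clean and stored somewhere the engineering workstation cannot rewrite, otherwise a compromised workstation simply re-baselines after modifying the blocks.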
09-23-2010, 05:18
#3
Quiet Professional
Join Date: Apr 2008
Location: 18 yrs upstate NY, 30 yrs South Florida, 20 yrs Conch Republic, now chasing G-Kids in NOVA & UK
Posts: 11,901
Quote:
But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
"This will all eventually come out and Stuxnet's target will be known," Langner says. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that."
IF,,, If this code is to be effective, it must be very very specific in nature. The code would need to "look" for the exact make & model of a PLC, and also the exact function it is to FU, but it can and will look anywhere it is inserted..
I would think that the only way to make it work would be to create the code as the target code is written..
In other words,, The developer is the destroyer..
It will be interesting to watch this roll out..
"At a nuclear power plant, in the control room, they sense an over heating scenario, and trip the emergency shut down process,, Stuxnet reverses the core rods direction"
 
Ba Da Bing,
Ba Da Boom...
__________________
Go raibh tú leathuair ar Neamh sula mbeadh a fhios ag an diabhal go bhfuil tú marbh
"May you be a half hour in heaven before the devil knows you’re dead"
JJ_BPK is offline
09-23-2010, 08:34
#4
Quiet Professional
Join Date: Feb 2004
Location: Clarksville, TN
Posts: 1,164
The malware was targeted toward an exact configuration.
In lay words, suppose you intercepted communications to an unknown agent that said:
INSTRUCTIONS FOR BOMBING MISSION
1 - Enter the building through the blue door on the east side. If there is no door on the east side of the building, or if it is not blue, go home and forget the mission.
2 - Look at the clock, if it is after 3:00 am and before 4:00 am, travel 20 meters down the hallway and turn right, entering through the green door. If it is not after 3:00 am and before 4:00 am, wait, and check your watch again in ten minutes.
3 - When you enter through the green door you should be in an office. If you are not in an office, go home and forget the mission.
4 - Look to the left. There should be a brown desk against the wall. If there is no desk against the wall, or if it is not brown, go home and forget the mission.
5 - Look at the top of the brown desk against the wall. It should have a telephone number of 555-1212. If there is no telephone, or if the number is not 555-1212, go home and forget the mission.
6 - Go to the desk and open the second drawer on the right. If there are no drawers on the right, go home and forget your mission.
7 - If there is a piece of yellow paper in the bottom of the desk, put your bomb in the drawer, set the timer for ten minutes, and exit the building. If there is no piece of paper in the bottom of the drawer, or if it is not yellow, go home and forget your mission.
===
Obviously, whoever wrote those instructions was specifically targeting one particular drawer in one particular desk, in one particular office in one particular building in the world. The instructions may have been openly printed in the Wall Street Journal, the New York Times, and the Times of London, but that still doesn't tell you who/what the target is, or the source of the instructions. If every single agent began checking every single building worldwide, all but one will end up "going home and forgetting the mission" because something won't be right. But the one who succeeds with each step to the end, will plant the bomb.
It's impossible to tell who, or what, the target is. A factory? A warehouse? A hospital? A university? A power plant?
But you can bet that worldwide intelligence agencies are looking at building after building, looking at east doors, painted blue, with 20 meter hallways, and green doors, with a desk, etc.
The actual "steps" are certain Programmable Logic Controllers that have been assigned certain network addresses and accept and execute certain functions as specified by certain hexadecimal codes. Some of the actual digits being sought, as well as the digits to be (falsely) transmitted once "inside" are encrypted within the malware, making it even more difficult to determine the steps being researched to qualify the target and the digits to be sent to execute the mission. Just getting to the plain text of the malware is itself an NSA level codebreaking operation.
In the example above, the color of the doors, or the piece of paper, would be encrypted so only the agent knows what he is looking for. So first you have to decrypt the colors, THEN use logic and brute force comparisons, to figure out the target.
Clever stuff. I hope it is one of ours, and a nuclear scramble in Iran would be fine with me.
Last edited by CSB; 09-25-2010 at 19:29.
CSB is offline
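The "fingerprinting" the first post describes and CSB's point about the door colours being encrypted are the same observation from two sides: if the check compares a digest of the observed configuration against a stored digest, reading the check tells you nothing about the target, and the analyst is left with what CSB calls "brute force comparisons" against candidates. The example below is added here to make that concrete; it is not code from the thread, from Langner, or from Stuxnet itself. The field names, the inventory of installations and the stored digest are all constructed.

```python
"""A hashed target fingerprint, seen from the analyst's side.

Added example, not code from the thread or from Stuxnet. It models the check
CSB describes as 'the color of the doors being encrypted': the sample stores
only a digest of the configuration it wants, so reading the check reveals
nothing about the target, and an analyst has to test candidate configurations
against the digest instead. Field names, inventory and digest are constructed.
"""
import hashlib
from typing import Dict, Iterable, Optional

# Fields that together identify one installation (constructed names).
FIELDS = ("plc_model", "firmware", "block_count", "drive_vendor")


def fingerprint(config: Dict[str, str]) -> str:
    """Canonical SHA-256 over the identifying fields in a fixed order, so the
    same installation always yields the same digest."""
    canonical = "|".join(f"{k}={config[k]}" for k in FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def gate_matches(observed: Dict[str, str], stored_digest: str) -> bool:
    """The 'one lock in the world' check as an analyst would reconstruct it:
    only a digest is compared, so this function carries no readable target."""
    return fingerprint(observed) == stored_digest


def identify_target(stored_digest: str,
                    candidates: Iterable[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Analyst side of CSB's 'brute force comparisons': hash every candidate
    from an inventory and return the one that opens the lock, or None when the
    target is not in the inventory at all."""
    for candidate in candidates:
        if fingerprint(candidate) == stored_digest:
            return candidate
    return None


# Constructed inventory of installations an analyst has on file.
INVENTORY = [
    {"plc_model": "A-300", "firmware": "2.1", "block_count": "12", "drive_vendor": "X"},
    {"plc_model": "A-300", "firmware": "2.6", "block_count": "14", "drive_vendor": "X"},
    {"plc_model": "B-400", "firmware": "1.0", "block_count": "33", "drive_vendor": "Y"},
]

# Constructed stand-in for the digest recovered from a sample. It is derived
# from INVENTORY[1] only so the example runs offline; in a real case it is an
# opaque value with nothing to read off it.
STORED_DIGEST = fingerprint(INVENTORY[1])


def demo() -> Optional[Dict[str, str]]:
    """Recover the target from the inventory."""
    return identify_target(STORED_DIGEST, INVENTORY)


if __name__ == "__main__":
    print("digest:", STORED_DIGEST)
    print("match :", demo())
```

The near-miss case matters most for the defender: a configuration that differs in a single field produces an unrelated digest, which is why one instance of a product can be hit while thousands of near-identical installations see nothing happen, and why the analyst's inventory has to be exact rather than approximate.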
09-23-2010, 09:08
#5
Quiet Professional
Join Date: Apr 2008
Location: 18 yrs upstate NY, 30 yrs South Florida, 20 yrs Conch Republic, now chasing G-Kids in NOVA & UK
Posts: 11,901
Quote:
Originally Posted by CSB
The malware was targeted toward an exact configuration.
Clever stuff. I hope it is one of ours, and a nuclear scramble in Iran would be fine with me.
After thinking about this for a couple minutes...
If you set aside the nuclear plausibilities,, and look at a different angle...
Suppose this was just some kid that wanted to be a hot-shot and prove his worth in the company???
You figure you can be a STAR IF you guarantee that your company receives the support contract for the project..
After you received said contract and because of "problems" you discovered in the initial design,, you suggest a need to re-design the product??
Of course this would be a very expensive re-write, but you COULD guarantee customer satisfaction,,
Because you have the fix in your pocket,, you designed it that way??
This could be a geek to geek thing..
Purpose built back-door coding is not new... A lot of 60's & 70's systems were built with hard wire back-doors that allowed designers access to de-bug and fix hex level coding.
One I remember well was the FF0F check point re-start for the S360 model 65 system. The damn thing locked up 2-3 times a night when running engineering designs. System looked like it was running fine but was actually in a redundant binary loop.
Early PC's had a set of jumper pins on the mobo that allowed a configuration reset..
Until someone can find the target, you will not know the intended results..
So The hunt is on Doctor..
Quote:
Inspector Lestrade: In another life, Mr. Holmes, you would have made an excellent criminal.
Sherlock Holmes: Yes, and you an excellent policeman.
JJ_BPK is offline
09-25-2010, 11:31
#6
Area Commander
Join Date: Jun 2008
Location: Occupied Wokeville
Posts: 4,645
This gets more interesting by the day.
Quote:
Iran's Nuclear Agency Trying to Stop Computer Worm
TECHNOLOGY, INTERNET, CYBER ATTACKS, TERRORISM, IRAN NUCLEAR PLANT, COMPUTER WORM, STUXNET
The Associated Press
25 Sep 2010, 09:51 AM ET
Iran's nuclear agency is trying to combat a complex computer worm that has affected industrial sites throughout the country and is capable of taking over power plants, Iranian media reports said.
Experts from the Atomic Energy Organization of Iran met this week to discuss how to remove the malicious computer code, or worm, the semi-official ISNA news agency reported Friday.
The computer worm, dubbed Stuxnet, can take over systems that control the inner workings of industrial plants. Experts in Germany discovered the worm in July, and it has since shown up in a number of attacks — primarily in Iran, Indonesia, India and the U.S.
The ISNA report said the malware had spread throughout Iran, but did not name specific sites affected. Foreign media reports have speculated the worm was aimed at disrupting Iran's first nuclear power plant, which is to go online in October in the southern port city of Bushehr.
Iranian newspapers have reported on the computer worm hitting industries around the country in recent weeks, without giving details. Friday's report also did not mention Bushehr.
The Russian-built plant will be internationally supervised, but world powers remain concerned that Iran wants to use its civil nuclear power program as a cover for making weapons.
Iran denies such an aim and says its nuclear work is solely for peaceful purposes.
While there have been no reports of damage or disruption at any Iranian nuclear facilities, Tuesday's meeting signaled a high level of concern about the worm among Iran's nuclear officials.
The destructive Stuxnet worm has surprised experts because it is the first one specifically created to take over industrial control systems, rather than just steal or manipulate data.
The United States is also tracking the worm, and the Department of Homeland Security is building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.
© 2010 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
URL: http://www.cnbc.com/id/39355692/
Paslode is offline
09-25-2010, 23:57
#7
Quiet Professional
Join Date: Feb 2004
Location: Clarksville, TN
Posts: 1,164
Remember this destroyed power generation unit at the Sayano-Shushenskaya Dam in Russia?
In that case the official reason for the destruction was a simple "overspeed" of one of the turbines. When there is the mass of five or six M1 tanks spinning over 200 rpm, it has to be perfectly balanced and well lubricated. If malware were to shut off the lubrication, vary the loads and get the generator out of phase with the other transformers, or even close the water valves too quickly (creating a water hammer) the result would be equally destructive. It would be destroyed without a blasting cap, or a single block of C4. In fact, it would be almost impossible after the fact to reconstruct exactly what caused the turbine to break loose.
Last edited by CSB; 09-26-2010 at 18:20.
CSB is offline
01-16-2011, 07:44
#8
RIP Quiet Professional
Join Date: Jun 2009
Location: The Ozarks
Posts: 10,072
NY Times: US/Israel Tested Stuxnet Worm
http://www.foxnews.com/scitech/2011/...ran-atom-woes/
WASHINGTON -- Israel has tested a computer worm believed to have sabotaged Iran's nuclear centrifuges and slowed its ability to develop an atomic weapon, The New York Times reported Saturday.
In what the Times described as a joint Israeli-U.S. effort to undermine Iran's nuclear ambitions, it said the tests of the destructive Stuxnet worm had occurred over the past two years at the heavily guarded Dimona complex in the Negev desert.
The newspaper cited unidentified intelligence and military experts familiar with Dimona who said Israel had spun centrifuges virtually identical to those at Iran's Natanz facility, where Iranian scientists are struggling to enrich uranium.
"To check out the worm, you have to know the machines," an American expert on nuclear intelligence told the newspaper. "The reason the worm has been effective is that the Israelis tried it out."
Western leaders suspect Iran's nuclear program is a cover to build atomic weapons, but Tehran says it is aimed only at producing electricity.
Iran's centrifuges have been plagued by breakdowns since a rapid expansion of enrichment in 2007 and 2008, and security experts have speculated its nuclear program may have been targeted in a state-backed attack using Stuxnet.
In November, Iranian President Mahmoud Ahmadinejad said that malicious software had created "problems" in some of Iran's uranium enrichment centrifuges, although he said the problems had been resolved.
The Times said the worm was the most sophisticated cyber-weapon ever deployed and appeared to have been the biggest factor in setting back Iran's nuclear march. Its sources said it caused the centrifuges to spin wildly out of control and that a fifth of them had been wiped out.
It added it was not clear the attacks were over and that some experts believed the Stuxnet code contained the seeds for more versions and assaults.
The retiring chief of Israel's Mossad intelligence agency, Meir Dagan, said recently that Iran's nuclear program had been set back and that Tehran would not be able to build an atomic bomb until at least 2015. U.S. officials, including Secretary of State Hillary Clinton, have not disputed Dagan's view.
Neither Clinton nor Dagan mentioned Stuxnet or any other cyber-warfare possibly used against the Iranian program.
Israel has voiced alarm over a nuclear Iran and Israeli Prime Minister Benjamin Netanyahu has said only the threat of military action will prevent Iran from building a nuclear bomb.
Israel itself is widely believed to have built more than 200 atomic warheads at its Dimona reactor but it maintains an official policy of "ambiguity" over whether it is a nuclear power.
Any delays in Iran's enrichment campaign could buy more time for efforts to find a diplomatic solution to its stand-off with six world powers over the nature of its nuclear activities.
U.S. and Israeli officials refused to comment officially on the worm, the newspaper said.
(You don't say...)
__________________
"There you go, again." Ronald Reagan
Dusty is offline
01-17-2011, 06:22
#9
Guerrilla Chief
Join Date: Apr 2010
Location: Southern Arizona
Posts: 590
Too bad there aren't a couple guys on motorbikes for the idiots who talk to feel important.
Note to self: Be scared if the emergency room equipment has the Windows logo on it.
__________________
I am not worthy of the cross of Jesus, Andreas
Denial and inactivity prepare people well for roles of victim and corpse
badshot is offline
01-17-2011, 14:11
#10
Quiet Professional
Join Date: Feb 2005
Location: Fayetteville
Posts: 13,080
Similar story from PC world
Stuxnet Worm Was Weapon, Report Says
http://www.pcworld.com/article/21685...ys.html?tk=rss
"...........According to both Symantec and Langner, Stuxnet was most likely designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its facilities, then force gas centrifuge motors to spin at unsafe speeds . Gas centrifuges, which are used to enrich uranium, can fly apart if spun too fast.................."
Pete is offline
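CSB's Sayano-Shushenskaya post (overspeed, lubrication shut off, loads varied, valves slammed) and the PC World quote about centrifuges forced to unsafe speeds both describe the same class of damage: a controller driving a machine outside the envelope it was built for. The defender's counterpart is a monitor that reads the sensors directly rather than trusting the controller's own status, and applies limits the controller cannot rewrite. The example below is added here for illustration; it is not code from the thread or from any turbine or centrifuge vendor, and its tag names, limits and telemetry lines are constructed.

```python
"""Out-of-band plausibility monitor for rotating-machinery telemetry.

Added example, not from the thread or from any vendor. It takes the failure
modes described in the thread (overspeed, a sudden speed change, lubrication
lost while the rotor still turns) and shows the defender's counterpart: a
monitor fed from the sensors themselves rather than from the controller's
status words. Tag names, limits and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Illustrative limits (constructed, not from any machine's datasheet).
LIMITS = {
    "rotor_rpm": {"max": 1100.0, "max_rate_per_s": 5.0},
    "lube_pressure_bar": {"min": 1.5},
}


@dataclass
class Sample:
    ts: datetime
    tag: str
    value: float


def parse_line(line: str) -> Sample:
    """Parse one constructed telemetry line: '<ISO-8601 UTC> <tag> <value>'."""
    ts, tag, value = line.split()
    return Sample(datetime.fromisoformat(ts.replace("Z", "+00:00")), tag, float(value))


def check(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, kind, detail) alerts; kind is band, rate or lube."""
    alerts: List[Tuple[str, str, str]] = []
    last: Dict[str, Sample] = {}
    for line in lines:
        s = parse_line(line)
        lim = LIMITS.get(s.tag, {})
        when = s.ts.isoformat()
        # Absolute band: speed above the permitted maximum.
        if "max" in lim and s.value > lim["max"]:
            alerts.append((when, "band", f"{s.tag}={s.value} exceeds max {lim['max']}"))
        # Rate of change: a jump no healthy ramp would produce.
        if "max_rate_per_s" in lim and s.tag in last:
            prev = last[s.tag]
            dt = (s.ts - prev.ts).total_seconds()
            if dt > 0:
                rate = abs(s.value - prev.value) / dt
                if rate > lim["max_rate_per_s"]:
                    alerts.append((when, "rate",
                                   f"{s.tag} changed {rate:.1f}/s, limit {lim['max_rate_per_s']}"))
        # Cross-tag rule: lubrication below minimum while the rotor is turning.
        if "min" in lim and s.value < lim["min"]:
            rpm = last.get("rotor_rpm")
            if rpm is not None and rpm.value > 0:
                alerts.append((when, "lube",
                               f"{s.tag}={s.value} below min {lim['min']} at {rpm.value} rpm"))
        last[s.tag] = s
    return alerts


# Constructed telemetry: a healthy ramp, then a jump past the speed limit
# together with a collapse in lubrication pressure.
SAMPLE_LINES = [
    "2010-09-25T11:31:00Z rotor_rpm 1000",
    "2010-09-25T11:31:00Z lube_pressure_bar 2.4",
    "2010-09-25T11:31:10Z rotor_rpm 1020",
    "2010-09-25T11:31:10Z lube_pressure_bar 2.3",
    "2010-09-25T11:31:20Z rotor_rpm 1180",
    "2010-09-25T11:31:20Z lube_pressure_bar 0.9",
]


def demo() -> List[Tuple[str, str, str]]:
    """Run the monitor over the constructed telemetry."""
    return check(SAMPLE_LINES)


if __name__ == "__main__":
    for when, kind, detail in demo():
        print(when, kind.upper(), detail)
```

The monitor is only worth something if its inputs and its limits live outside the controller that could be subverted: a hardwired overspeed trip or a separate safety PLC with its own sensor wiring is the physical version of the same idea, and this software check is meant to raise the alarm, not to replace that trip.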