Stuxnet
  • Stuxnet

    Wow, I came here hours after reading about Stuxnet and expected there to be a thread already started on this with lots of discussion. Maybe the forums just die down after con.

    I assume most of you have probably already read about Stuxnet:

    http://www.bbc.co.uk/news/technology-11388018

    tl;dr it's a sophisticated piece of multi-layer malware using 4 previously unknown Windows vulnerabilities to propagate between PCs via USB keychain drives. After infecting a Windows host it remains dormant and harmless, until it detects specific pieces of software for industrial equipment manufactured by Siemens. Once these are identified, a second stage attack begins whereby the malware tries to infect industrial equipment.

    The attack specifically targeted Iran and had a level of sophistication such that the BBC suggests it was funded by a "nation-state." So rumor has it this was a little bit of information warfare...

    Obligatory Bruce Schneier post:

    http://www.schneier.com/blog/archive...uxnet_wor.html

    Some quotes from the people who reverse engineered it:

    http://frank.geekheim.de/?p=1189

    After 10 years of reverse-engineering malware daily, I have never ever seen anything that comes even close to this
    This is what nation states build, if their only other option would be to go to war
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]

  • #2
    Re: Stuxnet

    Working someplace that has a fairly large SCADA installation, definitely something I've been watching. http://www.symantec.com/connect/blog...ection-process is a pretty good write-up on the PLC attack part of it.
    Aut disce aut discede



    • #3
      Re: Stuxnet

      I simply cannot understand the lack of attention to Stuxnet. Could someone explain to me why? Just before the weekend Symantec found out designs of the target system (http://www.symantec.com/connect/blog...t-breakthrough) which appears to confirm the Iranian target speculations ... and still I've heard almost nothing.

      A serious threat to a nuclear facility, and hardly even a squeak. Clocks are going to roll over like a speedometer and everyone thinks planes are going to slam into mountains. My local news station just did a report about how dangerous WiFi is to children's health. What is going on here?

      I understand these forums really only pick up around time of the con, but even on other hacker forums there's not much conversation.



      • #4
        Re: Stuxnet

        Originally posted by SHA-hi:
        I simply cannot understand the lack of attention to Stuxnet. Could someone explain to me why? Just before the weekend Symantec found out designs of the target system (http://www.symantec.com/connect/blog...t-breakthrough) which appears to confirm the Iranian target speculations ... and still I've heard almost nothing.

        A serious threat to a nuclear facility, and hardly even a squeak. Clocks are going to roll over like a speedometer and everyone thinks planes are going to slam into mountains. My local news station just did a report about how dangerous WiFi is to children's health. What is going on here?

        I understand these forums really only pick up around time of the con, but even on other hacker forums there's not much conversation.
        Most of it is because the SCADA engineers around the world refuse to admit there's actually a problem. Many of them feel that their networks are islands unto themselves and therefore impenetrable. It's been a slow process trying to get the SCADA people to understand basic security issues.
        A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



        • #5
          Re: Stuxnet

          Originally posted by SHA-hi:
          I simply cannot understand the lack of attention to Stuxnet.

          [...]

          I understand these forums really only pick up around time of the con, but even on other hacker forums there's not much conversation.
          I am equally perplexed as to the lack of conversation. This is a milestone in the development of malware: rather than one government launching aircraft to bomb a nuclear facility, they decided instead to attack it with malware.

          This is bona fide information warfare and a milestone in the development of malware, if you ask me.

          Of course, I may be biased by where I think malware is going.
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
          [ redacted ]



          • #6
            Re: Stuxnet

            I know on Reddit and Slashdot the topic of Stuxnet has been beaten like that dead horse I have buried in my backyard. At one point on /r/netsec every other post was Stuxnet related. I avoided the forums for a few weeks because I'm transitioning to a new job, but I was surprised to log in last week and see maybe 4 new posts. While the forum regulars are always here, I think the community dies around this time of the year after the shine of Defcon has faded and the glint from DC19 is so far on the horizon.

            I tried to not pay too much attention to it because I got wrapped up in the Conficker nonsense (my network at the time did get infected, however). It's interesting to see that it's a much different class of virus and it took a really long time to figure it out. I enjoyed reading the Symantec writeup on it.
            "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



            • #7
              Re: Stuxnet

              Originally posted by bascule:
              I am equally perplexed as to the lack of conversation. This is a milestone in the development of malware: rather than one government launching aircraft to bomb a nuclear facility, they decided instead to attack it with malware.

              This is bona fide information warfare and a milestone in the development of malware, if you ask me.

              Of course, I may be biased by where I think malware is going.
              Several times, I've considered posting something about Stuxnet, but most of what's being bandied about is little more than FUD and other misinformation. Aside from the Symantec analysis much of what has been posted on the SCADA security lists has been mainly wild, unsubstantiated speculation with little or no facts.

              So far, the biggest problem that I see with SCADA isn't Stuxnet or another worm, but that the average Process Control/SCADA person is clueless about security. Coupled with the fact that SCADA processes generally required availability above all else, and most SCADA equipment and systems have zero security controls, it makes securing control systems very difficult. The current situation is about equal to 1987 with PC viruses: wide open systems with no security, and clueless users.

              While Stuxnet may be a further step in the direction of information warfare, the real milestone was probably on September 6, 2007, when Israel bombed the suspected nuclear reactor in Aleppo, northern Syria. During the attack, Syrian air traffic control was mysteriously unable to see the Israeli aircraft, while normal ATC functions continued.
              Last edited by Thorn; November 16, 2010, 18:48.
              Thorn
              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



              • #8
                Re: Stuxnet

                Originally posted by Thorn:
                While Stuxnet may be a further step in the direction of information warfare, the real milestone was probably on September 6, 2007, when Israel bombed the suspected nuclear reactor in Aleppo, northern Syria. During the attack, Syrian air traffic control was mysteriously unable to see the Israeli aircraft, while normal ATC functions continued.
                Didn't know about that... cool. And what we're seeing here is very similar: Stuxnet has been specifically designed to mitigate collateral damage, looking for very specific types of hardware operating under very specific conditions and then and only then does it attempt its (very subtle) attack.
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                [ redacted ]



                • #9
                  Re: Stuxnet

                  Originally posted by bascule:
                  Didn't know about that... cool. And what we're seeing here is very similar: Stuxnet has been specifically designed to mitigate collateral damage, looking for very specific types of hardware operating under very specific conditions and then and only then does it attempt its (very subtle) attack.
                  Do a search on "Operation Orchard", and you'll find a lot of information about it. There are some conflicting reports that indicate that it was a backdoor, or a 'kill switch' worm, some super-sophisticated variation of conventional radar jamming, or a man-in-the-middle attack on the fiber communication lines between the radar transceivers and the operators' workstations. Richard Clarke has a good review of what happened and the possible explanations in Chapter 1 (pages 1-8) of Cyber War. Clarke opens the book with that situation because he says "This was how war would be fought in the information age, this was Cyber War."

                  The very first incident of this type however, was probably close to three decades ago, when the Trans-Siberian pipeline exploded in 1982. The controls reportedly had a CIA-designed flaw in SCADA software that was stolen by the KGB. The flaw has been described as both a Trojan horse and a logic bomb. Whatever the exact technical specifications, the software allegedly caused various pumps, turbines, and valves to exceed normal operational limits, which in turn caused the pipeline to burst and explode. While the end result was not nearly as subtle as Stuxnet's reported target, it certainly did exactly what you describe, in that it was looking for very specific types of hardware operating under very specific conditions and then and only then did it attempt its attack.
                  Thorn
                  "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                  • #10
                    Re: Stuxnet

                    Originally posted by Thorn:
                    The very first incident of this type however, was probably close to three decades ago, when the Trans-Siberian pipeline exploded in 1982. The controls reportedly had a CIA-designed flaw in SCADA software that was stolen by the KGB. The flaw has been described as both a Trojan horse and a logic bomb. Whatever the exact technical specifications, the software allegedly caused various pumps, turbines, and valves to exceed normal operational limits, which in turn caused the pipeline to burst and explode. While the end result was not nearly as subtle as Stuxnet's reported target, it certainly did exactly what you describe, in that it was looking for very specific types of hardware operating under very specific conditions and then and only then did it attempt its attack.
                    Yeah, I'm well aware of that, but again, that's a trojan, and one which required very specific and purposeful manual actions on the part of the Russians in order to be effective.

                    Stuxnet is multi-layer malware, which propagates with zero knowledge on the part of Iranians and leverages their computer infrastructure along with normal actions and processes. Obviously there was a huge amount of spy work/intelligence that went into its creation, but after that, they turned it loose in selected places and theoretically it just did its thing. That's the unprecedented part here and what really makes Stuxnet so interesting.
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                    [ redacted ]



                    • #11
                      Re: Stuxnet

                      Perhaps the most detailed analysis of Stuxnet yet:

                      http://www.langner.com/en/2010/11/19/the-big-picture/

                      It contains two different payloads designed to attack two different targets. The first payload was designed to destroy the rotors of uranium centrifuges. The other payload was aimed at the approximately 150 foot wide gas turbine of an Iranian nuclear power plant.

                      "Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield."
                      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                      [ redacted ]



                      • #12
                        Re: Stuxnet

                        This is a month old, moldy dusty bread of a post but, that won't stop me...

                        "I simply cannot understand the lack of attention to Stuxnet. Could someone explain to me why?"
                        Hmm well do you want everyone in the world to know that it would be possible to control the nuclear centrifuge possibly causing a nuclear meltdown in a foreign nation already in the middle of a bunch of war nations. Dunno about the rest of y'all but a nuclear winter doesn't seem too appealing...
                        Perhaps they fail to realize the complexities of how hard it is to debug the StuxNet source code...

                        "Most of it is because the SCADA engineers around the world refuse to admit there's actually a problem"
                        This is true... Can you blame em?

                        "The controls reportedly had a CIA-designed flaw in SCADA software was stolen by the KGB"
                        Did ya know the CIA Director was in Nicaragua during the Earthquake in 72...
                        Your Life Is Your Crime, It's Punishment Time



                        • #13
                          Re: Stuxnet

                          Originally posted by JMC31337:
                          Hmm well do you want everyone in the world to know that it would be possible to control the nuclear centrifuge possibly causing a nuclear meltdown in a foreign nation already in the middle of a bunch of war nations. Dunno about the rest of y'all but a nuclear winter doesn't seem too appealing...
                          Stuxnet can't cause a nuclear catastrophe. The intended target was a gas turbine, centuries old technology which turns steam pressure into torque which in turn drives an electrical generator and produces electrical power.

                          Rather than affecting the nuclear components of the power plant, Stuxnet could theoretically destroy this turbine and thus the plant's ability to produce electrical power.
                          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                          [ redacted ]



                          • #14
                            Re: Stuxnet

                            Originally posted by bascule:
                            Stuxnet can't cause a nuclear catastrophe. The intended target was a gas turbine, centuries old technology which turns steam pressure into torque which in turn drives an electrical generator and produces electrical power.

                            Rather than affecting the nuclear components of the power plant, Stuxnet could theoretically destroy this turbine and thus the plant's ability to produce electrical power.
                            I'd heard that Stuxnet's payload was aimed at modifying the RPMs of nuclear fuel producing centrifuges, rather than a nuke plant's steam turbine. The centrifuges are used to separate U-235 from U-238 for use as fuel (or alternately, bombs.) Apparently, the correct RPMs are critical for both the production of the U-235 and the operation of the centrifuge itself. Incorrect RPMs will cause incorrect fuel extraction and can damage the centrifuge's mechanisms.

                            However, even destroying the centrifuges still wouldn't cause a meltdown according to what I know. Uranium within a centrifuge is in a gaseous form (technically it's uranium hexafluoride gas). For it to go into the superheated, uncontrolled state that causes a meltdown, the U-235 has to be in a solid state. Now, I am not a nuclear scientist (IANANS), so I could be off base here, but that's my understanding.
                            Thorn
                            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

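The post above makes the defensive point that matters for this class of attack: a drive running outside its expected speed band, or changing speed faster than the machinery should, is physically damaging, so it is also detectable if someone is watching the telemetry independently of the HMI. The following is an added example, not code from the thread or from any vendor: a plausibility monitor over drive-frequency readings that flags out-of-band values and abrupt jumps per drive. The band limits, step limit and the sample readings are constructed placeholders, not real plant set points.

```python
"""Plausibility monitor for drive-speed telemetry (added example, not from the thread).

Assumptions (constructed, not real plant values): each drive is expected to hold its
frequency inside a fixed band and to change it only gradually. Readings are assumed to
come from a tap that does not depend on the PLC/HMI path, so a spoofed display does
not hide them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    t: int          # seconds since start of the capture (constructed)
    drive: str      # drive identifier (constructed)
    hz: float       # frequency reported by the independent tap


@dataclass(frozen=True)
class Alert:
    t: int
    drive: str
    kind: str       # "out_of_band" or "abrupt_change"
    hz: float


def check_telemetry(readings, low_hz, high_hz, max_step_hz):
    """Return alerts for readings outside [low_hz, high_hz] and for per-drive
    changes larger than max_step_hz between consecutive readings.

    Readings are processed per drive in time order; a single reading can raise
    both kinds of alert (it left the band and it got there in one jump).
    """
    last = {}           # drive -> previous Reading
    alerts = []
    for r in sorted(readings, key=lambda x: (x.drive, x.t)):
        if not (low_hz <= r.hz <= high_hz):
            alerts.append(Alert(r.t, r.drive, "out_of_band", r.hz))
        prev = last.get(r.drive)
        if prev is not None and abs(r.hz - prev.hz) > max_step_hz:
            alerts.append(Alert(r.t, r.drive, "abrupt_change", r.hz))
        last[r.drive] = r
    return alerts


def drives_with_alerts(alerts):
    """Sorted list of drive ids that raised at least one alert."""
    return sorted({a.drive for a in alerts})


# Constructed sample: drive A jumps far above the band and back; drive B collapses
# to near standstill. Drive values are placeholders, not a real process record.
SAMPLE = [
    Reading(0, "A", 1010.0),
    Reading(10, "A", 1012.0),
    Reading(20, "A", 1350.0),   # out of band and an abrupt jump
    Reading(30, "A", 1011.0),   # back in band, but the return is itself abrupt
    Reading(0, "B", 1005.0),
    Reading(10, "B", 1005.0),
    Reading(20, "B", 5.0),      # out of band and abrupt
]

# Constructed limits: nominal band 950-1100 Hz, at most 20 Hz change per sample.
LOW_HZ, HIGH_HZ, MAX_STEP_HZ = 950.0, 1100.0, 20.0

if __name__ == "__main__":
    for a in check_telemetry(SAMPLE, LOW_HZ, HIGH_HZ, MAX_STEP_HZ):
        print(f"t={a.t:>3}s drive={a.drive} {a.kind:<14} hz={a.hz}")
```

The point of keeping the check this simple is that it runs on the historian or on a passive tap, needs no knowledge of the malware, and still catches both the speed excursion itself and the too-fast ramp that an attacker would need to reach it. Real deployments would derive the band and step limits from the equipment's own documentation rather than from constants like these.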


                            • #15
                              Re: Stuxnet

                              Originally posted by Thorn:
                              I'd heard that Stuxnet's payload was aimed at modifying the RPMs of nuclear fuel producing centrifuges, rather than a nuke plant's steam turbine.
                              See the analysis I linked earlier:

                              http://www.langner.com/en/2010/11/19/the-big-picture/

                              Stuxnet contains two payloads. One indeed is targeted at centrifuges for enriching uranium. The other one appears to target a power plant's turbine.

                              Two birds with one stone, so to speak... and as it were apparently the gas turbine payload is substantially more complex than the one that targeted the uranium centrifuges.
                              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                              [ redacted ]
