Militarizing Cyberspace
 
Member
Bictaker
GreatDismal
RT @doranb: FBI says it has arrested Iserdo, creator of the Butterfly bot kit responsible for infecting millions of PCs. http://is.gd/dNtuT

with thanks, Mr G
 
Posts: 6031 | Registered: March 16, 2006
Member
BlueShift
I almost cross-posted this to the "Gibsonian" thread...

The Stuxnet worm
The quick version is, someone created an extremely sophisticated, slick piece of malware targeted at computer controlled industrial machinery. Two things make Stuxnet stand out:

1) The software used four different unpatched vulnerabilities and two stolen security certificates to infiltrate systems, and was made to show as few external signs of infiltration as possible. (No crashes, no spamming the network it was on to infect other computers.) Security vulnerabilities tend to be fixed quickly after they are discovered, so attackers typically use them one by one, to avoid playing all their cards at once.

2) The payload was a set of instructions that would only be injected if the PC it was on was running a specific set of industrial control processes. Industrial control systems allow PCs to control external hardware such as machinery in industrial plants. The software could cause physical damage or disruption to these systems.

What does this mean? Whoever built Stuxnet was extremely sophisticated and had a specific end state in mind. The sophistication of the attack means that not only were a lot of resources put into creating the program itself, but that the creator had taken the time to gather insider knowledge of the target. Something like this is almost certainly beyond the scope of typical cybercriminals. Currently there is speculation that it was designed to disrupt Iran's nuclear program.

Articles:
Is Stuxnet the 'best' malware ever?
Was Stuxnet built to attack Iran's nuclear program?
Stuxnet spyware targets industrial facilities, via USB memory stick
Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?
stuxnet: targeting the iranian enrichment centrifuges in Natanz?
 
Posts: 2907 | Location: Kansas | Registered: February 17, 2004
Member
Boogerhead
Considering the sophistication and target of this attack, there could only be one source.


"...but I like a placebo,"
 
Posts: 27488 | Location: my happy place. | Registered: February 17, 2004
Member
And given the clumsiness and the potential for collateral damage, I agree, Boog.


The Lithos School of Curiousity is now enrolling
 
Posts: 18550 | Location: KG, BNE | Registered: May 15, 2004
Member
ArkanGL
quote:
The software could cause physical damage or disruption to these systems.


quote:
Currently there is speculation that it was designed to disrupt Iran's nuclear program.


Because another faulty/exploded nuclear facility is just what the world needs...


_____________________________
Albert's path is a strange and difficult one.
 
Posts: 25387 | Location: Republic of Heaven | Registered: March 10, 2003
<Bic 2.O>
Excellent observations Blue Shift and thanks for the links - I'm conscious this is all public domain, but I guess you still need to be careful when posting such info. Watch your back, eh.
 
Member
quote:
Originally posted by ArkanGL:
Because another faulty/exploded nuclear facility is just what the world needs...


Stalling Iran's nuclear power/weapons development, even at the cost of some Three Mile Island event may be worthwhile for certain neighbors, if they are behind this. Banking on possible revolts from some sectors of the population, already at odds with the regime.
On the other hand, if actions like this help prevent full-fledged military actions, we should welcome the new cyberwarriors. Until they attack the 'wrong' side, of course...
 
Posts: 7380 | Location: Mexico City, Mexico | Registered: January 11, 2003
Member
Unless the worm gets in to a German nuclear power plant, which would, in all likelihood, be running Siemens gear.

Then again, I'm sure those neighbours wouldn't mind. At all.


The Lithos School of Curiousity is now enrolling
 
Posts: 18550 | Location: KG, BNE | Registered: May 15, 2004
Member
ArkanGL
quote:
Then again, I'm sure those neighbours wouldn't mind. At all.


Radioactive clouds cannot cross the French border.
It's a well known fact.
They stop there.


_____________________________
Albert's path is a strange and difficult one.
 
Posts: 25387 | Location: Republic of Heaven | Registered: March 10, 2003
Member
They fucking well will if they're German radioactive clouds.


The Lithos School of Curiousity is now enrolling
 
Posts: 18550 | Location: KG, BNE | Registered: May 15, 2004
Member
Boogerhead
You say "collateral damage", I say "spectacle". :D


"...but I like a placebo,"
 
Posts: 27488 | Location: my happy place. | Registered: February 17, 2004
Member
Black Jacque
The Stuxnet outbreak

A worm in the centrifuge

An unusually sophisticated cyber-weapon is mysterious but important

Sep 30th 2010 | From The Economist print edition



IT SOUNDS like the plot of an airport thriller or a James Bond film. A crack team of experts, assembled by a shadowy government agency, develops a cyber-weapon designed to shut down a rogue country’s nuclear programme. The software uses previously unknown tricks to worm its way into industrial control systems undetected, searching for a particular configuration that matches its target—at which point it wreaks havoc by reprogramming the system, closing valves and shutting down pipelines.

This is not fiction, but fact. A new software “worm” called Stuxnet (its name is derived from keywords buried in the code) seems to have been developed to attack a specific nuclear facility in Iran. Its sophistication suggests that it is the work of a well-financed team working for a government, rather than a group of rogue hackers trying to steal secrets or cause trouble. America and Israel are the obvious suspects. But Stuxnet’s origins and effects are unknown.

Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm in Belarus. The next month Siemens, a German industrial giant, warned customers that their “supervisory control and data acquisition” (SCADA) management systems, which control valves, pipelines and industrial equipment, were vulnerable to the worm. It targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows.

For security reasons SCADA systems are not usually connected to the internet. But Stuxnet can spread via infected memory sticks plugged into a computer’s USB port. Stuxnet checks to see if WinCC is running. If it is, it tries to log in, to install a clandestine “back door” to the internet, and then to contact a server in Denmark or Malaysia for instructions. (Analysis of traffic to these servers is continuing, and may offer the best chance of casting light on Stuxnet’s purpose and origins.) If it cannot find WinCC, it tries to copy itself on to other USB devices. It can also spread across local networks via shared folders and print spoolers.

Initially, Stuxnet seemed to be designed for industrial espionage or to allow hackers to blackmail companies by threatening to shut down vital systems. But its unusual characteristics suggest another explanation. WinCC is a rather obscure SCADA system. Hackers hoping to target as many companies as possible would have focused on more popular systems. And Stuxnet searches for a particular configuration of industrial equipment as it spreads. It launches an attack only when it finds a match. “The bad news is that the virus is targeting a specific process or plant,” says Wieland Simon of Siemens. “The good news is that most industrial processes are not the target of the virus.” (Siemens says it knows of 15 plants around the world that were infected by Stuxnet, but their operations were unaffected as they were not the intended target.)

Another odd feature is that Stuxnet uses two compromised security certificates (stolen from firms in Taiwan) and a previously unknown security hole in Windows to launch itself automatically from a memory stick. The use of such “zero-day vulnerabilities” by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. These holes are so valuable that hackers would not normally use four of them in a single attack. Whoever created Stuxnet did just that to boost its chances. They also had detailed knowledge of Siemens’s industrial-production processes and control systems, and access to the target plant’s blueprints. In short, Stuxnet was the work neither of amateur hackers nor of cybercriminals, but of a well-financed team. “Behind this virus there are experts,” says Mr Simon. “They need money and know-how.”

So what was the target? Microsoft said in August that Stuxnet had infected more than 45,000 computers. Symantec, a computer-security firm, found that 60% of the infected machines were in Iran, 18% in Indonesia and 8% in India. That could be a coincidence. But if Stuxnet was aimed at Iran, one possible target is the Bushehr nuclear reactor. This week Iranian officials confirmed that Stuxnet had infected computers at Bushehr, but said that no damage to major systems had been done. Bushehr has been dogged by problems for years and its opening was recently delayed once again. Given that history, the latest hitch may not have been Stuxnet’s work.

A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack.

Last year Scott Borg of the United States Cyber-Consequences Unit, a think-tank, said that Israel might prefer to mount a cyber-attack rather than a military strike on Iran’s nuclear facilities. That could involve disrupting sensitive equipment such as centrifuges, he said, using malware introduced via infected memory sticks.

His observation now looks astonishingly prescient. “Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed,” he says. Israel certainly has the ability to create Stuxnet, he adds, and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is “Israel’s obvious weapon of choice”. Some have even noted keywords in Stuxnet’s code drawn from the Bible’s Book of Esther—in which the Jews fight back to foil a plot to exterminate them.


____________________________________________________
Armageddon was yesterday – today is just a serious problem.
 
Posts: 4022 | Registered: March 01, 2003
Member
Black Jacque
DailyTech: U.S. DoD Expands Effort to Defend U.S. Public From Cyber Threats

Note the lead-in, "Much as the prescient 1984 science fiction classic Neuromancer predicted..."


____________________________________________________
Armageddon was yesterday – today is just a serious problem.
 
Posts: 4022 | Registered: March 01, 2003
Member
Boogerhead
Is Mr. G writing the news?


"...but I like a placebo,"
 
Posts: 27488 | Location: my happy place. | Registered: February 17, 2004
Member
Assange better have a very secure 'undisclosed location' and multiple-redundant servers at the ready if he goes against the Russian kleptocracy.
 
Posts: 7380 | Location: Mexico City, Mexico | Registered: January 11, 2003
Member
Boogerhead
He'd better be on another planet.


"...but I like a placebo,"
 
Posts: 27488 | Location: my happy place. | Registered: February 17, 2004
Member
Black Jacque
The Stuxnet worm

Yet to turn

New twists in the story of a mysterious and sophisticated cyber-weapon

IS THE price of second-hand computers about to plunge in Iran? Those in its nuclear facilities have been infected by the Stuxnet worm, an ingenious cyber-weapon seemingly designed specifically to sabotage uranium-refining by disrupting centrifuges’ industrial-control systems. On November 29th President Mahmoud Ahmadinejad admitted Stuxnet had hit “a limited number” of the centrifuges. He had previously said that only administrative machines at nuclear facilities had been infected. The International Atomic Energy Agency reported a few days earlier that engineers at Iran’s Natanz plant had stopped feeding uranium into its centrifuges, but Iran said it restarted the process six days later. IAEA figures also showed the refining was less productive.

This is just what a Stuxnet attack would look like. According to Symantec, a computer-security company, the worm performs an inventory of the systems it is running on, looking specifically for “frequency converter drives” made by two firms, one Iranian and the other Finnish, running at speeds between 807 Hz and 1210 Hz. (These high frequencies correspond to the rotation speeds of centrifuges; America tightly controls the export of frequency converter drives able to operate at frequencies above 600 Hz.)

If it finds the right configuration, Stuxnet sabotages it by making subtle changes to the speeds of the centrifuges over several weeks, while displaying normal readings to cover its tracks.

That is not all. Ralph Langner, a German researcher, says Stuxnet has a “second warhead”. It targets a different industrial-control system that just happens to be used at Bushehr, Iran’s much-delayed nuclear-power station, replaying previously recorded normal readings as it causes havoc. Mr Langner likens its complexity to “the arrival of an F-35 fighter jet on a World War I battlefield.”

Mr Ahmadinejad has said that Stuxnet is no longer causing problems. But Mr Langner says eradicating it would take a year without access to top-notch security experts and tools. Iran has few of these, especially since Majid Shahriari, one of its best nuclear scientists, was killed in Tehran on November 29th by a bomb stuck to his car by assassins on motorbikes. Debka, an Israeli website that specialises in security news, says he was leading the effort to eradicate Stuxnet.

A new security patch from Microsoft, released this week, plugs the last of the four security holes that Stuxnet uses to spread itself, but it cannot be used on older systems, widely used in Iran. Mr Langner says it may be easier simply to junk all the worm-struck computers and start again.

Dec 16th 2010 | From The Economist print edition


____________________________________________________
Armageddon was yesterday – today is just a serious problem.
 
Posts: 4022 | Registered: March 01, 2003
Member
quote:
Originally posted by Black Jacque:
DailyTech: U.S. DoD Expands Effort to Defend U.S. Public From Cyber Threats

Note the lead-in, "Much as the prescient 1984 science fiction classic Neuromancer predicted..."


If I were WG, I'd head on down to the Pentagon, and just stand outside, screaming "HAHAHHA!! I TOLD YOU SO!"


The Lithos School of Curiousity is now enrolling
 
Posts: 18550 | Location: KG, BNE | Registered: May 15, 2004
Member
Newro
China's Cyberassault on America, article by the Wall Street Journal

quote:

If we discovered Chinese explosives laid throughout our national electrical system, we'd consider it an act of war. China's digital bombs pose as grave a threat.

...

Senior U.S. officials know well that the government of China is systematically attacking the computer networks of the U.S. government and American corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. In a global competition among knowledge-based economies, Chinese cyberoperations are eroding America's advantage.

...

Recently the computer-security company RSA (a division of EMC) was penetrated by an intrusion which appears to have stolen the secret sauce behind the company's SecureID. That system is widely used to protect critical computer networks. And this month, the largest U.S. defense contractor, Lockheed, was subject to cyberespionage, apparently by someone using the stolen RSA data. Cyber criminals don't hack defense contractors—they go after banks and credit cards. Despite Beijing's public denials, this attack and many others have all the hallmarks of Chinese government operations.

...



You can read the full article here.



___________________________________________________________
"The best way to predict the future is to invent it." Alan Kay, 1971.
 
Posts: 4931 | Location: Cyberspace | Registered: January 09, 2004
Member
Lulzsec, Anonymous team up, target banking, government sectors.

I feel this is perversely like Wintermute/Neuromancer merging.

Promises to retaliate against censorship with "cannonfire anointed with lizard blood."


The Lithos School of Curiousity is now enrolling
 
Posts: 18550 | Location: KG, BNE | Registered: May 15, 2004