Schneier on Security
A blog covering security and security technology.
« The Politics of Allocating Homeland Security Money to States |
| Hacking Trial Breaks D.C. Internet Voting System »
October 7, 2010
Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.
As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.
Here's what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)
Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.
If it doesn't find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It's impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location--and that Stuxnet's authors knew exactly what they were targeting.
It's already infected more than 50,000 Windows computers, and Siemens has reported 14 infected control systems, many in Germany. (These numbers were certainly out of date as soon as I typed them.) We don't know of any physical damage Stuxnet has caused, although there are rumors that it was responsible for the failure of India's INSAT-4B satellite in July. We believe that it did infect the Bushehr plant.
All the anti-virus programs detect and remove Stuxnet from Windows systems.
Stuxnet was first discovered in late June, although there's speculation that it was released a year earlier. As worms go, it's very complex and got more complex over time. In addition to the multiple vulnerabilities that it exploits, it installs its own driver into Windows. These have to be signed, of course, but Stuxnet used a stolen legitimate certificate. Interestingly, the stolen certificate was revoked on July 16, and a Stuxnet variant with a different stolen certificate was discovered on July 17.
Over time the attackers swapped out modules that didn't work and replaced them with new ones--perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.
Stuxnet has two ways to update itself. It checks back to two control servers, one in Malaysia and the other in Denmark, but also uses a peer-to-peer update system: When two Stuxnet infections encounter each other, they compare versions and make sure they both have the most recent one. It also has a kill date of June 24, 2012. On that date, the worm will stop spreading and delete itself.
We don't know who wrote Stuxnet. We don't know why. We don't know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.
Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.
Once a theory takes hold, though, it's easy to find more evidence. The word "myrtus" appears in the worm: an artifact that the compiler left, possibly by accident. That's the myrtle plant. Of course, that doesn't mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
Stuxnet also sets a registry value of "19790509" to alert new copies of Stuxnet that the computer has already been infected. It's rather obviously a date, but instead of looking at the gazillion things--large and small--that happened on that the date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.
Sure, these markers could point to Israel as the author. On the other hand, Stuxnet's authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it's impossible to know when to stop.
Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead Fool" or "Dead Foot," a term that refers to an airplane engine failure. Perhaps this means Stuxnet is trying to cause the targeted system to fail. Or perhaps not. Still, a targeted worm designed to cause a specific sabotage seems to be the most likely explanation.
If that's the case, why is Stuxnet so sloppily targeted? Why doesn't Stuxnet erase itself when it realizes it's not in the targeted network? When it infects a network via USB stick, it's supposed to only spread to three additional computers and to erase itself after 21 days--but it doesn't do that. A mistake in programming, or a feature in the code not enabled? Maybe we're not supposed to reverse engineer the target. By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide. From a foreign policy perspective, that seems dumb. But maybe Stuxnet's authors didn't care.
My guess is that Stuxnet's authors, and its target, will forever remain a mystery.
This essay originally appeared on Forbes.com.
My alternate explanations for Stuxnet were cut from the essay. Here they are:
- A research project that got out of control. Researchers have accidentally released worms before. But given the press, and the fact that any researcher working on something like this would be talking to friends, colleagues, and his advisor, I would expect someone to have outed him by now, especially if it was done by a team.
- A criminal worm designed to demonstrate a capability. Sure, that's possible. Stuxnet could be a prelude to extortion. But I think a cheaper demonstration would be just as effective. Then again, maybe not.
- A message. It's hard to speculate any further, because we don't know who the message is for, or its context. Presumably the intended recipient would know. Maybe it's a "look what we can do" message. Or an "if you don't listen to us, we'll do worse next time" message. Again, it's a very expensive message, but maybe one of the pieces of the message is "we have so many resources that we can burn four or five man-years of effort and four zero-day vulnerabilities just for the fun of it." If that message were for me, I'd be impressed.
- A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life.
Note that some of these alternate explanations overlap.
EDITED TO ADD (10/7): Symantec published a very detailed analysis. It seems like one of the zero-day vulnerabilities wasn't a zero-day after all. Good CNet article. More speculation, without any evidence. Decent debunking. Alternate theory, that the target was the uranium centrifuges in Natanz, Iran.
Posted on October 7, 2010 at 9:56 AM
• 150 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I wonder what else will happen on June 24, 2012?
"You are in a maze of twisty passages, all alike."
0xDEADF007 is probably just an easy number to find in a hex editor, not a secret message. If you're smashing the stack or the heap, it's useful to be able to see quickly where your payload ends up. You drop something like that in while developing your exploit, you get it working, and then you forget to take it out.
Whoever wrote this obviously didn't care about making it a clean attack. Why should we suspect one hex value has some profound meaning?
> very expensive message
In military budget terms it's very cheap.
4-5 man-years, even at contractor rates, is peanuts compared to bombing nuclear reactors and starting a war
The commercial effect, if any of the conspiracies are true, are interesting.
If you think the zero day exploit in Windows was made available to some 3letter agency or deliberately not fixed - you might decide that American Windows doesn't have a place in your country's government.
But it does prove that the particular Seimens PLC doesn't have a secret backdoor, if they had to go to all this trouble - so you might want to choose that model to control the monorail in your evil villains lair.
What if attacking the target directly would make the attacker obvious? That would make the "leftover 3 target and 21 day" code make sense, the first iteration was supposed to be more direct, but someone higher up decided that it was too risky and had the coders widen the attack.
Stuxnet worm + Iran + mainstream media = Global nuclear meltdown
"Keep an open mind. Realize that the computer malware industry feeds on speculation and fear -- and the journalism industry isn't exactly beyond reproach. Many of the articles you'll see will come from writers who don't know C++ from STEP 7. A healthy dose of skepticism and an advanced BS detector will serve you well."
"...and a country that's a pariah to much of the world..."
Clever. We're left to guess exactly which country is meant here.
I agree with Ryan C above - DEADFOO7 is probably just a "constant" the programmer used that can be easily checked. I know some programmers who like to use the word "deadbeef", spelled with letters from the hexidecimal numeric "alphabet" (a-f) as a constant where they need one.
While it probably isn't a message to the world about the intent of the worm, one might be able to use this value to validate the identity of a possible author by showing that he had the knowledge to pull off the worm, as well as having the habit of using DEADFOO7 as a constant in his code. Quick - someone check the open source code sites for a match...
I recall, several years back, a story in Analog which labelled such software worms / virii as "commando programs".
It looks like Stux (not to be confused w/ Tux) might be the first obvious example of malware that tries to effect things in the physical world.
Mind you, this might drive more critical apps that manipulate objects in the real world to run on, say, Linux... or SELinux... or AIX...
Either that or we'll need some CyberDiversity.
Maybe someone wanted to scare people into patching several security vulnerabilities in industrial control software.
I agree with Don B and Ryan Cunningham. 0xDEADF007 is just a convenient constant that pops out at you when you're looking through memory dumps to debug your code. I use things like 0xA550FACE and 0xBEEFCAB5 all the time when I'm writing assembly code or low-level C.
I wonder if "1979 05 09" (May 9 1979) is native date format for some countries? Apparently it's neither European nor American, software developers sometime use year-month-day for benefits of sorting, but apparently this is not the case.
Raw data dump, October 5, 2010:
"Stuxnet was developed in different parts of the world by a variety of people we believe, and the people developing it weren't told what they were working on. Each part of the code was developed in different parts of the world, so entities weren't aware of the purpose of the project. It is also the reason nobody can take responsibility for the worm, because the people who developed it weren't told what they were working on. Only one or two people knew what was being assembled and they aren't part of the various dev teams. This prevents other countries to learn of cyber weapons before they're deployed. If a code base is distributed and only assembled at the last minute, its helpful to counter-intelligence. There was no dev team inside a fancy HQ. The people behind it know infiltration of technical agencies is highly likely. If the code was sitting out in its complete format, spies could easily have tipped off people. Different keys were used to bring the project together. While in development, the code was distributed throughout the world in pieces. A coordination tool was used to bring it all together, last minute from the different devs. The people behind, for instance the zero-days were under the secrets act. They are specialised teams who regularly don't know what they are working on and don't want to know. It's their operational environment, they get handed a brief and thats it."
Presentation, October 7, 2010:
"What is known is that a lot of thought was taken to counter-intelligence.
* Stuxnet was developed by a variety of people.
* Each part of the code was developed in different parts of the world.
* The people who developed it weren't told what they were working on.
* Only one or two people knew what was being assembled and they weren't part of the dev teams.
The code was developed in sections, and was assembled by a dedicated software tool by automation.
* Different keys were used to bring the project together.
* While in development, the code was distributed throughout the world in pieces.
* Code base was assembled at the last minute, to counter-intelligence.
* A coordination tool was used to bring code together, last minute from the different devs.
Cyber and physical domain human intelligence asset teams did reconnaissance.
* The people behind, for instance the zero-days were under the secrets act.
* Documents of control systems were obtained to help the developers.
* Specialised teams who regularly don't know what they are working on and don't want to know.
Some of the people responsible were tracked down, and handed to the authorities.
* The investigation continues by multi-national cyber security partnerships.
* More people involved are likely to be detained and more details made available."
See, maybe it's just something to scare the world. It's about time people wake up. Perhaps a security firm is looking to boost the revenue of the security industry as a while. Perhaps someone is trying to say "See, you shouldn't use Windows in an mission critical environment". Or perhaps it's a contractor, hurting from the global recession. He hired some hackers, knows what controllers they use, and wants to destroy the power plant mentioned. Then, he comes to the rescue! I don't know, just speculation. Like Bruce said, once you head down that road...
the date format YYYYMMDD is commonly used in the US Defense Department; however I do not see any significance in the date that way.
of course, I have no idea how computer programmers do anything, much less how they write dates
i like to speculate on the ego of the authors and how they are reacting to all of our media coverage andn speculation
Has no one else considered that Siemens themselves might have done this? Perhaps it was meant to look like an attack in order to encourage some upgrades? I'm sure Siemens would like to boost their bottom line in this present economy? I haven't researched how feasible this theory might be, but it seems pretty obvious to me since Siemens would have an obvious motive. The way the thing was designed, they can point all the blame at Microsoft, but still come out of the deal with some sales, or at least consulting dollars. Just a thought.
Check out Symantec's analysis. If someone wanted to send a message, they could have stopped far short of where they did. Someone invested a lot of time and money to break something, most likely in Iran, Indonesia or India. I guess Iceland and Indiana got off easy.
Interesting analysis, although there are more possible motives: Third parties wanting to increase tension, industrial sabotage, discrediting of the particular PLC hardware, or others.
Thank you for this essay, I feel like I know 100x more about this worm!
This format is what computers and programmers use in pretty much every country internally.
It's as obvious as counting from 0, and considering powers of 2 "round numbers".
Oh, come on. The 0xDEADF007 ending in "007" is clearly a reference to the greatest super-spy of all time.
This worm was written by MI-6.
"The markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel."
Truly, you have a dizzying intellect.
Mr Schneier wrote: "(All the infection vulnerabilities have since been patched.)"
Sir, don't you really mean to say "Patches have since been made available for all the infection vulnerabilities." ?? Beeeg deeeferance
@atis and Noble_Serf
the date format YYYYMMDD (and variants with hyphens, etc) is an international standard, ISO 8601.
This may be my ignorance of Assembly language speaking, but if you took any given binary of a decent size and started with a theory about "what it really means," couldn't you find numerous numbers and strings that you could read special meanings into? Sort of like drawing constellations between the stars.
Once again, they could have achieved that goal with far less effort. Nothing presented so far is enough to beat Occum's Razor (the attacker wrote a program that break PLCs to break a PLC).
According to Mikko Hypponen, the word "myrtus" may actually be "My RTUs". It seems to make much more sense than obscure historical metaphors... :)
True, but in this case DEADF007 is specifically written as the final value in a process .
The paranoid in me wants to suppose that the PLCs it is designed to infect are those which are used in the factories which produce PLCs. That seems like the most intelligent target, if you have this level of resources and patience, and are interested in gaining more resources and/or power, rather than accomplishing a specific goal.
Conspiracy Theory #3 doesn't really matter that much - even if someone else developed the worm, you can be sure that the U.S. Security people are already talking about how this 'demonstrates a very clear threat to our SCADA infrastructure we need more resources to defend against.'
So stupid question, I'm fairly certain that online criminals have tools that can assemble worms out of program fragments - why couldn't this be the work of a single person who just used an off-the-black-market-shelf tool to assemble something from multiple kiddie scripts out there? These people also have ready access to multiple zero-day vulnerabilities, they're spread across the globe, and often they don't understand the tools they're working with. That seems to fit all the above criteria...
0xDEAD 0xBEEF 0xBABE
So many theories so little time.
Siemens defective F007
I think you misread the Wired story, Bruce, and you've equated what a source is quoted as speculating (not insisting), with what Wired is saying. In fact, the Wired piece is quite skeptical of the speculation. See the headline and re-read the story.
BP lobbied for the release of the Lockerbie bomber, and the people responsible for Stuxnet wanted to make sure they paid.
To make sure the oil deal from releasing the bomber, BP couldn't make a profit from.
Stuxnet targeted the oil well.
There were a lot of unhappy people after the release of Abdelbaset Ali al-Megrahi.
Abdelbaset Ali al-Megrahi was convicted for blowing up Pan Am Flight 103 over Lockerbie, Scotland, on December, 21, 1988.
He was freed on compassionate grounds by the Scottish government on August, 20, 2009.
The claim was he had terminal prostate cancer and was expected to have less than three months to live.
It was a lie and he is still alive living the life of riley in Libya.
What about industrial sabatoge? What if someone decided to teach industrial spies a lesson and had them steal infected plans? We've already seen this during the Capacitor Plague, so we know espionage and reprisal happen.
Just a few points about PLCs.
* Siemens is the biggest company in the PLC market. You will find their stuff everywhere. You can walk into a Siemens dealer in most cities (in industrial areas at least), plunk some money down on the counter and buy all this hardware and software off the shelf.
* The particular models of PLC targeted are big sellers for Siemens. The S7-315 in particular is very common. Typical Siemens customers would have more of this model than any other PLC. You can walk into a factory anywhere in the world and have a very good chance of finding this specific hardware. These are Siemens's top selling industrial automation products.
* The Step-7 software is the development IDE for Siemens S7 programs. You use it to write, download, and debug programs. Everyone who has Siemens PLCs will have this software. You can't do anything useful with the PLC without it. You would run it on your laptop (it's an MS Windows program) and connect to the PLC with a cable (Profibus, MPI, or Ethernet). You can write the PLC program at your desk in the office, and then download the program to the PLC when you are ready to install and test it.
* WinCC is Siemens software which runs on a PC (with MS Windows) and is used to monitor the process, change set points, log trends, events and alarms, etc. It does this by communicating with the PLC(s). This would typically be called a "SCADA" system.
* PLC programs get changed quite frequently to fix bugs and improve the production process. This is particularly the case during the start up phase of new equipment. Customers and suppliers / consultants e-mail PLC programs back and forth to each other a lot (e.g. "try this version and see if it fixes the bug"). Since according to various reports (e.g. from Symatec) the virus embeds itself in Step-7 programs, this is probably a primary if not *the* primary means of this virus spreading. One supplier with the virus could spread it to numerous customers.
* A lot of designers and programmers re-use pieces of their designs and programs over and over again. Many programmers also leave a lot of unused "junk" in their programs that they copied from other projects (unless they are short on memory, but that isn't a common problem on modern PLCs). You can't rely on finding a unique "signature" to know that you have found a specific machine. At best someone could hope to attack that one machine while also causing a lot of collateral damage elsewhere in the world.
* This virus may have been quite complicated, but there are a lot of very simple things you can do to a PLC to disrupt it that would be very difficult to trace. Someone who intended to cause general disruption rather than target a specific installation would not have to go to any great lengths beyond what is required to create a standard virus. What is more, PCs used to monitor control applications are rarely kept up to date on patches, so you could probably re-use old viruses provided you can find a way of getting the virus to the machine. There are a lot of HMI and SCADA systems running on Windows 2000 that haven't been updated since the day they were installed.
Critique @ Bruce Schneier
That essay was essentially a rehash of all the news reports and our commentary on your blog. It makes for a nice summary. It's seriously deficient for one reason: you didn't mention Natanz.
Natanz plant is where Iran's enrichment centrifuges are located. One researcher showed that the number of centrifuges in operation decreased during a time when Stuxnet was in the area and someone resigned for unknown reasons. You provided a link to this blog in your original post on Stuxnet. It's the most likely target, as actual damage was done and Israeli news reported infected USB sticks there.
So, after linking to this article, why didn't your essay mention the most likely target as at least a potential target? And why are you claiming no damage has been caused by the worm aside from maybe an Indian satellite? Seems like a major oversight for such a thorough essay. Link is below.
Link from Bruce's last post on centrifuge targeting
"A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life."
I see a future Hollywood movie, here. :)
This puts me in mind of the "descolada" (a directed physical virus that infected humans) in the "Ender's Game" series of books by Orson Scott Card.
The indian satellite speculation is nonsense, you won't find a run-of-the-mill PLC in space. It wouldn't work reliably due to high radiation, and that's just one of many reasons.
Personally I think the target was the Natanz nuclear enrichment plant, because it is of much higher value as a target than a civilian reactor like Bushehr.
Interesting story over at DebkaFile -- "Russian experts flee Iran's dragnet for cyber worm smugglers " (http://debka.com/article/9061/)
Its hard to say if this is due to the publicity Stuxnet has created or if it is actually because of something they know (or think they know).
Yes, I know, "you keep using that word, but I do not think it means what you think it means". [Response to "truly you have a dizzying intellect" above.] -- apologies to "The Princess Bride"
A theory that looks extreamly implausible but rather elegant:
The authors of the worm knew that they can not reach the target because of its good security. But they knew that if they unleash a realistically looking worm, it will make the target's management sufficiently nervous to look for external security audit, to check that they are still safe. And they knew where they will go. To them.
s/Ralph Lagner/Ralph Langner/
@J: "The indian satellite speculation is nonsense, you won't find a run-of-the-mill PLC in space."
I don't think anyone implied that the PLC in question was on the satellite. It's highly unlikely that a satellite would come into contact with an infected USB drive while in orbit. Bruce was probably referring to an earthbound PLC involved with, for example, aiming an antenna.
occam's razor dictates that "19790509" is the birthdate of one of the virus creators.
Whatever ;-) it's all fun and games until someone loses a kilogram of plutonium ;-)
Personally I'm inclined to go with the "Israeli attack on Iran (or ALL Muslim countries - and the hell with the collateral damage)" theory since it fits the Israeli attitude and intentions.
In fact, the one thing we can conclude from this event is that the instigator doesn't care about collateral damage despite the apparent careful targeting of the malware to a specific PLC. Or we can conclude the instigator doesn't realize how common the affects PLCs are and didn't realize how much collateral damage they would cause.
However, the fact that Iranian enrichment was diminished during a recent period isn't sufficient evidence that Natanz was the target. There's a lot of reasons centrifuge cascades can be less than efficient, apparently. Unless and until Iran explains the reasons in some IAEA report, we probably won't know what happened at Natanz. I'd say however that there's a good chance the IAEA will want to look into it and report on it in their next report since changes in production would be of interest to the IAEA.
One ex-Mossad agent said Mossad wouldn't be that clumsy as to leave clues in the code. OTOH, as Bruce says, that may have been deliberate. Remember Sharon Stone in Basic Instinct? And how do we know we can trust an EX-Mossad agent when he says this?
Until Iran identifies who they have claimed to have arrested as "spies" involved with distributing the malware, and assuming the "spies" ARE spies, we probably won't have any real clue as to the culprit.
The big problem now is that this malware is being taken as "proof" that "cyberwar" is a'happenin' and we all need to call the Pentagon to help and oh, yeah, by the way, censor the Internet.
As usual the reaction is worse than the problem.
Clearly, it's the work of SkyNet. Only a computer could spin so many conspiracy theories. An AI is behind this... ;-)
DEADF007 is the signature left behind by version 7 of the code. If version 6 had worked, we would be trying to figure out what DEADF006 meant.
This is a handy way to label memory dumps so it is easy to match them up with the source code.
I normally use RCSids, but that technique is not allowed by the relevant coding standards for this class of malware.
>But it does prove that the particular
>Seimens PLC doesn't have a secret
>backdoor, if they had to go to all this
>trouble - so you might want to choose
>that model to control the monorail in
>your evil villains lair.
From the James Jesus Angleton School of Paranoia...you go to all that trouble because just to harass your opponents you DON'T want to use the backdoor.
Which makes your opponents think there isn't a backdoor if you went to all that trouble. Of course leaving the backdoor still to be exploited in a crisis situation when there isn't time to develop a new worm.
Just sayin' once you go into the house of mirrors, you're never certain what you're looking at.
My other thought I didn't see addressed above:
I wonder if NSA or someone else is doing some serious forensic epidemiology.
One stat I saw was 50,000 infections in Iran, 10,000 outside of Iran, 1,000 in the U.S.
Even if the U.S. and/or Israel released it into Iran, I'm pretty sure they'd be REAL interested in the tracking carrier-to-carrier how it left Iran and landed back in the U.S. Might be nothing, might be a very interesting chain.
YYYYMMDD starting the name of windows folders put them in chronological order, a low tech way of dealing with long duration projects.
Scary stuff, too convoluted for a prank.
@ Nick P
"That essay was essentially a rehash of all the news reports and our commentary on your blog."
Are you saying Bruce just reposted everyone's comments without giving credit (other than Andrew Wallace, of all people)? Blasphemy.
"Has no one else considered that Siemens themselves might have done this?"
Well, if you're going to go that way... Has no one else considered that the Iranians themselves might have done this?
Their nuclear program may not be universally popular, either in the country as a whole, or in the Tarantino-like three-way stand-off between the clerics, the military, and Ahmadi-nejad and his followers.
"occam's razor dictates that "19790509" is the birthdate of one of the virus creators."
Or their mom. Or their girlfriend/wife/daughter. (Or switch the genders as appropriate.)
> very expensive message
In military budget terms it's very cheap.
4-5 man-years, even at contractor rates, is peanuts compared to bombing nuclear reactors and starting a war
Posted by: NobodySpecial at October 7, 2010 10:37 AM
That's a good point. Hell, it's less than the cost of a smart bomb.
Like Nick P I'm surprised Bruce did not mention Pakistan and the centrefuge cascade in Iran.
If the worm was directed against nuclear instalations this is by far the most likley explanation of the many seen. The use of PLC's ina a lose SCADA configuration is exactly what you would expect to see for a cetrifuge cascade and the PLC setup for such systems for the Natanz facility are very well known in detail (unlike the never ending construction of the Nuclear Reactor).
Why is the cascade at Natanz so well known... well if people remember back a few years they may remember the Pakastani Cheif Nuclear scientist
Abdul Quadeer Khan more commonly called just AQ Khan in the press.
Well he's speciality was the design of centrafuge technology that ended up in Iran, Iraq, Libya and North Korea amoungst others (upto something like 24 countries are suspected to have purchased the designs).
What rubbed the US and Geroge Bush administration up the wrong way was all their "axis of evil" countries where on the list...
You can see photo's of AQ Khan's centrafuges that where sent to Libya,
And compare them to those in the picture of Iran's political premier when walking around the Natanz facility and play a game of "spot the difference".
Now you may say so what but due to changes in political fortune it is very certain that the design of the centrefuge cascade as AQ Khan is aledged to have sold is known in almost every detail to the US.
What is also reasonably suspected is the links between Iranian and North Korean nuclear scientists.
After North Korea became "public enemy No 1" for supposadly detonanting an experimental nuclear device I would not have been surprised if the US launched yet another attack against North Korea. After all the US has been seriously baiting them into a war state for over thirty years with incursions into their teritorial waters etc).
However North Korea is not the sort of place you just attack because it is a "Buffer Nation" to China, thus it would be supported by China if it was directly attacked, and you would have another Vietnam on your hands.
The US would thus see attacking via "cyber space" as a legitimate attack route, but as North Korea is a closed nation how do you get it there?
Well through Iranian scientists is one of a number of routes.
As a speculation I would say that a worm amied at the AQ Kahn centrefuge design would be a very worthwhile target and fully worth the cost to whom ever chose to make it.
The US fits the bill if we are talking about anti proliferation, but then there are quite a few other people who would like to pick up on the business oportunities AQ Khan is aledged to have started. What better way to get business than to "obsolete" the current design and offer an "upgraded design" at low cost to get your foot in the door...
The one thing Bruce has spot on is there are so many shadows you can see but which is the right one...
@ Davi Ottenheimer
"Are you saying Bruce just reposted everyone's comments without giving credit (other than Andrew Wallace, of all people)? Blasphemy. "
Apparently, even the more reliable security news sources aren't above doing this. (sighs)
Nice edit. I think that's the most info packed edit you've done in a while. Must have been tiring. ;)
most of us programmers are using a common format so dont say that it is "commonly used by US Defense Department".
the rootkit of this "super worm" is very easy to detect. Any skilled programmer can code better stuff.
@atis and Noble_Serf and MikeB:
The date format YYYYMMDD (and variants with hyphens, etc) is not only specified by ISO 8601, it is also the US national standard (ANSI INCITS 30-1997 (R2008)), although very few people in the US seem to use it.
W3C uses a subset of ISO 8601 omitting some of the variants. The hyphens, optional in ISO 8601 and ANSI INCITS 30-1997, are mandatory in the W3C subset (as YYYY-MM-DD).
Why is Stuxnet so sloppily targeted? Maybe the authors just didn't want to limit it, allowing Stuxnet to benefit from the idea of six degrees of separation.
Please, can we get clear exactly what the worm is attacking and affecting.
The difference between PLCs and SCADA systems is significant. Programmable Logic Controllers (PLCs) are highly specialised computers for industrial applications. None that I know of runs any version of Windows, Linux or any other traditional 'computer' operating system. The main manufacturers of PLCs (Siemens, Rockwell, Mitsubishi ...) all have their own operating systems and instruction sets. You program a PLC to carry out certain tasks to control and react to events in a manufacturing or process plant (start this pump, open this valve, lock off this conveyor ... ) and the PLC is connected to the physical plant equipment through specialised I/O systems. It is perfectly natural and common to have a PLC installed in a cabinet in a factory and for it to run for years with no human intervention. Siemens mainstream bread-and-butter PLC range at this time is indeed know as the S7 family (twenty years ago it was S5 - since these computers are designed to have lifetimes of the same order as the plant they control they stay in production for a long long time).
The whole purpose of SCADA systems (Supervisory Control And Data Acquisition) however is human intervention. Some processes or operations in a factory require an operator or supervisor to view a graphical representation of what's happening to the plant or process. For this purpose it is universal to use standard PC architecture, Windows or Linux in some form, plus the SCADA application software from a given supplier. There are many more SCADA software suppliers on the market than there are PLC manufacturers. You don't need hardware manufacturing, assembly lines etc to create a bit of software. Siemens is also a SCADA supplier, the main software brand they use for this is WinCC (Windows Control Centre). These SCADA systems (PC+software) do *NOT* directly control things. They may, as another poster indicated, be used to allow data to be exchanged with a PLC, such as 'open this valve' "65%" rather than 'open this valve' "35%". The PLC contains and executes the instruction; the SCADA may write a new set-point, speed, temperature, recipe, whatever.
But let's get a few things clear.
1) People who write industrial control software in PLCs for a living always keep in mind error-checking. They know that a failure to validate an operation could lead to disaster. You never just open a supply valve to a vessel without checking how much is already in there. What if it's already full? You get spillage of who-knows-what all over the plant. You never just start a machine or device without ensuring all safety locks are in place and sending a closed signal through the input system. What if a maintenance guy is half-way inside the machine. You get dead maintenance people all over the factory. So even if an operator or a malicious worm on a SCADA system sent an instruction to do something like this, a competent PLC program (I know, I said 'competent') should prevent disaster.
2) No worm that I know of that can inhabit a Windows or Unix environment (on the SCADA PC) is also going to be capable of transmitting itself across an industrial communications network and embedding itself in the unique operating system of the PLC itself. Remember how we all laughed at Jeff Goldblum in "Independence Day"? Writing a virus on an Apple to infect the alien spaceships? Well, this is just as likely.
3) Finally, even if you suspect a worm/trojan/virus has infected your SCADA, unplug it. The PLC in charge of your plant carries on working as before. OK you may be blind to your process now but I'd bet that most plants still have more than a few hard-wired buttons and lamps to bring the process to a safe and controlled completion.
Overall, the PLC is like the engine in your automobile, and the SCADA systems are like the rev counter, speedometer, fuel gauge etc. Someone might screw up your speedometer so that it shows you're running 20mph faster than you are, but that's a long long way from actually having control over how much fuel gets injected in to your cylinders and disabling your brakes.
Fascinating. The idea that this might be a genuine case of cyberwar, rather than the BS that normally gets talked about, is enticing, of course.
You start thinking, "which country?" and "Who would they target?" and of course the answers US, and Iran, immediately spring to mind. Not that that means much.
Incidentally, DEADF007 reads a lot like the marvel comic character Deadpool, of which there seems to be something of an internet fad at the moment. Made me think it might be someone's handle. But again, that means nothing. I like the rogue value idea better.
Perhaps stuxnet doesn't have a dedicated target. It could be a "lab escape" or a experiment to study how sabotageware distributes and impacts industrial sights.
But neither is scanario completely convincing. Changing the signed driver to newer signature implicates the work was deilberate. OTOH such study would make future attacks harder as no doubt this will increase security level at many sights.
Pi^2, you're going to have to download from ESET (Nod32 makers) and Symantec their whitepapers, called 'whitepaper' by ESET and 'dossier' by Symantec. These are two separate papers. The Symantec paper is linked in an earlier comment.
The ESET paper had a broad overview of Stuxnet, together with a comparison to Aurora. The Symantec paper has a more detailed discussion of the infection process, complete with discussions of the actual methods used to bypass security software.
It is absolutely essential for anyone commenting on Stuxnet or thinking about it to read these two papers.
It is perfectly clear from the papers, and the Symantec paper goes into excruciating detail, that the Stuxnet worm first infects (rather promiscuously) every Windows computer that it can find, propagating itself as much as possible. If the Windows computer has either WinCC or Step7 installed, it then installs itself and uses whichever of those two programs is present (here I would have to check the details in the papers to be sure if it's both) to modify the PLC logic of the PLC's to which the computer is connected if they match a sensor signature the worm is carrying. This is the logic in the PLC that is being modified. The worm uses a rootkit to hide itself in the Windows O/S and a rootkit in the PLC to hide its modifications to the PLC from the person looking at the PLC logic using either Step7 or WinCC (see the papers for details). The worm is monkeying with the PLC.
The perps went to a lot of trouble to get there.
I would criticize Bruce's presentation for a lack of a clear discussion of the diachronic evolution of the worm's architecture. As is clear from a Cnet article that quotes Liam O Murchu of Symantec, the worm started out with a rather cautious USB propagation method and then after a year was changed to a rather aggressive 'all means possible' propagation method, leading O Murchu, I think correctly, to wonder whether the first year proved to be unfruitful.
Study of the two white papers indicates that this was not intended to be a one-off attack on some installation. Far far too much of an attempt to penetrate any Win O/S from 2000 to Win 7, and to bypass any of the major security packages present--it is at that point that two 0-day vulnerabilities were used (one for the keyboard, one for something else; both still unpatched, Bruce, as of 30 Sept 2010.)
If you read the whitepapers, you find out interesting facts, for example that the date that everyone is exercised about was written in HEX, not decimal.
Whoever did it, and for what reason, is certainly unclear. I don't think that we have anything more than guesses--a retrospective traffic analysis of traffic to the C&C servers to maintain them might come up with something.
However, the persons who did it went to a lot of trouble to be able to modify the worm once it was in place. That would suggest that they wanted it to be around for a while.
@ Pi Squared - "No worm that I know of . . . in the unique operating system of the PLC itself."
Meet Stuxnet, the worm that can (and does) propagate across the SCADA network, and through that embed itself into the top of the PLC memory.
Symantec's W32.Stuxnet Dossier (read it, the link is in Bruce's update) says Stuxnet "Hides modified code on PLCs, essentially a rootkit for PLCs." Page 2
@ Davi Ottenheimer
"Are you saying Bruce just reposted everyone's comments without giving credit (other than Andrew Wallace, of all people)? Blasphemy. "
I've thought for some time that a principal reason for the blog is to generate debate and let Bruce check his own thinking for gaps by our responses.
This might not be too relevant.. but by international standards, the type of PLC that is targeted by stuxnet should not be used in nuclear plants. Siemens is selling PLCs that are designed for that kind of task (with increased reliability checks and some failsave-features) for a premium.
Ok, maybe iran went cheap on the PLC for teh nuclear plant... but I guess, that the hardware of a PLC is not really a cost factor comared to a nuclear plant.
So a nuclear plant seems an unlikely target in my oppinion.
I'm just a noob on this land, but going back to the motives, are they any other similarities between this worm and the attack the CENTCOM suffered in 2008 (which had been infected by an USB stick)? I mean, Stuxnet seems to be designed to target Iran nuclear facilities, and CENTCOM suffered intel leaks (among others). (yeah, I like quite a lot the third explanation (-: )
I suppose there is a non-zero probability that this might be interesting or even useful:
On 29 Sep an anonymous poster on 4chan claimed to be one of the developers of stuxnet and answered questions. I managed to archive the page before it 404'ed and posted it at http://www.gregrperry.com/archive/... I hope I have stripped out the NSFW images, but have not messed with the scripts.
It's an incredible longshot, but it's just crazy enough that it could be real. I don't know how to tell.
> ...why is Stuxnet so sloppily targeted? Why doesn't
> Stuxnet erase itself when it realizes it's not in the
> targeted network? When it infects a network via
> USB stick, it's supposed to only spread to three
> additional computers and to erase itself after 21
> days--but it doesn't do that. A mistake in programming...
I believe this was done purposely that way. In the shoes of the authors I would have taken the same decision. Since Stuxnet medium is the USB key, to enhance the probability to get to the target, I'd stick it in place (the machine RAM) hoping to infect as many USB keys as possible so one of them will (maybe) get to target.
My 2 eurocents (almost 3 Us cents!)
For an aircraft engine-out condition the phrase is "dead stick", not "dead fool" or "dead foot".
Perhaps this is the trial for the release of a new Worm-Toolkit? It shows multiple and flexible routing points, peer and C&C access, and (albeit unlikely feasible) non-trivial endpoints. Today a common PLC, but tomorrow the chip that orders milk for your fridge...
Let's go Capitalist:
There are quite a few corporations, consultants, and pundits who stand to make boat-loads of money "helping" to defend industries against such attacks. Heavy PLC users include many corporations that just happen to have boat-loads of money. Whether this was "proof of concept" software that got out of hand, or even something more deliberate, a lot of money is going to change hands over this.
" A research project that got out of control...."
There's a grad student out there who's been very quiet, except for an, "Oops!" he uttered a while ago.
Near that date in June marks the 100th anniversary of Grande Armée invading Russia. Napoleon is what the Americans call Mille-feuille. Crème pâtissière is sometimes used to make Boston cream pie. Tom Scholz was a mechanical engineer. You see where I'm going with this, right? Coincidence? I don't think so!
Re: reports that there are now infections in Germany. If the original attack was carried out by USB key, presumably unkowingly propagated by service personnel or other outside people working at customer sites, isn't it rational to assume that those service people, or at least some of their work product, eventually make their way back to the source of all Siemens controllers - Germany? Sort of like salmon swimming upstream to the original spawning ground, in this case, where all the key code is created and patches and updates get issued. Eventually maybe versions in the field come home.
Also, has anyone checked if any large corporate or government entities dumped or swapped out vulnerable Siemens systems before the attack? That is, who is specifically not being affected by all this?
It is not myrtus, or just "my rtus".
Read what b:\myrtus\... means: Be my RTU's. I think this is included with intend.
The more interesting question is, what does guava stand for? The end of the string is ..\guava.pdb.
@ Pi Squared
As two others have pointed out, the papers claim that they are targetting PLC's. Even though I know little of PLC's, I know enough to say that your concluding three points are a little off. Let's address them.
"1) People who write industrial control software in PLCs for a living always keep in mind error-checking."
They *usually* do to a certain extent. Many error conditions are complex, though, or result from a long-running process. People can also get sloppy due to misinformation, cost-cutting or timing issues. There are tons of examples of safety-critical devices experiencing pretty basic bugs for these reasons. See THERAC radiation machine, Siberian pipeline, and that dam the hacker opened.
"2) No worm that I know of that can inhabit a Windows or Unix environment (on the SCADA PC) is also going to be capable of transmitting itself across an industrial communications network and embedding itself in the unique operating system of the PLC itself. "
Well... it did... just not the way you described it. You overcomplicated the situation. Most software today is built on numerous abstractions, like the Berkely Sockets API and WinCC software. They just use existing mechanisms to do much of the work for them. I was stunned they pulled it all off in just 500KB of code.
3) "...unplug it. The PLC in charge of your plant carries on working as before."
That's very plant-specific and some systems are so dangerous or complex they require a combination of machine monitoring and human intuition. There are essentially three classes of industrial computers: human-control with machines obeying orders; total machine control w/ manual override; dual man and machine control. The dual-control is largely used where the expertise to control an application isn't easily encoded into program logic, but where some safety features can be automated. These systems inherently trust the operator to act properly with certain functions, providing little to no safeguards for those.
I would bet the nuclear centrifuges' PLC's were either machine control with implicit trust in facility security or dual-control with few safeguards relative to spin rate. That would be all the worm needs. Your argument only applied to the first class of industrial systems. The other two classes don't work properly without human intervention (i.e. the infected PC). Unplugging = downtime/disaster.
Immunity Debugger, a windows debugger optimised for exploit creation and reverse engineering, can display targeted job advertisements at the top of the screen. There is currently an ad for an "experienced exploit developer" for a job in DC, that requires security clearance. I'm not suggesting this is in any way related to stuxnet.
May the "myrtus" be just the standard name for the WinCC/whatever projects, as in "My RTUS" meaning "Remote Terminal Unit Something-with-s" ( http://en.wikipedia.org/wiki/Remote_Terminal_Unit )
If the objective is to conceal the nature of the project, it's lingo, and the associated parties, using the default IDE-provided name seems rational.
"There is currently an ad for an "experienced exploit developer" for a job in DC, that requires security clearance. "
That's hilarious. They are so brave these days. "We just hacked your computer you porn-surfing fool. Btw, do you want a job?"
DEADF007 is being read wrong:
700FDAED as in "my Toof is da-ed, cletus bring mae the hamer". This is clearly the work of some cat hoarding yokel.
19790509: Thats the birthday of the guy who worked on the code. Typical age of an experienced hacker. And people are just vain and want give some credit to themselves. Someone just has to check all guys born on that date...
A much more simpler version
Time to build - 3 month - 6 moths
Cost under 5000
Team ~ 6 -7 high end developers ,2-3 assemblers
Location somewhere between Beijing Mumbai Paris
Lab Rats? what ever noisy country like Iran
Reason . no material reason ,they working on something bigger than that.That's a private deal not a government deal.
curious about this:
"There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it..."
what's involved in the lab setup, besides some test tubes containing colored liquids, beakers overflowing with dry ice smoke, and some erector set struts and rubber tubing to hold it together?
Ralph didn't start the Bushehr/Natanz speculation.
Steve Bellovin did.
What's up with that photo?
"meaning Remote Terminal Unit"
RTU also refers to,
'Remote Telemetry Unit'
The RTU TLA meaning is effectivly context sensitive and has changed with time and some argue now is effectivly an obsoleate term (due to high speed, high bandwidth low latency communications and even low end PLC's having way more capability these days than DCS systems twenty years ago).
Depending on which part of the "Offshore" and "Process" Industrial Control System (ICS) industry you work in the different RTU meanings might or might not be equivalent...
It is in this respect like the other ICS Process Control terms such as SCADA, DCS and PLC, are ambiguous unless put in a clear context. And why there is now a more generalised industry term PAC to cover all of them.
Originaly DCS (Distibuted Control Systems) where seen as wide area systems with intelligence and PLC (Programable Logic Control) systems being local area with little or no intelligence.
For those old enough to remember, PLC's where seen as a way to get over the distinct limitations of "Ladder Controlers" which where in essence "Relay Logic" and reprograming involved wire cutters and a soldering iron. Likewise with later DML (Diode Matrix Logic) RTL (Resistor Transistor Logic) TTL (Transistor Transistor Logic) systems (You have to be carefull how you use TTL as it does not describe 7400 series IC's which are technicaly "Integrated TTL Gates" or the Phillips electronics NorBit "Packaged TTL"). None where really programable without significant error prone mechanical intervention using hand and machine tools (back when programmers where "real men" with beards etc and the ability to resist the effects of molten solder dropping in their face and laugh about it down the pub ;)
The first practical programable RTU systems came from British Hovercraft and slightly later in the UK from other Companies such as Ocean Technical Systems. Who had a range of RTU systems based on an 8bit RCA 1802 CMOS processor (contary to popular belief 1802 is the manufactures CPU number not the year it was designed ;). The RCA 1802 came out back in1976 and had a varient that was a radiation hardend "silicon on sapphire" which made it one of the few CPU's suitable for space use, and why until Spt 2003 it could claim to be "the most out of this world" CPU. For a number of reasons is still in use today for "design in" although more for telecoms than space technology, and I'm assuming the continued use is not just due to it's SEX instruction.
For my sins in muddying the terms up, one of my claims to fame is that I designed the first Intrinsicaly Safe 16 Bit RTU. Which effectivly was an 8088/8086 system with upto 512Mbyte of SRAM and 512Mbyte of PROM in bytewide format with a very considerabl number of on board status IO lines and 8bit Analog I/O lines as well as a 16Bit expansion bus to as many other (within reason) Status line I/O Boards or 12bit A2D boards. As well as the all important multiple high speed serial ports and keyboard interface controler which allowed it to be a SCADA or RTU or PLC or DCS controller or node...
I still have the pen plots of the six layer PCB which at well over 80% component to board area density on a double hight EuroCard look realy spectacular when hung on the wall as "Modern Industrial Art". The downside of manufacturing the boards was the required 0.5mm track edge to track edge which made the PCB just over a tenth of an inch thick...
One typo, which may have been in the original Forbes.com article: "Iran had an usually high number of infections".
General 1: We gotta do somethin' 'bout these Eye-ranian jokers, an' fast.
General 2: Hmmm...how come WE ain't got none o' them hacker fellers like in the movies? We could attack their COMPUTERS fer a coupla thousand bucks, write off MILLIONS on some other bogus project, an' funnel 'em back ta our friends."
General 1: Yeah, I been hearin' about them innertubes. Lookee-here, tell Joe ta git down ta the GWDC* an' snatch a coupla them geek fellers outa their cubicles. We kin tell 'em they're stoppin' a nuke-u-lar war, maybe git 'em some hookers an' stuff, then when they git all done, we can stick 'em all in one plane, if ya catch my drift."
*Government Website Design Center
(A secret underground bunker entirely populated by black-sheep nephews of large political contributors, all trained to use M$ FrontPage and paid by the line.)
General 2: Mmmm. They gotta be jist right. Nobody with earrings, no atheists, none o' that Commie fag stuff.
Make sure they're over 40, got some family we can always use for a pry bar, and so on.
General 1: And neckties! Man don't wear a necktie, ya can't trust him! Ya can't go wrong if a feller's wearin' a white short-sleeved shirt, a necktie an' one o' them pocket-protector things.
General 2: Yeah! (cackles) Let's git us our OWN hackers!
Read the code for this thing? Hell, my CAT could do better, and she'd crunch the hell out of it, too. Jesus, if this is the best that a major country OR corporation can do at a keyboard, no WONDER the goatherders are winning!
@ BF Skinner
True dat. Bruce makes not warranty expressed or implied about our comments.
This debate about attribution is as old as the Schneier blog itself, I believe. It must have been six or so years ago when I got into one heated version of it and someone said "get'yer own blog if you want to claim credit". It was sound advice and I the same now.
@ McCoy Pauley
Hell, Jesus and goats in the same paragraph? You reveal your identity too easily.
The most amusing analysis I have seen so far: major infections are said to be in India, Iran and Indonesia...thus clearly there is a vendetta against countries that start with the letter "I".
A Windows Virus, for a real SCADA plants?
But, tell me, Windows is a product of Microsoft ( home software )........
"Virus for a Windows machine, to target Industry Plants, defense, etc"......
may be some childs playing....
ohhh, you tell me that Industry Plants, Defense, and so on, use Windows..... oh,oh, we have a problem with the professionals that mount such systems...
There are no coinsidences....
@ titanics cruncher
"There are no coinsidences..."
There are no spell checked word processors... in your home.
Over time the attackers swapped out modules that didn't work and replaced them with new ones--perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.
if you have analyzed the code that is injected to the PLCs as we did and have an understanding of how PLCs work, there is much less speculation required to get a clue of what's going on here, believe me.
The same is true for the attack vector and theories who may be behind it.
Hernan Monserrat gets it. The real wtf is using any flavor or descendant of windows in a production environment. You cannot incrementally evolve a consumer toy into production software.
Symantec has a discussion of the three sequences that are injected into the PLC, and the criteria for each. Curiously, the third sequence is not complete and can't do anything. See:
Anyone that doesn't even suspect of Israel intelligence probably lacks of some cell neurons.
Its a proven fact that the Israeli government and the Mossad hired over thousands of persons to deliberate control mass media and social networks about bad propaganda against Israel when all this Lebanon thing happened.
Hundreds and even thousands of people started to tag as spam and hateful content anything that wast not pro Israeli on any Internet website to act as a counterweight and probably against free speech.
This is not the first time that Jews around the world unite to make some sabotage. It would not surprise me that they have people even working inside the US department that helped them out as they have spied on Iran, Germany, Russia, allot of third countries but specially the US for years. Israel has invested allot in IT security and programmers development in the past years and they would not dude one second to use all their resources, military and financial against anyone like they already proved in the past. So its just stupid to pretend they would never use digital attacks or informatics against their enemies as well. Just look at who was most targeted and you will find who wanted the most benefit out of this.
And it seems when anyone tries to point this out there will come some defenders to say you are an anti-Semitism or this are just conspiracy theories just to act as a distraction. Well, someone developed this and it was not to make a joke to someone. And we know who they wanted to target so it doesn't require a 10 year old to at least suspect of them. Maybe im 100% wrong, but still this is extremely suspicious. Just like China did and does and is involved in allot of cyber-crime I would not be surprised Israel is researching in IT attacks and cyber warfare as well.
I do happen to know someone that worked as moderator at Youtube when all this Lebanon thing and other anti Israeli things started to pop out on the Internet it was not a conspiracy, it was real life, he was pressed and allot to remove content no matter what it was and he received menaces of all types, legal, personal attacks, black mailing, etc. So things are always a conspiracy until you hear it live from someone that you know and trust and was affected or participated then its just a conspiracy for other people but its a real fact for you.
What really is amazing is that some people here blame that Siemens itself probably did this. I wonder for who this people actually work. Probably for the same people that want to turn off all attention to the real programmers. Why in the world would Siemens be so stupid to make their own system vulnerable and even infected their own customers in their won country? They are a private company and so they probably want to earn money like Microsoft. Im sure Microsoft will not be happy of all enterprise customers start to turn their backs on them because their OS is not secure anymore. Same for Siemens, its not good PR for them either but it probably will cost them allot of customers that will think twice before implementing their systems. So comments are so ridiculous as saying Microsoft programs their own vulnerabilities to keep people updated. Fist updates are free and the number 1 point Microsoft was always attacked is security, so its like they earn credit for this.
Well I would follow the money : domainsbyproxy.com was used to buy the domains in 2008, It's a US company so I bet the government already knows who was the buyer and has followed in this step.
They have advance tracking and I'm sure they already got to the buyer and to the people that stole his/hers credit card to buy the domain. It's a lot of work but I'm sure they already know, they have the "federal" means to do it.
I would be nice to see the actual target. My money is on the nanotechnology production looking at the infection list, the satellites and nuclear plants are just collateral.
> I wonder if "1979 05 09" (May 9 1979) is
> native date format for some countries?
Huh? It's ISO date format (albeit without the delimiters). Everyone in the developed world uses this date order (for the last, oh, fifteen or twenty years now, where have you been), especially computer geeks (who all use it exclusively).
It's the only (numeric) date order that is unambiguously understood internationally, so if you ever communicating with anyone from a different continent, it's the only order you would use.
> occam's razor dictates that "19790509" is
> the birthdate of one of the virus creators.
My thoughts exactly. Or high-school graduation date, wedding date, something like that. Trying to analyze it is pointless, because there's no way to verify or rule out any hypothesis.
There are now claims by an Israeli online service that,
"Iran has put to death a number of atomic scientists and technicians suspected of helping plant the Stuxnet virus in its nuclear program."
(However the article appears to be lacking in all but one verifiable fact so treat it with considerable caution.)
The story is that the,
"forebodings of personnel at Iran's nuclear facilities"
Have been reported to the west and apparently,
"They had already suspected that a number of their colleagues taken away for questioning about the worm - and never since seen or heard of at work or at home - were no longer alive"
The reason given by the Debka online service for these rumors being true is,
"The admission by Ali Akbar Salehi, head of the Atomic Energy Organization, on Friday, Oct. 8 the frankest yet by any Iranian official - that Western espionage had successfully penetrated its nuclear program is seen as bearing out those reports."
OK here goes, I like this game .
The Israelis have a bugged and/or sabotaged component that they need fitted into Iran's nuclear power plant, to shut down the plant catastrophically, if it turns out weapons grade plutonium is being produced rather than civilian power.
But it's too late, they didn't manage to get it up and working and smuggled into the shipment and now the plant is passed that stage. They need to get the Iranians to order more (The gimped unit is waiting in a batch with the supplier)
They write a worm that targets the PLC of this component so that it will report a fault with those components/ or just crap out (They know exactly the system they are targeting, what it's for, and how to generate this error)
They package the payload up in a multi wrappered worm, that will scatter and bounce over air gaps etc... Then launch it in the general direction of Iran.
It has a 2 year lifespan then self destructs, hopefully after achieving its goal.
Iran orders some new parts.
Israels like "Hey Uncle Bob" and Uncle Bobs like "Hey dude"
The first i thought when i saw this was
dead agent or dead fool
Nobody is talking about this but Iran also owns and operates a copy of Nokia Siemens ‘Intelligence Platform’ (Intelligence Solutions tools). The tool provides Iran with mobile phone monitoring, eavesdropping, filtering, and tracking capabilities. The human surveillance system has two main components; the Monitoring Center (for deep packet inspection) and the Intelligence Platform (provides real-time data mining intelligence).
Stuxnet was supposed to erase itself from the host computer after 21 days (it didn’t because of a programming error) so there is some speculation that the worm was just meant to temporarily disrupt Iran’s phone surveillance capabilities and then erase itself after the op was over. The nuclear and manufacturing impact of the worm may have just been a nice public decoy.
"so there is some speculation that the worm was just meant to temporarily disrupt Iran’s phone surveillance capabilities and then erase itself after the op was over. The nuclear and manufacturing impact of the worm may have just been a nice public decoy."
It does not stack up as an argument.
Or to put it another way where would you be using PLC's in a phone surveillance system?
Although Siemens do manufacture telco equipment as far as I'm aware the software is radicaly different from anything the worm (as published) appears to have targeted.
As for the worms 21days thrive and then self eviserate I think that this self immolation or "kill switch" not functioning was not a mistake. I suspect it was disabled because after initial field trials the stuxnet designers found the latency involved with deployment across air-gaps was exceeding 21 days. I've been party to some research on "fire-&-forget" malware spread to non direct connection (aka air-gap) systems and a sixty to ninety day period for one communication cycle is to be expected.
The obvious problem with this sort of research is it is at best dubious as it has to be done in the wild as insufficient is known to do lab testing. However it is not unknown for "state actors" to dubiously test weapons in the wild (The CIA for instance is reputed as to having tested Biological Weapons infection paterns on the New York Metro/underground system with a light bulb sized flask full of modified influenza virus).
For a long time, SCADA admins and developers pretended to live in a parallel universe and had a luxury to be delusional about "air gaps" between control system and SCADA, and to practice "security by obscurity". Not anymore. Stuxnet was a wake up call for the industrial automation industry - it's time to look around and start leveraging the experience that humankind has accumulated fighting security threats in the last decades. The following article based on the excellent Stuxnet analysis paper from Symantec discusses SCADA and web SCADA security:
You're all wrong. This code was written by Morpheus to catapult those of us who took the blue pill into the real world.
Well, it is quite obvious to those of us with industrial controls and specifically siemens programming experience that this code does most specifically target specific models of siemens PLC's and specificly written sections of code. There is a lot of hype, propeganda, and speculation floating around out there at to what the intent, I am not at liberty to comment on what I have learend, but however I can say that this was a very specific and targeted attack. The particular addresses in the PLC code targeted and mode of operation is the key. I have over 20 years experience working with siemens plc's among many others and can tell you that this attack was directly written to target a specifice type of system. Only specific PLC's that already use this particular section of code will be affected - none other. I work and lecture on industrial security, and I have analyzed many attacks over the last 10 years and I have never seen such an amazingly well written and purpose driven piece of code. Rest assured this will not be the last attack of it's type. Automation and controls engineers and designers are the biggest bunch of prima donnas in the world, and have taken the ostrich approach by buring their heads in the sand for years. We have analyzed and tested this code and have verified specifically which systems it was intended to interfere with. I am so very sorry that I cannot let you all know everything right now, but I am not willing to risk my career over it. The full truth will be out soon enough, but till then you will have to wait. Until then those of you who know nothing about this subject matter would do best to hold there comments - I don't go out and give my opinion or expertise on a medical forum-- I know better.
Thanks for the link. It appears that Nick P's and my assumptions about the enrichment process is considerably more likley.
More so since the uranium hexafloride centrifuges designed by AQ Khan (Pakistan) are well known to the US (and it is why there is the export ban on the PLC controlers for speeds above 600Hz mentioned in the article).
See my comments on AQ Khan,
The reason it is considerably more likley is there are very few industrial systems that have rotational speeds up at 60,000RPM due to amongst other things the shear amount of potential energy and harmonicaly related instability (think about the size of a C# tunning fork to see why).
The two types of system that come to mind are centrifuges and electro-mechanical energy storage devices (basicaly fly wheels on air bearings with a DC motor/generator). Neither are that common due to the engineering involved.
With regards harmonic instability even a relativly small change in speed could cause a 2meter long spining centrifuge to fly apart as longitudinal vibrations build up and cause it to shatter the bairings / casings and the conversion of potential to kinetic energy would be quite dramatic...
The materials used in U6F centrifuges is supposadly secret but various sources sugest a sintered nickel alloy was one the US tried and of more recent times a modified form of carbon fibre.
One of the reasons South Africa went for a vortex design for it's enrichment plant was no moving parts to come to grief with minor speed changes even though the vortex process supposadly requires 50 times the energy input of a centrifuge system.
A thought occurs with regards AC synchronous motors and the speed I gave above (yes I know 60,000RPM sounds ridiculously high but it's not)
There are two basic formular for the rotational shaft speed the first gives the speed of rotation of the magnetic field in the stator in revs per minute (rpm),
Srpm = Fhz * (120/Poles)
Fhz = The supply frequency in Hertz
Poles = The number of poles in the motor.
The minimum number of poles is 2 so with a 1000Hz supply and 2 poles 60,000RPM is your maximum stator magnetic field speed.
However there is a problem with synchronous motors and that is torque. If the rotor is aligned with the magnetic field the motor has zero torque thus the rotor falls behind slightly by a torque related angle.
There is a second more serious problem with synchronos motors which is the rotor needs to be a permanent magnet or seperatly excited via slip rings. Slip rings are a major source of failure in motors and are thus not used as much in industrial systems.
The soloution is the Induction motor where the rotating magnetic field induces a magnetic field in the rotor and thus it is "self excited" the most commonly seen induction motor rotor is the so called "squirrel cage" motor. It's operation aproximates that of a transformer where the stator is the primary winding and the secondary winding is the shorted turn squirrel cage in the rotor.
But there is a catch if the rotor spins at the same speed as the magnetic field then no current would be induced in the shorted turn, with no current there would be no magnetic field and thus there would be no reason for the rotor to turn...
So the rotor has to turn slower than the magnetic field for the current to be induced in the rotor winding and thus for torque to be generated.
Thus max speed cannot be achieved as it would have zero torque... So the rotor "slips" behind the rotational magnetic field. The amount of torque is related to the amount of slip.
Slip is a dimensionless number and can be calculated in a number of ways. Of relevance here is the way it affects the rotor speed in rpm.
Rrpm = Srpm (1-slip)
This gives rise to a secondary issue in that if the rotor for some reason runs at the same speed or faster than the stator field you get some unwanted effects. In a system with varying load or variable speed at times you would expect the control system to want to slow the rotor down in an induction motor you get a dead zone where current is nolonger induced in the rotor and it's field colapses and the stator current consiquently rises to the same proportion as "startup current".
Secondly if the stator field speed is less than the rotor speed it stops being a motor and starts becoming a generator which puts current back into the stator supply...
Thus the powersupply to the motor needs to take these effects into account.
Thus "fritzing" with the frequency of the supply quickly by first taking it up then suddenly droping it can induce large regenerative currents in the powersupply causing it to trip out or worse vastly shorten it's design life.
Either way is not good for a large long rotating mass such as a centrifuge (look up critical speed, shaft resonance, torsional oscillation), as it slows the potential energy stored in the rotational mass has to go somewhere either electrically or kinetically. Also as it slows it will go through various frequency domains of resonance and antiresonance defined by the mechanical properties of the rotor strange things happen at these points and the results are usually not good (see video of Tacoma Narrows bridge). Thus if you do not slow the centrifuge in a controled manner you will get these resonance effects and mechanical components will suffer and break in unexpected and expensive ways.
As an analagy a vehicle towing a trailer, the trailer can have either a solid tow bar or a damped tow bar. As some drivers are aware if you slow down at certain speeds you get juddering where the trailer goes into resonance and will try "break dancing" on the back of the vehicle. The solution to the problem is usually counter intuative.
I have no knowledge of the centrifuge construction but I can't imagine the centrifuge motor speed control is done directly by the PLC.
My guess would be that each centrifuge has a dedicated DSP (TI or Analog devices) or a programmable FPGA (Xilinx or Altera) that controls actual motor speed. These devices are fast enough to do all the field calculations real time and run the motors with PWM waveforms from a DC supply, probably using some IGBT's to control the motor current/ PWM period. The start-up and slow down states would just use different PWM waveforms for regenerative breaking and acceleration.
With a simple DC/PWM system like this regenerative breaking just charges the Battery / filter cap.
Maybe I'm missing something....
Here's how we did it: While Cinnamon created a diversion by wearing a skimpy dress, I used a tiny narcotic dart to knock out the power plant manager and remove his body.
Rollin, wearing a plastic mask, masqueraded as the manager long enough for Barney to sneak up to the next floor, pick the lock on the control room door, walk over to the Windows PC, and infect it with a new, super-high-tech worm of his own design.
Meanwhile, Willy drove up to the door in a laundry truck. Just before Rollin's identity was revealed, we all jumped into the laundry truck, drove to the airfield, and returned to the United States.
(This message will self destruct in five seconds.)
A Russian aluminium magnate apparently spent hundreds of thousands of meatspace dollars buying in-game assets for his alliance in EVE Online.
If someone's that crazy about a game, what's to say someone else wasn't prepared to spend hundreds of thousands on a few choice zero-days and some development equipment for the sake of seeing what would happen?
Is it possible that Iran is a suspect rather than a 'victim'? Is it possible that Iran (maybe with expert help from a third party) developed the worm with the objective to test their own cyber vulnerabilities etc.?
Sure, a far-fetched theory - no evidence, but something to think about.
may be stuxnet has various targets. or might be the real target is india by china and to shift the focus it first attacked iran - because automatically suspect will go to Israel and US.
A more likely a Usual Suspect than disgruntled Russian scientists are angry Iranian scientists.
The Iranian regime's desperate attempts to retain power after the fraudulent elections of June, 2009, including murdering student protesters, deeply alienated Iranians in many levels of society.
The regime now complains of a "soft war" being waged against it internally, much of it by leaks of very sensitive info to global media.
Abbas Milani, Director of Iran studies @ Stanford U, said " 'I think the purged and discontented officials [of the Iranian govt] are the sources of increasingly revealing leaks to the press and to the Green Movement of activities and plans by leaders of the regime.’ Mr Milani is a critic of the Iranian government..." The Iranian govt is angered by what it calls a “softwar” against it, and has criminalized Iranians contacting many foreign new orgs, NGOs & websites.
DEADF007 are the chords to a song I wrote. My lawyers are going to sue for copyright infringement!
I don't think there's a worm at all. I think the frequency converters were pre-programmed with code at the factory and depending on who the customer is, like Mahmoud Ahmadinejad (pronounced I'm-Mad-In-The-Head), the code is activated remotely if it turns out the customer is going to use the product irresponsibly.
If it was Israel who did it they would go all the way and release the code into Iran's infrastructure computer systems and completely collapse their country's infrastructure by disabling their computers.
I would. Maybe that's next?
You don't think the manufacturer is going to sell their product to somebody who's going to start WWIII without a fail safe?
The worm story was fabricated to cover up the real source.
Why is Siemens allowed to advertise and sell products in the USA when they are the facilitators/automators of the Iranian nuclear program.
That is the question for the West.
The origins of StuxNet are not a mystery at this point. There is no value to be gained by disclosing such information for now. What is important,is to realize that it will more than likely be back.
If you want to know who is doing business with Iran, follow the infections.
i'm not a programmer or a rocket scientist, i'm just a 50-something year old mom - but i am THRILLED to my very core at iran's centrifuges being targeted. the usa and our worthless president are far too busy throwing Israel under a bus to assist Israel in doing something to prevent itself from being targeted by a nuclear attack. of course, Israel has proved time and again, that with God's help, they can take care of themselves. Go Israel!!
Reminds me... Germans may read September 5th (05.09.1979), english speaking people may read May 9th (05/09/1979). :O
According to the URL I posted, the Daily Mail reports Monday, "Dr Majid Sharuyari was killed in a bomb attack on his car in Tehran on Monday." Article goes on to say other nuclear scientists have been killed and some say he was point on removing Stuxnet. All the makings of a fine spy novel! Here is the article:
THE ALFRED HITCHCOCK OF CYBERSPACE!
Your NY Times link pulls up a login page (paywall?) do you know of another link, or can you post the articles title and author and I can google around for it.
Also don't know if you noticed but the article link indicates the 16th Jan 2011, but your post is on the 15th Jan in the evening, I guess at the NY Times they go home early on a Saturday ;)
tuxnet is right i think those peple who luched it ...we must give the credit on their good job becz this will improve security in industrial systems..
Nima Bagheri Security Researcher, U0vd Security presented "The Art of Deception for Stuxnet in Iran"
International Cyber Weapons Agreement (Treaty) Is Needed
*By +Eugene Kaspersky* chairman and CEO of
Kaspersky Lab that found the Flame Virus
Environmental Systems Technologist
Direct Digital Control - Programmable Logic Control Technician
aka The Toxic Reverend
I am NO KNOWN RELATIONSHIP to
Jon Krohmer MD Chief Medical Officer of Homeland Security.
But my Uncle Jack Krohmer PhD (deceased) was one of the leading authorities on the effects of radiation on humans
Cyberweappons: The 1982 American Cyberweapon Attack Against A Russian Pipeline That Resulted In A Huge Explosion
The censored story was also carried by MSNBC News and trhe censored but Archived story link is given.
Copy / Paste of the 2004 Washington Post article follows
CIA slipped bugs to Soviets
Memoir recounts Cold War technological sabotage
By David E. Hoffman The Washington Post Feb. 27, 2004
Three Mile Island nuclear plant shuts down unexpectedly, releasing radioactive steam
"Residents near the plant, outside Harrisburg, Pa., the state capital, reported hearing a loud bang"
By Michael Winter, USA TODAY Newspaper, September 20, 2012
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.