Comments

Richard Steven HackJuly 11, 2011 6:48 PM

Very nice piece, well researched.

The amusing thing is that the whole Stuxnet effort, that is, the effort directed against Iran, was a complete waste of time since Iran does not have and has never had a nuclear weapons program.

In the same vein, as journalist Seymour Hersh recently revealed in a New Yorker article, the US has spent an incredible effort to try to detect such a program - including devices like replacing building bricks and street signs in Tehran with nuclear radiation detection devices - and has been unable to find anything at all indicating that Iran has such a program.

It has long been my contention that both the US and Israel KNOW that Iran does not have a nuclear weapons program, and that the entire "crisis" is made up to cover the real motivation which is regime change for the benefit of Israel. However, this level of effort would seem to belie that.

OTOH, if the senior members of the US and Israeli governments want to keep their primary motivation secret, it would still behoove them to send marching orders to the lower level grunts to do this sort of thing. Otherwise, people would get suspicious that maybe there really wasn't anything to this "Iran bomb" business.

It's hard to gin up a war - especially after the Iraq debacle - if people don't believe there is a reason for it.

In 2007 the 16 intelligence agencies in the US generated an NIE - a National Intelligence Estimate - that Iran had stopped whatever nuclear weapons program they had in 2003 and had not restarted it. George W. Bush in his memoirs claimed this sabotaged his efforts to get a war with Iran.

Over the past year, those agencies re-assessed that estimate and earlier this year put out a new NIE - which has not been publicly released in even a redacted form - which basically agreed with the 2007 NIE. It hasn't been released because it would embarrass Obama as much as the 2007 one did Bush.

I have long considered that whatever nuclear weapon program Iran ever had was probably a "research database" intended to determine how to build a bomb - but was never an actual development and deployment program. This would be "due diligence" for any country's military who was being threatened by one or more nuclear powers.

So I was pleased to see in Sy Hersh's piece the fact that the Defense Intelligence Agency believed that the only program Iran ever had was one it initiated because it was concerned that Iraq's Saddam Hussein might have such a program. They didn't even care about Israel or the US - it was Iraq that worried them (for obvious good reason given the eight-year war Iran fought with Iraq in the '80's.) The DIA estimate didn't make it into the NIE because it would have been even more embarrassing to admit that Iran's only nuclear weapons program was some "paper studies".

None of this satisfies Israel, of course. Rumor has it that Israel is planning to attack Iran within the next two months, given that senior US Defense officials will be resigning in the fall, and possibly to offset a Palestinian effort to gain statehood in the United Nations.

While I don't give an specific credence to these rumors, neither would such an action surprise me. Israel has long intended to start a war between the US and Iran, although it would prefer the US start the war on its own. Dick Cheney offered Israel a $30 billion arms package during the Bush Administration as a bribe to do so, but Israel took the money and still refused to initiate the war by themselves. And Bush apparently thought he couldn't do that with the damning 2007 NIE out in public.

Obama, however, may be made of sterner stuff. OTOH, it would appear Obama is more interested in starting a war with Pakistan than Iran at this point. After all, a war with Pakistan which is far larger and more powerful than Iran would generate the sort of war profits the corporations that own and operate Obama - like General Dynamics - really appreciate.

But Israel would prefer an attack on Iran at this point, I suspect, so we might end up with both over the next couple years. And you thought Iraq and Afghanistan were disasters. You ain't seen nothing yet! :-)

JTJuly 11, 2011 7:32 PM

"After all of the effort put into deciphering Stuxnet, the code itself still holds a couple of mysteries — two small encrypted files that researchers have yet to crack. One file is 90 bytes, and gets copied to every system Stuxnet infects. The other is 24 bytes and gets copied to Step7 machines when Stuxnet’s malicious DLL file gets installed. The two files could hold additional clues to Stuxnet’s aims or origins, but we might never discover them. Symantec’s researchers have tried repeatedly to crack their encryption, but have never succeeded."

For me thats the most interesting part. The yet undiscovered portion of the code. I doubt it will ever be released.

Bruce ClementJuly 11, 2011 7:46 PM

Spreads via USB sticks.

They run Windows OS, produced in the country they call Great Satan, and put random USB sticks in PCs inside their trusted cell?

Shakes head.

Fascinating read though, thanks for the pointer. I wonder if they planned to use it multiple times against different opponents or if they regard a couple of hundred thousand dollars as being too small to worry about; it is less than a cruise missile and those are only usable once each.

NobodyspecialJuly 11, 2011 9:42 PM

Rather worrying development.
In the 80s the CIA (allegedly) introduced deliberately flaws into chips being obtained by Soviet agents. This led to a massive pipeline explosion, fortunately in siberia rather than the middle of a city - but that was pretty much pure luck.

Would a similar Isreali attack on a Iranian or Libyan pipeline be OK, what about a Saudi one?

How far down the axis-of-evil do you have to go to be a legitimate target? If this was the USA can we expect to see attacks on EU systems if the next farm surplus talks go wrong?

Are commercial targets fair game? If Boeing is a strategic supplier of US defense equipment, would an attack on Airbus software be justifiable in the national interest?

Could corporations start doing this themselves? If the stuxnet had input from Siemens (unlikely given Siemens performance at the BBC) - they are currently complaining about trade secrets being stolen by the chinese for their high speed train. Would it be acceptable if some chinese trains derailed because their PLCs went wrong.

And these are just targeted attacks, given the monoculture of PLC in the world a virus which deliberately or accidentally attacked a range of models at random could be messy.

RobertTJuly 11, 2011 11:25 PM

Fascinating stuff, it shows that many skilled hackers are thinking way beyond the realm of DOS netbots and credit card fraud.

It's a new world order if industrial complexes are valid targets. I can think of several complex industrial / manufacturing sites that have unique discoverable equipment configurations. If the industrial control system is NOT actually in control than anything is possible from explosions at chemical plants to yield loss at a competitors LCDTV production facility.

alJuly 11, 2011 11:54 PM

@Nobodyspecial

You have some valid points but I think a larger problem is those aspects what you are bringing out and the concentrations of power into the hand of the governments because of modern technology. Or not so much the technology itself but how it is being used and how the countries are (re)structured around the technology.

A problem with the concentrations of power is that one day in the future e.g. EU or USA could become a dictatorship (either 'real' or 'de facto') because of some eh "event" that require uh "more security". A modern dictatorship would not be your grandfathers dictatorship because of the technical integrations.

alJuly 11, 2011 11:58 PM

We should have a virus war game between stuxnet and TDL-4 (in a controlled environment, of course). Although might be hard to determine the winner since they have such different objectives.

alJuly 12, 2011 12:14 AM

@R.S. Hack
"OTOH, it would appear Obama is more interested in starting a war with Pakistan than Iran at this point."

yea but Pakistan already has nukes so I am not sure how good an idea that would be...

Anyway your text made me think of this article about "7 Mega-Cartels That Kill the Free Market and Our Sovereignty" (http://dairyjournal.com/7-mega-cartels-that-kill-the-free-market-and-our-sovereignty). It lists as the cartels:
1. Banking
2. Intelligence (agencies)
3. Military
4. Energy
5. Food
6. Medicine ("big pharma")
7. Media

over the topJuly 12, 2011 1:32 AM

the stuxnet hit has to be put in context:

1. assassinations of Iranian nuke scientists.

2. assassinations of senior officers of Iranian Revolutionary Guard in Iranian Baluchistan

3. 'hikers' being arrested in Iranian Kurdistan on the Iraqi-Iranian border

4. after the OBL op a journalist with access reported that Seal Team 6 had engaged previously in firefights with Al-Quds Force in three different countries.

So if that's a bit of the big picture, the question is: how is Iran going to respond?

AndyJuly 12, 2011 1:44 AM

IMF chief was sidelined with a hacking atemp and a strange(they all seemed to be those charges), which should stuff up EU currancy(Chreece,Itlay) mixted in with USA money worrys(goverment workers funds), hell they have already replied...
You should have stockpilled copper :(

RobertTJuly 12, 2011 4:24 AM

A few thoughts come to mind on rereading the article
- Were actual USB memory sticks really the attack vector? maybe the real vector was USB charged phones or email / phone folder synching using USB attached devices. Opens the door to Smart-phone browser => USB => PC for air gap jump. (especially important for iPhone type devices that need to be charged very often)

Why wasn't the virus propagation strictly limited to the isolated Iran nuclear enrichment network (were they also after N.Korea?)

- Seeding the virus, within the facility, could have been done with USB stick (phone) infection by "sneak 'n peek" ops targeted at known scientists / engineers. who knows maybe it was...But why continue to spread? Maybe to track the movements of people associated with the Iran enrichment efforts, kinda like remotely mapping AQ Kahn's network.

MarkWJuly 12, 2011 4:37 AM

Bravo to (fellow countryman) Liam O'Murchu and Eric Chien: "Well, bad guys are people who are writing malicious code that infects systems that can cause unintended consequences or intended consequences."

Frankly, I'm surprised the analysis was allowed to complete.

Hear, hear Richard Steven Hack.

Domains A..E anyone?

SJuly 12, 2011 7:10 AM

Interesting article - read it on Ars yesterday - but I'd much rather it had been a real Ars article rather than a Wired cross post. There'd be more technical detail, and less crap about peoples' hairstyles, laboured analogies and padding to fill multiple print pages in the magazine.

(I stopped reading Wired quite a while ago when the SNR got unbearably low - the articles they syndicate to Ars are the pick of Wired, but usually still some way below the technical & literary standard of Ars)

An interesting tangent, more prevalent in the Wired comments but surprisingly so even on Ars, is the amount of commenters advocating security through obscurity. This seems to stem from some misplaced nationalist belief that once Symantec figured out it was possibly a Western government operation, they should have partiotically shut up, because they're headquartered in the US. Some more discussion of this in the article would have been good.

Personally I think the intellectual exercise was more than enough reason for further investigation, never mind the security concerns. It's an interesting piece of malware in many ways, and I definitely subscribe to the 'this is the one they've found' rather than 'this is the first and only one so far' type theory.

& @ Bruce, tell the truth, were you more tempted to post this since you got described as a rock star on the first page?!

(j/k, it's definitely worth a read, even allowing for my above criticisms)

Richard Steven HackJuly 12, 2011 8:02 AM

RobertT: I agree it probably wasn't as simple as having random flash drives make it into the facility. Although we do know what happens when you drop random flash drives in the corporate parking lot - they get put in corporate PCs. Probably works as well at nuclear facilities...

I suspect that it entailed some covert ops to get the first sticks into the system.

What interests me is how the virus spread from Iran to India and elsewhere. That couldn't have been strictly from flash drives unless Iranian technicians are flying all over the world.

But I bet I know who DOES fly all over the world - IAEA inspectors, that's who. If you infect THEIR flash drives, almost by definition those drives will be inserted into Iranian, Indian and many other national nuclear facilities in order to download certain data logs and other reports created in compliance with that nation's Safeguards Agreement.

Which makes me wonder whether the IAEA were involved in the conspiracy to distribute this malware. This is HIGHLY likely because the IAEA since ElBaradei left has been even more politicized than before and is basically now the US' poodle. It is known that various diplomats at the IAEA have been pushing the US-EU-Israel agenda against Iran for some time, even during ElBaradei's tenure - people such as Ollie Heinonen.

So my guess is Stuxnet was deliberately distributed via IAEA flash drives directly to nuclear facility work stations or IAEA systems hooked up to local nuclear facility networks.

HistorianJuly 12, 2011 8:24 AM


@S - "...the amount of commenters advocating security through obscurity."

I think you may be faulting people for “security through obscurity” where it doesn’t really apply.

I’m not referring to the suggestion that Symantec should have stopped investigating the malware; as a capitalist company concerned for their customers, preventing the spread of this malware was a reasonable thing to do.

I’m referring to the idea that not sharing the details a secret operation with the public would somehow fall under the bad “security through obscurity” principle. There are many things that should be kept secure by being obscure, like your password, for instance. If country A is spying on country B, they better would be practicing lots of obscurity if they don’t want to get caught. If you were one of the people who found the plans of the D-Day invasion wafting around the streets of London, keeping the plans obscure was of paramount importance.

Trying to hide the fact that you use PKI, or running your FTP server on port 2121 to prevent people from finding it = bad security by obscurity.

Keeping your private PKI key secret, keeping a strong FTP password obscure, or not publicly disclosing espionage sources and methods = good security by obscurity.

karrdeJuly 12, 2011 9:34 AM

I allowed myself to be skeptical and wonder whether the Iranian nuclear centrifuges were the real target of Stuxnet.

This detailed level of evidence is pretty convincing.

Nick PJuly 12, 2011 1:36 PM

@ RSH

No, it was a Russian contractor that serviced many of those facilities. The infections appeared to have been caused by him. We talked about this in a previous Schneier post on Stuxnet. Whether he was paid to do it or his equipment subverted I don't know.

@ JT

Yes, that part about the remaining encrypted portions had my mind going too. The question is: "How would they be useful if they couldn't be decrypted?" So, there must be a way to decrypt them at runtime. They can't seem to decrypt them just by looking at them. Perhaps, it functions like malware that hides from VMs or uses CPU bugs to function. Maybe some aspect of the runtime environment interacts with that code in a way that causes the decryption. I think they should look into that, maybe taking traces of the code in memory to see if it pops out at any point. They worked so hard to hide what was in those portions. I got a hunch they're worth another stab at decryption.

Dirk PraetJuly 12, 2011 1:40 PM

To me, one of the more interesting aspects of the article is that apparently none of the Symantec or other researchers at any time met with any efforts by 3rd parties to interfere with their work or publication of their findings. As the entire story seems to point to a government sponsored operation, I think Stuxnet was more than just an ingenious proof of concept to subvert the Iranian nuclear program. I am led to believe that it also served as a testcase for whomever was behind it to assess how much time and effort it would take for the public intelligence community at large to discover, study and dissect such a particular piece of malware, thus allowing for a reasonably reliable time-line for any future such endeavours. It was also an interesting indicator for Iran's cyber defense capabilities and reaction. Additional positive results of the program include that even after a year no source code has appeared in the wild and despite serious suspicions of the US/Israel being behind Stuxnet still no conclusive attribution has been made. A few bits of the code remain a mystery.

All and all, I'd say Stuxnet was quite a successful project that has proved the feasibility and efficiency of such attacks for more than one government, as such paving the way for similar undertakings and funding thereof in the future.

graybeardJuly 12, 2011 2:23 PM

Agreed that it's a nice article, but

"The Most Menacing Malware in History"

?

Come on now. Granted I'm old, so by my perspective it's insulting to think anyone would agree with that.

And why does everyone make it sound like it took some kind of "programming god" to write it?

dustJuly 12, 2011 5:11 PM

@graybeard

Because Wired stories have always been about the cult of personality. So they need a programming god to be the personality.

RobertTJuly 12, 2011 7:54 PM

@Nick P
"The question is: "How would they be useful if they couldn't be decrypted?""

I wondered the same thing, but I assumed that the decode key would leak into the targeted machine through an available side channel. Many good side channels are data symmetric, so leaking information (keys) into, is just as easy as leaking out off.

I've got a feeling that either there are some big holes in their knowledge or they decided to key some aspects of this virus secret. Maybe they were just that scared, by what they found!

@RSH
"What interests me is how the virus spread from Iran to India and elsewhere.."

Agreed, everything about this virus is weird.
Iran => India (not Pakistan but India!)
Maybe this is telling us something about security procedures at the various facilities, maybe Pakistan's cyber-security is just that much better than India's and Iran's.

I had never though of the IAEA as a virus vector, but it is very possible that they use USB sticks on presentations done at outside facilities. I'm certain that procedurally they are not permitted to plug their laptops into Iranian networks.

JTJuly 12, 2011 8:24 PM

@ RobertT
@ Nick P

I was thinking about that a bit more today. There is another possibility entirely... That its nothing but random data. Nothing at all but put in specifically so that someone who was trying to decode it would be forever be chasing something that doesnt exist.
Of course that could be my tinfoil hat ringing from all the radio waves trying to get into my head. lol

Richard Steven HackJuly 12, 2011 10:20 PM

Nick P: Yes, a Russian contractor would definitely be a possibility. However, he would have to be either subverted or bribed, since the Russians have no reason to subvert Iran, still less India.

Also, that same Russian contractor, if he was complicit, would have had to have a reason for infecting India and other countries - unless the goal there was to throw off people from suspecting Iran was the real target. And in that respect, how could the real perps be sure that is how it would work out?

RobertT: "I'm certain that procedurally they are not permitted to plug their laptops into Iranian networks." Which is why they'd use a flash drive, right? One way or the other, either an Iranian infected flash drive was passed to the IAEA, or vice versa. There's no reason an Iranian drive would be carried to India, so I suspect the reverse.

I'm sure the IAEA monitoring entails some actual systems on site and/or passing of computer data from Iranian systems to IAEA systems or vice versa somehow. It can't all be just paperwork.

OTOH, the same argument against that is why would the IAEA be infecting other countries deliberately, except as a confusion tactic. Unless they didn't realize it.

It's quite possible several such unwitting vectors were used: Russian contractors, IAEA inspectors, and Iranians. But either someone was a vector who traveled to other countries or other countries had their own vectors to conceal Iran as the main target.

Dirk: The above would imply what you suggest - that this was a pilot program for something bigger. And definitely Israel and the US would both be major suspects, because Israel is one of the worst spy nations in the world (consistently listed in the FBI's top list of countries spying against the US in both military and commercial espionage) and the US intelligence community also has an insatiable desire to spy on everyone else.

It reminds me of the INSLAW PROMIS software scandal. Both Israel and the US intelligence community were in on that and used it to spy on everyone else.

Nick PJuly 13, 2011 1:17 AM

@ Richard Steven Hack

"Also, that same Russian contractor, if he was complicit, would have had to have a reason for infecting India and other countries - unless the goal there was to throw off people from suspecting Iran was the real target. "

I admittedly didn't think about that. I was too preoccupied with trying to determine the target back then. It could go either way. They sabotaged his USB drive and he didn't notice because he had a Windows machine, where it hid or didn't execute on. (Most people only look at the non-hidden files on the data partition.) Alternatively, he was paid (or coerced) to put it in a bunch of locations to obscure the target. Both seem believable & the Russian was all over the place.

", because Israel is one of the worst spy nations in the world (consistently listed in the FBI's top list of countries spying against the US in both military and commercial espionage)"

You're one of the few besides me who mention them in these discussions. They're also listed in the leaked British MOD Security Manual as one of the top three threats to intelligence officers overseas, the other two being obvious. The part of it that drives me nuts is that, due to the pro-Israel lobbying and religious groups, we have given them billions of dollars (and continue to). Effectively, we are paying them to spy on us and perform covert operations against US targets. If I did this, it would be "treason." If the US Govt does it, it's "diplomacy." Go figure.

GregWJuly 13, 2011 7:32 AM

@JT: Perhaps the remaining "encrypted" data is nothing but an unused key? Or a tracer set of bytes so someone who has a network view can see the payload whenever it goes by? I dunno enough about the details to know if either of those speculations makes a reasonable hypothesis.

@RSH: Your IAEA hypothesis, while lacking evidence, does remind me of this bit of history: http://news.bbc.co.uk/2/hi/middle_east/301168.stm

Richard Steven HackJuly 13, 2011 9:14 PM

GregW: Oh, yes, there's no doubt that IAEA has people in it who are in the US' pocket. Under ElBaradei they were mostly kept at bay, although not always, but under Amano they have free rein. Amano is in the US' pocket on the Iran nuclear issue, beyond doubt.

Also, I don't know what kind of computer security IAEA implements, but I wouldn't be surprised if they could be compromised without their complicity. It would have the same effect.

The main idea is that if Iran was the main target and the flash drives were primarily inserted into Iranian machines, one has to explain how those flash drives and Stuxnet got to India and other countries. It has to be either someone working in the nuclear community (contractors or IAEA) in all those countries or a deliberate planting by others to obscure the real target - or both.

RobertTJuly 14, 2011 3:23 AM

@RSH
I think you might be on to something with the IAEA involvement. I'm not suggesting that they were deliberately part of the plot, it could be something very simple...
Imagine the IAEA wants to collect some additional information, they probably go to the various monitored sites around the world and conduct seminars. This will probably involve displaying some Powerpoints. it could be at a hotel or maybe a conference room within the secure facility. The IAEA's USB stick infects the conference room computer and even though it is isolated, at some later time an employee working on the secure side of the network presents some analysis of the Step7 control taken off the secure network with his USB. Done USB stick infected and taken straight back to the secure air-gaped side.

Same procedure is repeated at next port of call, India and so on..

Travis SaffordJuly 14, 2011 10:19 AM

I think a lot of people are forgetting that Stuxnet had to propogate via IP in order to infect the windows PCs that the controllers were plugged into. The flash drives were likely inserted into admin computers or folks at the "front desk" equivalent, and then the worm propogated through the network. Eventually the virus had a connection to the Internet and spread to a bunch of countries - including the US. The fact that the concentration was heavier in certain countries is due in part to the lack of anti virus software and patching of systems.

Yes, the attack was probably initiated by flash drive insertion - but don't assume that because the worm was prolific in certain areas that it was delivered there by some malicious person. Random chance and propogation is how worms work.

In terms of the article- pretty interesting. I've had to research Stuxnet a bit and I always like reading new people's takes on it.

Miriam R.July 14, 2011 2:13 PM

SCADA systems are important and ubiquitous. They control everything from railways to water treatment plants, and have always been a base for suspicion when discussing how major infrastructure could be attacked.

The problem is, they were never designed to resist the sustained barrage of threats that modern connectivity makes possible. Most designs haven't been changed significantly for 15+ years, and the assumption was that they would be air-gapped or connected only to dedicated proprietary programming devices.

Siemens (http://www.wired.com/threatlevel/2010/07/siemens-scada/) was dinged for having a published hard-coded technician password on WinCC systems. This is common practice for other manufacturers as well.

Ladder-logic programming is a specialized skill, but widespread enough that it can't be thought of as "obscure". There's really no protection against "evil technician" problems, either.

This is a security risk for every nation. At the very least, control systems manufacturers need to update their standards and practices to ensure that devices have unique keys with sound cryptographic standards implementation and event logging.

Yes, it can get expensive to put more computational power in industrial equipment, but that's what customers are paying a premium for.

Unfortunately, even if the manufacturers make better systems available, there's a lot of infrastructure that would have to be upgraded. And you can depend on the manufacturers to dump the older models on the developing world...

Richard Steven HackJuly 14, 2011 7:33 PM

Travis: It's not clear to me that Stuxnet had any "worm" characteristics based on the descriptions of it so far. So while it may have moved between PCs on a LAN, I'm inclined to doubt it was moving between PCs over the Internet except via networks connected between countries.

If it was the case that it was a general worm, we would have seen it appearing on machines all over the world, not just in industrialized countries. While it wouldn't have done anything on machines not connected to controllers, it would still have been detected at other places at some point, not just in countries connected to nuclear programs or industries with concentrations of PLL controllers.

This is particularly likely since it contains safeguards to prevent each infected computer from spreading the worm to more than three others.

It also uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet. Which would indicate that while it possibly can spread over the Internet, it was really not designed to do so, but to infect a LAN associated with the specific controllers it was looking for. It also was limited to a specific type of network card.

It was intended to penetrate a specific type of LAN, first by USB insertion and then by other means to access the PCs controlling the systems it was targeting. The USB insertion was also relied on to reach such PCs that weren't attached to the Internet or even a LAN.

In other words, the designers did not want it to spread.

Computerworld has an article on why it did:

Why did Stuxnet worm spread?
http://www.computerworld.com/s/article/9189140/...

The Symantec Stuxnet Dossier says the following:

Self-replicates through removable drives exploiting a vulnerability allowing auto-execution.
Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)

Spreads in a LAN through a vulnerability in the Windows Print Spooler.
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)

Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Copies and executes itself on remote computers through network shares.

Copies and executes itself on remote computers running a WinCC database server.

Updates itself through a peer-to-peer mechanism within a LAN.

As you can see, most of that spreading ability is relatively limited. One way it could jump physical systems is the use of network shares. If an organization in India, say the IAEA offices or Russian contractor offices there, had a network share connected to their main offices and their offices in Iran also had a network share in their main offices, Stuxnet could have jumped countries that way.

There were 40,000 unique external IP addresses, from over 155 countries, with 60% of them in Iran. But almost all of them were more or less industrialized countries: Iran had the most, Indonesia the second most, then India, Azerbaijan, Pakistan, Malaysia, USA (very tiny amount, .89 percent), Uzbekistan, Russia, Great Britain, and "others" making up about 5%.

So we're not saying it was spread SOLELY by USB key, clearly it had other methods. But the initial infections in Iran almost certainly were by USB key and those countries with the most infections probably were, too.

The Wired article says this: "Unlike most malware that used e-mail or malicious websites to infect masses of victims at once, none of Stuxnet’s exploits leveraged the internet; they all spread via local area networks. There was one primary way Stuxnet would spread from one facility to another, and that was on an infected USB thumb drive smuggled into the facility in someone’s pocket."

Clearly that word "primary" is key; there were other ways. The important issue is how were they distributed in the first place - and that had to be by people who had access to the facilities initially targeted. Which in turn reduces to Iranian personnel, Russian personnel, and IAEA personnel, and possibly others with access to such facilities such as contractors from any or all the infected countries. The Internet probably played only a small role in spreading the virus.

TravisJuly 15, 2011 9:11 AM

@Richard

While i agree with most of your wall of text, what makes you think it didn't act like a worm? I thought self propogation without human interference was the definition of a worm? Viruses spread when users spread infected files and worms spread unaided.

One interesting fact about Stuxnet that nobody has mentioned here so far is the fact that 4 0days were used to deliver the payload. Afaik that's the most that have ever been used in a single attack (unclassified at least), and definitely suggests that the attack almost had to be nation-state orchestrated. The really scary part is when you think about how many other instances of malicious software like this have been written and are as of yet undetected.

Richard Steven HackJuly 15, 2011 7:05 PM

Travis: It acted as a worm by moving between networks. This is the definition of a worm.

But the primary means of dissemination into a network in the first place was flash drives, followed by a secondary move between network shares and RPC.

Most of its propagation was limited to the LAN it was on. Since some LANS are actually WANS, presumably there was movement between networks in that manner. I suspect this is how it jumped countries and continents. There is likely also some movement across countries and continents via flash drives as we have discussed via contractors and inspectors and others.

It wasn't an "Internet worm" in the sense that it spread solely via the Internet like Blaster or Conficker. It was not designed to do so.

It's that simple.

wrecktafireJuly 16, 2011 1:04 PM

@Mr. Hack: so you believe some parts of the U.S. Gov't at some times when they say certain things and not when they say other things?

And Sy Hersh is an authority?

Shouldn't you rather view all these people with skepticism (including journos) all the time?

sooth sayerJuly 30, 2011 11:14 PM

Bruce

You analysis is shallower than your cryptology.

Iran is far stronger country compared to Pakistan -- having a bomb of chiense origin doesn't make Pakistan strong, internally it's a house of cards.

Iran, on the other hand is far more cohesive and is likely to survice a confrontation -- Pakistan will fold like a cheap accordion in a week.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..