
Stuxnet Worm Claimed To Be Devastating In Iran

Posted by CmdrTaco
from the new-same-world dept.
sciencewatcher writes "At debka.com, a website associated with intelligence communities focusing on the Middle East, the claim is made that Tehran this week secretly appealed to a number of computer security experts in West and East Europe with offers of handsome fees for consultations on ways to exorcise the Stuxnet worm spreading havoc through the computer networks and administrative software of its most important industrial complexes and military command centers."
  • Re:why don't they (Score:4, Informative)

    by Ant P. (974313) on Wednesday September 29, 2010 @08:58AM (#33733268)

    Or computer systems certified for safety-critical installations, instead of Windows which flat out says not to use it for that in the EULA?

  • by Motard (1553251) on Wednesday September 29, 2010 @09:02AM (#33733324)

    This site has a lot of seemingly tantalizing information, but a lot of it is BS. It reported that one of Saddam's palaces had huge glass covered aquariums where sharks would swim under your feet. Now that all the palaces have been 'visited', there have been no reports of any such thing.

  • by xaxa (988988) on Wednesday September 29, 2010 @09:10AM (#33733412)

    (and which they most likely had to pirate because there are export restrictions against iran).

    For the US -- there's nothing stopping me selling computer software to Iran, unless that software is of military/nuclear/etc use (you can see the full details of what's not allowed here (the PDF) [businesslink.gov.uk]).

  • by Are You Kidding (1734126) on Wednesday September 29, 2010 @09:11AM (#33733430)
    The observation is well taken. Prior to the Iraq war, Debka had a series of stories from "inside sources" who said that Saddam had constructed vast underground bunkers in the desert in which he had hidden his weapons of mass destruction. It is hard to tell whether a story on Debka is intelligence or propaganda.
  • by Trevelyan (535381) on Wednesday September 29, 2010 @09:15AM (#33733454)
    It's more likely to have been Israel.

    For example this story [ynetnews.com]; note that it's from 2009 but it still makes a pretty good description of how Stuxnet works. Google or following the links on Stuxnet news stories will bring up other possible links to Israel.
  • Re:Millions? (Score:3, Informative)

    by grub (11606) * on Wednesday September 29, 2010 @09:25AM (#33733550)

    I mean really, when Siemens or some other industrial supplier comes in, do they automatically say, "Oh, we need to have this connected to the internet for critical software updates."? Do they use Microsoft's updating methods?

    I can't speak for Siemens' method of updating that type of software but I know that for the MRI console software they make (for the Siemens MRIs) we have a VPN between the console and Siemens directly. No full internet access required.
    by chill (34294) on Wednesday September 29, 2010 @09:30AM (#33733598)

    Crypto in U.S. law was removed from the munitions classification back in 1996 by then President Clinton.

    Shortly thereafter one of the exemptions granted was for open source. If the source code was freely available, you don't need an export license.

  • by gyranthir (995837) on Wednesday September 29, 2010 @09:33AM (#33733636)
    For the US, Cuba, Iran, Syria, Libya and a bunch of other countries are under an embargo, where American companies cannot export to them...
  • by Beezlebub33 (1220368) on Wednesday September 29, 2010 @09:51AM (#33733796)
    Take a look at the wikipedia page on Ahmadinejad and Israel. He's pretty nuts and definitely wants to get rid of Israel. I don't see a quote about genocide though, just wants to get rid of the state; weird comments about the holocaust and 9/11.
  • Re:why don't they (Score:5, Informative)

    by Hijacked Public (999535) on Wednesday September 29, 2010 @10:03AM (#33733916)
    You don't understand industrial control systems. It isn't Windows that does any safety-critical controlling, it is a PLC, which is the target of Stuxnet's payload. Stuxnet just happens to use Windows to propagate, which is a good choice because nearly all PLC programming and interface software is Windows only. Anyone this talented could have written a Linux worm that did the same thing, but it would have been ineffective because Linux is hardly ever connected to a Siemens PLC. Windows being a bottomless pit of zero days doesn't help, of course.
  • Also (Score:5, Informative)

    by Sycraft-fu (314770) on Wednesday September 29, 2010 @10:34AM (#33734224)

    Most modern reactor designs have a difficult time going critical. They are made such that if coolant goes away, they stop working. Depending on the kind of fuel you use you can set it up so that when the coolant goes away the excess heat causes things to spread out and thus the reaction slows. It gets hot, but not hot enough to melt down. Not fool proof, nothing is of course, but makes it pretty hard for things to go critical even in a worst case scenario.

    It also should be noted that often the SCRAM systems go beyond that. The rods will have springs behind them to force them in quicker, and there are usually secondary systems to drive them in as well, should the primaries fail.

    Over all, the world did a pretty good job learning from the problems of early reactors and it is pretty hard to cause a meltdown these days, with a modern reactor design at least.

    Do remember that the people who build these have a large vested interest in making sure they DON'T go critical, even in adverse situations. Safeties are taken seriously.

  • by BobMcD (601576) on Wednesday September 29, 2010 @10:43AM (#33734346)

    My Karma speaks for itself, and I fully understand the weight and value of your opinion.

  • Re:Also (Score:5, Informative)

    by BlueParrot (965239) on Wednesday September 29, 2010 @10:51AM (#33734454)

    makes it pretty hard for things to go critical even in a worst case scenario.

    All power reactors in the world today go critical as part of their normal operation. That's why they can sustain a chain reaction. However, they are all designed in such a way that their criticality is not sufficient to allow the reactor to remain critical without the contribution from so called delayed-neutrons. These are neutrons emitted by the fission products some time after the fission event. It's because the release of these neutrons is much slower than the release of fission neutrons that it is possible to build a stable nuclear reactor. Without them the reactor would either be sub-critical and hence not produce any power without an external neutron source, or it would be prompt-critical, which pretty much means you would not be able to control the rate of the chain reaction rapidly enough to prevent dangerous power fluctuations.

    Modern pressurized water reactors typically can't go prompt critical, since the quantity of relatively low enriched uranium is too small.

  • Re:Spreading havoc? (Score:5, Informative)

    by elrous0 (869638) * on Wednesday September 29, 2010 @11:15AM (#33734710)
    These models of PLC have a function block at OB 35 that automatically executes every 100 milliseconds. Stuxnet hides its own code at the beginning of this block (while also allowing the original code to run afterward). This allows it to mimic the original functions of the PLC, while it quietly runs in the background.
  • by XARG (188455) on Wednesday September 29, 2010 @11:16AM (#33734724)

    All these quotes are pure lies:
    search for "must expel Arabs and take" in
    http://en.wikiquote.org/wiki/David_Ben-Gurion [wikiquote.org]

    search for "We must use terror, assassination, intimidation"
    http://www.camera.org/index.asp?x_context=22&x_article=775 [camera.org]

    etc...

    Some Arab supporters seem to just LOVE using lies as the best weapon.

  • by nedlohs (1335013) on Wednesday September 29, 2010 @11:19AM (#33734766)

    Microsoft is an American company. Hence, US export restrictions apply to Microsoft Windows - irrespective of where you happen to be.

    Microsoft can't export it, and others can't buy it from Microsoft and then export it to Iran without also violating US law. Now those non-US folk mightn't care about that (though once the US supplier finds out they can't legally keep supplying), but it does violate the licensing on the software from Microsoft and hence all copies of Microsoft Windows do not have valid licenses, which makes them pirated software by definition.

  • Re:Spreading havoc? (Score:3, Informative)

    by Hijacked Public (999535) on Wednesday September 29, 2010 @11:27AM (#33734884)

    How would the worm know if an input tied to turbine RPM or if it is some other device?

    It wouldn't know that specifically, but it modifies a block that is used to control a process that requires a very fast response. There aren't very many applications that would require that block, so most programmers wouldn't bother programming and tuning it and interrupting the normal logic scan unless they really needed it.

    To me it seems that Stuxnet is trying to slow the response time of the block it modifies and of the PLC overall. If you were trying to control your oven's heating element by changing the current you allowed it to draw in response to input from a thermocouple, and I could slow down the calculation you were using to determine the current change, I could cause the oven to overrun the temp. If that were a turbine I could cause it to overspeed, or a pressure vessel to overpressure, etc etc. Just that one change would cause 'havoc' to whatever process it was controlling. The process is guaranteed to be time sensitive regardless of what it is.

    Do specific inputs on a PLC get specific ports?

    No. But a good programmer can often figure out details of the process just by watching the logic run. I can look at the constants used for a PID instruction and know whether it is controlling a heating element based on input from a Type J thermocouple...for instance.

    Or do you just have generic A/D and GPIO ports?

    Generally an input to a PLC will have an address like I:1.0/0. That would indicate a discrete input card was present in the first slot of the PLC's chassis and that the wires from this particular input landed on the first input point. Most are 16 bit IO so you'd have I:1.0/0 through I:1.0/15, then I:2.0/0 and so on.

    A discrete output would be O:1.0/0. You'd recognize analog IO because it would be used in the logic at the word level rather than the bit level. IO for modern PLCs is typically modular and can be arranged in any order.

    You wouldn't know what specifically was at the end of the wires (a button or a 2 position switch or whatever) but you might be able to figure it out.
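
The oven analogy in the comment above, together with the 100 ms cyclic block (OB35) described earlier in the thread, as an added example that is not part of the original thread and not any vendor's PLC code: a small Python simulation of a PI temperature loop that normally recomputes its output on every 100 ms scan, beside the same loop whose control decisions are held back so that it only acts every 5 s. The plant model, the gains, the setpoint and the 5 s hold are assumptions chosen for illustration; only the effect the comment describes is modelled (the original control logic still runs, but late, on stale measurements).

```python
"""Simulate a PI heater loop on a cyclic PLC block, normal vs. slowed.

Added example, not from the original thread or from any vendor's PLC code.
The plant, gains and 100 ms cycle are assumed for illustration.  The
'attack' models only the effect described in the thread: the control
logic still executes, but less often, so each decision acts on stale data.
"""

SCAN_S = 0.1          # cyclic block period (OB35-style 100 ms), assumed
TAU_S = 20.0          # thermal time constant of the oven, assumed
GAIN_C = 300.0        # steady-state rise above ambient at full power, assumed
T_AMBIENT_C = 20.0
SETPOINT_C = 220.0
KP = 0.02             # proportional gain, tuned for the 100 ms loop (assumed)
KI = 0.004            # integral gain per second (assumed)


def clamp(value, lo, hi):
    return max(lo, min(hi, value))


class PIController:
    """Discrete PI; integrator and output clamped to [0, 1] (heater duty)."""

    def __init__(self):
        self.integral = 0.0
        self.output = 0.0

    def update(self, error, dt):
        # rectangular integration over the interval actually elapsed
        self.integral = clamp(self.integral + KI * error * dt, 0.0, 1.0)
        self.output = clamp(KP * error + self.integral, 0.0, 1.0)
        return self.output


def run_loop(hold_scans, duration_s=300.0):
    """Run the oven from ambient to setpoint.

    The controller recomputes only every `hold_scans` scans and its last
    output is held in between.  hold_scans=1 is the normal 100 ms loop;
    larger values model a block whose response has been slowed.
    Returns the temperature trace, one sample per scan.
    """
    temp = T_AMBIENT_C
    ctrl = PIController()
    power = 0.0
    trace = []
    for k in range(int(round(duration_s / SCAN_S))):
        if k % hold_scans == 0:
            power = ctrl.update(SETPOINT_C - temp, SCAN_S * hold_scans)
        # first-order thermal plant, explicit Euler step
        temp += SCAN_S / TAU_S * (GAIN_C * power - (temp - T_AMBIENT_C))
        trace.append(temp)
    return trace


def overshoot_c(trace):
    """Degrees the temperature went past the setpoint."""
    return max(trace) - SETPOINT_C


def ripple_c(trace, last_s=100.0):
    """Peak-to-peak swing over the final `last_s` seconds (0 if settled)."""
    tail = trace[-int(round(last_s / SCAN_S)):]
    return max(tail) - min(tail)


if __name__ == "__main__":
    normal = run_loop(hold_scans=1)
    slowed = run_loop(hold_scans=50)   # decisions every 5 s instead of 100 ms
    print(f"normal: overshoot {overshoot_c(normal):.1f} C, "
          f"ripple {ripple_c(normal):.2f} C")
    print(f"slowed: overshoot {overshoot_c(slowed):.1f} C, "
          f"ripple {ripple_c(slowed):.1f} C")
```

With these numbers the 100 ms loop overshoots by under ten degrees and settles, while the 5 s hold makes the otherwise well-damped loop unstable: it overshoots further and then oscillates indefinitely, bounded only by the heater's 0..1 duty clamp. Nothing in the controller's output alone reveals the difference; the check a practitioner would want on a cyclic block is its actual execution interval.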

  • Re:Spreading havoc? (Score:2, Informative)

    by sh0dan (762382) on Wednesday September 29, 2010 @11:50AM (#33735232)
    The first version of Stuxnet (Stuxnet-A) uses a special "autorun.inf" that has an executable at the beginning of the file (which the autorun.inf parser skips). After the executable, the "proper" information for the autorun.inf adds another "Open" option to the right-click menu. Selecting this will execute the content of autorun.inf (the malware). Read about it here [symantec.com].

    The second version (Stuxnet-B or Stuxnet!lnk), uses the zero-day .lnk file vulnerability [symantec.com], that will automatically execute the content, when you browse the content of the USB stick.

    See the links for more detail - it's quite fascinating (also from a technical perspective).
    by KevinIsOwn (618900) on Wednesday September 29, 2010 @02:58PM (#33738252)
    Actual quote:

    We do not wish, we do not need to expel the Arabs and take their place. All our aspirations are built upon the assumption -- proven throughout all our activity in the Land -- that there is enough room in the country for ourselves and the Arabs.

    Go fuck yourself.

    by penix1 (722987) on Wednesday September 29, 2010 @03:58PM (#33739198)

    Of course, often Congress does specify where in the executive branch things go, and even creates new offices, which the president cannot override. This is generally frowned upon at levels lower than cabinet positions....Congress creates the top level Departments, and maybe one level below that, but generally shouldn't be micromanaging within the offices, as it makes any sort of reorganization difficult. I.e., they create the Department of Homeland Security, and put the FBI (and others) within it, and assign specific crimes for the FBI to handle...but they shouldn't really be creating offices in the FBI to handle those crimes. (Because, over time, crimes change, and the FBI might find itself with one nearly empty office and one overworked one. I mean, at one time it would have made sense to have a 'train robbery' division.)

    Funny you should bring up Homeland Security. That bill was the most God-awful piece of crap that they landed in the Executive Branch's lap that has ever come out of Congress.

    http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf [dhs.gov]

    Just look through the table of contents and you can see the Congressional micro-management going on. I remember the change, being in FEMA at the time, and it was terrible to endure. That bill needs to be revisited to remove FEMA from DHS for many reasons (including waste, fraud and abuse) and given a much smaller budget. It needs to become a coordinating agency between federal, state and local law enforcement agencies and the intelligence gathering communities. DHS needs to get out of the disaster business. DHS raiding of FEMA money and more importantly staff resources is a big part of why they are flailing about ineffectually on just about every disaster they try to run.

    Another reason the agency is impotent is the micro-management Congress has enforced on this agency through this bill. DHS is a paranoid and schizophrenic agency. It is fragmented into so many compartments it is little wonder why they are ineffective.

  • by sabt-pestnu (967671) on Wednesday September 29, 2010 @04:06PM (#33739320)

    A fair number of the GP's quotes seem to come from mepja.org [mepja.org], or at least are among those also quoted there.

    I find both the original references, and the refutation links interesting.

    The first refutation link is to a wiki (wikiquote), which one can imagine being subject to propaganda struggles on popular pages. The second refutation link describes the quote being refuted as from some entirely different sources than the GP's. One can't help but wonder, when a quote is attributed to different sources. Of course, the GP's quotes are from sources obscure enough that researching them becomes more than an idle moment's diversion from work as well.

    The parent's CAMERA.org link is to a page debunking a few particular "sources of misinformation". It is hard to tell, from the sidelines, whether they've cherry-picked particular statements that are provably false, or whether they have chosen a small set of examples fitting a larger pattern. The sources quoted, as well as those used for verification, are obscure beyond the idle endeavor.

    But in as much as I have no first hand evidence, and no experience with any of the sources or organizations involved, I have no basis to place trust in either side. CAMERA evidently has its stated goals, as described:

    The Committee for Accuracy in Middle East Reporting in America, or CAMERA, a media watchdog founded to combat what was perceived as anti-Israeli press coverage...

    Columbia Journalism Review [cjr.org]

    ...devoted to promoting accurate and balanced coverage of Israel and the Middle East. ... non-partisan organization, CAMERA takes no position with regard to American or Israeli political issues or with regard to ultimate solutions to the Arab-Israeli conflict. ...Frequently inaccurate and skewed characterizations of Israel and of events in the Middle East may fuel anti-Israel and anti-Jewish prejudice.

    CAMERA's stated policies. [camera.org]

    I would have more trust if they were an academic organization, or if they were interested in busting myths about both Israelis AND Arabs/Palestinians, instead of being specifically a defense of one side.

    And this, really, exhausts how far I'm willing to research a set of topics I have no personal stake or influence in, on whim alone. Someone wants to compensate me for my time, I'd develop more interest in chasing down these quotes.

    But it does show that you can trust quotes only as far as your personal knowledge, and your sphere of trust goes.
