Stuxnet Analysis Backs Iran-Israel Connection
Trailrunner7 writes "Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet were plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention."
Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).
Re:Wait a minute. (Score:1, Informative)
Also, the creators of the virus called it Myrtus, which is another name for Esther. Esther was the Jewish wife of a Persian king. One of the king's lieutenants hatched a plan to destroy the Jewish people, and Esther convinced the king to give permission to fight back. The story is vaguely appropriate.
It was either created by Israeli interests or made to look like it.
Re:Whoever did release this (Score:2, Informative)
On the contrary, they made damn sure that the payload would only be triggered under very specific circumstances, the specifics of which are unknown to the general public. (Probably the only people who do know are the attackers and the target, and they aren't talking.)
If you want a car analogy: Stuxnet isn't a Time Machine that triggers at 88 MPH. It's not even a Time Machine that only trips if it's installed in a DeLorean doing 88 MPH. You only see some serious shit if you're doing 88 MPH in a DeLorean with a specific VIN.
Re:Whoever did release this (Score:3, Informative)
Britain isn't that much larger than Rhode Island but has over a quarter of the population of the entire United States.
Not to be picky, but Britain is a little over 80,000 square miles in area, while Rhode Island is around 1,200 square miles. Not even in the same ballpark.
Re:Whoever did release this (Score:4, Informative)
Britain isn't that much larger than Rhode Island but has over a quarter of the population of the entire United States.
Nope.
Rhode Island area = 1,214 square miles [wikipedia.org]; Great Britain area = 84,600 square miles [wikipedia.org] - more than 60 times greater.
Great Britain population = ~60 million (mid 2009); United States population = ~310 million [wikipedia.org] (mid 2010) - more than 5 times greater.
Why o why (Score:2, Informative)
would Israel threaten to attack Iran? Oh, that's right: Iran is a state sponsor of terrorism and has threatened to attack Israel.
Re:Israel vs arab nukes (Score:2, Informative)
There are Arab Israelis; I went drinking with a bunch of Christian Arabs in Jerusalem one night.
http://en.wikipedia.org/wiki/Arab_citizens_of_Israel [wikipedia.org]
Also met a super friendly family of Druze.
The May 9, 1979 reference (Score:4, Informative)
Export 16 first checks that the configuration data is valid, after that it checks the value “NTVDM TRACE” in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a “do not infect” marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.
Next, Stuxnet reads a date from the configuration data (offset 0x8c in the configuration data). If the current date is later than the date in the configuration file then infection will also not occur and the threat will exit. The date found in the current configuration file is June 24, 2012.
But really, May 9, 1979 being Rosario Dawson's birthday puts this back on the teenager in his basement path to me.
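The dossier excerpt above describes two gates the analyzed sample checks before infecting a host: the "NTVDM TRACE" registry value equal to 19790509, and the June 24, 2012 expiry date from its configuration block. A defender auditing Windows hosts can read the same registry value to see whether the marker is present. The following script is an added example, not code from the Symantec dossier or from any poster in this thread; the function name and the status strings are this example's own, and the script only reads the registry, it does not modify it.

```powershell
# Added example: audit the Stuxnet "do not infect" marker on the local host.
# Key path, value name and the 19790509 marker are taken from the dossier
# excerpt quoted above; everything else here is this example's own design.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation'
$valueName = 'NTVDM TRACE'
$marker    = 19790509

# Expiry date of the analyzed sample's configuration, as quoted from the dossier.
$configExpiry = Get-Date -Year 2012 -Month 6 -Day 24

function Get-StuxnetMarkerStatus {
    # Returns a short status string rather than printing, so it can be
    # collected from many hosts (e.g. via Invoke-Command) and tallied.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'MarkerAbsent'
    }
    $value = $item.$valueName
    if ([int64]$value -eq $marker) {
        return 'MarkerPresent'
    }
    # A value exists but is not the documented marker: worth a closer look,
    # since nothing else is expected to write this legacy NTVDM setting.
    return "MarkerUnexpectedValue:$value"
}

$status = Get-StuxnetMarkerStatus
$expired = (Get-Date) -gt $configExpiry

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    MarkerStatus  = $status
    # True once the analyzed sample's own config date has passed; the marker
    # then only matters for variants carrying a later expiry date.
    ConfigExpired = $expired
}
```

Run it in an elevated PowerShell session on the host being audited; the registry path is under HKLM, so reading it as a standard user may silently return "MarkerAbsent" on locked-down systems, which is why the read uses -ErrorAction SilentlyContinue and the result should be interpreted alongside the session's privilege level.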
Re:It's called circumstantial evidence (Score:5, Informative)
There are also references to "Myrtus" within a path left in the code.
Considering the virus targets the PLCs [wikimedia.org] in SCADA [wikimedia.org] systems where RTUs [wikimedia.org] are standard system components, I'm willing to bet that "myrtus" is short for something like "My RTU Source" rather than an obscure reference to guavas. [palomar.edu]
Re:Wait a minute. (Score:5, Informative)
Who else does Iran sell these PLC's to?
Iran doesn't make and sell them, Siemens does.
Re:unabomber (Score:4, Informative)
May 9, 1979 is also the anniversary of the second Unabomber attack.
Correction, May 9, 1979 was the date of the second Unabomber attack. The anniversaries are the subsequent May 9ths in the years following.
Re:Wait a minute. (Score:2, Informative)
Siemens chips were targeted BECAUSE Iran's nuclear program relies on them.
Or, Siemens chips are used all over the fucking planet, and someone with a grudge/competition motive against Siemens targeted them simply because they were Siemens.
You're starting from your bias and trying to justify your conclusion later. It doesn't work.
Re:Wait a minute. (Score:4, Informative)
There is plenty of reading material on the topic and I would specifically cite the analysis released a few days ago. However, to me the largest factor involved is the three hop maximum infection fuse. This would indicate the deployment had a very specific location based target in mind. I have not paid particular attention to the PLC design portion, but I have mostly heard second hand the PLC logic it targeted resembled Iran's configurations.
However, don't dare let me be the only source of information and flip through the available material.
Re:Wait a minute. (Score:3, Informative)
Hell, thousands of hackers across the world have the motivation, capability, and demonstrated willingness to do things like this.
So you're suggesting that thousands of hackers knew that Iran used Siemens PLCs, knew the specific equipment being controlled by those PLCs, knew how to modify the program code in those PLCs to damage that equipment, had multiple stolen certificates, and had apparently four zero day exploits cued up and ready to be blown on this. Even as a self-righteous slashdot-reading geek, I'm not buying it. This was government all the way. The bullshit dates were thrown in the code to add an intentional tinge of unprofessionalism to an otherwise ridiculously professional piece of work.
Re:That still presumes a nation did it (Score:2, Informative)
Could very easily be private individuals. ...
No, actually, it couldn't very easily be. I suspect you don't know a lot about the subject. I thought the same thing until I heard more about it. Whatever organization created this had quite a bit of time, intelligence (as in information, not smarts, although they had that too), and resources, and they threw millions of dollars worth of it into making this.
Re:Wait a minute. (Score:4, Informative)
And how many independent hackers have access to SCADA? SCADA systems are not something that ends up just on any hacker's desk just like that.
One thing this incident shows is that SCADA security is nonexistent when facing a modern "Internet style" attack. It has it all: buffer overruns, bad coding, idiotic design decisions and a total lack of security awareness in the admins who set up the networks. However, because it looks secure from the perspective of Joe Average Utility IT manager, it is deemed secure.
After this incident this "secure" statement will be questioned quite a lot in most countries.