Stuxnet Worms On
Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself:
Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.
Re:Iran should all buy Macs (Score:3, Informative)
Only if the ships have certain specific PLCs.
World-wide distribution (Score:3, Informative)
Dutch multinationals have revealed that the worm is also attacking them.
The Wikipedia article [wikipedia.org] has a table of purported number of infections in various countries. Indonesia and India have the worst problem after Iran. Over six thousand in the Anglophone countries. If this is in fact only spreading via USB sticks, we've got some really promiscuous behavior going on.
(You may well be skeptical of the six million reported for China. It's not a defacement; there's a link to an article that quotes someone actually making the claim. But the quote makes it sound like the speaker doesn't know what he's talking about.)
Re:Never thought I would defend Iran, but... (Score:4, Informative)
I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a Nuclear Iran.
The list should include:
China
Russia
India
All of the EU
Egypt
Most of the Middle East.
I mean, really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.
Re:More details needed in story summary (Score:4, Informative)
Speculation/rumor is that the attack vector was USB drives used by Russian contractors. That is also its primary method of spread, but it may be able to spread over networks as well (reports that I've seen seem contradictory on that one). Further speculation/rumor has it that a possible "nuclear accident" at Iran's centrifuge facility last year may have been caused by this worm. If that is the case, it is the only report of actual hardware being damaged that I've heard of, and it would 100% support the idea that the worm was targeted at Iran's nuclear facilities. Given the number of infections in Iran and the artificial three-hop limit that the worm's writers gave it, it would seem the attack originated there.
I think it's likely that the writers never planned on having the worm escape the target's network. I'm guessing someone at the nuke facility broke security protocol and took home a thumb drive that they weren't supposed to, and it spread from there. The worm doesn't do much except take up cycles on systems that don't match the fingerprint that it is looking for; a fingerprint only makes sense if you're looking to take down a lot of identical systems, which lines up nicely with the centrifuge theory. Basically, it's highly likely that this was a government job, targeting Iran's centrifuges, done with inside knowledge of what systems they were using, and delivered using some pretty basic social engineering (leaving infected USB drives on the ground in the parking lot, for instance).
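A toy model of the spread policy this comment describes (USB-to-USB hops with a hop counter, payload only on hosts matching a fingerprint), added here as an illustration. It is not Stuxnet's code and makes no claim about the real worm's internals; the contact graph, host names and fingerprint set are constructed, and the simplifying assumptions (the first copy to reach a host sets its counter, one contact graph stands in for every shared stick) are the example's own.

```python
"""Toy model of hop-limited removable-media worm propagation.

Constructed illustration for the comment above, not Stuxnet's own logic.
Model assumptions (hypothetical): every infected host copies the worm to
each host it shares a stick with, carrying a counter one lower than its
own; a copy whose counter reaches zero stays resident but stops spreading;
a payload fires only on hosts whose "fingerprint" is in the target set.
"""
from collections import deque


def simulate(contacts, seed, max_hops, targets):
    """Breadth-first spread over a host contact graph.

    contacts: dict host -> list of hosts it exchanges removable media with
    seed:     host where the infected drive is first plugged in
    max_hops: counter carried by the seed copy (three in the thread's claim)
    targets:  set of hosts whose fingerprint matches, i.e. where the payload runs
    Returns (counter_by_infected_host, hosts_where_payload_fired).
    """
    counter = {seed: max_hops}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        remaining = counter[host]
        if remaining == 0:
            # Exhausted copy: infected carrier, but it writes no further copies.
            continue
        for peer in contacts.get(host, ()):
            if peer not in counter:
                # BFS order means the first arrival is the shortest path, so the
                # counter a host ends up with is max_hops minus its distance.
                counter[peer] = remaining - 1
                queue.append(peer)
    payload_hosts = {h for h in counter if h in targets}
    return counter, payload_hosts


def distance_histogram(counter, max_hops):
    """Count infected hosts by USB-hop distance from the seed."""
    hist = {}
    for remaining in counter.values():
        dist = max_hops - remaining
        hist[dist] = hist.get(dist, 0) + 1
    return hist


# Constructed contact graph: three engineering PCs inside a plant, a
# contractor who carries sticks out, and a chain of unrelated machines.
SAMPLE_CONTACTS = {
    "plant-eng1": ["plant-eng2", "contractor"],
    "plant-eng2": ["plant-eng1", "plant-eng3"],
    "plant-eng3": ["plant-eng2"],
    "contractor": ["plant-eng1", "home-pc", "office-a", "office-b"],
    "home-pc": ["contractor", "neighbour"],
    "neighbour": ["home-pc", "cafe"],
    "cafe": ["neighbour", "stranger"],
    "stranger": ["cafe"],
    "office-a": ["contractor"],
    "office-b": ["contractor", "office-c"],
    "office-c": ["office-b"],
}
# Hypothetical fingerprint: only the plant's engineering PCs match.
SAMPLE_TARGETS = {"plant-eng1", "plant-eng2", "plant-eng3"}


if __name__ == "__main__":
    limited, fired = simulate(SAMPLE_CONTACTS, "plant-eng1", 3, SAMPLE_TARGETS)
    unlimited, _ = simulate(SAMPLE_CONTACTS, "plant-eng1", 100, SAMPLE_TARGETS)
    print("infected with 3-hop limit:", sorted(limited))
    print("payload fired on:", sorted(fired))
    print("infections by distance from seed:", distance_histogram(limited, 3))
    print("infected with no limit:", len(unlimited), "hosts")
```

With the three-hop counter the worm reaches nine of the eleven machines but stops short of the cafe and the stranger, and the payload fires only on the three matching plant PCs; the rest are carriers. The distance histogram is the point the comment is making: infections pile up close to the seed, so a country with far more infections than anywhere else is, under this model, the likeliest place the first stick was plugged in.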
That's what it was about! (Score:3, Informative)
The Earth was under attack by alien ships controlled by Siemens PLCs. Stuxnet was released to repel them and they all blew up and vanished into hyperspace. The whole thing was hushed up, of course, and what we are seeing is just the collateral damage.
Re:Never thought I would defend Iran, but... (Score:3, Informative)
Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware, and how do you think they flew it in?
Re: The US (Score:4, Informative)
Bullshit. The intelligence agencies never do anything without implicit authorization from the White House. They just sometimes find plausible deniability convenient. Occasionally they find it necessary to drive out a scapegoat.
Re:More details needed in story summary (Score:3, Informative)
You have a USB device talking to Microsoft, connecting to Siemens "something", then to some industrial system that has to work really well 24/7 and/or to exact tolerances.
Microsoft is the way in, and it seems to be looking for something, like a key and a lock.
When it finds a match, interesting 'new' things may happen over time to some industrial system.
Phone home and an uninstaller seem to be part of the deal: http://defense-update.com/wp/20100930_stuxnet-under-the-microscope.html [defense-update.com]
Security certificates would be floating around the web, or could be stolen or bought.
Intriguing. (Score:3, Informative)
Those marking me "troll" for having said earlier that other, definitely and unquestionably innocent, victims could happen, and then marking me "troll" for noting that the protections against such accidents didn't mean they wouldn't happen anyway, will doubtless ignore the facts that (a) the Dutch are not Iranian nuclear weapons scientists, and (b) the only Iranian victims so far, moderates who might have kept the program somewhat sane, have now been arrested as spies. Iran is not known for treating those they suspect of spying very nicely.
It is indeed unclear who the worm was aimed at, but I'm confident that it wasn't the Dutch and I'm now more certain than ever that other innocent victims will turn up. We have proof now that the safeguards (however well-intentioned) did not work. Which is no great surprise - it's hard to have a failsafe weapon as there are so few scenarios in which you need a weapon that badly and have it be safe if it fails.
Re:We may never know? We DO know! (Score:2, Informative)
I had a friend who would respond to the knee-jerk attacks about Iran by showing his vacation pictures. My favorites were from the ski resort outside Tehran. It's really amusing, because nobody expects to see *really good alpine skiing* in Iran, let alone pictures of Iranian ski bunnies. This stuff isn't supposed to exist, in their world where all of the Middle East is a barren wasteland...
Also by network shares (Score:2, Informative)
It also spreads through network shares, so once inside it can quickly get around. Still, F-Secure has a nice Q&A bit up on StuxNet + demo vid.
http://www.f-secure.com/weblog/archives/00002040.html [f-secure.com]