Stuxnet Worms On
Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself:
Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.
Market for pirated Siemens PLCs? (Score:2, Interesting)
Is there a big market for pirated Siemens PLCs?
You know, the Chinese business plan where they run off extra copies after the assembly line closes, and sell them for pure profit? Also the move where they change virtually nothing but the name and start selling it as a generic model at Walmart / Harbor Freight / etc?
Maybe it was an attempt to "get" the infringing Chinese devices that got a little out of control and got the real ones too?
Re:Never thought I would defend Iran, but... (Score:4, Interesting)
I don't think he said there are no homosexuals in Iran, he said "We don't have gay people the way you do in America." I think he means they don't really have openly gay people in society like you find in New York. It's interesting because Iran actually allows and pays for sex-change surgeries.
Might not be the West... (Score:5, Interesting)
I'm pretty sure Stuxnet is in fact a sophisticated attack worm created by a government to slow or halt Iran in producing nuclear weapons.
There are plenty of candidates beyond the U.S. and Israel - Saudi Arabia, for one, would be another country really not happy with a nuclear Iran, though certainly the U.S. or Israel seems most likely.
But let's consider the most intriguing possibility - a country with tons of expertise in developing advanced malware already, and one with incredibly detailed knowledge of Iranian systems.
Of course, I'm speaking of Russia.
At first it sounds crazy because Russian scientists are helping Iran build a reactor in the first place. But perhaps that help was lined up long before, and Russia has decided Iran is too crazy now to be allowed to have The Bomb, so they activated Stuxnet, prepared in advance for such an eventuality. Or perhaps they simply wanted to get money from the help and then the cleanup...
Russian scientists have been fleeing Iran because Iran is now going after guys in cubicles and saying they are spies. So perhaps even there, they know something most of us do not...
Re:Never thought I would defend Iran, but... (Score:5, Interesting)
That's pretty much what he said. Actually, homosexuality in their culture is a whole topic unto itself. What was interesting to me was the way he seemed to imply that there is a difference between "public morality" and "private". Have you ever seen how many "witnesses" are required to accuse someone of certain things (like being a homosexual) under sharia law, for example?
What he seemed, to me, to be espousing was the idea that "what you do in private is between you and God, but what other people see you do is another matter". In some ways it reminds me of a Japanese woman who was interviewed for the book "Lust in Translation" (never read it, but heard several stories about it) who was not mad at her husband for having an affair, as she had her own, but was mad that he was careless and allowed her to find out about it.
Having known a few Iranian ex-pats, I must say, they have a fascinating culture, and one that's very different from our own in many ways.
-Steve
More details needed in story summary (Score:5, Interesting)
Despite the numerous slashdot articles and buzz about it, I'm seeing scant actual details.
How was it delivered? Via Internet? Botnet? Unknown at this time? According to the article it "can spread using several vectors."
It also says 2 of the 4 zero-day vulnerabilities have been patched by MS.
The article about a possible attack scenario lends more credibility to the claim that there had to be inside help. You need people on the inside for reconnaissance and deployment. Even if it was spread from the internet, someone had to get ahold of the security certificates to crack them and know the specific types of PLCs in use. The arrests [slashdot.org] that recently took place in Iran are making a lot more sense, despite all the knee-jerk condemnation from the /. posters.
Target is still speculation (Score:3, Interesting)
This attack is aimed at a very specific PLC configuration, and does nothing unless it finds that configuration. Until someone who has the matching PLC configuration admits it, speculation as to the target remains speculation.
Re:Might not be the West... (Score:3, Interesting)
"Friendly" nations engage in espionage too (Score:3, Interesting)
I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a nuclear Iran. The list should include: China, Russia, India, all of the EU, Egypt, most of the Middle East. I mean really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.
Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware, and how do you think they flew it in?
So some of these "friendly" countries had the best access to the Iranian nuclear infrastructure; that's enough to warrant their inclusion on the list. Given that Stuxnet was "dormant" and not attempting to damage anything, it may have been more of an insurance policy and not so much of an active weapon. Any of these countries would love to monitor and have a remote off switch should Iran begin to act against their interests at some future date. Now, is this the most likely scenario? No. However, it is still highly plausible.
Re:Might not be the West... (Score:3, Interesting)
I estimate a budget of one million dollars to create this thing
[citation needed]
If I were to pull a number out of my ass on what it would take to create any virus-like program, I would set the budget at:
(1) extremely dedicated individual with internet access and some time on his/her hands.
The information required for attacking practically anything is available online. Yes, looking for the information might raise some red flags, and accessing it could most certainly do so, but if the person perpetrating said attack is clever and careful (and maybe lucky, as well), there won't be anything pointing at a specific person for accessing that information (Public access (libraries, netcafes), wardriving, etc can all be used for misdirection).
TL;DR: Once you have the plans for the death star, it just takes a bit of time to figure out where the reactor core is, and noticing the exhaust vent that goes straight to it.
Pointing fingers should be reserved until after some facts have been found.
--
No, I didn't read the article; I still believe my logic is sound.
Obligatory William Gibson (Score:3, Interesting)
Someone had reprogrammed the DNA synthesizer, he said. The thing was there for the overnight construction of just the right macromolecule. With its in-built computer and its custom software. Expensive, Sandii. But not as expensive as you turned out to be for Hosaka.
I hope you got a good price from Maas.
The diskette in my hand. Rain on the river. I knew, but I couldn't face it. I put the code for that meningial virus back into your purse and lay down beside you.
So Moenner died, along with other Hosaka researchers. Including Hiroshi. Chedanne suffered permanent brain damage.
Hiroshi hadn't worried about contamination. The proteins he punched for were harmless. So the synthesizer hummed to itself all night long building a virus to the specifications of Maas Biolabs GmbH. Maas. Small, fast, ruthless -- All Edge.
New Rose Hotel, 1981.
Wonder if we'll ever find out what Stuxnet did in 2010, and if it did what its designers hoped.
Re:Might not be the West... (Score:1, Interesting)
The cooperation was lined up a long time ago, but even then Iran's nuclear ambitions, ideology and general attitude were known. Russia is playing a dangerous and sophisticated game in this region. They try to gain influence on Iran, to draw it into their orbit. It has to do with the Caucasian states, oil and oil transport. They also try to play this card on the international scene, as they seem to be the only country to have some persuasive power. OTOH Iran seems to be happy to buy technology from Russia but reluctant to follow Russia's rules concerning West and Central Asia policies. And here it is good to remember that Russia is notorious for applying force to their smaller counterparts.
Re:Target is still speculation (Score:3, Interesting)
Not necessarily. The "P" in PLC stands for programmable. PLCs have a large amount of generic physical I/O (relay outputs, 4-20mA inputs, etc.). From looking at the Stuxnet code, you *might* be able to tell that a particular output is being turned on - but without knowing what's wired into that output, you still haven't learned much. And that's a fairly blatant scenario (where Stuxnet is directly controlling PLC I/O).
If Stuxnet is doing something more subtle, it could be doing something like patching the PLC code to silently disable safety interlocks, by replacing the results of a logic calculation with a different value. It's similar to installing a NoCD crack in a game executable so that the check_for_valid_disk() function call return value is always set to TRUE, and the disk checking code never even runs. If we can only see the patch (Stuxnet's observable behaviour) but not the original executable (the PLC code) there's no way to tell exactly what Stuxnet's payload is. Even Siemens wouldn't be able to figure it out unless they had a copy of the code put into the PLC by its owners.
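A constructed illustration of the point in the comment above, added here and not taken from the thread or from any Stuxnet analysis: a toy interlock block, a copy of it in which the computed result has been overwritten with a constant before it is stored, and the differential check that only someone holding the owner's golden copy of the logic could run. The mini instruction set, the two programs and the I/O names are all invented for this example.

```python
"""Toy PLC logic block plus a defender's check against the owner's golden copy.
Constructed example: the instruction set and both programs are invented here."""
import hashlib
import itertools
from typing import Dict, List, Tuple

# (op, arg) pairs acting on a single boolean accumulator, like a very small
# ladder/STL evaluator. This is an invented mini language, not any vendor's.
Instr = Tuple[str, str]


def run_block(program: List[Instr], inputs: Dict[str, bool]) -> Dict[str, bool]:
    """Evaluate one logic block over the given inputs and return its outputs."""
    acc = False
    outputs: Dict[str, bool] = {}
    for op, arg in program:
        if op == "LD":        # load an input into the accumulator
            acc = inputs[arg]
        elif op == "AND":     # AND an input into the accumulator
            acc = acc and inputs[arg]
        elif op == "SET":     # overwrite the computed result with a constant
            acc = arg == "1"
        elif op == "ST":      # store the accumulator to an output
            outputs[arg] = acc
        else:
            raise ValueError(f"unknown op {op}")
    return outputs


# Golden copy kept by the plant: the valve may only open when both interlocks hold.
GOLDEN: List[Instr] = [("LD", "pressure_ok"), ("AND", "temp_ok"), ("ST", "valve_open")]
# Block read back from the controller: identical wiring, but the interlock
# result is forced TRUE just before the store (the "NoCD crack" pattern).
ON_CONTROLLER: List[Instr] = [("LD", "pressure_ok"), ("AND", "temp_ok"), ("SET", "1"), ("ST", "valve_open")]


def block_hash(program: List[Instr]) -> str:
    """Cheap first check: does the block on the controller still match the golden copy?"""
    return hashlib.sha256(repr(program).encode()).hexdigest()


def differential_check(golden: List[Instr], suspect: List[Instr], input_names: List[str]):
    """Run both blocks over every input combination and return the cases where
    they disagree. An empty list means the suspect behaves like the golden copy."""
    diffs = []
    for values in itertools.product([False, True], repeat=len(input_names)):
        inputs = dict(zip(input_names, values))
        g, s = run_block(golden, inputs), run_block(suspect, inputs)
        if g != s:
            diffs.append((inputs, g, s))
    return diffs


if __name__ == "__main__":
    print("block hash differs:", block_hash(GOLDEN) != block_hash(ON_CONTROLLER))
    for inputs, g, s in differential_check(GOLDEN, ON_CONTROLLER, ["pressure_ok", "temp_ok"]):
        print(inputs, "golden:", g, "controller:", s)
```

Without GOLDEN, the controller's block looks like an ordinary interlock that happens to store TRUE; the differential run only reveals that the output no longer depends on either input because the original is available for comparison.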