
Stuxnet Worms On

Posted by CmdrTaco
from the squirmy-squirmy dept.
Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself: Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.
  • by i_ate_god (899684) on Tuesday October 05, 2010 @04:59PM (#33799714) Homepage

    Maybe it has a ghost that developed from the data inputs of over a billion individuals...

  • by Haedrian (1676506) on Tuesday October 05, 2010 @04:59PM (#33799724)
    Everyone knows Macs don't get viruses

    </sarcastic joke>
  • by elrous0 (869638) * on Tuesday October 05, 2010 @05:00PM (#33799744)
    I don't think this is just one of those "Look at Iran, making some outlandish crazy new allegation!" things (like it was when Ahmadinejad tried to claim there were no homosexuals in Iran [youtube.com] or blamed the U.S. Government for 9-11 [cbsnews.com]). Considering the very disproportionate hit they took of these infections, the obvious suspects (those who would benefit most from their nuclear program taking a hit), the precision of the targeting of the virus (two very specific models of Siemens PLCs), the impressive sophistication of the worm, etc., I hardly think it's some tin-foil hat conspiracy theory for them to assert that it was a "western power" (most likely Israel or the U.S.) behind this worm.
    • by Ender_Wiggin (180793) on Tuesday October 05, 2010 @05:07PM (#33799860)

      I don't think he said there are no homosexuals in Iran, he said "We don't have gay people the way you do in America." I think he means they don't really have openly gay people in society like you find in New York. It's interesting because Iran actually allows and pays for sex-change surgeries.

    • by i_ate_god (899684) on Tuesday October 05, 2010 @05:09PM (#33799894) Homepage

      most likely Israel or US?

      I'm sure there are a lot of countries, like China, that would want Iran to stfu before they get blown up and the oil stops running. It's in the interest of pretty much any industrialised nation that war doesn't break out over Iran.

    • by MozeeToby (1163751) on Tuesday October 05, 2010 @05:10PM (#33799904)

      It's worth noting that although many systems have been compromised worldwide, the only reports of equipment actually being damaged are apocryphal reports of 'nuclear accidents' at Iran's centrifuge facilities. The international community has assumed that those accidents were caused by the worm, and Iran calling the worm an attack on their nuclear ambitions seems to support that claim. Personally, I find the second wave of infections more likely to be someone modifying the payload and basic parameters for their own ends; it seems quite different from the mindset that drove the first set of attacks.

    • And that's exactly the moral of the story, The Boy Who Cried Wolf.

    • by LWATCDR (28044) on Tuesday October 05, 2010 @05:36PM (#33800278) Homepage Journal

      I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a Nuclear Iran.
      The list should include:
      China
      Russia
      India
      All of the EU
      Egypt
      Most of the Middle East.
      I mean really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.

      • by Dr. Evil (3501) on Tuesday October 05, 2010 @07:05PM (#33801280)

        Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware, and how do you think they flew it in?

        • by perpenso (1613749) on Tuesday October 05, 2010 @07:24PM (#33801534)

          I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a Nuclear Iran. The list should include: China, Russia, India, all of the EU, Egypt, most of the Middle East. I mean really, this list is long, and while this worm is probably outside the limits for some guy with a grudge, it isn't outside the limits for any nation with a large university with a good CS department.

          Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemens hardware, and how do you think they flew it in?

          So some of these "friendly" countries had the best access to the Iranian nuclear infrastructure; that's enough to warrant their inclusion on the list. Given that Stuxnet was "dormant" and not attempting to damage anything, it may have been more of an insurance policy and not so much of an active weapon. Any of these countries would love to monitor and have a remote off switch should Iran begin to act against their interests at some future date. Now, is this the most likely scenario? No. However, it is still highly plausible.

        • by LWATCDR (28044) on Wednesday October 06, 2010 @09:28AM (#33807214) Homepage Journal

          So when it all blows up Iran will pay Russia to build it again for a pile of cash...
          Repeat until done.
          Also, you might want to read up a bit. Russia has decided not to sell Iran a state of the art SAM system this week.
          Oh, and Germany. If it blows up they will again buy more stuff from them.

      • by elrous0 (869638) * on Wednesday October 06, 2010 @09:46AM (#33807422)

        I think Occam's Razor usually applies to suspects too. And in this case the most obvious suspect, with the most to gain by far, is Israel. There is even some evidence [zdnet.com] in the code that this is the case, and the Israeli government itself has openly acknowledged [upi.com] that it has extensive cyber-warfare plans.

        Now of course, there are any number of ways to dismiss this if you REALLY want to believe that Israel wasn't involved (and it's always possible that they weren't). But you can do that with any case, no matter how clear-cut. I can make the same argument that O.J. Simpson never killed anyone (maybe it was just someone making it LOOK like he did it, there were probably other people with some reason to kill Ron and Nicole too). But is that the logical conclusion or just wishful thinking on my part because I don't want to believe that O.J. did it?

      • by sgt_doom (655561) on Wednesday October 06, 2010 @06:59PM (#33818182)
        It takes considerable resources to put something like this together, and the two probable entities would be the USA (DoD/NSA) or the gov't. of Denmark, as these are the only two countries (other than Germany, but I would discount them) who have the requisite relationships with Siemens and other groups to pull this off.
    • by TiggertheMad (556308) on Tuesday October 05, 2010 @05:48PM (#33800416) Homepage Journal
      I hardly think it's some tin-foil hat conspiracy theory for them to assert that it was a "western power" (most likely Israel or the U.S.) behind this worm.

      Possibly. What if they were having problems getting their plant working, and didn't want to look bad? Something like this might be a great way to blame the west, and get sympathy from other countries that might be willing to help out a victim of western aggression.

      Or, this might be the work of a western NGO. There are any number of groups that aren't part of the governments of the US or Israel that don't want to see a nuclear Iran. Perhaps this is an uninvolved state that just wants the US and Israel actively engaged and distracted by dealing with Iran.
      • by elrous0 (869638) * on Wednesday October 06, 2010 @10:03AM (#33807630)
        The bizarre claim that Iran did this to themselves is by far the silliest claim I have yet heard on Stuxnet. I can understand arguing for China, Britain, or even Russia. But arguing that Iran sabotaged *itself* reminds me of the old lynching victim death certificate bit: "Victim suffered a broken neck, 20 gunshot wounds, and was severely burned. Cause of death: Suicide."
    • by SmallFurryCreature (593017) on Wednesday October 06, 2010 @05:22AM (#33805726) Journal

      And the claim that short skirts cause earthquakes, that a western agent shot Neda, that the elections were fair, etc. etc.

      And then you swallow WHOLE the claim that Iran was hit hard by Stuxnet... a claim made by WHO? Verified by who? And couldn't a big outbreak just be an indication of really bad security in Iran, IF the claim is even true? The worm has also attacked in Indonesia and Holland. Might other places where better security kept it limited have just kept quiet? After all, if MY security was bad I wouldn't tell YOU about it.

      As for the sophistication of the worm... right. If it was so sophisticated, why was it dissected so easily? That it was effective means nothing. Worms we KNOW to be written by amateurs have had massive worldwide outbreaks. So a worm that only has an outbreak in one country with suspect IT skills is better? Odd definition of better.

      What amazes me is that you are paranoid enough to believe western governments can lie, but Muslim nations are too backward to spread false propaganda. Personally, I don't trust either one and follow the money. And there is no money for the west in this. Iran, however, has now got a scapegoat for anything that goes wrong. Yet another one. It is how dictators work to keep the population on their side: it is all the fault of group X, so support me or X will kill you.

      • by elrous0 (869638) * on Wednesday October 06, 2010 @10:11AM (#33807750)

        And then you swallow WHOLE the claim that Iran was hit hard by stuxnet... a claim made by WHO? Verified by who?

        Symantec made this crystal clear in their white paper [symantec.com] on the worm. Or do you think that Symantec is in the tank for Iran?

        As for your rant about amateurs being able to write this worm, it's quite clear you haven't taken even a cursory look at it. Everyone who knows anything about worms who's looked at it has acknowledged that this is the most sophisticated piece of malware they've ever seen. This wasn't written by some script kiddie in his mom's basement.

        What amazes me is that you are paranoid enough to believe western governments can lie

        It amazes me that you think they don't.

  • by vlm (69642) on Tuesday October 05, 2010 @05:06PM (#33799858)

    Is there a big market for pirated Siemens PLCs?

    You know, the Chinese business plan where they run off extra copies after the assembly line closes, and sell them for pure profit? Also the move where they change virtually nothing but the name and start selling it as a generic model at Walmart / Harbor Freight / etc?

    Maybe it was an attempt to "get" the infringing Chinese devices that got a little out of control and got the real ones too?

  • by SuperKendall (25149) on Tuesday October 05, 2010 @05:12PM (#33799942)

    I'm pretty sure Stuxnet is in fact a sophisticated attack worm created by a government to slow or halt Iran in producing nuclear weapons.

    There are plenty of candidates beyond the U.S. and Israel - Saudi Arabia for one, would be another country really not happy with a nuclear Iran, though certainly the U.S. or Israel seems most likely.

    But let's consider the most intriguing possibility - a country with tons of expertise in developing advanced malware already, and one with incredibly detailed knowledge of Iranian systems.

    Of course, I'm speaking of Russia.

    At first it sounds crazy because Russian scientists are helping Iran build a reactor in the first place. But perhaps that help was lined up long before, and Russia has decided Iran is too crazy now to be allowed to have The Bomb, so they activated Stuxnet, prepared in advance for such an eventuality. Or perhaps they simply wanted to get money from the help and then the cleanup...

    Russian scientists have been fleeing Iran because Iran is now going after guys in cubicles and saying they are spies. So perhaps even there, they know something most of us do not...

    • by jayme0227 (1558821) on Tuesday October 05, 2010 @05:44PM (#33800366) Journal

      Let's consider this possibility: Iran couldn't get the Nuclear Facility up and running properly so they needed a scapegoat. Now, it can't be something simple or else they'd be considered to be incompetent. Also, they'd need to be able to track the problem to a malevolent source, again, so they can shift all blame away from themselves. So what do they do? Create a virus that will be released into the wild and contains obscure references to past Israeli-Iranian conflicts. The virus has the bonus effect of allowing them to spy on their own citizens and companies around the world.

      In the end, it doesn't matter who created the virus. If Iran (or anyone else) can't secure a nuclear facility, they shouldn't have a nuclear facility.

    • by moderatorrater (1095745) on Tuesday October 05, 2010 @06:17PM (#33800706)
      Consider this possibility: the last time [arstechnica.com] people were accusing a government of being behind an attack, it was someone with a grudge but no government connection. Considering how hard it is (or even impossible) to tell the difference between a talented amateur and a professional when it comes to computers, why is everyone jumping on the government bandwagon? Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities.
      • by perpenso (1613749) on Tuesday October 05, 2010 @07:32PM (#33801638)

        ... Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities ...

        They needed a lot of expensive industrial control equipment to develop and test on.

        • by SuperKendall (25149) on Tuesday October 05, 2010 @09:52PM (#33803006)

          They needed a lot of expensive industrial control equipment to develop and test on.

          That is the part that totally screams to me "government".

          Definitely not the work of one guy in a basement.

          Now, it could be some large and well funded organization, sure. But I just don't buy that it's an amateur effort instead of a well funded affair, and if it's someone like organized crime, where is the payoff? Organized crime funds botnets because they make money from them; it's why for some time now no worm or botnet has really destroyed systems like in the early hacking days, when destroying a system was just as fun as manipulating it for an individual.

    • by Yvanhoe (564877) on Tuesday October 05, 2010 @06:53PM (#33801130) Journal
      A question I always ask: why should it be a government? I estimate a budget of one million dollars to create this thing, and that's a high estimate. That's more than a hobbyist budget (though it could be, if made by the original zero-day finders) but in the range of many organizations. It could also very well be a criminal organization who simply had money as their motive. I am sure that with such an infection on so many presumably critical structures, getting more than one million in blackmailing must not be that hard to do...
      • by znerk (1162519) on Tuesday October 05, 2010 @07:40PM (#33801734)

        I estimate a budget of one million dollars to create this thing

        [citation needed]

        If I were to pull a number out of my ass on what it would take to create any virus-like program, I would set the budget at:
        (1) extremely dedicated individual with internet access and some time on his/her hands.

        The information required for attacking practically anything is available online. Yes, looking for the information might raise some red flags, and accessing it could most certainly do so, but if the person perpetrating said attack is clever and careful (and maybe lucky, as well), there won't be anything pointing at a specific person for accessing that information (public access (libraries, netcafes), wardriving, etc. can all be used for misdirection).

        TL;DR: Once you have the plans for the death star, it just takes a bit of time to figure out where the reactor core is, and noticing the exhaust vent that goes straight to it.

        Pointing fingers should be reserved until after some facts have been found.
        --
        No, I didn't read the article; I still believe my logic is sound.

        • by Yvanhoe (564877) on Tuesday October 05, 2010 @08:10PM (#33801992) Journal
          Well, the number the press is shouting everywhere is that it costs $250,000 to buy a 0-day exploit that is not public. Of the 4 zero-days used, two were known. That leaves, at most, $500,000 for the two others. There is also a cryptographic certificate to get. I suspect this is at least as expensive. 1 million is a high-range estimation I, yes, somehow pulled out of my ass by making very inflated guesses. It could also be a single person who discovered the two unknown flaws, used them to steal Realtek's crypto key and made the virus by himself. It could very well be a zero-budget attack, as improbable as this looks. All I am saying is that it didn't cost more than 1 million and that the number of organisations that have access to these resources is colossal.
    • by Phrogman (80473) on Tuesday October 05, 2010 @07:01PM (#33801228) Homepage

      I mean Stux is a variety of linux from Italy:

      http://gpstudio.com/ [gpstudio.com]

    • by Solandri (704621) on Tuesday October 05, 2010 @08:50PM (#33802428)
      There's another possibility which occurred to me. You know all those reports we read warning that our power grid is vulnerable to computer attack? Maybe someone making those warnings got tired of being ignored and decided to demonstrate how easy it was?
  • by NonUniqueNickname (1459477) on Tuesday October 05, 2010 @05:13PM (#33799950)
    Who hates Iran's state-sponsored cultural intolerance and the Dutch?
    Austin Powers' father.
  • by Ender_Wiggin (180793) on Tuesday October 05, 2010 @05:20PM (#33800056)

    Despite the numerous slashdot articles and buzz about it, I'm seeing scant actual details.

    How was it delivered? Via Internet? Botnet? Unknown at this time? According to the article it "can spread using several vectors."
    It also says 2 of the 4 zero-day vulnerabilities have been patched by MS.

    The article about a possible attack scenario lends more credibility to the claim that there had to be inside help. You need people on the inside for reconnaissance and deployment. Even if it was spread from the internet, someone had to get ahold of the security certificates to crack them and know the specific types of PLCs in use. The arrests [slashdot.org] that recently took place in Iran are making a lot more sense, despite all the knee-jerk condemnation from the /. posters.

  • by bhcompy (1877290) on Tuesday October 05, 2010 @05:21PM (#33800074)
    My only question is who the hell named it "stuxnet"?
  • by JonySuede (1908576) on Tuesday October 05, 2010 @05:21PM (#33800078) Journal
    Anyone have more details on the PLC payload? I want to know what kind of changes it makes to the PLC software.
  • by Animats (122034) on Tuesday October 05, 2010 @05:22PM (#33800096) Homepage

    This attack is aimed at a very specific PLC configuration, and does nothing unless it finds that configuration. Until someone who has the matching PLC configuration admits it, speculation as to the target remains speculation.

    • by AHuxley (892839) on Tuesday October 05, 2010 @08:26PM (#33802188) Homepage Journal
      "Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic "DEADF007." Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner's analysis shows." from http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant/(page)/3 [csmonitor.com]
      • by jonwil (467024) on Tuesday October 05, 2010 @09:27PM (#33802766)

        Wouldn't Siemens be able to tell (based on the commands sent to the PLC by the Stuxnet worm) what it is trying to do?

        • by AHuxley (892839) on Tuesday October 05, 2010 @09:49PM (#33802978) Homepage Journal
          Layers of NDA? Govs telling them to?
        • by sapphire wyvern (1153271) on Tuesday October 05, 2010 @11:20PM (#33803702)

          Not necessarily. The "P" in PLC stands for programmable. PLCs have a large amount of generic physical I/O (relay outputs, 4-20mA inputs, etc. etc.). From looking at the Stuxnet code, you *might* be able to tell that a particular output is being turned on - but without knowing what's wired into that output, you still haven't learned much. And that's a fairly blatant scenario (where Stuxnet is directly controlling PLC I/O).

          If Stuxnet is doing something more subtle, it could be doing something like patching the PLC code to silently disable safety interlocks, by replacing the results of a logic calculation with a different value. It's similar to installing a NoCD crack in a game executable so that the check_for_valid_disk() function call return value is always set to TRUE, and the disk checking code never even runs. If we can only see the patch (Stuxnet's observable behaviour) but not the original executable (the PLC code) there's no way to tell exactly what Stuxnet's payload is. Even Siemens wouldn't be able to figure it out unless they had a copy of the code put into the PLC by its owners.
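The point above, that you cannot say what a "return TRUE" patch does to an interlock without the owner's original program, can be illustrated with a small added example (mine, not from this thread or from Siemens tooling). The PLC block, sensor inputs, block names and fingerprinting method are all constructed stand-ins: a toy interlock is a pure function, the owner keeps an off-controller baseline, and a differential run over the same inputs shows exactly which decisions the patch changed.

```python
"""
Added example (not from the Slashdot thread or any Siemens tooling): why a
defender needs a trusted copy of the PLC program to say what a patch does.

A toy "PLC block" is a pure Python function over sensor inputs that returns
whether a safety interlock permits operation.  The plant owner keeps a
baseline (fingerprint plus the block itself) off the controller.  An
integrity check compares what is currently loaded against that baseline,
and a differential test runs both versions over the same inputs to show
exactly which decisions changed.  All names, blocks and inputs here are
constructed for illustration.
"""
import hashlib
import itertools
from typing import Callable, Dict, List, Optional, Tuple

Inputs = Tuple[int, bool]          # (turbine rpm, lubrication_ok) - constructed
Block = Callable[[Inputs], bool]   # True means "interlock permits operation"

RPM_LIMIT = 1000


def interlock_original(inp: Inputs) -> bool:
    """Owner's real interlock: permit only within limits and with lubrication."""
    rpm, lube_ok = inp
    return rpm <= RPM_LIMIT and lube_ok


def interlock_patched(inp: Inputs) -> bool:
    """Models the NoCD-style patch from the comment: the check always passes."""
    return True


def block_fingerprint(block: Block) -> str:
    """Stand-in for hashing the compiled block as read back from the PLC."""
    return hashlib.sha256(block.__code__.co_code).hexdigest()


def integrity_check(baseline: Dict[str, str], loaded: Dict[str, Block]) -> List[str]:
    """Return names of loaded blocks whose fingerprint does not match the baseline.

    Blocks present on the controller but absent from the baseline are also
    reported, since a block may be added rather than modified.
    """
    return [name for name, block in loaded.items()
            if baseline.get(name) != block_fingerprint(block)]


def differential_test(original: Block, loaded: Block,
                      inputs: List[Inputs]) -> List[Tuple[Inputs, bool, bool]]:
    """Run both versions on the same inputs; return (input, original, loaded) where they differ."""
    return [(i, original(i), loaded(i)) for i in inputs if original(i) != loaded(i)]


def explain_change(trusted: Optional[Block], loaded: Block,
                   inputs: List[Inputs]) -> str:
    """What an analyst can conclude, with and without the owner's trusted copy."""
    if trusted is None:
        return "undetermined: no trusted copy of the original block to compare against"
    diffs = differential_test(trusted, loaded, inputs)
    if not diffs:
        return "no behavioural difference on the supplied inputs"
    forced = all(orig is False and new is True for _, orig, new in diffs)
    verdict = "interlock forced to permit" if forced else "interlock behaviour altered"
    return f"{verdict} on {len(diffs)} of {len(inputs)} input cases"


# Test vector covering both sides of each condition (constructed).
TEST_INPUTS: List[Inputs] = list(itertools.product((500, 1500), (True, False)))

# Baseline the owner recorded when the program was commissioned.
BASELINE = {"OB_interlock": block_fingerprint(interlock_original)}
# What is actually read back from the controller after tampering.
LOADED = {"OB_interlock": interlock_patched}

if __name__ == "__main__":
    print("modified blocks:", integrity_check(BASELINE, LOADED))
    print(explain_change(interlock_original, interlock_patched, TEST_INPUTS))
    print(explain_change(None, interlock_patched, TEST_INPUTS))
```

With the baseline, the run reports the one modified block and that the interlock was forced to permit on three of four input cases; without it, the same observed block yields only "undetermined".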

  • by Black Parrot (19622) on Tuesday October 05, 2010 @05:31PM (#33800226)

    Dutch multinationals have revealed that the worm is also attacking them.

    The Wikipedia article [wikipedia.org] has a table of purported number of infections in various countries. Indonesia and India have the worst problem after Iran. Over six thousand in the Anglophone countries. If this is in fact only spreading via USB sticks, we've got some really promiscuous behavior going on.

    (You may well be skeptical of the six million reported for China. It's not a defacement; there's a link to an article that quotes someone actually making the claim. But the quote makes it sound like the speaker doesn't know what he's talking about.)

  • by codepunk (167897) on Tuesday October 05, 2010 @05:41PM (#33800326)

    I doubt the US had anything to do with it; we have an administration with "no bag" in office. Israel, on the other hand, would be my first suspect. I can only hope that part of the stimulus money made it to a worthy cause such as this.

  • by Valtor (34080) on Tuesday October 05, 2010 @05:47PM (#33800410) Homepage

    I hope this is The Daemon [thedaemon.com] spreading. :)

  • by cpghost (719344) on Tuesday October 05, 2010 @05:51PM (#33800460) Homepage
    Siemens has a support and advisory page on Stuxnet [siemens.com], which is infecting their Simatic WinCC / PCS7 systems.
  • by joeflies (529536) on Tuesday October 05, 2010 @05:55PM (#33800500)

    Before Stuxnet, I'm sure the general public had no idea that Siemens was selling technology to Iran to fulfill its nuclear ambitions. Given that the west has a lot of misgivings about letting Iran do so, shouldn't western companies be a little more careful who they sell nuclear reactor parts to? I don't necessarily want to compare them to IBM's role in selling computers to the Nazis, but is there some point where you take some corporate responsibility before profits?

  • by bl8n8r (649187) on Tuesday October 05, 2010 @08:07PM (#33801964)

    "Almost all SCADA systems are -- for safety reasons -- standalone: not connected to a network, let alone the Internet."

    should actually read:
        "In theory, almost all SCADA systems are -- for safety reasons -- standalone: not connected to a network, let alone the Internet."

  • Intriguing. by jd (1658) on Tuesday October 05, 2010 @08:42PM (#33802338) Homepage Journal

    Those marking me "troll" for having said earlier that other, definitely and unquestionably innocent, victims could happen, and then marking me "troll" for noting that the protections against such accidents didn't mean they wouldn't happen anyway, will doubtless ignore the fact that (a) the Dutch are not Iranian nuclear weapons scientists, and (b) the only Iranian victims so far have been moderates who might have kept the program somewhat sane, and they have now been arrested as spies. Iran is not known for treating those they suspect of spying very nicely.

    It is indeed unclear who the worm was aimed at, but I'm confident that it wasn't the Dutch and I'm now more certain than ever that other innocent victims will turn up. We have proof now that the safeguards (however well-intentioned) did not work. Which is no great surprise - it's hard to have a failsafe weapon as there are so few scenarios in which you need a weapon that badly and have it be safe if it fails.

  • by lennier (44736) on Tuesday October 05, 2010 @09:41PM (#33802904) Homepage

    Someone had reprogrammed the DNA synthesizer, he said. The thing was there for the overnight construction of just the right macromolecule. With its in-built computer and its custom software. Expensive, Sandii. But not as expensive as you turned out to be for Hosaka.
    I hope you got a good price from Maas.
    The diskette in my hand. Rain on the river. I knew, but I couldn't face it. I put the code for that meningial virus back into your purse and lay down beside you.
    So Moenner died, along with other Hosaka researchers. Including Hiroshi. Chedanne suffered permanent brain damage.
    Hiroshi hadn't worried about contamination. The proteins he punched for were harmless. So the synthesizer hummed to itself all night long building a virus to the specifications of Maas Biolabs GmbH. Maas. Small, fast, ruthless -- All Edge.

    New Rose Hotel, 1981.

    Wonder if we'll ever find out what Stuxnet did in 2010, and if it did what its designers hoped.

  • by wiredmikey (1824622) on Wednesday October 06, 2010 @12:52AM (#33804462) Homepage
    Win32/Stuxnet might be described as a worm of a slightly different color, though it’s attracted interest from the media that’s comparable in intensity to Conficker, or Code Red, or Blaster. David Harley did an interesting piece on this... http://www.securityweek.com/stuxnet-sux-or-stuxnet-success-story [securityweek.com]
  • by RogueWarrior65 (678876) on Wednesday October 06, 2010 @11:18AM (#33808682)

    Has anyone actually seen physical evidence that Stuxnet was present on one of the Iranian nuclear power computers?
    Or is it possible that their nuclear program has serious problems and they decided to create some propaganda to shift the blame to their arch-enemies?
    I personally wouldn't take the chance that it was the latter case. As a matter of history, the Soviet Union was far less advanced than originally thought but it took a surge in Cold War activities to find out.
    If there is a third world war, IMHO it will begin with a country like Iran. Yes, just as there were Germans who didn't follow the Nazi regime or the Kaiser's regime, there are Iranians who don't subscribe to the regime's ideals and there are Muslims who don't blindly follow sharia law or subscribe to radical Islam. But for the foreseeable future, radical Islam is entrenched in the halls of power.
