Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Worms IT

Stuxnet Worm Claimed To Be Devastating In Iran 390

sciencewatcher writes "At debka.com, a website associated with intelligence communities focusing on the Middle East, the claim is made that Tehran this week secretly appealed to a number of computer security experts in West and East Europe with offers of handsome fees for consultations on ways to exorcise the Stuxnet worm spreading havoc through the computer networks and administrative software of its most important industrial complexes and military command centers."
This discussion has been archived. No new comments can be posted.

Stuxnet Worm Claimed To Be Devastating In Iran

Comments Filter:
  • by Pojut ( 1027544 ) on Wednesday September 29, 2010 @08:53AM (#33733212) Homepage

    Do you think the US did this in an official capacity, an "official" capacity, or had nothing to do with it?

    • by Anonymous Coward on Wednesday September 29, 2010 @08:58AM (#33733276)

      No, they didn't. Proof: it worked.

    • by Bert64 ( 520050 ) <bert&slashdot,firenzee,com> on Wednesday September 29, 2010 @08:58AM (#33733284) Homepage

      Doesn't really matter either way...

      Iran was grossly negligent in allowing their critical infrastructure to run on software controlled by a hostile government (and which they most likely had to pirate because there are export restrictions against iran).

      • by xaxa ( 988988 ) on Wednesday September 29, 2010 @09:10AM (#33733412)

        (and which they most likely had to pirate because there are export restrictions against iran).

        For the US -- there's nothing stopping me selling computer software to Iran, unless that software is of military/nuclear/etc use (you can see the full details of what's not allowed here (the PDF) [businesslink.gov.uk]).

        • by Darkness404 ( 1287218 ) on Wednesday September 29, 2010 @09:16AM (#33733464)
          ...Except for the fact that encryption software is often times classified as "military" technology, making the distribution of most software impossible.
          • by chill ( 34294 ) on Wednesday September 29, 2010 @09:30AM (#33733598) Journal

            Crypto in U.S. law was removed from the munitions classification back in 1996 by then President Clinton.

            Shortly thereafter one of the exemptions granted was for open source. If the source code was freely available, you don't need an export license.

            • by bsDaemon ( 87307 ) on Wednesday September 29, 2010 @09:55AM (#33733836)

              Clinton issued an executive order placing cryptographic software under the dominion of the Commerce Department with regards to export, and the Commerce Department simplified export rules to make things easier. However, they can always take it back, its not law, just policy.

        • by gyranthir ( 995837 ) on Wednesday September 29, 2010 @09:33AM (#33733636)
          For the US, Cuba, Iran, Syria, Libia and a bunch of other countries are under an embargo, where american companies cannot export to them...
        • Re: (Score:3, Informative)

          by nedlohs ( 1335013 )

          Microsoft is an American company. Hence, US export restrictions apply to Microsft Windows - irrespective of where you happen to be.

          Microsoft can't export it, and others can't buy it from Microsoft and then export it to Iran without also violating US law. Now those non-US folk mightn't care about that (though once the US supplier finds out they can't keep legally keep supplying), but it does violate the licensing on the software from Microsoft and hence all copies of Microsoft Windows do not have valid licen

      • You assume that they couldn't find an ethically bankrupt businessman willing to sell them things under the table. Think George Bluth Sr. from Arrested Development.
      • Re: (Score:3, Insightful)

        So they should have built their own software to run on S7 PLCs? What country that you know of does that? Do you know of any country that does? If so name them, because I've been to dozens and never seen anything of the sort.

        They could have probably run a lot of their automation with relay logic, but at a significantly increased cost.

        • Re: (Score:3, Insightful)

          by Dare nMc ( 468959 )

          built their own software to run on S7 PLCs

          To be fair, were not at a hostile level with Germany, so we may not have the same level of concern, for a foreign based software ownership (Siemiens)

          It is fair to say the PLC's don't have to be always accessible from windows computers, Can be disconnected after verified... That connection is likely for SCADA (data logging/monitoring protocol to the S7), which is available for other operating systems.

          A quick search shows these guys, among others:
          http://www.modcomp.com/scada/scada_app.html [modcomp.com]

          So it does seam for

    • by Randle_Revar ( 229304 ) <kelly.clowers@gmail.com> on Wednesday September 29, 2010 @09:06AM (#33733362) Homepage Journal

      If Stuxnet is attacking Iran, I'd bet on Israel (just) ahead of the US.

      • Re: (Score:3, Insightful)

        by John Hasler ( 414242 )

        So would I, but I'd put Israel way ahead. However, I don't discount the possibility that no government was involved.

        • by rtb61 ( 674572 ) on Wednesday September 29, 2010 @09:55AM (#33733844) Homepage

          The catch with the whole theory of a software hack, the stuxnet worm is far too tightly tied to Iran, hardware is far more likely to be the culprit rather than software. So hardware infrastructure in Iran, well if it was sourced from China or Russia likely safe, except of course in companies head quartered elsewhere were involved.

          So access to windows source and Siemens PLC seems a must, so the really only leaves two suspects. Now if the worm in industrials plants result of industrial accidents that kill people, then clearly it would be an act of war, which would be pretty stupid because there are far more effective means of crippling infrastructure with far more primitive methods.

          • by John Hasler ( 414242 ) on Wednesday September 29, 2010 @10:39AM (#33734288) Homepage

            > So access to windows source and Siemens PLC seems a must...

            I see no need for access to Windows source, and anyone can buy the Siemens hardware.

          • by GooberToo ( 74388 ) on Wednesday September 29, 2010 @10:46AM (#33734386)

            So access to windows source and Siemens PLC seems a must, so the really only leaves two suspects.

            Actually, access to Window's source absolutely does not seem a must. But regardless, obtaining it is likely trivial. I know I've seen references to it on the net before. Any student and/or spy attending any number of various universities have access to it. Accordingly, it has been periodically freed on the Internet.

            You're also missing the fact that Iranians themselves have reason to do this type of thing. Iranians, on average, are far more educated than the average American. Lots work in industry. They likely have no shortage of people who are fully capable and qualified to pull off such worms. Not to mention, politically speaking, they have almost endless justification.

            If you want to be honest about it, the Iranian people themselves are the number one group which have reasons to pull this off. Next are the Israelis, followed by other surrounding Arab nations, Europe, and then lastly the US, followed by lots of smaller, less interested parties.

            People seem to be in a hurry to forget that with the fall of Iraq, Iran now has center stage for regional power and authority. This is absolutely not acceptable to other Arab countries in the region.

            • Re: (Score:3, Interesting)

              by thegameiam ( 671961 )

              well said, with very minor nitpick: s/other Arab/Arab/ - whether Iraq is an Arab country (or Persian country) depends on who you ask, but I don't know of anyone with any knowledge of Iranian history who would call Iran an Arab country.

              I have no knowledge of who's responsible for the worm, but Steve Bellovin wrote about it very intelligently [columbia.edu].

          • Re: (Score:3, Interesting)

            Now if the worm in industrials plants result of industrial accidents that kill people, then clearly it would be an act of war, which would be pretty stupid because there are far more effective means of crippling infrastructure with far more primitive methods.

            Not if it is built into the side of a mountain, like, say, a nuclear fuel processing plant.

    • Re: (Score:3, Insightful)

      by davev2.0 ( 1873518 )
      I think Iran did it to themselves.
    • by Trevelyan ( 535381 ) on Wednesday September 29, 2010 @09:15AM (#33733454)
      It's more likely to have been Israel.

      For example this story [ynetnews.com], note that its from 2009 but still make a pretty good description of how stuxnet works. Google or following the links on stuxnet news stories will bring up other possible links to Israel.
    • by Rob Riggs ( 6418 )
      The U.S.? No. There's a far more likely suspect...
    • Re: (Score:2, Funny)

      by rootchick ( 910668 )
      Maybe it was extraterrestrials: http://www.americanchronicle.com/articles/view/188021 [americanchronicle.com]
  • A communications disruption can mean only one thing - invasion.

    well, what better time to fix that pesky reactor.

  • by Anonymous Coward

    why don't they just use firefox instead of ie??

    • Re:why don't they (Score:4, Informative)

      by Ant P. ( 974313 ) on Wednesday September 29, 2010 @08:58AM (#33733268) Homepage

      Or computer systems certified for safety-critical installations, instead of Windows which flat out says not to use it for that in the EULA?

      • Re:why don't they (Score:5, Informative)

        by Hijacked Public ( 999535 ) on Wednesday September 29, 2010 @10:03AM (#33733916)
        You don't understand industrial control systems. It isn't Windows that does any safety-critical controlling, it is a PLC, which is the target of Stuxnet's payload. Stuxnet just happens to use Windows to propagate, which is a good choice because nearly all PLC programming and interface software is Windows only. Anyone this telented could have written a Linux worm that did the same thing, but it would have been ineffective because Linux is hardly ever connected to a Siemens PLC. Windows being a bottomless pit of zero days doesn't help, of course.
  • the only problem with this contract is just how much of a target one can become if one decided to go for the money and the fun of 'exorcising' the demon from the nuclear power plant (and whatever else) systems.

  • I guess... (Score:2, Funny)

    by Anonymous Coward

    ...it really stux to be iranian.

  • Does it run on Linux? For once a relevant question... ;)

  • by SlappyBastard ( 961143 ) on Wednesday September 29, 2010 @08:57AM (#33733266) Homepage
    I'm not a fan of quoting anything from a website whose motto is "We start where the media stop".
  • by d3ac0n ( 715594 ) on Wednesday September 29, 2010 @08:59AM (#33733288)

    But I'm having a really hard time getting upset over the Iranian government being brought to a crawl by a computer virus. These ARE the same people that have made no bones about wanting to commit genocide against all Jews, and have tortured and murdered millions of their own people.

    Personally, I hope it causes a total collapse. Perhaps then the Green Revolution people (those that are still alive, anyway) can have a chance at creating a true Democracy in Persia. The Persian people certainly deserve it.

    What DOES worry me is that this is, in some ways, a "genie out of the bottle" moment. Formal "Weaponized" use of a computer virus to attack a state. While I'm sure it was inevitable, it is still a bit of a shock to know that the day has arrived.

    All the more reason to be sure to be using a variety of redundant and disparate OS types to support your infrastructure I guess.

    • Re: (Score:2, Insightful)

      by elrous0 ( 869638 ) *
      If a virus like this were to succeed in its apparent goals (reeking havoc on the Natanz enrichment facility [globalsecurity.org], or worse, the new Bushehr nuclear power plant [wikipedia.org]) it could potentially cause an accident that could kill a LOT of innocent people. It had the very real capacity to send the reactors at Bushehr into meltdown. And I'm pretty sure the people who live around that facility had nothing to do with genocide against the Jews (nor have most Iranians ever fired so much as a shot against Israel).
      • by Iphtashu Fitz ( 263795 ) on Wednesday September 29, 2010 @09:55AM (#33733834)

        Any modern-day reactor should have an out-of-band method of SCRAMing [wikipedia.org] that doesn't rely on computer control of any sort. A common approach is to have control rods held physically over the nuclear fuel by electromagnets. If power is cut to the electromagnets for any reason then gravity drops them into place and the reaction ceases. If monitoring systems don't automatically cut power to the SCRAM system then it would just take a worker pushing a button. Heck, they may even have fuses located around the reactor that would melt in the presences of excessive heat or the presence of radiation, causing power to the magnets to be cut. So the likelihood of a computer worm causing a meltdown is highly unlikely unless the Iranians are stupid enough to disable the SCRAM system.

        • Also (Score:5, Informative)

          by Sycraft-fu ( 314770 ) on Wednesday September 29, 2010 @10:34AM (#33734224)

          Most modern reactor designs have a difficult time going critical. They are made such that if coolant goes away, they stop working. Depending on the kind of fuel you use you can set it up so that when the coolant goes away the excess heat causes things to spread out and thus the reaction slows. It gets hot, but not hot enough to melt down. Not fool proof, nothing is of course, but makes it pretty hard for things to go critical even in a worst case scenario.

          It also should be noted that often the SCRAM systems go beyond that. The rods will have springs behind them to force them in quicker, and there are usually secondary systems to drive them in as well, should the primaries fail.

          Over all, the world did a pretty good job learning from the problems of early reactors and it is pretty hard to cause a meltdown these days, with a modern reactor design at least.

          Do remember that the people who build these have a large vested interest in making sure they DON'T go critical, even in adverse situations. Safeties are taken seriously.

          • Re:Also (Score:5, Informative)

            by BlueParrot ( 965239 ) on Wednesday September 29, 2010 @10:51AM (#33734454)

            makes it pretty hard for things to go critical even in a worst case scenario.

            All power reactors in the world today go critical as part of their normal operation. That's why they can sustain a chain reaction. However, they are all designed in such a way that their criticality is not sufficient to allow the reactor to remain critical without the contribution from so called delayed-neutrons. These are neutrons emitted by the fission products some time after the fission event. It's because the release of these neutrons is much slower than the release of fission neutrons that it is possible to build a stable nuclear reactor. Without them the reactor would either be sub-critical and hence not produce any power without an external neutron source, or it would be prompt-critical, which pretty much means you would not be able to control the rate of the chain reaction rapidly enough to prevent dangerous power fluctuations.

            Modern pressurized water reactors typically can't go prompt critical, since the quantity of relatively low enriched uranium is too small.

    • by Goaway ( 82658 )

      Well, here we have someone who certainly likes to swallow his propaganda whole.

  • by wiredog ( 43288 ) on Wednesday September 29, 2010 @09:02AM (#33733326) Journal

    Or something like that. Could get a bit scary, push comes t5o shove and all that. I wonder who will get hit with the retaliatory strike?

    Alternatively, I wonder if this is the retaliatory strike?

    You are in a twisty maze of little passages, all alike...

  • by Anonymous Coward

    (repost as the first one isn't showing up)

    They would in any case have an incentive to give the impression that everything grinds to a halt. The more their nuclear programme slows down the longer it will be until Israel feels the urgent need to bomb it.

    I like to play a little game called "Which world do we live in?". You describe two worlds that are generally similar but differ on some characteristics, and try to find out which of the two worlds we live in, or ways to go about finding out. I am not sure of a

  • Spreading havoc? (Score:5, Insightful)

    by brian0918 ( 638904 ) <brian0918@nOSpam.gmail.com> on Wednesday September 29, 2010 @09:08AM (#33733388)
    It's my understanding that Stuxnet was designed to only *do only* to one certain computer/system that was specifically targeted. On all other computers that do not match the signature of that computer, it leaves them alone. So what is the "havoc" that it is causing?
    • Re: (Score:3, Insightful)

      by dr2chase ( 653338 )

      As I understand it (I just used teh Google to figure out whether this worm phones home), the worm does phone "somewhere", and worms on a network update among themselves in a peer-to-peer fashion.

      So, perhaps it started as one thing, and has become another. In particular, if the party answering the "phone home" can tell who is calling, they might deliver different payloads to known-Iranian IP addresses and other addresses. (That's what *I* would do.)

      Reality seems to be catching up to our more paranoid fanta

    • by __aaqvdr516 ( 975138 ) on Wednesday September 29, 2010 @09:26AM (#33733560)

      IAAICT (I am an Instrumentation and Controls Tech)

      Stuxnet specifically targets Siemens Simatic Wincc software and associated PLC's. Essentially, the Wincc software is the programming base to interact with the PLC's, which are discreet CPU/memory clusters running optimized code for whatever it is you'd like to do. There are many PLC manufacturers and they use their own programming software to upload/download to their cpu's. The fact that this worm only interacts with Siemens software is not surprising as Siemens is one of the major manufacturers of industrial equipment. I have a large number of Siemens devices all around where I work. I do not use Siemens PLC's though, so I am unaffected by this worm.

      This whole thing smells to me like a disgruntled software guy that used to work for Siemens.

      • I guess GP referred to the studies that concluded stuxnet would only activate some of its more dangerous parts only if the infected PLC had some very specific building blocks. So the "true" havoc would only be unlashed when the infected machine was part of a very specific facility (which was rumored, but never confirmed, to be "noclear plant", but that may be just some sensationalist's guess), while on all other infected hardware it would mostly stay ineffective, (apart from spreading and probably phoning h

        • The specific are that it looks for S7-300 and S7-400 controllers and modifies OB35, which is usually used for safety circuit type monitoring of very high speed processes. It also inserts blocks all over the PLC, which I assume is a method to increase scan times.

          I've not seen anything to suggest that is looks for anything more specific than that and there are tons of S7-300/400s out there. It wouldn't likely cause 'havoc' in very many applications since OB35 isn't needed in very many generic industrial proce

      • Re:Spreading havoc? (Score:5, Interesting)

        by elrous0 ( 869638 ) * on Wednesday September 29, 2010 @09:54AM (#33733832)
        Having looked carefully at this worm (I'm preparing for a presentation on it at a local security conference), I can tell you it almost certainly wasn't written by one guy. It's the most complex piece of malware I've ever seen. It's written in three languages (C and C++ on the Windows side, MC 7 assembly language on the PLC side), it uses four different Windows exploits and two stolen code-signing certificates from companies in Taiwan (both of which read as legit until just recently), and it has one of the most aggressive and clever rootkits I've ever seen. And that's not even getting into how it can update itself. Unless said disgruntled employee was the goddamn jedi master of hackers in addition to his day-job, I would say this is definitely a major team effort (a very specialized team).
        • Re:Spreading havoc? (Score:5, Interesting)

          by Lord Ender ( 156273 ) on Wednesday September 29, 2010 @10:40AM (#33734296) Homepage

          The Air Force was recruiting hackers at DEFCON this year. The recruiter actually said they will take anyone, regardless of criminal record.

          It seems reasonable that you wouldn't let criminal hackers work on your own defensive systems. So what *would* you do with them? You would develop offensive technology--that doesn't require the developers have any access to your own infrastructure.

          • Re: (Score:3, Insightful)

            by swb ( 14022 )

            Why should they fear criminal hackers?

            I'm sure during the "orientation" session it was made clear that if they fucked up, there were some scenarios to consider -- like suddenly finding yourself in Pelican Bay State Prison under a new name, starting a 30 year stretch for multiple child molestation convictions.

          • Re: (Score:3, Insightful)

            by kevinNCSU ( 1531307 )
            You're forgetting hackers like to target people miles away with complete anonymity. Not people they work with that hold sub-machine guns, sign their pay checks, and have their complete life's history on file along with polygraph tests.
    • Re:Spreading havoc? (Score:5, Interesting)

      by elrous0 ( 869638 ) * on Wednesday September 29, 2010 @09:31AM (#33733606)

      It targets two specific models of Seimens programable logic controllers (by targeting the Windows software used to program those PLC's). PLC's are used to control very time-intensive industrial processes. Pretty much every power plant, nuke plant, modern manufacturing plant, etc. uses these, and they control very dangerous physical equipment. Reeking havoc with these processes can cause explosions, radiation leaks, major industrial accidents, etc. (it could even cause nuclear reactors to go critical). That's very bad stuff. Best case scenario, it could cause serious damage to equipment. Worse case scenario, it could cause significant lose of life.

      In other words, tampering with a PLC can make things go BOOM. In 1982, the CIA purported did this [wikipedia.org] with the Siberian pipeline, and the resulting explosion was so powerful it set off missile launch alarms in the U.S.

    • No one knows exactly what it does. More than likely it did target a specific industrial complex with the purpose of physically damaging machinery. However, there could be multiple targets, or the software could be collecting data / signatures of additional hardware which it could be instructed to attack at a later time.

      This is purported to be the most advanced, complex and highest quality malware ever discovered. I seriously doubt it would be spreading as far and wide as it has for so long if it was targeti

    • It's my understanding that Stuxnet was designed to only *do only* to one certain computer/system that was specifically targeted.

      Right, and I believe that is the version released in January 2009. Now that the cat is out of the bag and Microsoft is likely to patch the 0-days, Stuxnet probably phoned home and was given all the remaining payloads. The results would be unknown at this point.

  • by Noryungi ( 70322 ) on Wednesday September 29, 2010 @09:08AM (#33733400) Homepage Journal

    This is DEBKA. Completely ridiculous website, riddled with disinfo.


    Not only have their own attempts to defeat the invading worm failed, but they made matters worse: The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.

    'nuff said.

    Of course, that does not mean Iran is not hit hard by Stuxnet - just that everything you read at this site should be taken with a big grain of salt.

  • I know that Mossad, the CIA, or whoever did this probably intended this to be a one-shot deal and didn't expect it to go as viral as it did. But I hope they truly appreciate what a nasty thing they've started. Now everyone will be doing it. And these sorts of viruses have the potential to cause real-world loss of life.

    All this for a petty strike against a country that probably didn't even work (and would only have pushed them closer to war even if it had).

  • What I don't understand is why the *heck* the SCADA systems running Iran's { illegal | sooper-sekrit | stealth } nuclear weapons program aren't air-gapped! Isn't that something like standard procedure?

    • by Jaysyn ( 203771 )

      All it takes is one asshole to dig out the epoxy in the USB slots & not get caught & boom, you're infected.

  • Debka is BS at times and Israeli misinformation at other times.
  • Go ahead and mod me down, but it's only a matter of time before this happens again. You either accept the liability and put your trust in microsoft for patches, or do something else. It's not a stretch to expect more of the same.

    "At the same time, the company said it would not patch Windows because doing so would cripple existing applications."
    http://www.computerworlduk.com/news/applications/3236953/microsoft-confirms-unpatched-vulnerabilities-in-key-enterprise-programs/ [computerworlduk.com]

    "The security firms also notified Mi

  • remedy is simple...
    install some form of linux instead of windows, and run the scada software through wine

  • by amias ( 105819 ) on Wednesday September 29, 2010 @10:39AM (#33734280) Homepage Journal

    have a look at the whois for debka

          DEBKAfile Ltd.
          4, Hamaapilim St.
          Jerusalem, 92545

    why should anyone trust news about Arabic interests that is published by people living in Israel ?

    it would certainly suit Israeli interests to discredit the security of Iran and its the kind of racism that
    seems to be all too common in Israel .


  • by master_p ( 608214 ) on Wednesday September 29, 2010 @10:40AM (#33734302)


    or... ...Suxnet.

This login session: $13.76, but for you $11.88.