Computer worm. Is this possible, or fiction?

Santilli

Mystery Surrounds Cyber Missile That Crippled Iran's Nuclear Weapons Ambitions
By Ed Barnes, FoxNews.com
Published November 26, 2010

In the 20th century this would have been a job for James Bond.

The mission: Infiltrate the highly advanced, securely guarded enemy headquarters where scientists in the clutches of an evil master are secretly building a weapon that can destroy the world. Then render that weapon harmless and escape undetected.

But in the 21st century, Bond doesn't get the call. Instead, the job is handled by a suave and very sophisticated secret computer worm, a jumble of code called Stuxnet, which in the last year has not only crippled Iran's nuclear program but has caused a major rethinking of computer security around the globe.

Intelligence agencies, computer security companies and the nuclear industry have been trying to analyze the worm since it was discovered in June by a Belarus-based company that was doing business in Iran. And what they've all found, says Sean McGurk, the Homeland Security Department's acting director of national cyber security and communications integration, is a “game changer.”

The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was the first to sound the alarm about Stuxnet. Others have called it the first “weaponized” computer virus.

Simply put, Stuxnet is an incredibly advanced, undetectable computer worm that took years to construct and was designed to jump from computer to computer until it found the specific, protected control system that it aimed to destroy: Iran’s nuclear enrichment program.

The target was seemingly impenetrable; for security reasons, it lay several stories underground and was not connected to the World Wide Web. And that meant Stuxnet had to act as sort of a computer cruise missile: As it made its passage through a set of unconnected computers, it had to grow and adapt to security measures and other changes until it reached one that could bring it into the nuclear facility.

When it ultimately found its target, it would have to secretly manipulate it until it was so compromised it ceased normal functions.

And finally, after the job was done, the worm would have to destroy itself without leaving a trace.

That is what we are learning happened at Iran's nuclear facilities -- both at Natanz, which houses the centrifuge arrays used for processing uranium into nuclear fuel, and, to a lesser extent, at Bushehr, Iran's nuclear power plant.

At Natanz, for almost 17 months, Stuxnet quietly worked its way into the system and targeted a specific component -- the frequency converters made by the German equipment manufacturer Siemens that regulated the speed of the spinning centrifuges used to create nuclear fuel. The worm then took control of the speed at which the centrifuges spun, making them turn so fast in a quick burst that they would be damaged but not destroyed. And at the same time, the worm masked that change in speed from being discovered at the centrifuges' control panel.

At Bushehr, meanwhile, a second secret set of codes, which Langner called “digital warheads,” targeted the Russian-built power plant's massive steam turbine.

Here's how it worked, according to experts who have examined the worm:

--The nuclear facility in Iran runs an “air gap” security system, meaning it has no connections to the Web, making it secure from outside penetration. Stuxnet was designed and sent into the area around Iran's Natanz nuclear power plant -- just how may never be known -- to infect a number of computers on the assumption that someone working in the plant would take work home on a flash drive, acquire the worm and then bring it back to the plant.

--Once the worm was inside the plant, the next step was to get the computer system there to trust it and allow it into the system. That was accomplished because the worm contained a “digital certificate” stolen from JMicron, a large company in an industrial park in Taiwan. (When the worm was later discovered it quickly replaced the original digital certificate with another certificate, also stolen from another company, Realtek, a few doors down in the same industrial park in Taiwan.)

--Once allowed entry, the worm contained four “Zero Day” elements in its first target, the Windows 7 operating system that controlled the overall operation of the plant. Zero Day elements are rare and extremely valuable vulnerabilities in a computer system that can be exploited only once. Two of the vulnerabilities were known, but the other two had never been discovered. Experts say no hacker would waste Zero Days in that manner.

--After penetrating the Windows 7 operating system, the code then targeted the “frequency converters” that ran the centrifuges. To do that it used specifications from the manufacturers of the converters. One was Vacon, a Finnish company, and the other Fararo Paya, an Iranian company. What surprises experts at this step is that the Iranian company was so secret that not even the IAEA knew about it.

--The worm also knew that the complex control system that ran the centrifuges was built by Siemens, the German manufacturer, and -- remarkably -- how that system worked as well and how to mask its activities from it.

--Masking itself from the plant's security and other systems, the worm then ordered the centrifuges to rotate extremely fast, and then to slow down precipitously. This damaged the converter, the centrifuges and the bearings, and it corrupted the uranium in the tubes. It also left Iranian nuclear engineers wondering what was wrong, as computer checks showed no malfunctions in the operating system.

Estimates are that this went on for more than a year, leaving the Iranian program in chaos. And as it did, the worm grew and adapted throughout the system. As new worms entered the system, they would meet and adapt and become increasingly sophisticated.

During this time the worms reported back to two servers that had to be run by intelligence agencies, one in Denmark and one in Malaysia. The servers monitored the worms and were shut down once the worm had infiltrated Natanz. Efforts to find those servers since then have yielded no results.

This went on until June of last year, when a Belarusian company working on the Iranian power plant in Bushehr discovered it in one of its machines. It quickly put out a notice on a Web network monitored by computer security experts around the world. Ordinarily these experts would immediately begin tracing the worm and dissecting it, looking for clues about its origin and other details.

But that didn’t happen, because within minutes all the alert sites came under attack and were inoperative for 24 hours.

“I had to use e-mail to send notices but I couldn’t reach everyone. Whoever made the worm had a full day to eliminate all traces of the worm that might lead us to them,” said Eric Byres, a computer security expert who has examined Stuxnet. “No hacker could have done that.”

Experts, including inspectors from the International Atomic Energy Agency, say that, despite Iran's claims to the contrary, the worm was successful in its goal: causing confusion among Iran’s nuclear engineers and disabling their nuclear program.

Because of the secrecy surrounding the Iranian program, no one can be certain of the full extent of the damage. But sources inside Iran and elsewhere say that the Iranian centrifuge program has been operating far below its capacity and that the uranium enrichment program had “stagnated” during the time the worm penetrated the underground facility. Only 4,000 of the 9,000 centrifuges Iran was known to have were put into use. Some suspect that is because of the critical need to replace ones that were damaged.

And the limited number of those in use dwindled to an estimated 3,700 as problems engulfed their operation. IAEA inspectors say the sabotage better explains the slowness of the program, which they had earlier attributed to poor equipment manufacturing and management problems. As Iranians struggled with the setbacks, they began searching for signs of sabotage. From inside Iran there have been unconfirmed reports that the head of the plant was fired shortly after the worm wended its way into the system and began creating technical problems, and that some scientists who were suspected of espionage disappeared or were executed. And counter intelligence agents began monitoring all communications between scientists at the site, creating a climate of fear and paranoia.

Iran has adamantly stated that its nuclear program has not been hit by the bug. But in doing so it has backhandedly confirmed that its nuclear facilities were compromised. When Hamid Alipour, head of the nation’s Information Technology Company, announced in September that 30,000 Iranian computers had been hit by the worm but the nuclear facilities were safe, he added that among those hit were the personal computers of the scientists at the nuclear facilities. Experts say that Natanz and Bushehr could not have escaped the worm if it was in their engineers’ computers.

“We brought it into our lab to study it and even with precautions it spread everywhere at incredible speed,” Byres said.

“The worm was designed not to destroy the plants but to make them ineffective. By changing the rotation speeds, the bearings quickly wear out and the equipment has to be replaced and repaired. The speed changes also impact the quality of the uranium processed in the centrifuges creating technical problems that make the plant ineffective,” he explained.

In other words the worm was designed to allow the Iranian program to continue but never succeed, and never to know why.

One additional impact that can be attributed to the worm, according to David Albright of the Center for Strategic and International Studies, is that “the lives of the scientists working in the facility have become a living hell because of counter-intelligence agents brought into the plant” to battle the breach. Ironically, even after its discovery, the worm has succeeded in slowing down Iran's reputed effort to build an atomic weapon. And Langner says that the efforts by the Iranians to cleanse Stuxnet from their system “will probably take another year to complete,” and during that time the plant will not be able to function anywhere normally.

But as the extent of the worm’s capabilities is being understood, its genius and complexity has created another perplexing question: Who did it?

Speculation on the worm’s origin initially focused on hackers or even companies trying to disrupt competitors. But as engineers tore apart the virus they learned not only the depth of the code, its complex targeting mechanism, (despite infecting more than 100,000 computers it has only done damage at Natanz,) the enormous amount of work that went into it—Microsoft estimated that it consumed 10,000 man days of labor-- and about what the worm knew, the clues narrowed the number of players that have the capabilities to create it to a handful.

“This is what nation-states build, if their only other option would be to go to war,” Joseph Wouk, an Israeli security expert wrote.
“It is a military weapon,” he said.

And much of what the worm “knew” could only have come from a consortium of Western intelligence agencies, experts who have examined the code now believe.

Originally, all eyes turned toward Israel’s intelligence agencies. Engineers examining the worm found “clues” that hinted at Israel’s involvement. In one case they found the word “Myrtus” embedded in the code and argued that it was a reference to Esther, the biblical figure who saved the ancient Jewish state from the Persians. But computer experts say "Myrtus" is more likely a common reference to “My RTUS,” or remote terminal units.

Langner argues that no single Western intelligence agency had the skills to pull this off alone. The most likely answer, he says, is that a consortium of intelligence agencies worked together to build the cyber bomb. And he says the most likely confederates are the United States, because it has the technical skills to make the virus, Germany, because reverse-engineering Siemens' product would have taken years without it, and Russia, because of its familiarity with both the Iranian nuclear plant and Siemens' systems.

There is one clue that was left in the code that may tell us all we need to know.

Embedded in different section of the code is another common computer language reference, but this one is misspelled. Instead of saying “DEADFOOT,” a term stolen from pilots meaning a failed engine, this one reads “DEADFOO7.”

Yes, OO7 has returned -- as a computer worm.

Stuxnet. Shaken, not stirred
 

Adcadet

Wow. What horrible writing.

"Embedded in different section of the code is another common computer language reference..." - typo?

"Simply put, Stuxnet is an incredibly advanced, undetectable computer worm " - logically false.

"IAEA inspectors say the sabotage better explains the slowness of the program..." - than what?

"...and during that time the plant will not be able to function anywhere normally." -is the author really talking about the location of the plant?
 

time

A lot of it is conjecture, but I just spent 3-4 hours reading up on it, and yes, it's quite possible. :eek:

Calling it a worm hardly does it justice. As a whole, the product must be an order of magnitude more sophisticated than any other malware that came before it.

And stealing certificates from JMicron and RealTek in particular is inspired. How many PCs don't have RealTek software?

Stuxnet Under the Microscope is a presentation on aspects of the delivery system, which in itself is a collection of awesome engineering feats (the presentation doesn't really start until Section 3).

The payload is even more impressive because it clearly required enormous skill in the world of PLCs and industrial automation.

Ralph Langner has a blog that reports more detail. There are a lot of entries and he can seem a trifle melodramatic, but his technical analysis looks good to me. The product has the ability to record 15 seconds worth of sensor inputs, then play them back so as to conceal the source of the problem while it's wreaking havoc with machinery. And of course it successfully hides in the PLCs - even after any infected PCs are disconnected.

Eric Byres said:
It is very well written – it is 1.5 MBytes of complex logic and yet (according to Kaspersky) only one potential bug has been noted and they have not been able to actually see this bug take effect. This error rate is far better than industry standards for commercial software.

The real problem is not this product, but the techniques that it has introduced to the malware market. There really isn't much to stop someone else achieving widespread disruptions (eg. power blackouts).
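The post above describes the payload recording about 15 seconds of sensor inputs and playing them back so that the operators see nothing wrong, and the quoted article makes the same point about the speed change being masked from the control panel. As an added example, not code from this thread or from any published analysis of the worm, here is a defender-side check that a historian or monitoring host could run over its own telemetry log: it flags any stretch of readings that reappears verbatim later in the stream, which is the signature of a recorded window being replayed. The nominal speed, the 1 Hz sample rate, the 15-sample window and the telemetry values are all constructed assumptions.

```python
# Added example: detecting a replayed window of sensor telemetry.
# Constructed data only; not code from the thread or from any analysis of Stuxnet.
import random
from typing import Dict, List, Sequence, Tuple

Span = Tuple[int, int, int]  # (original_start, replay_start, length) in sample indices


def find_replayed_spans(values: Sequence[float], window: int,
                        min_distinct: int = 4) -> List[Span]:
    """Report stretches of the stream that are bit-for-bit copies of an earlier stretch.

    Real analog measurements carry noise, so `window` consecutive readings that
    reappear exactly, at least `window` samples later, are far more likely to be a
    recording being played back than a coincidence. Windows with fewer than
    `min_distinct` distinct values (a flat, steady-state signal) are ignored because
    they carry too little information to tell a replay from normal operation.
    """
    first_seen: Dict[Tuple[float, ...], int] = {}
    spans: List[List[int]] = []  # mutable [orig_start, replay_start, length]
    for i in range(len(values) - window + 1):
        key = tuple(values[i:i + window])
        if len(set(key)) < min_distinct:
            continue
        orig = first_seen.get(key)
        if orig is not None and i - orig >= window:
            # Extend the current span if this window continues it with the same offset.
            if spans:
                o0, r0, n = spans[-1]
                if i == r0 + n - window + 1 and i - orig == r0 - o0:
                    spans[-1][2] += 1
                    continue
            spans.append([orig, i, window])
        else:
            first_seen.setdefault(key, i)
    return [tuple(s) for s in spans]


def build_constructed_stream(seed: int = 7) -> List[float]:
    """Constructed 1 Hz telemetry (assumed rate): 100 s of live readings, then 30 s
    replayed from seconds 10-39, then live readings again. The nominal 1000.0 Hz
    and the 0.5 Hz noise are assumed values chosen for illustration only."""
    rng = random.Random(seed)
    live = [round(1000.0 + rng.gauss(0.0, 0.5), 2) for _ in range(130)]
    return live[:100] + live[10:40] + live[100:130]


if __name__ == "__main__":
    for orig_start, replay_start, length in find_replayed_spans(build_constructed_stream(), 15):
        print(f"samples {replay_start}-{replay_start + length - 1} repeat "
              f"samples {orig_start}-{orig_start + length - 1} exactly ({length} s)")
```

Exact repetition is the cheapest signal and is what this catches; a flat steady-state signal is skipped because value alone cannot distinguish it from a replay. The stronger check in practice is to cross-correlate the reported speed with an independent channel the recording did not capture, such as drive current or vibration, which is beyond this example.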
 

MaxBurn

In the automation industry where I work there is a lot of talk about this. Generally they are rather worried because till now there hasn't been any security concern for building management systems.
 

Stereodude

Considering it was probably state sponsored, and not just some "black hats" it seems within the realm of possibility.
 

Howell

PLCs? How many printers have their code rigorously checked for vulnerabilities? Seems like a good storage spot to me.
 

LunarMist

You just learned of this one? It has been all over the place for months. Even I get spam at work about it, although none of the systems would be so affected.
 

time

Mitnick was an amateur. He also relied on 'stolen' passwords rather than engineering skill (to be fair, his methods are by far the most likely incursion, so his consultancy is probably quite valuable).

Printers don't control conveyor belts, stamping or cutting machines, robots, centrifuges or giant steam turbines. Let alone sewerage pumping stations - 46 attacks, it took the first 20 before they smelled a rat. ;)
 

Howell

time said:
Printers don't control conveyor belts, stamping or cutting machines, robots, centrifuges or giant steam turbines.

The value of a printer is not as an attack endpoint but in its spare storage capacity and that no one would think to look there. It may have value as a staging point or as an entry point, what with the number of external memory card slots now built into the printers.

A compromised printer firmware could sit on the network shooting out dead trees, probing for known vulnerabilities, and calling home for updates. Or even going dormant for months. :)
 

Chewy509

Howell said:
The value of a printer is not as an attack endpoint but in its spare storage capacity and that no one would think to look there. It may have value as a staging point or as an entry point, what with the number of external memory card slots now built into the printers.

A compromised printer firmware could sit on the network shooting out dead trees, probing for known vulnerabilities, and calling home for updates. Or even going dormant for months. :)

An even better target would be the larger number of commercial routers out there. Most are now running Linux in some form, and most rely on MIPS or ARM CPUs. Excellent staging point to act as a DDOS node, to sniff network data, launch DNS redirection attacks (most people set their DNS to be the router), etc.

Now add in the mix that few people change the default password - very easy for an automated attack.

Just say'n.
 

Chewy509

What next, infected mice and displays? I'm checking my stapler, too.

Blu-ray players? Most are online now, and offer downloadable content... XBox360 and PS3? Heck some TVs are Internet enabled to allow you to watch YouTube, NetFlix, Amazon Video on Demand, etc...

In a nutshell, anything that is directly connected to the 'net is a potential target.
 

LunarMist

Why would a Blu-ray player need to be online? I don't like that idea at all.:spiderman:
 

LunarMist

So they know everything you watch on disc and must be connected for each new one? I'm having second thoughts about buying one for Christmas.
 

sdbardwick

Netflix of course, but you don't need to leave the player connected to the 'net just to play discs (at least that I have encountered); just need connection to do updates.

I suppose it is possible for any modern player (CD, DVD, Blu-Ray) to keep track of what you watch and report back to the Overlords, but I haven't heard of any that do so without permission.
 

Chewy509

As far as I know there is no strict requirement for any blu-ray player to be connected to the Internet, if you are only watching movies.

However an Internet connection is needed if you want all the extra stuff.

All Sony Blu-ray players can firmware update via CD-ROM, negating the need for an Internet connection, but having an Internet connection available does make the process easier. Don't know about other brands and their ability to firmware update from spinning media.

PS. The in-laws just received a new Sony LCD TV (46" EX710), and it has full media streaming capability (so YouTube, Netflix, etc) as well as being able to stream media from any DLNA-enabled media server (Windows Media Player 11+ can act as a media server on XP, Vista or 7 - works best on Win7). It was awesome watching YouTube HD content on a 46" TV, and also being able to watch any movies he had on his PC as well.
 

LunarMist

If one gives a new, retail BD player and 8 discs to an octogenarian, will they be able to play the discs without the internet?
 

ddrueding

Yes. The question is:

If you give 8 recently released titles to someone who has not updated their Blu-ray player in over a year, will they work?

And the answer is: maybe.

That sucks.
 

Stereodude

ddrueding said:
Yes. The question is:

If you give 8 recently released titles to someone who has not updated their Blu-ray player in over a year, will they work?

And the answer is: maybe.

That sucks.

You can update the firmware via disc, internet, or USB.
 

Mercutio

The correct answer is to rip everything and forget you ever saw the disc. For old people the correct answer is to stick with DVDs. They can't see or hear the differences in the first place.

Now, if only I didn't need three different apps for my .mt2s to .mkv conversion...
 

LunarMist

Mercutio said:
The correct answer is to rip everything and forget you ever saw the disc. For old people the correct answer is to stick with DVDs. They can't see or hear the differences in the first place.

Maybe some can't see too well, but some can see just fine. I'll agree with you that the sound is not very important. Low distortion and good volume in the midrange seem to help.
 

ddrueding

It really is all about the screen size. A friend bought a Blu-ray player and was disappointed as he didn't see a quality improvement. I introduced him to 1080p on my 120" screen. He now has a 120" screen.
 

Mercutio

Do you happen to have a howto on that somewhere?

I mostly use ripbot264. But it kind of sucks when titles are split across a bunch of files.

So I wind up using Xilsoft's BluRay ripper to preview which titles are which and figure out what order they go in. Xilsoft's ripper almost always picks the wrong audio track to encode so I don't use it for anything but handling previews.

Sometimes, ripbot screws up and won't decode a file, even with AnyDVD. At that point I usually try MakeMKV, which has its own content removal function but is by far the worst program of the three I've used in basically every way.
 