
Friday, December 10, 2010

Stuxnet: It's the real thing

The Stuxnet worm is the real thing, and it's apparently got the Iranians tied up in knots.
Stuxnet was designed to take over industrial control systems and evade detection, and it apparently was very successful. Last week President Mahmoud Ahmadinejad, after months of denials, admitted that the worm had penetrated Iran's nuclear sites, but he said it was detected and controlled.

The second part of that claim, experts say, doesn’t ring true.

Eric Byres, an industrial control systems security expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn't come to grips with the complexity of the malware that appears to be still infecting the systems at both Bushehr and Natanz.

“The effort has been stunning," Byres said. "Two years ago American users on my site outnumbered Iranians by 100 to 1. Today we are close to a majority of Iranian users.”

He said that while there may be some individual computer owners from Iran looking for information about the virus, it was unlikely that they were responsible for the vast majority of the inquiries because the worm targeted only the two nuclear sites and did no damage to the thousands of other computers it infiltrated.

At one of the larger American web companies offering advice on how to eliminate the worm, traffic from Iran has swamped that of its largest user: the United States.

“Our traffic from Iran has really spiked,” said a corporate officer who asked that neither he nor his company be named. “Iran now represents 14.9 percent of total traffic, surpassing the United States with a total of 12.1 percent. Given the different population sizes, that is a significant number.”

Perhaps more significantly, traffic from Tehran to the company's site is now double that of New York City.

What's special about Stuxnet (Hat Tip: Instapundit)?
* At least four zero-day vulnerabilities were used. Remember, these were only classified as "zero-days" once we found out about them in June/July 2010; the earliest known Stuxnet samples date from mid-2009, so the folks who discovered these vulnerabilities could have been using and testing them for 12-24 months(?) before we even knew they existed. Discovering a single previously unknown vulnerability and using it successfully against a target is impressive; four in one piece of malware is remarkable.

* Used legitimate code-signing certificates stolen from two hardware companies (Realtek and JMicron, both certificates issued by VeriSign) to digitally sign Stuxnet's kernel-mode driver components, so they would load on target machines without Windows warning the user about an unsigned or untrusted driver. Note that the certificate authority itself was not breached; the signing keys were taken from the vendors they had been issued to, which is exactly why the signatures verified cleanly. This is huge! Imagine if someone was able to steal the private key behind YOUR online bank's SSL/TLS certificate and set up a web site that was an exact clone of YOUR online bank. If you accessed the cloned web site, your web browser would NOT alert you to any problem with it, because the site presents a valid certificate; the entire Internet online commerce model is based on this "trust" of Certificate Authorities, and on the assumption that the keys they certify stay private.

Sound unrealistic? Anyone else remember 10 years ago, in January 2001, when VeriSign issued two code-signing certificates in Microsoft's name to someone posing as a Microsoft employee (Microsoft bulletin MS01-017)? Imagine what they could have done with those certificates: perhaps create their own "special" Microsoft Windows patch. How many folks would download and install it? We often trust major companies, and our systems will trust the installation process if the file is signed under a certificate chaining to a "trusted" Certificate Authority (VeriSign, for example). To further highlight this issue: to this day the two "Untrusted Publishers" certificates everyone finds in our Internet Explorer browsers are those two Microsoft certificates from VeriSign. Microsoft had to push them into the untrusted store with an update because the certificates carried no revocation-list pointer, so normal revocation checking could never have caught them.
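A practical way to act on that point is to treat a valid Authenticode signature as necessary but not sufficient, and to keep an explicit list of signers you distrust even when their signatures verify. The PowerShell script below is an added example written for this post, not code from the original article or from any party it describes; the blocklist entries in it are placeholders, and the directory it scans is only a default.

```powershell
# Added example (not part of the original post): audit Authenticode
# signatures under a directory and flag files whose signature verifies
# cryptographically but whose signer should not be trusted anyway, which
# is exactly the gap a stolen signing key exploits.
#
# Assumptions (hypothetical, not from the page):
#   - $BlockedPublishers holds placeholder subject-name fragments; replace
#     them with the publishers you have decided to distrust.
#   - $Path defaults to the drivers directory only because signed kernel
#     drivers are the Stuxnet case; point it wherever you like.

param(
    [string]$Path = "$env:SystemRoot\System32\drivers",
    [string[]]$Extensions = @('*.sys', '*.dll', '*.exe')
)

# Placeholder blocklist of publisher subject-name fragments. Keying the
# list on the publisher (the certificate holder) rather than on the CA is
# the point: the CA that issued a stolen certificate is still trustworthy.
$BlockedPublishers = @('Example Blocked Vendor Co', 'Another Blocked Vendor')

# Thumbprints already marked untrusted on this machine. Internet Explorer's
# "Untrusted Publishers" tab is a view of the Disallowed certificate stores.
$DisallowedThumbprints = @(
    Get-ChildItem -Path Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Thumbprint }
)

function Get-SignerVerdict {
    # Turn a Signature object into a one-word verdict plus reason.
    param([System.Management.Automation.Signature]$Signature)

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
    # is already rejected by Windows; just report why.
    if ($Signature.Status -ne 'Valid') {
        return "REJECT ($($Signature.Status))"
    }

    $cert = $Signature.SignerCertificate

    # Valid signature, but the leaf certificate has been explicitly distrusted.
    if ($DisallowedThumbprints -contains $cert.Thumbprint) {
        return 'REJECT (signer certificate is in the Disallowed store)'
    }

    # Valid signature from a publisher we have decided not to trust, e.g.
    # because its signing key is known to have been stolen. Revocation
    # checking only helps if the host can fetch the CA's CRL, so this
    # explicit list is the part that still works offline.
    foreach ($fragment in $BlockedPublishers) {
        if ($cert.Subject -like "*$fragment*") {
            return "REJECT (blocked publisher: $($cert.Subject))"
        }
    }

    return 'OK'
}

$results = Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Verdict = Get-SignerVerdict -Signature $sig
        }
    }

# Show only what needs attention: unsigned or tampered files come out
# alongside files that are validly signed by a distrusted publisher.
$results | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

Run it from an elevated session if you point it at system directories. Microsoft-signed drivers should come back OK; the rows to care about are the Valid signatures whose signer hits your blocklist, because those are precisely the files the operating system's own check waves through.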

* Numerous propagation methods: USB drives (via the Windows shortcut/LNK vulnerability, MS10-046), network shares, the print spooler (MS10-061), Siemens Step7 project files and other peer-to-peer methods. Interesting to see that the Conficker vulnerability (MS08-067) was also one of the Stuxnet propagation options. Which method the worm uses is determined by the type, version and patch level of the Windows host it is residing on. (Amazing)

* Command and Control options: via the Internet when available, or peer-to-peer (infected machines updating each other over RPC) if Internet access is no longer available.

* A very specific configuration of the target environment is needed to activate the Stuxnet payload: manufacturer, specific product type and unique product configuration are all checked. Stuxnet only modified controller code when it found Siemens Step7/WinCC software driving Siemens S7-300/400 series PLCs attached to frequency-converter drives from two particular vendors (Vacon and Fararo Paya); anywhere else it stayed dormant. The intelligence and reconnaissance of the target needed to write those checks must have been incredible.

* The goal does not seem to have been outright destruction, rather interruption and delay. The payload changed the speed of very specific high-speed motors at seemingly random intervals, pushing the drive frequency far outside its normal operating band and then restoring it, while hiding its PLC modifications from the Step7 engineering software so the operators saw nothing wrong. How many people knew that gas-centrifuge uranium enrichment requires long periods of constant, very high-speed rotation?

How could Iran solve the problem? At the moment, it appears that they can't. This is from the first link again:
“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,“ he explained. “They will just continually re-infect themselves.”

“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

And Iran’s anti-worm effort may have had another setback. In Tehran, men on motorcycles attacked two leading nuclear scientists on their way to work. Using magnetic bombs, the motorcyclists pulled alongside their cars and attached the devices.

One scientist was wounded and the other killed. Confirmed reports say that the murdered scientist was in charge of dealing with the Stuxnet virus at the nuclear plants.
