Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Stuxnet Worms On

CmdrTaco posted more than 3 years ago | from the squirmy-squirmy dept.

Worms 141

Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself: Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.

cancel ×

141 comments

Sorry! There are no comments related to the filter you selected.

Ghost? (1)

i_ate_god (899684) | more than 3 years ago | (#33799714)

Maybe it has a ghost that developed from the data inputs of over a billion individuals...

It was random segments of code (1)

Noughmad (1044096) | more than 3 years ago | (#33800252)

One day they'll have secrets... one day they'll have dreams.

first post (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33799720)

I made it first or not.

We may never know? We DO know! (4, Funny)

interkin3tic (1469267) | more than 3 years ago | (#33799848)

I for one feel it's safe to assume Iran is right, that this is a nefarious plot by unnamed western nations to stop Iran's glorious peaceful nuclear power program, but that absolutely no computers controlling the nuclear program were infected. After all, Iran is completely trustworthy and it's nuclear scientists are smart enough not to use control computers to check their e-mail and click on random links from random people.

I'm also going to assume that fake first post was part of a nefarious plot by unnamed western nations to tarnish Iran's glorious image as first posters.

Re:We may never know? We DO know! (-1, Troll)

Moryath (553296) | more than 3 years ago | (#33800126)

I for one feel it's safe to assume Iran is right

Oh geez. Iran is the same nation where beheadings are common (as is cousin and even double-cousin marriage), women have to be kept in beekeeper outfits for fear some Iranian neanderthal male will see an ankle and go on a rampage of rape and destruction...

Oh. I get it. Your post was tongue-in-cheek. Whew, for a second there I thought you were as insane as the Iranians!

I'm going with my original guess from the last time this was posted - most likely, Stuxnet was either the result of a pissed-off former Siemens employee, or of a competing PLC manufacturer somewhere in Asia or Russia getting the "bright idea" to hire on a mafia or yakuza group with some programmers (the same guys who code worms to set up botnets and run "pay us or we DDoS you, crash your system" extortion scams [eweek.com] ) to make the world think "OMG don't use Siemens, better use someone else instead, those Siemens things can't be trusted."

Re:We may never know? We DO know! (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33800888)

Oh geez. Iran is the same nation where beheadings are common (as is cousin and even double-cousin marriage), women have to be kept in beekeeper outfits for fear some Iranian neanderthal male will see an ankle and go on a rampage of rape and destruction...

Yes, we know, you hate Iran and Iranians, but don't you get sick of posting the same troll again and again on every article that has to do with Iran? You knew parent's post was tongue-in-cheek, but you still took the time to make it known how much you hate Iran before going "oh, it was tongue-in-cheek" ha ha ha. So clever.

This is what Iran looked like in the 1970s [pagef30.com] before the revolution -- none of these people were "neanderthals". It's not the people who want their women to dress up in "beekeper outfits", it's the tyrannous government. I take it you were born after 1979? Please, get some perspective.

Re:first post (0, Offtopic)

i_ate_god (899684) | more than 3 years ago | (#33799852)

I win!!!

Iran should all buy Macs (1, Flamebait)

Haedrian (1676506) | more than 3 years ago | (#33799724)

Everyone knows Macs don't get viruses

</sarcastic joke>

Re:Iran should all buy Macs (5, Funny)

MrEricSir (398214) | more than 3 years ago | (#33799786)

And yet, Macs *are* capable of uploading viruses to alien ships.

Re:Iran should all buy Macs (1, Funny)

Anonymous Coward | more than 3 years ago | (#33800208)

"Macintosh: The Typhoid Mary of home computing"

Yeah, I should totally be in advertising.

Re:Iran should all buy Macs (2, Informative)

LaminatorX (410794) | more than 3 years ago | (#33800224)

Only if the ships have certain specific PLCs.

That's what it was about! (2, Informative)

John Hasler (414242) | more than 3 years ago | (#33801246)

The Earth was under attack by alien ships controlled by Siemens PLCs. Stuxnet was released to repel them and they all blew up and vanished into hyperspace. The whole thing was hushed up, of course, and what we are seeing is just the collateral damage.

Skynet (1)

lmnfrs (829146) | more than 3 years ago | (#33800494)

Seriously, though, it is Windows PC's that are present in government organizations, can gain sentience, and launch nuclear attacks to destroy all humans..

Re:Skynet (1)

blair1q (305137) | more than 3 years ago | (#33800518)

WOPR was an IBM compatible?

Re:Iran should all buy Macs (1)

CannonballHead (842625) | more than 3 years ago | (#33800662)

Only if the alien ship hardware is approved for Apple Hardware Communications. ;)

Re:Iran should all buy Macs (1)

cjb658 (1235986) | more than 3 years ago | (#33800854)

And yet, Macs *are* capable of uploading viruses to alien ships.

Yeah, but that app was rejected from the app store.

Never thought I would defend Iran, but... (3, Insightful)

elrous0 (869638) | more than 3 years ago | (#33799744)

I don't think this is just one of those "Look at Iran, making some outlandish crazy new allegation!" thing (like it was when Ahmadinejad tried to claim there were no homosexuals in Iran [youtube.com] or blamed the U.S. Government for 9-11 [cbsnews.com] ). Considering the very disproportionate hit they took of these infections, the obvious suspects (those who would benefit most from their nuclear program taking a hit), the precision of the targeting of the virus (two very specific models of Seimens PLC's), the impressive sophistication of the worm, etc. I hardly think it's some tin-foil hat conspiracy theory for them to assert that it was a "western power" (most likely Israel or the U.S.) behind this worm.

Re:Never thought I would defend Iran, but... (3, Interesting)

Ender_Wiggin (180793) | more than 3 years ago | (#33799860)

I don't think he said there are no homosexuals in Iran, he said "We don't have gay people the way you do in America." I think he means they don't really have openly gay people in society like you find in New York. It's interesting because Iran actually allows and pays for sex-change surgeries.

Re:Never thought I would defend Iran, but... (1)

Pharmboy (216950) | more than 3 years ago | (#33799958)

It's interesting because Iran actually allows and pays for sex-change surgeries.

Is that before or after they administer the death penalty for homosexual acts? [wikipedia.org] And they *sometimes* subsidize surgery [wikipedia.org] , which is not the same as "pays for".

Fortunately, Iran doesn't consider the testimony of women to be trustworthy enough to consider as evidence (see first link).

Re:Never thought I would defend Iran, but... (4, Interesting)

TheCarp (96830) | more than 3 years ago | (#33799966)

Thats pretty much what he said. Actually, homosexuality in their culture is a whole topic unto itself. What was interesting to me was the way he seemed to imply that there is a difference between "public morality" and "private". Have you ever seen how many "witnesses" are required to accuse someone of certain things (like being a homosexual) under sharia law, for example?

What he seemed, to me, to be espousing was the idea that "what you do in private is between you and god, but, what other people see you do, is another matter". In some ways it reminds me of a japanese woman who was interviewed for the book "Lust in Translation" (never read it, but heard several stories about it) who was not mad at her husband for having an affair, as she had her own, but was mad that he was careless and allowed her to find out about it.

Having known a few Iranian ex-pats, I must say, they have a fascinating culture, and one thats very different from our own in many ways.

-Steve

Re:Never thought I would defend Iran, but... (2, Insightful)

gad_zuki! (70830) | more than 3 years ago | (#33800542)

>they have a fascinating culture, and one thats very different from our own in many ways.

Finding a death penalty for homosexuality fascinating? It should be horrifying. Same thing for atheism or denying Islam.

>Thats pretty much what he said.

Err, transsexualism and homosexuality are two very different things. Iran has a lot of social pressures to force homosexuals into subsidized transsexual treatment, which does nothing but victimize and humiliate homosexuals who have no problem with their gender, its what they want to have sex with that has the theocracts running scared. Theocracy is not a valid form of government. Stop defending it as fascinating. Its victimizing and horrible.

Re:Never thought I would defend Iran, but... (2, Insightful)

at_slashdot (674436) | more than 3 years ago | (#33802534)

>they have a fascinating culture, and one thats very different from our own in many ways.

Finding a death penalty for homosexuality fascinating?

Since when the legal system, especially in a religious autocratic regime, is part of "culture".

Re:Never thought I would defend Iran, but... (1)

Securityemo (1407943) | more than 3 years ago | (#33803520)

It's sprung out of culture. I guess you could view it as a formalized mask of cultural morality, warts and all?

Re:Never thought I would defend Iran, but... (0, Troll)

gad_zuki! (70830) | more than 3 years ago | (#33800504)

>It's interesting because Iran actually allows and pays for sex-change surgeries.

News flash, transsexualism and homosexuality are two very different things. Please note we are talking about a country with a FUCKING DEATH PENALTY for homosexual acts. This makes Turing's treatment by the UK authorities sound like a walk in the park.

Re:Never thought I would defend Iran, but... (1)

c6gunner (950153) | more than 3 years ago | (#33800804)

News flash, transsexualism and homosexuality are two very different things

Yep. This is especially troubling since only a minority of male-to-female transsexuals are "heterosexual"; in other words, men who get a sex change in order to become women are more likely to be attracted to women than to men. Which raises the question ... will the government of Iran pay to have a man made into a woman ... only to then execute "her" for having sex with a woman?

Re:Never thought I would defend Iran, but... (1)

Thing 1 (178996) | more than 3 years ago | (#33803422)

No, they'll just convert "her" back. (Hope he saved "his" foreskin!)

Re:Never thought I would defend Iran, but... (1)

Securityemo (1407943) | more than 3 years ago | (#33803552)

Why is the above modded troll? It's a perfectly good thing to be morally outraged over.

Re:Never thought I would defend Iran, but... (1)

i_ate_god (899684) | more than 3 years ago | (#33799894)

most likely Israel or US?

I'm sure there are a lot of countries, like China, that would want to Iran stfu before they get blown up and the oil stops running. It's in the interest of pretty much any industrialised nation that war doesn't break out over Iran.

Re:Never thought I would defend Iran, but... (1)

JustOK (667959) | more than 3 years ago | (#33800112)

China is closer to Iran than we are.

Re:Never thought I would defend Iran, but... (2, Insightful)

MozeeToby (1163751) | more than 3 years ago | (#33799904)

It's worth noting that although many systems have been compromised worldwide, the only reports of equipment actually being damaged are apocryphal reports of 'nuclear accidents' at Iran's centrifuge facilities. The international community has assumed that those accidents were caused by the worm, and Iran calling the worm an attack on their nuclear ambitions seams to support that claim. Personally, I find the second wave of infections more likely to be someone modifying the payload and basic parameters for their own ends, it seems quite different from the mindset that drove the first set of attacks.

Re:Never thought I would defend Iran, but... (1)

jd (1658) | more than 3 years ago | (#33802454)

The article on the Netherlands reports a satellite being knocked out of service. It may not be physical damage in the sense that you could go up there and hit the reboot switch, but short of a shuttle flight to rescue it, you can effectively consider that satellite to be destroyed. It's dead in space. Deceased. Bereft of life. Since it was probably a communications satellite, and thus a repeater, it's an ex-parrot.

Re:Never thought I would defend Iran, but... (1)

Thing 1 (178996) | more than 3 years ago | (#33803466)

My mod points have expired, so I'll just say, "well said" and "that was never five minutes just now!" (In fact, it's been less than a minute, as Slashcode reminded me -- after, I'll have you note, I decided to quote Monty Fucking Python, so it was really neat that Slashcode tripped me up, yet again, to remind me that Slashcode's tripping was topical!)

Re:Never thought I would defend Iran, but... (1)

Thing 1 (178996) | more than 3 years ago | (#33803444)

Personally, I find the second wave of infections more likely to be someone modifying the payload and basic parameters for their own ends, it seems quite different from the mindset that drove the first set of attacks.

Exactly! Just like, Sony releasing a rootkit (that would have ended up in PMITA prison for you and me) ended up in viruses being written that target that rootkit's additional vulnerabilities. Thus, the second wave.

Re:Never thought I would defend Iran, but... (1)

Dynedain (141758) | more than 3 years ago | (#33800032)

And that's exactly the moral of the story, The Boy Who Cried Wolf.

Re:Never thought I would defend Iran, but... (3, Informative)

LWATCDR (28044) | more than 3 years ago | (#33800278)

I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a Nuclear Iran.
The list should include.
China
Russia
India
All of the EU
Egypt
Most of the Middle East.
I mean really this list is long and while this worm is probably outside the limits for some guy with a grudge it isn't outside the limits for any nation with a large university with a good CS department.

Re:Never thought I would defend Iran, but... (2, Informative)

Dr. Evil (3501) | more than 3 years ago | (#33801280)

Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemen's hardware and how do you think they flew it in?

"Friendly" nations engage in espionage too (2, Interesting)

perpenso (1613749) | more than 3 years ago | (#33801534)

I wouldn't even say most likely the US or Israel. I don't think there are many nations that want a Nuclear Iran. The list should include. China Russia India All of the EU Egypt Most of the Middle East. I mean really this list is long and while this worm is probably outside the limits for some guy with a grudge it isn't outside the limits for any nation with a large university with a good CS department.

Russia does a lot of business with Iran. Ditto for Germany and the E.U. Where do you think they got all the Siemen's hardware and how do you think they flew it in?

So some of these "friendly" countries had the best access to the iranian nuclear infrastructure, that's enough to warrant their inclusion on the list. Given that stuxnet was "dormant" and not attempting to damage anything it may have been more of an insurance policy and not so much of an active weapon. Any of these countries would love to monitor and have a remote off switch should Iran begin to act against their interests at some future date. Now is this the most likely scenario, no. However it is still highly plausible.

Re:Never thought I would defend Iran, but... (0)

Anonymous Coward | more than 3 years ago | (#33801598)

And now they need new hardware! Golly, could be a financial incentive at work here.

Could be any number of people (1)

TiggertheMad (556308) | more than 3 years ago | (#33800416)

I hardly think it's some tin-foil hat conspiracy theory for them to assert that it was a "western power" (most likely Israel or the U.S.) behind this worm.

Possibly. What if they were having problems getting their plant working, and didn't want to look bad. Something like this might be a great way to blame the west, and get sympathy from other countries that might be willing to help out a victim of western aggression.

Or, this might be the work of a western NGO. There are any number of groups that aren't part of the governments of the US or Israel that don't want to see a nuclear Iran. Perhaps this is a uninvolved state that just wants the US and Israel actively engaged and distracted by dealing with Iran.

But. but, but.... (0)

Anonymous Coward | more than 3 years ago | (#33801678)

....didn't they say that the worm did nothing to them? I don't know what you guys are talking about.

Re:Never thought I would defend Iran, but... (1)

Thearls (1916070) | more than 3 years ago | (#33803564)

I would hope that the US would be more responsible than this. I'm and engineer that works with the type of instrumentation that this worm is supposed to infect. Siemens instrumentation is used all over the world. It could kill a lot of people if it infects the wrong facility.

Market for pirated Seimens PLCs? (1, Interesting)

vlm (69642) | more than 3 years ago | (#33799858)

Is there a big market for pirated Seimens PLCs?

You know, the Chinese business plan where they run off extra copies after the assembly line closes, and sell them for pure profit? Also the move where they change virtually nothing but the name and start selling it as a generic model at Walmart / Harbor Freight / etc?

Maybe it was an attempt to "get" the infringing Chinese devices that got a little out of control and got the real ones too?

Re:Market for pirated Seimens PLCs? (0)

Anonymous Coward | more than 3 years ago | (#33800622)

Siemens. Like Tolkien.

*sigh*

Re:Market for pirated Seimens PLCs? (1)

_merlin (160982) | more than 3 years ago | (#33801056)

Your hypothesis reminds me of the "Frankie" virus [nai.com] that targeted pirated versions of Aladin (a Mac emulator for Atari ST). It ended up attacking most Mac emulators on the ST, and not just the ones it was supposed to target (although some, like SPECTRE, were naturally immune).

Other targets (1)

mischi_amnesiac (837989) | more than 3 years ago | (#33799934)

Makes sense, it hides the real purpose.

Might not be the West... (4, Interesting)

SuperKendall (25149) | more than 3 years ago | (#33799942)

I'm pretty sure Stuxnet is in fact a sophisticated attack worm created by a government to slow or halt Iran in producing nuclear weapons.

There are plenty of candidates beyond the U.S. and Israel - Saudi Arabia for one, would be another country really not happy with a nuclear Iran, though certainly the U.S. or Israel seems most likely.

But lets consider the most intriguing possibility - a country with tons of expertise in developing advanced malware already, and one with incredibly detailed knowledge of Iranian systems.

Of course, I'm speaking of Russia.

At first it sounds crazy because Russian scientists are helping Iran build a reactor in the first place. But perhaps that help was lined up long before, and Russia has decided Iran is too crazy now to be allowed to have The Bomb, so they activated Stuxnet, prepared in advance for such an eventuality. Or perhaps they simply wanted to get money from the help and then the cleanup...

Russian scientists have been fleeing Iran because Iran is now going after guys in cubicles and saying they are spies. So perhaps even there, they know something most of us do not...

Re:Might not be the West... (1)

jayme0227 (1558821) | more than 3 years ago | (#33800366)

Let's consider this possibility: Iran couldn't get the Nuclear Facility up and running properly so they needed a scapegoat. Now, it can't be something simple or else they'd be considered to be incompetent. Also, they'd need to be able to track the problem to a malevolent source, again, so they can shift all blame away from themselves. So what do they do? Create a virus that will be released into the wild and contains obscure references to past Israeli-Iranian conflicts. The virus has the bonus effect of allowing them to spy on their own citizens and companies around the world.

In the end, it doesn't matter who created the virus. If Iran (or anyone else) can't secure a nuclear facility, they shouldn't have a nuclear facility.

Re:Might not be the West... (0)

Anonymous Coward | more than 3 years ago | (#33803140)

Wow, that is too much like "man goes to a restaurant, orders a pelican, has a bite, goes outside and shoots himself" story, too much lateral thinking... why make something so sophisticated as a diversion...

Re:Might not be the West... (2, Interesting)

moderatorrater (1095745) | more than 3 years ago | (#33800706)

Consider this possibility: the last time [arstechnica.com] people were accusing a government of being behind an attack, it was someone with a grudge but no government connection. Considering how hard it is (or even impossible) to tell the difference between a talented amateur and a professional when it comes to computers, why is everyone jumping on the government bandwagon? Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities.

Re:Might not be the West... (2, Insightful)

perpenso (1613749) | more than 3 years ago | (#33801638)

... Maybe it's some college buddies in Tel Aviv who decided that they wanted to target Iran, or maybe Stuxnet was just a worm of the week from blackhats (many of which are getting ridiculously complex) that just happened to get into the Iranian facilities ...

They needed a lot of expensive industrial control equipment to develop and test on.

MOD UP (1)

SuperKendall (25149) | more than 3 years ago | (#33803006)

They needed a lot of expensive industrial control equipment to develop and test on.

That is the part that totally screams to me "government".

Defiantly not the work of one guy in a basement.

Now it could be some large and well funded organization, sure. But I just don't buy that it's an amateur effort instead of a well funded affair, and if it's someone like organized crime where is the payoff? Organized crime funds botnets because they make money from them, it's why for some time now no worm or botnet has really destroyed systems like in the early hacking days when destroying a system was just as fun as manipulating it for an individual.

Re:Might not be the West... (0)

Anonymous Coward | more than 3 years ago | (#33803484)

A Siemens PLC costs less then $600.

http://www.matrikonopc.com/opc-drivers/opc-siemens-s7-plc/base-driver-details.aspx

It is not expensive to develop and test on.

Re:Might not be the West... (1)

Yvanhoe (564877) | more than 3 years ago | (#33801130)

A question I always ask : why should it be a government ? I estimate a budget of one million dollar to create this thing, and that's a high estimate. That's more than a hobbyist budget (through it could be, if made by the original zero-day finders) but in the range of many organizations. It could also very well be a criminal organization who had simply money as their motive. I am sure that with such an infection on so many presumably critical structures, getting more than one million in blackmailing must not be that hard to do...

Re:Might not be the West... (2, Interesting)

znerk (1162519) | more than 3 years ago | (#33801734)

I estimate a budget of one million dollar to create this thing

[citation needed]

If I were to pull a number out of my ass on what it would take to create any virus-like program, I would set the budget at:
(1) extremely dedicated individual with internet access and some time on his/her hands.

The information required for attacking practically anything is available online. Yes, looking for the information might raise some red flags, and accessing it could most certainly do so, but if the person perpetrating said attack is clever and careful (and maybe lucky, as well), there won't be anything pointing at a specific person for accessing that information (Public access (libraries, netcafes), wardriving, etc can all be used for misdirection).

TL;DR: Once you have the plans for the death star, it just takes a bit of time to figure out where the reactor core is, and noticing the exhaust vent that goes straight to it.

Pointing fingers should be reserved until after some facts have been found.
--
No, I didn't read the article; I still I believe my logic is sound.

Re:Might not be the West... (1)

Yvanhoe (564877) | more than 3 years ago | (#33801992)

Well, the number the press is shouting everywhere is that it costs $250,000 to buy a 0-day exploit thatis not public. Of the 4 zero-days used, two were known. That leaves, at most, $500 000 for the two others. There is also a cryptographic certificate to get. I suspect this is at least as much expensive. 1 million is a high-range estimation I, yes, somehow put out of my ass by making very inflated guesses. It could also be a single person discovering the two unknown flaws that used them to steal Realtek's crypto key and made the virus by himself. It could very well be a zero-budget attack, as improbable as this look. All I am saying is that it didn't cost more than 1 million and that the number of organisations that have access to these resources is colossal.

Re:Obviously it was the Italians... (1)

Phrogman (80473) | more than 3 years ago | (#33801228)

I mean Stux is a variety of linux from Italy:

http://gpstudio.com/ [gpstudio.com]

Re:Might not be the West... (1)

Solandri (704621) | more than 3 years ago | (#33802428)

There's another possibility which occurred to me. You know all those reports we read warning that our power grid is vulnerable to computer attack? Maybe someone making those warnings got tired of being ignored and decided to demonstrate how easy it was?

Re:Might not be the West... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33803544)

The cooperation was lined up long time ago but even then it had been known about Iran's nuclear ambitions, ideology and general attitude. Russia is playing a dangerous and sophisticated game in this region. They try to gain influence on Iran, to draw it into their orbit. It has to do with Caucassian states, oil and oil transport. They also try to play this card in the international scene as they seem to be the only country to have some persuasive power. OTOH Iran seems to be happy to buy technology from Russia but reluctant to follow Russia's rules concerning West and Central Asia policies. And here it is good to remember that Russia is notorious for applying force to their smaller counterparts.

finger pointing without proof (1)

NonUniqueNickname (1459477) | more than 3 years ago | (#33799950)

Who hates the Iran's state-sponsored cultural intolerance and the Dutch?
Austin Powers' father.

More details needed in story summary (4, Interesting)

Ender_Wiggin (180793) | more than 3 years ago | (#33800056)

Despite the numerous slashdot articles and buzz about it, I'm seeing scant actual details.

How was it delivered? Via Internet? Botnet? Unknown at this time? According to the article it "can spread using several vectors."
It also says 2 of the 4 zero-day vulnerabilities have been patched by MS.

The article about a possible attack scenario leads more credibility to the claim that there had to be inside help. You need people on the inside for Reconnaissance and deployment. Even if it was spread from the internet, someone had to get ahold of the security certificates to crack them and know the specific types of PLCs in use. The arrests [slashdot.org] that recently took place in Iran are making a lot more sense, despite all the knee-jerk condemnation from the /. posters.

Re:More details needed in story summary (3, Informative)

MozeeToby (1163751) | more than 3 years ago | (#33800304)

Speculation/rumor is that the attack vector was USB drives used by Russian contractors. That is also it's primary method of spread, but it may be able to spread over networks as well (reports that I've seen seem contradictory on that one). Further speculation/rumor has it that a possible "nuclear accident" at Iran's centrifuge facility last year may have been caused by this worm, if that is the case it is the only report of actual hardware being damaged that I've heard of and would 100% support the idea that the worm was targeted at Iran's nuclear facilities. Given the number of infections in Iran and the artificial three hop limit that the worm's writers gave it, it would seem the attack originated there.

I think it's likely that the writers never planned on having the worm escape the target's network, I'm guessing someone at the nuke facility broke security protocol and took home a thumb drive that they weren't supposed to and it spread from there. The worm doesn't do much except take up cycles on systems that don't match the fingerprint that it is looking for, a fingerprint only makes sense if you're looking to take down a lot of identical systems, which lines up nicely with the centrifuge theory. Basically, it's highly likely that this was a government job, targeting Iran's centrifuges, done with inside knowledge of what systems they were using, and delivered using some pretty basic social engineering (leaving infected USB drives on the ground in the parking lot for instance).

Re:More details needed in story summary (1)

dpilot (134227) | more than 3 years ago | (#33802446)

Somehow this reminds me of grey-goo or tailored virus attacks out of science fiction - and just as well targeted. After all, the "story" happens once things go awry, not while they're working as expected.

Re:More details needed in story summary (2, Informative)

AHuxley (892839) | more than 3 years ago | (#33802126)

http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant [csmonitor.com]
You have a USB device talking to Microsoft connecting to Siemens "something" then to some industrial system that has to work really well 24/7 and or to exact tolerances.
Microsoft is the way in, at it seem to be looking for something, like a key and a lock.
When it finds a match, interesting a 'new' things may happen over time to some industrial system.
Phone home and uninstaller seem to be part of the deal http://defense-update.com/wp/20100930_stuxnet-under-the-microscope.html [defense-update.com]
Security certificates would be floating around the web or could be stolen, bought.

only question (1)

bhcompy (1877290) | more than 3 years ago | (#33800074)

My only question is who the hell named it "stuxnet"?

Re:only question (1)

nemasu (1766860) | more than 3 years ago | (#33800448)

Good question, made me curious....and I can't really figure it out. Usually whoever discovers in gets to name it, if that's the case then it's an anti virus vendor in Belarus called VirusBlokAda and going by their company name, it wouldn't surprise me.

Re:only question (1)

Erikderzweite (1146485) | more than 3 years ago | (#33800712)

IIRC, the name has been discovered somewhere in worm's files. Can't find the link though.

Any one has more details on the plc payload ? (2, Insightful)

JonySuede (1908576) | more than 3 years ago | (#33800078)

Any one has more details on the PLC payload ? I want to know what kind of changes it makes to the plc software.

Target is still speculation (2, Interesting)

Animats (122034) | more than 3 years ago | (#33800096)

This attack is aimed at a very specific PLC configuration, and does nothing unless it finds that configuration. Until someone who has the matching PLC configuration admits it, speculation as to the target remains speculation.

Re:Target is still speculation (1)

AHuxley (892839) | more than 3 years ago | (#33802188)

"Langner's analysis also shows, step by step, what happens after "Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows." from http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant/(page)/3 [csmonitor.com]

Re:Target is still speculation (1)

jonwil (467024) | more than 3 years ago | (#33802766)

Wouldn't Siemens be able to tell (based on the commands sent to the PLC by the Stuxnet worm) what it is trying to do?

Re:Target is still speculation (1)

AHuxley (892839) | more than 3 years ago | (#33802978)

Layers of NDA? Govs telling them too?

Re:Target is still speculation (2, Interesting)

sapphire wyvern (1153271) | more than 3 years ago | (#33803702)

Not necessarily. The "P" in PLC stands for programmable. PLCs have a large amount of generic physical I/O (relay outputs, 4-20mA inputs, etc etc). From looking at the Stuxnet code, you *might* be able to tell that a particular output is being turned on - but without knowing what's wired into that output, you still haven't learned much. And that's a fairly blatant scenario (where Stuxnet is directly controlling PLC I/O),

If Stuxnet is doing something more subtle, it could be doing something like patching the PLC code to silently disable safety interlocks, by replacing the results of a logic calculation with a different value. It's similar to installing a NoCD crack in a game executable so that the check_for_valid_disk() function call return value is always set to TRUE, and the disk checking code never even runs. If we can only see the patch (Stuxnet's observable behaviour) but not the original executable (the PLC code) there's no way to tell exactly what Stuxnet's payload is. Even Siemens wouldn't be able to figure it out unless they had a copy of the code put into the PLC by its owners.

Re:Target is still speculation (1)

nashville-tn (1751826) | more than 3 years ago | (#33803480)

It could be something that is not all that readily apparent, such as preventing a centrifuge from enriching uranium anywhere close to weapons grade, thinking the Iranians would blame their technicians as incompetent, rather than a worm.

Its the Satan bug (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33800116)

Its the Satan bug sent by the imperialist capitalist western Satan to undermine the peaceful country and the religion of peace in their quest for civil nuclear power. Convert to Islam or die, the religion of peace is the true way.

Dutch companies were NOT attacked (1)

sciencewatcher (1699186) | more than 3 years ago | (#33800144)

The worm was found on pc's in The Netherlands like they were found elsewhere throughout the world. The worm did NOT attack the Siemens machines, and the worm was easily removed using standard AV programs. So far only militairy hardware in Iran has been attacked. The press release was written by non techies.

World-wide distribution (2, Informative)

Black Parrot (19622) | more than 3 years ago | (#33800226)

Dutch multinationals have revealed that the worm is also attacking them.

The Wikipedia article [wikipedia.org] has a table of purported number of infections in various countries. Indonesia and India have the worst problem after Iran. Over six thousand in the Anglophone countries. If this is in fact only spreading via USB sticks, we've got some really promiscuous behavior going on.

(You may well be skeptical of the six million reported for China. It's not a defacement; there's a link to an article that quotes someone actually making the claim. But the quote makes it sound like the speaker doesn't know what he's talking about.)

Just NeoCon propaganda? (0)

webalimaster (1707858) | more than 3 years ago | (#33800324)

Up to now I have not seem a single report from really trusted sources in Iran. All media stories are western-based stories about iran. It's just me or this equals to propaganda. I don't trust the anti-virus companies reports (I don't use Windows either). This story smells funny too because of all the media hype anti-iran about it's nuclear energy production by the neocons (still alive). It seems more of the same. Bash Iran, create false news, whatever. I have worked in Software/Systems for Advanced and normal industrial automation and it's standard procedure this networks are disconnected from the Internet.

The US (1)

codepunk (167897) | more than 3 years ago | (#33800326)

I doubt the US had anything to do with it, we have a administration with "no bag" in office. Isreal on the other hand would be my first suspect. I can only hope that part of the stimulus money made it to a worthy cause such as this.

Re: The US (1)

Black Parrot (19622) | more than 3 years ago | (#33800710)

I doubt the US had anything to do with it, we have a administration with "no bag" in office.

The US intelligence agencies have a long history of doing things without getting clearance from the White House.

Re: The US (3, Informative)

John Hasler (414242) | more than 3 years ago | (#33801394)

Bullshit. The intelligence agencies never do anything without implicit authorization from the White House. They just sometimes find plausible deniability convenient. Occasionally they find it necessary to drive out a scapegoat.

Re:The US (1)

nashville-tn (1751826) | more than 3 years ago | (#33803432)

"no bag" What are you basing that on? This admin authorized Navy Seals to kill Somalian pirates, authorized a marked increase in CIA drone attacks in Pakistan, authorized ramped up surveillance of comms concerning terrorism, authorized a surge of troops in Afghanistan, increased military exercises in the vicinity of North Korea, etc. Something previous admins didn't do.

I hope it's the Daemon... (1)

Valtor (34080) | more than 3 years ago | (#33800410)

I hope this is The Daemon [thedaemon.com] spreading. :)

Siemens Stuxnet support / advisory page (1)

cpghost (719344) | more than 3 years ago | (#33800460)

Siemens has a support and advisory page on Stuxnet [siemens.com] , which is infecting their Simatic WinCC / PCS7 systems.

Why isn't Siemens being taken to task here? (1)

joeflies (529536) | more than 3 years ago | (#33800500)

Before Stuxnet, I'm sure the general public had no idea that Siemens was selling technology to Iran to fulfill its nuclear ambitions. Given that the west has a lot of misgivings about letting Iran do so, shouldn't western companies be a little more careful who they sell nuclear reactor parts to? I don't necessarily want to compare them to IBM's role in selling computers to the Nazis, but is there some point where you take some corporate responsibility before profits?

Re:Why isn't Siemens being taken to task here? (1)

SteeldrivingJon (842919) | more than 3 years ago | (#33800752)

Iran knows how to buy things through complicated webs of shell companies in order to hide the final destination.

Re:Why isn't Siemens being taken to task here? (1)

Average_Joe_Sixpack (534373) | more than 3 years ago | (#33800756)

My guess, is that the tech was sold to Russian contractors who then sold and installed the tech for Iran.

Re:Why isn't Siemens being taken to task here? (1)

yurtinus (1590157) | more than 3 years ago | (#33800970)

Isn't there some point where we realize Iran is a sovereign nation and as such is well within their rights to pursue nuclear technologies? Did Siemens directly violate trade embargoes? If that's the case, that's where you take them to the task. I haven't followed this issue so I don't know if Siemens violated any laws on the matter, but if it's a "well, I just don't think those guys should have that stuff..." public sentiment issue, I don't see why they would (or should) care.

Re:Why isn't Siemens being taken to task here? (0)

Anonymous Coward | more than 3 years ago | (#33803292)

-1 sockpuppet

Re:Why isn't Siemens being taken to task here? (1)

dave562 (969951) | more than 3 years ago | (#33801808)

A lot of technology falls under the multi-purpose loop holes. A PLC is a standard industrial component. It is a "programmable logic controller". It simply activates machinery and coordinates activities in industrial machinery. The PLC doesn't know if it is opening a valve that is dumping gas into a centrifuge, or water into a sanitation system.

Organized crime? (0)

Anonymous Coward | more than 3 years ago | (#33800952)

Organized crime types have used computer viruses to blackmail business before. Instead of simply threatening to wipe out computer data, Stuxnet could actually stop production at a factory. Not sure why this would be any different.

Re:Organized crime? (1)

perpenso (1613749) | more than 3 years ago | (#33801710)

Organized crime types have used computer viruses to blackmail business before. Instead of simply threatening to wipe out computer data, Stuxnet could actually stop production at a factory. Not sure why this would be any different.

Because the target is a government not a business. Businesses don't have the resources to fight organized crime, governments do. Like many predators organized crime would pick a target that is least able to defend themselves.

hey, what about india! (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33801194)

after all, they did write a part of windows.

wait... what's this about stuxnet?

tro7l (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33801498)

this 8istakE or

correction TFA (1)

bl8n8r (649187) | more than 3 years ago | (#33801964)

"Almost all SCADA systems are -- for safety reasons -- standalone: not connected to a network, let alone the Internet."

should actually read:
    "In theory, almost all SCADA systems are -- for safety reasons -- standalone: not connected to a network, let alone the Internet."

Not looking close enough (0)

Anonymous Coward | more than 3 years ago | (#33802246)

I think all this deal with people wondering what "nation" is attacking what "nation" is missing the elephant in the living room. This isn't about that, it has been an attack against *Siemens*.

That's the one common denominator that everyone seems to keep missing, even though it is mentioned in every article about it. Hiding in plain sight.

Now, motive, means, opportunity. The latter two can be purchased on the open black market for this sort of attack, it could be contracted obviously, now who has a *motive* to hurt Siemens (revenge/disgruntled employee action, or "it's just business" from a rival or potential rival, whatever), and what is it?

Intriguing. (2, Informative)

jd (1658) | more than 3 years ago | (#33802338)

Those marking me "troll" for having said earlier that other, definitely and unquestionably innocent, victims could happen, and then marked me "troll" for noting that the protections against such accidents didn't mean they wouldn't happen anyway, will doubtless ignore the fact that the Dutch are (a) not Iranian nuclear weapons scientists, and (b) that the only Iranian victims so far have been moderates who might have kept the program somewhat sane have now been arrested as spies. Iran is not known for treating those they suspect of spying very nicely.

It is indeed unclear who the worm was aimed at, but I'm confident that it wasn't the Dutch and I'm now more certain than ever that other innocent victims will turn up. We have proof now that the safeguards (however well-intentioned) did not work. Which is no great surprise - it's hard to have a failsafe weapon as there are so few scenarios in which you need a weapon that badly and have it be safe if it fails.

Re:Intriguing. (1)

Thing 1 (178996) | more than 3 years ago | (#33803620)

It is indeed unclear who the worm was aimed at, but I'm confident that it wasn't the Dutch and I'm now more certain than ever that other innocent victims will turn up.

Interesting. I tell you "I am a victim" so therefore I could not have written the virus. Hmm... (Just interesting, definitely not informative or insightful -- pre-meta-modding.)

Obligatory William Gibson (2, Interesting)

lennier (44736) | more than 3 years ago | (#33802904)

Someone had reprogrammed the DNA synthesizer, he said. The thing was there for the overnight construction of just the right macromolecule. With its in-built computer and its custom software. Expensive, Sandii. But not as expensive as you turned out to be for Hosaka.
I hope you got a good price from Maas.
The diskette in my hand. Rain on the river. I knew, but I couldn't face it. I put the code for that meningial virus back into your purse and lay down beside you.
So Moenner died, along with other Hosaka researchers. Including Hiroshi. Chedanne suffered permanent brain damage.
Hiroshi hadn't worried about contamination. The proteins he punched for were harmless. So the synthesizer hummed to itself all night long building a virus to the specifications of Maas Biolabs GmbH. Maas. Small, fast, ruthless -- All Edge.

New Rose Hotel, 1981.

Wonder if we'll ever find out what Stuxnet did in 2010, and if it did what its designers hoped.

air jordan shoes (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33803338)

1. visit websites of jordanshoes-discount.com [jordanshoes-discount.com] ,you will find jordans shoes [ttp] are of good quality.We contain Nike Jordan 2010 Shoes [jordanshoes-discount.com] ,Air Jordan 2009 shoes [jordanshoes-discount.com] ,Air Jordan 1 (I) shoes [jordanshoes-discount.com] ,Air Jordan 2 (II) shoes [jordanshoes-discount.com] ,Air Jordan 3 (III) shoes [jordanshoes-discount.com] ,Air Jordan 4 (IV) shoes [jordanshoes-discount.com] ,Air Jordan 5 (V) shoes [jordanshoes-discount.com] ,Air Jordan 6 (VI) shoes [jordanshoes-discount.com] ,Air Jordan 7 (VII) shoes [jordanshoes-discount.com] ,Air Jordan 8 (VIII) shoes [jordanshoes-discount.com] ,Air Jordan 9 (IX) shoes [jordanshoes-discount.com] ,Air Jordan 10 (X) shoes [jordanshoes-discount.com] ,Air Jordan 11 (XI) shoes [jordanshoes-discount.com] ,Air Jordan 12 (XII) shoes [jordanshoes-discount.com] ,Air Jordan 13 (XIII) shoes [jordanshoes-discount.com] ,Air Jordan 14 (XIV) shoes [jordanshoes-discount.com] ,Air Jordan 15 (XV) shoes [jordanshoes-discount.com] ,Air Jordan 16 (XVI) shoes [jordanshoes-discount.com] ,Air Jordan 17 (XVII) shoes [jordanshoes-discount.com] ,Air Jordan 18 (XVIII) shoes [jordanshoes-discount.com] ,Air Jordan 19 (XIX) shoes [jordanshoes-discount.com] ,Air Jordan 20 (XX) shoes [jordanshoes-discount.com] ,Air Jordan 21 (XXI) shoes [jordanshoes-discount.com] ,Air Jordan 22 (XXII) shoes [jordanshoes-discount.com] ,Air Jordan 23 (XXIII) shoes [jordanshoes-discount.com] ,Jordan Mix Shoes [jordanshoes-discount.com] ,Nike Jordan Melo shoes [jordanshoes-discount.com] ,Jordan OL School shoes [jordanshoes-discount.com] ,Jordan L Style One shoes [jordanshoes-discount.com] ,Nike Jordan True Flight shoes [jordanshoes-discount.com] ,Nike Air Jordan All Day shoes [jordanshoes-discount.com] ,Nike Walter Ray Allen shoes [jordanshoes-discount.com] .
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?