
Precursor To the Next Stuxnet?

Unknown Lamer posted more than 2 years ago | from the us-government-denies-involvement dept.

Security 49

An anonymous reader writes "On Oct. 14, 2011 Symantec was alerted to a malware sample from some recovered computers that demonstrated code similar to Stuxnet. This code however appears to serve a different purpose, apparently laying the groundwork for a future Stuxnet type of attack." Quoting Symantec: "The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."


49 comments


After all the publicity Stuxnet created... (2)

wrldwzrd89 (611694) | more than 2 years ago | (#37754666)

... a development like this seemed inevitable, it was only a question of when it would happen again - the mere existence of Stuxnet proved that a malware attack on an industrial control system is not only plausible, but effective if done right. Furthermore, I'm sure the attackers realize that they can cause a lot of damage without ever having to visit a site physically. This fact makes such attacks more difficult than usual to defend against, and not helping matters is that not all industrial control vendors are even aware of security problems with their devices; let alone the time it takes to get a patch tested, validated, and deployed.

Re:After all the publicity Stuxnet created... (2)

mlts (1038732) | more than 2 years ago | (#37754800)

Not to mention that Stuxnet showed that one could do a major attack against a country without a single shot being fired.

Additionally, I'm sure the IRG has a bunch of coders looking to exact revenge... and there are a lot of IT departments run by lazy PHBs who believe in the slogan, "I can just call Geek Squad if we get hacked... otherwise it is too expensive to bother with security."

So, seeing something Stuxnet based is not a surprise... I just wonder what will be attacked first, some power company whose idea of security is turning off SSID broadcast (but leaving the wireless segment open so the old game console can get on without configuration), or perhaps some manufacturing company who has Joe Sixpack in receiving browsing pr0n between trucks causing malware entry will be the target. It really is only a matter of time when someone will knock something down.

Re:After all the publicity Stuxnet created... (1)

tqk (413719) | more than 2 years ago | (#37755014)

So, seeing something Stuxnet based is not a surprise... I just wonder what will be attacked first, some power company whose idea of security is ...

That's what first occurred to me. The last time we discussed this, a host of security people showed up to testify about the rampant lack of security they'd seen in this area. No air gap, the boss wants to access it from home, default passwords never changed, & etc. What Stuxnet really proved was how vulnerable many very important, powerful, and dangerous systems are. I mean, geez, viruses infiltrating Predator drone control networks? Yikes. Monumental failure doesn't begin to describe it.

Re:After all the publicity Stuxnet created... (1)

tqk (413719) | more than 2 years ago | (#37755102)

Oh, and to finish this, what the US/Israel/$whoever could do to Iran, Iran can do to US/Israel/$whoever.

Re:After all the publicity Stuxnet created... (0)

Anonymous Coward | more than 2 years ago | (#37762444)

some manufacturing company who has Joe Sixpack in receiving browsing pr0n between trucks causing malware entry will be the target

Did you read this sentence before you posted it?

Re:After all the publicity Stuxnet created... (1)

tlhIngan (30335) | more than 2 years ago | (#37755406)

So, seeing something Stuxnet based is not a surprise... I just wonder what will be attacked first, some power company whose idea of security is turning off SSID broadcast (but leaving the wireless segment open so the old game console can get on without configuration), or perhaps some manufacturing company who has Joe Sixpack in receiving browsing pr0n between trucks causing malware entry will be the target. It really is only a matter of time when someone will knock something down.

No. None of the above. Stuxnet proved that even if you air-gapped the networks, the "secure" network can STILL be infected.

One of Stuxnet's actions was to replicate itself to USB drives. USB drives that can be carried towards the secure network (bonus - secure network computers are often unpatched because said patches have to be manually copied over!), where it can exploit an unpatched vulnerability to infect PCs on the "secure" network. From there, it can proceed to do the dirty work.

So even if you have an airgapped network that keeps the open SSID and pr0n browsing to the insecure side, the secure side can easily be infected by someone needing to copy a configuration file, updated data, or ironically, patches to the secure network.

This is especially true if the attackers are patient and can wait years for the results of their virus.

Re:After all the publicity Stuxnet created... (0)

Anonymous Coward | more than 2 years ago | (#37760858)

Only if the airgapped PCs are set up to autorun media off the USB drives

You haven't been following (1)

CSMoran (1577071) | more than 2 years ago | (#37764902)

... or if you can exploit a zero-day in thumbnail handling, right?

Re:After all the publicity Stuxnet created... (0)

f()rK()_Bomb (612162) | more than 2 years ago | (#37754844)

They did have to physically visit the site for Stuxnet, it was delivered on USB. You'd imagine control systems would generally be on their own network, seemed that way where I've worked.

Re:After all the publicity Stuxnet created... (1)

ttyRazor (20815) | more than 2 years ago | (#37754946)

They wouldn't have to visit the site, just infect the USB drive of someone visiting the site. It'd be a lot easier to target someone who would have reason to visit the site, including foreign contractors.

Re:After all the publicity Stuxnet created... (1)

Fnord666 (889225) | more than 2 years ago | (#37757954)

They wouldn't have to visit the site, just infect the USB drive of someone visiting the site. It'd be a lot easier to target someone who would have reason to visit the site, including foreign contractors.

This is true and that may be how it happened with Stuxnet. If so, it may also have been the primary reason that Stuxnet met with limited success at best. Stuxnet spread too much for its own good. It was detected and analyzed a lot earlier than I suspect its creator would have preferred. The other thing that was likely unanticipated was that the size, complexity, and uniqueness of the code would attract attention from people with the drive to solve mysteries, the knowledge to actually attack the code, and the connections to bring the right resources together. My greatest fear is that whomever created and released Stuxnet will not make these mistakes again.

Original Authors? (1)

SomePgmr (2021234) | more than 2 years ago | (#37754796)

The threat was written by the same authors (or those that have access to the Stuxnet source code)

Erm, the stuxnet code was released online, no?

Re:Original Authors? (3, Informative)

chrb (1083577) | more than 2 years ago | (#37755212)

"Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet." - F-Secure. [f-secure.com]

Re:Original Authors? (1)

SomePgmr (2021234) | more than 2 years ago | (#37755714)

That's funny, there was lots of talk about the code being out there. I never had much interest in looking for it though... I guess it was all BS.

Re:Original Authors? (1)

dropadrop (1057046) | more than 2 years ago | (#37759322)

That's funny, there was lots of talk about the code being out there. I never had much interest in looking for it though... I guess it was all BS.

I thought there was a lot of talk about the code, not about it being out there. You can get pretty far by just looking at the binaries.

Re:Original Authors? (1)

russotto (537200) | more than 2 years ago | (#37757480)

"Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet." - F-Secure.

Unless someone reverse-engineered the object code. It's been done for lesser reasons.

Re:Original Authors? (0)

Anonymous Coward | more than 2 years ago | (#37760366)

"Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet." - F-Secure.

Unless someone reverse-engineered the object code. It's been done for lesser reasons.

Didn't you read the EULA to Stuxnet?
It's explicitly forbidden to reverse-engineer the binary. Doing so will immediately revoke your license.

(Coincidentally the CAPTCHA to post this is "robbing")

  - Peder

Re:Original Authors? (0)

Anonymous Coward | more than 2 years ago | (#37760606)

Why the hell would they do that? They knew Stuxnet had been detected -- they would be idiots to reuse any of the source code in another virus!

Either this was made by a third party based on reverse-engineering the binaries, or TFA is incorrect to claim this was made after Stuxnet was detected, or the Stuxnet authors are fools who deserve to be discovered.

Re:Original Authors? (0)

Anonymous Coward | more than 2 years ago | (#37756656)

Disassemblies, not the original source. World of difference when you're dealing with self-modifying / deliberately obfuscated asm.

Duqu? (2)

Ihmhi (1206036) | more than 2 years ago | (#37754810)

Duqu? Like the count?

Programmers are Star Wars nerds, Film at 11.

Next year, we'll have a worm called 4n4k1n which melts hard drives as if they were dropped into molten lava. Damn, evil geniuses used to give their doomsday weapons classy names like "Ice-9" or "Moonraker" or "Britney Spears".

Re:Duqu? (0)

Anonymous Coward | more than 2 years ago | (#37754866)

a worm called 4n4k1n

You can't win! I have an air gap and the high ground!

Re:Duqu? (1)

hellkyng (1920978) | more than 2 years ago | (#37754892)

*This is not the post you are looking to Buzz Kill with facts from the article*

Re:Duqu? (0)

Anonymous Coward | more than 2 years ago | (#37754928)

If you were to RTFA (I know, I know), you would have found this:

They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”.

What I want to know is how they managed to get from an easily-pronounced "dee-cue" to a weirdly-pronounced "dyoo-kyoo" that's spelled in a way that's going to be pronounced "doo-koo".
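The "~DQ" prefix quoted above is the one host indicator this page actually gives, so here is what a sweep for it looks like. This is an added example, not code from the article or from Symantec: it builds a constructed directory tree (no real samples, just placeholder bytes), walks it, and reports every file whose name starts with the prefix together with its size and SHA-256, which is what you would then compare against vendor-published hashes. The tree layout and file names are assumptions for the demo; on a real Windows host you would point it at %TEMP% and %APPDATA%.

```python
import hashlib
import os
import tempfile

# Constructed sample tree (not real samples): a few ordinary temp files plus
# three names that match the "~DQ" prefix Symantec named the threat after.
SAMPLE_TREE = {
    "Temp/~DQ1A2B.tmp": b"placeholder, not a real duqu file",
    "Temp/~DF9C.tmp": b"ordinary office temp file",
    "Temp/~dq_lower.log": b"case variant of the prefix",
    "Temp/sub/~DQ7788.tmp": b"nested under a sub-directory",
    "Documents/report.docx": b"PK\x03\x04",
}

IOC_PREFIXES = ("~DQ",)


def matches_prefix(filename: str, prefixes=IOC_PREFIXES) -> bool:
    # NTFS is case-insensitive, so compare case-insensitively.
    f = filename.upper()
    return any(f.startswith(p.upper()) for p in prefixes)


def hunt(root: str, prefixes=IOC_PREFIXES) -> list:
    """Walk `root` and return (relative path, size, sha256) for every file whose
    name starts with one of the IOC prefixes. The prefix alone is only a lead;
    the hash is what you confirm against published sample hashes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not matches_prefix(name, prefixes):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, os.path.getsize(full), digest))
    return sorted(hits)


def build_sample_tree(base: str = None) -> str:
    """Write SAMPLE_TREE to a temp directory so the sweep has something to walk."""
    base = base or tempfile.mkdtemp(prefix="duqu-hunt-demo-")
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, size, digest in hunt(root):
        print(f"{rel}\t{size} bytes\t{digest[:16]}...")
```

Note the case-insensitive match: a sweep that only looks for upper-case "~DQ" misses the lower-case variant, and a filename prefix is a weak indicator on its own, so treat hits as leads to hash and triage rather than as confirmed infections.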

Re:Duqu? (1)

Anonymous Coward | more than 2 years ago | (#37756156)

Well, my guess would be that Dairy Queen is the author, they are planning to infect the ice cream factories to create a shortage of ice cream to increase their prices. The research lab discovered this, of course, but were paid off by Dairy Queen to keep it a secret, thus DQ is perverted into Duku to remove suspicion.

From the makers of Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#37754826)

Stuxnet 2: Electric Boogaloo

Hey, if at first you succeed... (2)

Fluffeh (1273756) | more than 2 years ago | (#37754846)

Then you are clearly onto something good!

Seriously, if anyone thought that either a, whoever built Stuxnet or b, all those who said "Wow, that worked well..." wouldn't be stumbling over one another to release ver 2.0 either had their head buried in the sand, or there are pink unicorns farting rainbows in their existence.

I would go further again and say that if anyone thinks that the mega-corporations might not be looking at possible similar little ideas to say knock out a competitor's new product range of TVs or to cause problems in that new line of cars with wifi spots is also sadly mistaken. It's not to say that I have a tinfoil hat on or the like, but this is "serious business" when it comes to potentially millions and millions of dollars. Just look at all the fuss and bad press that Toyota got when they had their "funny accelerator pedal" problem a while ago. I can't even remember what the eventual cause was, I do recall reading a number of amusing possible scenarios like particles from space, people getting confused with the pedals and a bunch more - but what if the next time it was simply a virus engineered by a rival manufacturer?

Re:Hey, if at first you succeed... (1)

PolygamousRanchKid (1290638) | more than 2 years ago | (#37754910)

I can't even remember what the eventual cause was

Loose nuts behind the steering wheels.

Re:Hey, if at first you succeed... (1)

ridgecritter (934252) | more than 2 years ago | (#37755316)

"but what if the next time it was simply a virus engineered by a rival manufacturer?"

- or a virus engineered by somebody who wanted to short a company's stock...

Re:Hey, if at first you succeed... (1)

Fluffeh (1273756) | more than 2 years ago | (#37755496)

"but what if the next time it was simply a virus engineered by a rival manufacturer?"

- or a virus engineered by somebody who wanted to short a company's stock...

See, you're getting it now!

Re:Hey, if at first you succeed... (0)

Anonymous Coward | more than 2 years ago | (#37755510)

if anyone thinks that the mega-corporations might not be looking at possible similar little ideas to say knock out a competitors new product range of TVs

Has already been done:
http://www.guardian.co.uk/technology/2002/mar/13/media.citynews
http://www.wired.com/politics/law/news/2008/04/murdoch

Re:Hey, if at first you succeed... (1)

jon3k (691256) | more than 2 years ago | (#37757378)

FUD.

Re:Hey, if at first you succeed... (1)

Gyorg_Lavode (520114) | more than 2 years ago | (#37762768)

Agree. FUD. If it doesn't pass pre-existing AV, its either old or poorly done. The A team hackers don't forget to check their code against antivirus.

Re:Hey, if at first you succeed... (1)

Fnord666 (889225) | more than 2 years ago | (#37757868)

Seriously, if anyone thought that either a, whoever built Stuxnet or b, all those who said "Wow, that worked well..." wouldn't be stumbling over one another to release ver 2.0 either had their head buried in the sand, or there are pink unicorns farting rainbows in their existence.

It will be interesting to see if it does occur. A couple of interesting points:

  1. Stuxnet was extremely sophisticated and included four 0day exploits in it to propagate. That is a lot of advantage to blow on something like this for the average virus author.
  2. For all intents and purposes Stuxnet was designed to propagate on a LAN and targeted specific systems. Much of the code will not generalize well, even if it could be disassembled.
  3. The code hiding and organization was extremely convoluted and it is unlikely to be disassembled by 99.999% of the virus writing community.

Now some things might be usable and I am sure it has inspired many new ideas. It has also demonstrated that something like this could indeed be done.

Re:Hey, if at first you succeed... (1)

martas (1439879) | more than 2 years ago | (#37763650)

there was no cause, because there was no problem -- it was just media panic.

Re:Hey, if at first you succeed... (1)

Jazari (2006634) | more than 2 years ago | (#37764712)

I would go further again and say that if anyone thinks that the mega-corporations might not be looking at possible similar little ideas to say knock out a competitor's ... Toyota got when they had their "funny accelerator pedal" problem a while ago. I can't even remember what the eventual cause was,

No major corporation would ever do this. Not because they are benevolent, but because the penalty for being caught would be huge: possible bankruptcy and liquidation following massive lawsuit and criminal investigation, plus jail time for the executives. Governments can get away with this because they write the laws and can enforce secrecy. Corporations will eventually be ratted out by their subcontractors.

Toyota: the problem was proven to be entirely due to driver error except for a few cases of floor mats bunching up under the brake pedal.

Uhm (0)

Anonymous Coward | more than 2 years ago | (#37754902)

So now Symantec are with us or the terrorists?

Gentlemen I present to you... (0)

Anonymous Coward | more than 2 years ago | (#37755040)

The air gap*, complete without wireless hotspot. For a special discount price for Military and Governments of four million dollars. Wire cutters are an upgrade but we should be able to do it for say 6 mil.

*May not work against stupid such as USB sticks from outside contractors

Re:Gentlemen I present to you... (1)

DigiShaman (671371) | more than 2 years ago | (#37755370)

While it may sound moot, how does one update software and apply security patches to the OS in an air gapped network? I suppose you have someone audit the code with SHA-1 hashes, store to external removable media, sign and document the transfer with a trusted individual, and apply physical patches?

Re:Gentlemen I present to you... (1)

GigaHurtsMyRobot (1143329) | more than 2 years ago | (#37757056)

You could use CDs and the hash audits you mentioned, it would at least be better than giving a device USB access.

Re:Gentlemen I present to you... (0)

Anonymous Coward | more than 2 years ago | (#37757912)

Why not use a thin client that wipes all traces of the previous session? That way you just have to update the One Big Box (tm) in the secure server room and all your hosts are good to go.

Otherwise, I'd go with a full wipe and reinstall using the new (audited and verified) base image. Swap out the HDD for critical infrastructure; you are using stringently audited hardware, right? Compatibility shouldn't be an issue.

CAPTCHA: extremal
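The procedure sketched in this sub-thread (hash the patch files, sign the list, document who carried the media, verify on the far side) is also the answer to the earlier point that USB sticks are how Stuxnet crossed the gap: the import station should refuse anything that is not in the signed manifest, an extra autorun.inf included. Here is that check as an added example, not code from any of the posters or from a real product. The patch bundle is constructed in memory, the file names are made up, and an HMAC with a shared key stands in for a real detached signature (GPG or X.509 in practice) so that the example needs nothing beyond the Python standard library. SHA-256 is used rather than the SHA-1 mentioned above.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample "patch bundle": file name -> bytes. In practice these are
# the reviewed files burned to write-once media. Names and contents are made up.
SAMPLE_BUNDLE = {
    "patch-2011-10.msu": b"\x00placeholder msu bytes\x00",
    "plc-firmware-1.2.bin": b"\x7fELF placeholder",
    "README.txt": b"Reviewed by: alice\nTicket: CHG-1234\n",
}

# Hypothetical key kept on the review workstation and the air-gapped import
# station only. HMAC is a stand-in for an asymmetric signature in this demo.
SIGNING_KEY = b"demo-key-replace-with-offline-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(bundle: dict, reviewer: str, ticket: str) -> bytes:
    """Canonical JSON manifest: one SHA-256 per file plus the audit trail
    (who reviewed it, which change ticket, when). Sorted keys and no
    whitespace make the bytes reproducible, so the signature is stable."""
    doc = {
        "reviewer": reviewer,
        "ticket": ticket,
        "created": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": {name: sha256_hex(data) for name, data in sorted(bundle.items())},
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: bytes, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_bundle(bundle: dict, manifest: bytes, signature: str,
                  key: bytes = SIGNING_KEY) -> list:
    """Run on the air-gapped side before anything is installed. Returns a list
    of problems; an empty list means the media holds exactly what was signed."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        # A bad signature means the hash list itself is untrusted; stop here.
        return ["manifest signature mismatch"]
    expected = json.loads(manifest)["files"]
    problems = []
    for name in sorted(set(expected) | set(bundle)):
        if name not in expected:
            # Anything not in the manifest (an autorun.inf, say) is rejected.
            problems.append(f"unexpected file on media: {name}")
        elif name not in bundle:
            problems.append(f"missing file: {name}")
        elif sha256_hex(bundle[name]) != expected[name]:
            problems.append(f"hash mismatch: {name}")
    return problems


def transfer_record(manifest: bytes, signature: str, carrier: str) -> dict:
    """The paper trail the original poster asks for: who carried the media
    across the gap, plus the manifest hash so the log entry can later be
    matched against the media that was actually inserted."""
    return {
        "carrier": carrier,
        "manifest_sha256": sha256_hex(manifest),
        "signature": signature,
        "logged": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    m = build_manifest(SAMPLE_BUNDLE, reviewer="alice", ticket="CHG-1234")
    sig = sign_manifest(m)
    print("transfer:", transfer_record(m, sig, carrier="bob"))
    print("clean media:", verify_bundle(SAMPLE_BUNDLE, m, sig))
    tampered = dict(SAMPLE_BUNDLE, **{"patch-2011-10.msu": b"\x00modified\x00"})
    tampered["autorun.inf"] = b"[autorun]\nopen=setup.exe\n"
    print("tampered media:", verify_bundle(tampered, m, sig))
```

Two design points matter more than the hashing itself: the signature is checked before any per-file hash is consulted, since an attacker who can rewrite the files can rewrite an unsigned hash list just as easily, and the verifier rejects extra files rather than ignoring them, because the extra file is exactly how a USB-borne worm rides in alongside a legitimate patch.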

Maybe not such a bad thing... (1)

Nom du Keyboard (633989) | more than 2 years ago | (#37755554)

Considering who Stuxnet attacked, perhaps this is not such a bad thing.

Re:Maybe not such a bad thing... (0)

Anonymous Coward | more than 2 years ago | (#37759122)

Given Mossad and the CIA's propensity for trying to infiltrate EVERY data source in the world that they possibly can, this type of virus may not work out very well for THEM.
Trying to hack EVERYTHING in sight is just like trying to FUCK everything in sight, you better be prepared to pick up some nasties !

Re:Maybe not such a bad thing... (0)

Anonymous Coward | more than 2 years ago | (#37761282)

> Considering who Stuxnet attacked, perhaps this is not such a bad thing.

Yeah, because only the zionist have the right to manufacture 220 nuclear bombs in their Negev Dimona nuclear reactor, while the world looks hard the other way and whoever Vanunu blows the cover of this scandal, just keep him in jail for 18 years.

Only zionists are free to enlarge their country by waging wars and have done so on three occasions, but Iraq got hit hard for the same thing on the first try. In contrast, the Islamic Republic of Iran never attacked anybody, in fact it was her neighbour Iraq, financed by the USA, armed by the USSR and France, who was incited to attack Iran in a war that lasted seven years of the 1980s. The great powers that were opponents in the Cold War, got united for this cause, as they simply could not accept the very existence of an islamic republic. Iran was saved by the self-sacrifice of 1 million patriots on the battle-field that resembled WWI for the most cruel fighting.

On the other hand, zionists are free to sniper-cull people to harvest their organs for human transplant and even admit doing so. Sometimes they do it via proxy and then even their minions, like the "yellow house" serb-culling kosovan mafioso of Hashim Tachi are protected, as long as the organs go to turkish private clinics serving the wealthy jewish patients.

Zionists are entitled to 10 billion USD in military aid per year from Uncle Sam. They are free to demolish palestinian housing en masse and they can even debate openly the idea of relocating the palestinian population wholesale to the pampas. (Regrettably, Argentina went state bankrupt several years ago and was told sternly to auction off some of her territories to neighbours and move the international border and use the price to pay the debt or face another war with Britain. Then somehow the argies made a pact with their guess-what-race creditors and accepted a partial debt write-off. Not too surprisingly, the devil part of the deal became public soon afterwards, that is to non-voluntarily relocate eventually at least 1 million gaza strip palestinians to the pampas and the tip of South America. Cynics say the Antarctica is not too far from there and the palestinian deportation transport ships will likely end up in the ice due to "navigational errors".)

We will probably see the end game of the palestinian's plight before 2012 ends and it will not be a pretty one. The fall or weakening of Iran can only hasten it and if Tel-Aviv thinks so, USA will attack Iran. You see, the zionists are somehow special, they can do as they please and what they do is always right, even if you feel like vomiting when the news hit the TV screen.

Lovely! (1)

Anonymous Coward | more than 2 years ago | (#37756464)

Maybe Symnatec can let them attack Iran properly this time?

Why Help Iranians? (0)

Anonymous Coward | more than 2 years ago | (#37758082)

I just don't understand why a US based mega-corporation would help Iranians secure their weapon of m*** destruction? Sure it may bump up their PR, but they wouldn't really want Iranians to have the b**b right?

Re:Why Help Iranians? (1)

RockDoctor (15477) | more than 2 years ago | (#37773710)

I just don't understand why a US based mega-corporation would help Iranians secure their weapon of m*** destruction?

One word answer : money. Any mega-corp, and most midi- and mini- corps, will do pretty much anything for money. It's in the nature of being in business.

Why is it difficult to understand this?

Small attack vector (1)

TheInternetGuy (2006682) | more than 2 years ago | (#37758710)

It seems that changing target from Siemens to NeXT is a very inefficient way to increase your attack vector. I mean how many NeXT computers are still around these days? ... And yeah, I know, but I really can't be bothered to read anything more than the headline of the articles these days.

Lots of speculation (1)

gatkinso (15975) | more than 2 years ago | (#37760708)

The trojan uses the exact same mechanism as Stuxnet, and has the same compilation date stamp.

This proves that the authors of Stuxnet are behind this? Really?

That stamp would be one of the first things I spoofed.

nice keyword grab (0)

Anonymous Coward | more than 2 years ago | (#37763236)

i'm surprised the title doesn't include the words iphone, middle east conflict, swine flu and lady gaga
