It reads like Sci-Fi. More about Stuxnet.

Hayabusa Rider

Admin Emeritus & Elite Member
http://www.foxnews.com/scitech/2010...ippled-irans-nuclear-ambitions/#ixzz16lV3fpw2

In the 20th century, this would have been a job for James Bond.

The mission: Infiltrate the highly advanced, securely guarded enemy headquarters where scientists in the clutches of an evil master are secretly building a weapon that can destroy the world. Then render that weapon harmless and escape undetected.

But in the 21st century, Bond doesn't get the call. Instead, the job is handled by a suave and very sophisticated secret computer worm, a jumble of code called Stuxnet, which in the last year has not only crippled Iran's nuclear program but has caused a major rethinking of computer security around the globe.

Intelligence agencies, computer security companies and the nuclear industry have been trying to analyze the worm since it was discovered in June by a Belarus-based company that was doing business in Iran. And what they've all found, says Sean McGurk, the Homeland Security Department's acting director of national cyber security and communications integration, is a “game changer.”

The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was the first to sound the alarm about Stuxnet. Others have called it the first “weaponized” computer virus.

Simply put, Stuxnet is an incredibly advanced, undetectable computer worm that took years to construct and was designed to jump from computer to computer until it found the specific, protected control system that it aimed to destroy: Iran’s nuclear enrichment program.

The target was seemingly impenetrable; for security reasons, it lay several stories underground and was not connected to the World Wide Web. And that meant Stuxnet had to act as sort of a computer cruise missile: As it made its passage through a set of unconnected computers, it had to grow and adapt to security measures and other changes until it reached one that could bring it into the nuclear facility.

When it ultimately found its target, it would have to secretly manipulate it until it was so compromised it ceased normal functions.

And finally, after the job was done, the worm would have to destroy itself without leaving a trace.

That is what we are learning happened at Iran's nuclear facilities -- both at Natanz, which houses the centrifuge arrays used for processing uranium into nuclear fuel, and, to a lesser extent, at Bushehr, Iran's nuclear power plant.

At Natanz, for almost 17 months, Stuxnet quietly worked its way into the system and targeted a specific component -- the frequency converters made by the German equipment manufacturer Siemens that regulated the speed of the spinning centrifuges used to create nuclear fuel. The worm then took control of the speed at which the centrifuges spun, making them turn so fast in a quick burst that they would be damaged but not destroyed. And at the same time, the worm masked that change in speed from being discovered at the centrifuges' control panel.

At Bushehr, meanwhile, a second secret set of codes, which Langner called “digital warheads,” targeted the Russian-built power plant's massive steam turbine.

Here's how it worked, according to experts who have examined the worm:
--The nuclear facility in Iran runs an “air gap” security system, meaning it has no connections to the Web, making it secure from outside penetration. Stuxnet was designed and sent into the area around Iran's Natanz nuclear power plant -- just how may never be known -- to infect a number of computers on the assumption that someone working in the plant would take work home on a flash drive, acquire the worm and then bring it back to the plant.

--Once the worm was inside the plant, the next step was to get the computer system there to trust it and allow it into the system. That was accomplished because the worm contained a “digital certificate” stolen from JMicron, a large company in an industrial park in Taiwan. (When the worm was later discovered it quickly replaced the original digital certificate with another certificate, also stolen from another company, Realtek, a few doors down in the same industrial park in Taiwan.)

--Once allowed entry, the worm contained four “Zero Day” elements in its first target, the Windows 7 operating system that controlled the overall operation of the plant. Zero Day elements are rare and extremely valuable vulnerabilities in a computer system that can be exploited only once. Two of the vulnerabilities were known, but the other two had never been discovered. Experts say no hacker would waste Zero Days in that manner.

--After penetrating the Windows 7 operating system, the code then targeted the “frequency converters” that ran the centrifuges. To do that it used specifications from the manufacturers of the converters. One was Vacon, a Finnish Company, and the other Fararo Paya, an Iranian company. What surprises experts at this step is that the Iranian company was so secret that not even the IAEA knew about it.

--The worm also knew that the complex control system that ran the centrifuges was built by Siemens, the German manufacturer, and -- remarkably -- how that system worked as well and how to mask its activities from it.

--Masking itself from the plant's security and other systems, the worm then ordered the centrifuges to rotate extremely fast, and then to slow down precipitously. This damaged the converter, the centrifuges and the bearings, and it corrupted the uranium in the tubes. It also left Iranian nuclear engineers wondering what was wrong, as computer checks showed no malfunctions in the operating system.

Estimates are that this went on for more than a year, leaving the Iranian program in chaos. And as it did, the worm grew and adapted throughout the system. As new worms entered the system, they would meet and adapt and become increasingly sophisticated.

During this time the worms reported back to two servers that had to be run by intelligence agencies, one in Denmark and one in Malaysia. The servers monitored the worms and were shut down once the worm had infiltrated Natanz. Efforts to find those servers since then have yielded no results.

This went on until June of last year, when a Belarusian company working on the Iranian power plant in Bushehr discovered it in one of its machines. It quickly put out a notice on a Web network monitored by computer security experts around the world. Ordinarily these experts would immediately begin tracing the worm and dissecting it, looking for clues about its origin and other details.

But that didn’t happen, because within minutes all the alert sites came under attack and were inoperative for 24 hours.

“I had to use e-mail to send notices but I couldn’t reach everyone. Whoever made the worm had a full day to eliminate all traces of the worm that might lead us to them,” said Eric Byres, a computer security expert who has examined Stuxnet. “No hacker could have done that.”

Experts, including inspectors from the International Atomic Energy Agency, say that, despite Iran's claims to the contrary, the worm was successful in its goal: causing confusion among Iran’s nuclear engineers and disabling their nuclear program.

Because of the secrecy surrounding the Iranian program, no one can be certain of the full extent of the damage. But sources inside Iran and elsewhere say that the Iranian centrifuge program has been operating far below its capacity and that the uranium enrichment program had “stagnated” during the time the worm penetrated the underground facility. Only 4,000 of the 9,000 centrifuges Iran was known to have were put into use. Some suspect that is because of the critical need to replace ones that were damaged.

And the limited number of those in use dwindled to an estimated 3,700 as problems engulfed their operation. IAEA inspectors say the sabotage better explains the slowness of the program, which they had earlier attributed to poor equipment manufacturing and management problems. As Iranians struggled with the setbacks, they began searching for signs of sabotage. From inside Iran there have been unconfirmed reports that the head of the plant was fired shortly after the worm wended its way into the system and began creating technical problems, and that some scientists who were suspected of espionage disappeared or were executed. And counter intelligence agents began monitoring all communications between scientists at the site, creating a climate of fear and paranoia.

Iran has adamantly stated that its nuclear program has not been hit by the bug. But in doing so it has backhandedly confirmed that its nuclear facilities were compromised. When Hamid Alipour, head of the nation’s Information Technology Company, announced in September that 30,000 Iranian computers had been hit by the worm but the nuclear facilities were safe, he added that among those hit were the personal computers of the scientists at the nuclear facilities. Experts say that Natanz and Bushehr could not have escaped the worm if it was in their engineers’ computers.

“We brought it into our lab to study it and even with precautions it spread everywhere at incredible speed,” Byres said.

“The worm was designed not to destroy the plants but to make them ineffective. By changing the rotation speeds, the bearings quickly wear out and the equipment has to be replaced and repaired. The speed changes also impact the quality of the uranium processed in the centrifuges, creating technical problems that make the plant ineffective,” he explained.

In other words the worm was designed to allow the Iranian program to continue but never succeed, and never to know why.

One additional impact that can be attributed to the worm, according to David Albright of the Institute for Science and International Studies, is that “the lives of the scientists working in the facility have become a living hell because of counter-intelligence agents brought into the plant” to battle the breach. Ironically, even after its discovery, the worm has succeeded in slowing down Iran's reputed effort to build an atomic weapon. And Langner says that the efforts by the Iranians to cleanse Stuxnet from their system “will probably take another year to complete,” and during that time the plant will not be able to function anywhere near normally.


This affected so many different types of equipment and had to do it in such a complicated way that I didn't think this level of programming existed.

It so compromised the Iranian nuke program that they even started killing their own, and the fear still lingers among the scientists and engineers. In effect this was Iran's 9/11, where they now dread the next strike and are paying for it.
 

sunzt

Diamond Member
cool article and wow, what a weapon that worm is. What kind of entity has the knowledge and capability to execute this? IMO it has to be either China or the US. I would say either one is equally likely.
 

Modelworks

Lifer
Whoever wrote that article has so many facts wrong they must be reading an upcoming scifi channel movie script.

It is foxnews though so I guess it should be expected.
 

ProfJohn

Lifer
Israel would seem the most likely to do something like this since they have the most to lose if Iran succeeds.
 

Modelworks

Lifer

Stuxnet is an incredibly advanced, undetectable computer worm that took years to construct and was designed to jump from computer to computer until it found the specific, protected control system that it aimed to destroy: Iran’s nuclear enrichment program.
Nothing advanced about it. There are far more complex coded malware out there.

Years to construct? Doubt it, unless the person who wrote it had to learn programming too. The code uses bits of Siemens' own code, so I suspect one of their developers leaked the information.


As it made its passage through a set of unconnected computers, it had to grow and adapt to security measures and other changes until it reached one that could bring it into the nuclear facility.
Grow? It runs off an internal script, no AI here. Adapt? Using a stolen signed driver isn't adapting to security, it just installs like a driver would.


Stuxnet was designed and sent into the area around Iran's Natanz nuclear power plant -- just how may never be known


It is known without a doubt to be a flash drive because the version of Stuxnet used had no method for installing any other way.

The worm also knew that the complex control system that ran the centrifuges was built by Siemens, the German manufacturer, and -- remarkably -- how that system worked as well and how to mask its activities from it.


Considering it used code from the actual application and you use the same software to control the equipment, nothing remarkable about sending the equipment one value and telling the user it is another. It patched the software changing some values so that every time it ran it used the wrong formula. Once the program is patched no need to keep malware running.

But that didn’t happen, because within minutes all the alert sites came under attack and were inoperative for 24 hours.
The addresses used are easy to get, they are in the code and nothing became inoperative because the minute it was found Siemens told its customers.

“I had to use e-mail to send notices but I couldn’t reach everyone. Whoever made the worm had a full day to eliminate all traces of the worm that might lead us to them,” said Eric Byres, a computer security expert who has examined Stuxnet. “No hacker could have done that.”
All traces were not eliminated, copies of it are everywhere and using proxies is about as old as the internet.


“We brought it into our lab to study it and even with precautions it spread everywhere at incredible speed,” Byres said.
Revoking the security cert for that driver, or disabling access to rundll32.exe, which the malware relies on to begin running, never occurred? How about requiring all applications to be signed, since once patched the Siemens software's signature was broken.

I guess the precautions were: don't click on it till we have a chance to get some coffee.

Article is way over the top. I have malware that is far more invasive and clever than Stuxnet. Stuxnet got attention because of the target.
 

werepossum

Elite Member
Viruses are indeed amazing nowadays. I've had some that learn - if I use a particular tool that is successful in removing part of the virus, the remainder learns that tool and very soon it no longer damages the virus. This one though seems to be a highly targeted version, something designed to do exactly what it did rather than to learn its environment and fight back against anti-malware tools.
 

Craig234

Lifer
This sounds more like a disinformation piece misrepresenting the virus. Add to that, it's unlikely a real virus like that described has the intelligence agencies describing it this way.
 

Atreus21

Lifer
Nothing advanced about it. There are far more complex coded malware out there.

Years to construct? Doubt it, unless the person who wrote it had to learn programming too. The code uses bits of Siemens' own code, so I suspect one of their developers leaked the information.


Grow? It runs off an internal script, no AI here. Adapt? Using a stolen signed driver isn't adapting to security, it just installs like a driver would.




It is known without a doubt to be a flash drive because the version of Stuxnet used had no method for installing any other way.



Considering it used code from the actual application and you use the same software to control the equipment, nothing remarkable about sending the equipment one value and telling the user it is another. It patched the software changing some values so that every time it ran it used the wrong formula. Once the program is patched no need to keep malware running.

The addresses used are easy to get, they are in the code and nothing became inoperative because the minute it was found Siemens told its customers.


All traces were not eliminated, copies of it are everywhere and using proxies is about as old as the internet.



Revoking the security cert for that driver, or disabling access to rundll32.exe, which the malware relies on to begin running, never occurred? How about requiring all applications to be signed, since once patched the Siemens software's signature was broken.

I guess the precautions were: don't click on it till we have a chance to get some coffee.

Article is way over the top. I have malware that is far more invasive and clever than Stuxnet. Stuxnet got attention because of the target.

...

I don't even know how to hack WEP.
 

Londo_Jowo

Lifer
I can't believe that Siemens was using a Windows OS to control the centrifuges. Siemens normally uses their own Program Logic Controllers (PLC) with embedded "C" code based logic to control steam and gas turbine functions.
 

bfdd

Lifer
I can't believe that Siemens was using a Windows OS to control the centrifuges. Siemens normally uses their own Program Logic Controllers (PLC) with embedded "C" code based logic to control steam and gas turbine functions.

They do use PLCs; these PLCs are connected to computer systems. I believe it was jumping from the computer systems that operators controlled to the PLCs, maybe I'm wrong but I remember reading something like that.
 

Londo_Jowo

Lifer
Normally the HMI (Human Machine Interface) is secure programming that wouldn't be affected by malware. Unless someone that works for Siemens provided the HMI specifics and access to the code/programming.
 

bfdd

Lifer
Normally the HMI (Human Machine Interface) is secure programming that wouldn't be affected by malware. Unless someone that works for Siemens provided the HMI specifics and access to the code/programming.

That's most likely the case.
 

Zebo

Elite Member
Sounds far out there. And talking about it does not help. Iran just won't link anything.

Next the 'fuges will have PCs running them that are permanently offline: no USB ports, no floppy, no removable media at all.
 

Zebo

Elite Member
Viruses are indeed amazing nowadays. I've had some that learn - if I use a particular tool that is successful in removing part of the virus, the remainder learns that tool and very soon it no longer damages the virus. This one though seems to be a highly targeted version, something designed to do exactly what it did rather than to learn its environment and fight back against anti-malware tools.

This is why I don't even bother with all those tools. Ghost baby.
 

Craig234

Lifer
Alternative theory: Something else was done, like CIA moles in the program, who are now being searched for and killed, and this is put out to throw them off the trail.

It has advantages like also making the people in the program paranoid that the government is killing them off for no good reason wrongly suspecting them.

Would be nice to change 'they found and killed our moles' to this story. Just a guess.

From inside Iran there have been unconfirmed reports that the head of the plant was fired shortly after the worm wended its way into the system and began creating technical problems, and that some scientists who were suspected of espionage disappeared or were executed. And counter intelligence agents began monitoring all communications between scientists at the site, creating a climate of fear and paranoia.
 

NaughtyGeek

Golden Member
Normally the HMI (Human Machine Interface) is secure programming that wouldn't be affected by malware. Unless someone that works for Siemens provided the HMI specifics and access to the code/programming.

The worm compromised Siemens WinCC software. Once said software was compromised, modified function blocks were written to the PLCs. Then these modified function blocks were obfuscated from the WinCC software.
 

Modelworks

Lifer
Siemens is denying that Stuxnet can take over the HMI/PLC and control equipment.

http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view


You don't have to take over the equipment. Iran was using centrifuges to purify uranium. They need to turn at a specific RPM. Malware targets a specific variable in the software that controls RPM so that when executed it subtracts 300 from the desired speed before it is sent to the hardware. Next they add back the 300 to the speed variable before the RPM speed is read by displays or user programs.

To the user the readouts look normal and they think the centrifuge is spinning at the speed they set. They don't know it is spinning at 300 less because the software tells them the wrong speed.

If someone takes apart the control logic it would look perfectly normal. They didn't compromise the hardware, just the commands sent to it from the Windows PC.
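An added example (not code from any poster, nor from Siemens): a toy Python model of the read/write offset described in this post and of the hidden modified program blocks NaughtyGeek describes earlier in the thread, followed by the two defender-side checks that expose both: an independent speed reading that bypasses the operator station, and a fingerprint of the blocks read straight from the controller. The PLC and HMI classes, the block names and the 10000 rpm setpoint are constructed for the model.

```python
import hashlib

TOLERANCE_RPM = 50            # constructed: allowed disagreement between two speed readings
OFFSET_RPM = 300              # the offset the post describes
HIDDEN_BLOCK = "FC_injected"  # constructed name for the added program block


class Plc:
    """Toy controller: holds the commanded speed and the program blocks loaded on it."""
    def __init__(self, blocks):
        self.commanded_rpm = 0
        self.blocks = dict(blocks)    # block name -> block bytes

    def write_setpoint(self, rpm):
        self.commanded_rpm = rpm

    def read_speed(self):
        return self.commanded_rpm     # assume the drive tracks its command exactly


class Hmi:
    """Operator station. offset=0, hide=None is an honest station; offset=300 with a hidden
    block models the tampered communication layer the posts describe."""
    def __init__(self, plc, offset=0, hide=None):
        self.plc, self.offset, self.hide = plc, offset, hide

    def set_speed(self, rpm):
        self.plc.write_setpoint(rpm - self.offset)   # tampered: subtract before sending

    def displayed_speed(self):
        return self.plc.read_speed() + self.offset   # tampered: add back before display

    def list_blocks(self):
        return {n: b for n, b in self.plc.blocks.items() if n != self.hide}


def speed_discrepancy(hmi, independent_rpm):
    """Check 1: compare the HMI reading with one that bypasses the station (e.g. a tachometer
    on a separate path). Returns the discrepancy, or 0 if within tolerance."""
    diff = abs(hmi.displayed_speed() - independent_rpm)
    return diff if diff > TOLERANCE_RPM else 0


def block_fingerprint(blocks):
    """Order-independent SHA-256 over block names and contents."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(name.encode() + b"\0" + blocks[name] + b"\0")
    return h.hexdigest()


def blocks_altered(plc, baseline_fp):
    """Check 2: fingerprint the blocks read from the controller by an independent tool
    (modelled as direct PLC access), not via the HMI listing that the tampering filters."""
    return block_fingerprint(plc.blocks) != baseline_fp


def run_scenario(tampered):
    """Constructed scenario: commission a two-block program, optionally inject the offset."""
    baseline = {"OB1": b"main cycle", "FC1": b"speed control"}
    blocks = dict(baseline)
    if tampered:
        blocks[HIDDEN_BLOCK] = b"offset logic"
    plc = Plc(blocks)
    hmi = Hmi(plc, OFFSET_RPM, HIDDEN_BLOCK) if tampered else Hmi(plc)
    hmi.set_speed(10000)                  # constructed operator setpoint
    tach = plc.read_speed()               # independent reading of the real speed
    return {"displayed": hmi.displayed_speed(), "actual": tach,
            "speed_alert": speed_discrepancy(hmi, tach),
            "blocks_alert": blocks_altered(plc, block_fingerprint(baseline)),
            "hmi_lists_injected_block": HIDDEN_BLOCK in hmi.list_blocks()}
```

In the tampered run the display still shows the operator's setpoint and the HMI block listing looks unchanged, while both the out-of-band speed comparison and the controller-side fingerprint raise an alert.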
 

NaughtyGeek

Golden Member
Siemens is denying that Stuxnet can take over the HMI/PLC and control equipment.

http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view


You're misinterpreting here. The infection caused modifications to the control system in place. Depending on how that control system is coded, the added program blocks may not even be accessed thereby you can have an infected system without "an adverse impact to the automation system."
 

Darwin333

Lifer
Sounds far out there. And talking about it does not help. Iran just won't link anything.

Next the 'fuges will have PCs running them that are permanently offline: no USB ports, no floppy, no removable media at all.

Isn't that normal SOP for high security .mil systems? I heard users in our very sensitive systems only have access to a keyboard and a monitor and it requires more than one person at all times to change even the smallest part.
 

yllus

Elite Member & Lifer
Once allowed entry, the worm contained four “Zero Day” elements in its first target, the Windows 7 operating system that controlled the overall operation of the plant. Zero Day elements are rare and extremely valuable vulnerabilities in a computer system that can be exploited only once. Two of the vulnerabilities were known, but the other two had never been discovered. Experts say no hacker would waste Zero Days in that manner.

Can't speak to the accuracy of the article, but if the part mentioned above is true, it 100% verifies something already suspected: Microsoft cooperates with spy agencies (U.S., maybe Israel) to provide back doors such as these. It's simply not knowledge anyone but insiders can provide.
 

CADsortaGUY

Lifer
You don't have to take over the equipment. Iran was using centrifuges to purify uranium. They need to turn at a specific RPM. Malware targets a specific variable in the software that controls RPM so that when executed it subtracts 300 from the desired speed before it is sent to the hardware. Next they add back the 300 to the speed variable before the RPM speed is read by displays or user programs.

To the user the readouts look normal and they think the centrifuge is spinning at the speed they set. They don't know it is spinning at 300 less because the software tells them the wrong speed.

If someone takes apart the control logic it would look perfectly normal. They didn't compromise the hardware, just the commands sent to it from the Windows PC.

Are you a PLC programmer/ automation guy?