How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

4 posts

nuclear launch detected

An excellent article but a little too long to post so i will just post a link and some excerpts

nuclear launch detected
Stuxnet : 5 Things Men Should Know

Read more:

1- Stuxnet is the first virus to be active in the physical world

The first thing men should know about Stuxnet is that it can actually reach out and touch you -- and not in a good way.

Computer worms, viruses and malware have been causing relative mayhem since the mid-1980s, when fossils like the Brain virus and the Morris worm got things started rather innocently. By 2000, infamous bugs like the Melissa macro virus and the LoveLetter virus were causing billions of dollars in damage. Until recently, a virus might simply hijack your computer and disable the operating system, or some malware might steal your personal information and your identity. But as bad as those were, they now look like child's play. Never before has a computer virus been able to manipulate devices in the physical world as would human hands. A plant operator will enter a command into his computer, expecting the Programmable Logic Controllers (PLCs) -- the actual machinery -- to obey his commands. Stuxnet modifies those commands, and it's so clever that the operator will read that all systems are normal, for months or longer, when in fact Stuxnet has severely compromised output or function.

2- Stuxnet contains a mysterious numerical infection marker

If there's any fun to be had in the Stuxnet saga, it's in the malware's so-called infection marker. If, during infection, Stuxnet stumbles across a specific registry key value in the program that equals the number 19790509, infection stops dead in its tracks. This marker, also called a “do not infect” marker, has become one of Stuxnet's most tantalizing details, drawing (overblown) conspiratorial comparisons to the likes of the Da Vinci Code .

Speculation has generally rested upon the number representing the date of an infamous Iranian execution by firing squad of a Jewish man, the first execution of a Jew in the newly established Islamic Republic of Iran, giving weight to those who think Israel is behind the malware. But why make such an important factor -- an infection marker -- so easily tied to your identity? Wouldn't someone do this to throw people off their trail? As Symantec writes in its 69-page dossier of Stuxnet, "Attackers would have the natural desire to implicate another party."

3- It took over 10 man-years to create Stuxnet

Another thing men should know about Stuxnet is that this is not the work of unwashed, sleep-deprived hackers washing down Ritalin with Red Bull. Stuxnet raises the bar considerably. It's the viral equivalent of Beethoven's Third Symphony -- a work of such genius and complexity that it had no realistic precedent. Listen to experts talk about Stuxnet. If the malware didn't represent such disturbing real-life scenarios, these eggheads would be positively gushing over it like middle-school girls at a Justin Bieber concert.

One of the most impressive and unprecedented aspects of Stuxnet, and one that never fails to impress , is that it is the first virus to exploit four so-called "zero-day vulnerabilities" -- security flaws or vulnerabilities in an operating system. Why is this a big deal? Because there is a black market for these zero-day vulnerabilities, and people pay up to half a million dollars for them. How those behind Stuxnet came upon four such flaws is not fully known, but it helps to convince experts that Stuxnet is extraordinarily well-funded -- beyond the means of hackers or terrorist groups, and more likely sponsored by one or more governments.

4- Stuxnet has a built-in kill date

Remember that eight-digit infection marker? Here's another reason to believe that it signifies a date: Another such number exists within Stuxnet, namely 20120624, or June 24, 2012, which experts have determined to be a built-in kill date for the malware. If Stuxnet finds that the date within the configuration data is after this date, it will not infect the system.

Why June 24, 2012? If you know the answer, you may have created the malware, and right now, you and your cohorts have the IT universe on a string.

5- No existing programs or standards could have prevented Stuxnet

The last thing men should know about Stuxnet is that it subverted every existing security policy and was ultimately not preventable. Even if a power plant complied with the standards of the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC) and the International Organization for Standardization (ISO), to name just a few, Stuxnet would still have penetrated the plant because industry guidelines don't even address a threat like this.

No electronic security perimeters, data diodes or anti-virus software could have stopped it -- not even the most secure measure of all: air gaps (or air walls). Air gaps are a physical gap between an operating system and a network. In this instance, the system is not even connected to a potentially insecure network. How does Stuxnet get past this seemingly insurmountable obstacle? Ask computer guys from the 1980s. They'll tell you that before the World Wide Web, viruses traveled through people sharing floppy discs. Except in the case of Stuxnet, the vector has been data sticks -- USB flash drives.

The people behind Stuxnet required broad, sophisticated knowledge of a variety of systems and languages -- not just computer codes but in-depth understanding of industrial engineering. They also likely speak English and Urdu fluently.

But though Stuxnet is so complex, the genius of its creators sparkles brightest in the basics, like using the most common disease vectors -- careless humans.

nuclear launch detected
President Camacho

This article was fascinating...

I remember hearing about this Stuxnet infecting Iran's nuclear systems last year, but it disappeared down the memory hole quickly. Then the news about Iran nuclear's scientists being assassinated popped up, and that was quickly forgotten as well. If we really had a "free press" this story would be back on top of everyone's agenda after all the pieces were put together, but unfortunately it only appeared in a niche tech magazine.

Interesting thing about the mass-exodus of Iranian Jews that followed this event: apparently Jews fleeing to America from the Islamic Republic were permitted to claim tax writeoffs in this country for the amount of capital the Islamic government confiscated from them in Iran. (I think some Jewish congress critter forced this legislation through) Of course, this figure was impossible to determine or prove, so even the Jews running small operations claimed exorbitant amounts of losses fresh off the boat, ensuring they could retain profits essentially tax-free for years in America. Yet some of them still managed to jew up that deal...

My mother is in commercial real estate and used to do business with one of these Iranian Jews who fled to the States; this guy was some (relatively large, by Iranian standards at least) paper manufacturer, and he carried over losses on his American tax forms in the hundreds of millions of dollars... I only remember this guy because he wound up sending us several gigantic boxes filled with his toilet paper (though IIRC it was all 1-ply, public restroom quality, the dirty Jew) as a token of gratitude after he got financing from my mother's bank. But recently he's managed to land in prison in upstate New York for some type of fraud. So you can see what type of people the Iranians were dealing with...

Sounds like good old-fashioned Hebrew hubris...