Saturday, September 25, 2010

Stuxnet: making Bushehr a self-exploding joke?

In June 2010, the Stuxnet worm, a highly sophisticated piece of malware, was first publicly identified while spreading through computer networks.



In recent days, the media have begun to amplify the hypothesis that this malware was created in a government-sponsored project targeting Iranian facilities: roughly 60% of the known infections are in Iran.




The worm is the first known malware designed to damage physical systems outside the computers themselves, namely industrial controllers (Siemens PLCs) that are programmed and monitored through Siemens' SIMATIC Step 7 and WinCC software, which runs under Windows.

To get an idea of the sophistication: it exploits four zero-day vulnerabilities (flaws that were unknown to the vendor, and therefore unpatched, when the attackers started using them), including a bug in the Windows print-spooler service, the recently patched shortcut (.LNK) bug, and two local privilege-escalation bugs. The Autorun.inf file that Windows runs from USB sticks and similar media is constructed so that it can be read both as a text file containing valid autorun commands (the parser simply ignores lines and characters it does not understand) and as malicious executable machine code. Sweet. ;-)
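To see why the same bytes can be both an executable and an Autorun.inf, here is an added toy model in Python (it is not code from the original post and not Stuxnet's own file). A tolerant parser that, like the autorun parser described above, skips every line it cannot interpret will pull [autorun] directives out of a blob that begins with an "MZ" executable header; a strict parser that rejects anything outside the INI grammar refuses it, and that refusal doubles as a cheap triage check for removable media. The "executable" bytes, the directive names in the blob, and the benign file are all constructed for the example; only the general mechanism (a lenient parser accepting a polyglot) is taken from the text.

```python
import re
from typing import Dict, Optional

# Constructed stand-in for an executable: an "MZ" DOS header, some binary
# filler, then text that a lenient parser will read as an autorun.inf.
# The directives are illustrative, not copied from any real sample.
POLYGLOT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00"
    b"\x1f\x1e\x8b\xc0\xfe\x7f\n"            # binary junk: not a valid INI line
    b"[autorun]\r\n"
    b"open=rundll32.exe .\\autorun.inf,Entry\r\n"
    b"shellexecute=.\\autorun.inf\r\n"
    b"\xe9\x00\x00\x00\x00"                   # trailing code bytes
)

# A benign autorun.inf (constructed) for comparison.
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nopen=setup.exe\r\n"

_SECTION = re.compile(r"^\[([A-Za-z0-9_.]+)\]$")
_KEYVAL = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*)$")


def lenient_autorun(blob: bytes) -> Dict[str, str]:
    """Model of a tolerant parser: decode bytes one-to-one, walk line by line,
    keep key=value pairs found inside [autorun], silently skip everything else."""
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in blob.decode("latin-1").splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            in_autorun = m.group(1).lower() == "autorun"
            continue
        m = _KEYVAL.match(line)
        if in_autorun and m:
            keys[m.group(1).lower()] = m.group(2).strip()
        # any other line, including the binary junk, is ignored
    return keys


def strict_autorun(blob: bytes) -> Optional[Dict[str, str]]:
    """Strict parser: the whole file must be printable ASCII made only of blank
    lines, ';' comments, section headers and key=value pairs.
    Returns None as soon as any byte or line falls outside that grammar."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return None
    for ch in text:
        if ch not in "\r\n\t" and (ord(ch) < 0x20 or ord(ch) == 0x7F):
            return None  # control byte: not a text file
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            in_autorun = m.group(1).lower() == "autorun"
            continue
        m = _KEYVAL.match(line)
        if not m:
            return None  # unparseable line: reject the whole file
        if in_autorun:
            keys[m.group(1).lower()] = m.group(2).strip()
    return keys


def looks_like_polyglot(blob: bytes) -> bool:
    """Triage heuristic for scanning removable media: an autorun.inf that starts
    with an executable header or fails the strict grammar is suspect."""
    return blob[:2] == b"MZ" or strict_autorun(blob) is None


if __name__ == "__main__":
    print("lenient:", lenient_autorun(POLYGLOT))
    print("strict :", strict_autorun(POLYGLOT))
    print("suspect:", looks_like_polyglot(POLYGLOT), looks_like_polyglot(BENIGN))
```

The lenient parser returns the two directives from the polyglot exactly as it would from a clean file, which is the whole trick: the parser's tolerance, not a bug in the usual sense, lets one file satisfy two interpreters. The strict parser, or simply checking for an MZ header, is enough to flag such a file before autorun is ever consulted.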

It also uses two genuine code-signing certificates, stolen from Realtek and JMicron, so that its kernel drivers load without Windows complaining, and it embeds detailed knowledge of the control systems. The PLC's original control logic is bypassed and replaced by the attacker's as soon as the return code from block FC1874 is DEADF007, a hexadecimal number that may also be read as "deadfoot" (read as an IPv4 address it is 222.173.240.7, which is in Shandong, China). The code proves that James Bond is a part of the operation. He will try to disarm the attacked organizations peacefully, but once Agent 007 is killed, the attacked facilities will blow up - and I am only partially joking. ;-)
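The hook pattern just described, and the check a plant operator can run against it, as an added Python model (this is not Stuxnet's code and not Siemens' API; the block names OB35 and FC1874 come from Langner's analysis, everything else is constructed). The controller's cyclic interrupt block OB35 is replaced by a wrapper that calls the injected FC1874 and skips the original logic whenever that block returns 0xDEADF007; in the toy the injected block always asks for the bypass, whereas the real one only fired under conditions it observed in the process. The second half hashes every block on the controller and compares it with the engineering project baseline, which is how an injected or modified block shows up even though the controller keeps "working".

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

DEADF007 = 0xDEADF007  # magic return value quoted in Langner's analysis


@dataclass
class Plc:
    """Toy controller: the 'code' bytes of each block (used only for hashing)
    plus a Python callable standing in for each block's logic."""
    blocks: Dict[str, bytes]
    logic: Dict[str, Callable[["Plc"], int]]
    trace: List[str] = field(default_factory=list)
    setpoint: int = 100  # constructed process value the logic controls

    def call(self, name: str) -> int:
        return self.logic[name](self)

    def cycle(self) -> int:
        """One cyclic interrupt: the controller runs OB35."""
        return self.call("OB35")


def original_ob35(plc: Plc) -> int:
    """Legitimate cyclic logic (constructed): holds the setpoint."""
    plc.trace.append("OB35:original")
    plc.setpoint = 100
    return 0


def fc1874_hooked(plc: Plc) -> int:
    """Injected block. Toy version: always demands the bypass."""
    return DEADF007


def hooked_ob35(plc: Plc) -> int:
    """Wrapper installed in place of the original OB35: consult FC1874 first,
    and run the attacker's branch instead of the original code on DEADF007."""
    if plc.call("FC1874") == DEADF007:
        plc.trace.append("OB35:bypassed")
        plc.setpoint = 140  # constructed sabotage value
        return 1
    return original_ob35(plc)


def block_hashes(blocks: Dict[str, bytes]) -> Dict[str, str]:
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def diff_against_baseline(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare block hashes read from the controller with the engineering project."""
    common = baseline.keys() & live.keys()
    return {
        "added": sorted(set(live) - set(baseline)),
        "missing": sorted(set(baseline) - set(live)),
        "modified": sorted(n for n in common if baseline[n] != live[n]),
    }


# Constructed block contents; only their hashes matter.
CLEAN_BLOCKS = {"OB1": b"original OB1", "OB35": b"original OB35", "FC10": b"original FC10"}
INFECTED_BLOCKS = {**CLEAN_BLOCKS,
                   "OB35": b"wrapper around original OB35",
                   "FC1874": b"injected FC1874"}


def clean_plc() -> Plc:
    return Plc(dict(CLEAN_BLOCKS), {"OB35": original_ob35})


def infected_plc() -> Plc:
    return Plc(dict(INFECTED_BLOCKS), {"OB35": hooked_ob35, "FC1874": fc1874_hooked})


def audit(plc: Plc) -> Dict[str, List[str]]:
    """Integrity check: what is on the controller versus the project baseline."""
    return diff_against_baseline(block_hashes(CLEAN_BLOCKS), block_hashes(plc.blocks))


if __name__ == "__main__":
    for label, plc in (("clean", clean_plc()), ("infected", infected_plc())):
        plc.cycle()
        print(label, plc.trace, "setpoint =", plc.setpoint, audit(plc))
```

The audit reports OB35 as modified and FC1874 as added for the infected controller and nothing for the clean one. One caveat a practitioner needs: Stuxnet also replaced the Step 7 communication library on the infected engineering station so that blocks read back through it looked unmodified, so a comparison like this is only worth anything when the blocks are read from the controller through a host you trust.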

The friendly TRF readers in Iran are advised not to attend any activation ceremony for a nuclear power plant. We hope that Mahmoud and mullahs are generally not TRF readers. :-)

Some experts have estimated that a dozen top security experts had to work on the project for half a year; the estimated price of the contract to create the 500-kilobyte worm (coded in both C and C++) is $3 million, so a "country" is blamed, with Israel and the U.S. the most frequently cited possible authors. Especially when you mention Israel: indeed, that's about what David would do against the Philistine giant, Goliath. ;-)



Everyday life (and everyday afterlife) in the Bushehr province, 2008.

Well, $3 million is a lot of money for an average teenage hacker, but there are lots of people in the world who can afford to pay it. To say the least, every country in the world could have paid for it, and plenty of millionaires could have done the same thing.

At any rate, I think it's a good idea, and if the U.S. and others haven't been working on this kind of software control over facilities in problematic countries such as Iran, they should certainly start. $3 million is a lot for an average person, but it is a totally negligible amount for the U.S. government.

I don't quite understand why Siemens is allowed to serve the Iranian plants in such a perfectionist way, and to provide them with weapons to fight an infection that was installed to protect the Middle East from a possible nuclear threat. Even if it is OK for Siemens to serve them in this way, the Western governments should pay Siemens to guarantee that as much data as possible can be taken from the customer if he is located in Iran, and that the facility can be remotely stopped if some top intelligence service determines that security requires it.

At any rate, the story shows how preposterous it is for chimp Ahmadinejad to claim that this regime is self-sufficient. It depends on products from Siemens, Microsoft, and many others. If there is a little bit of will in the West, pretty much all hi-tech things in Iran can be controlled in a different way than the mullahs would prefer.

By the way, the female host above makes fun of Windows: she can't believe that nuclear plants may run on Windows. I think that she is confused. Windows, a system from the real world, may sometimes crash, or a security hole may be found in it. But it's still the most heavily tested operating system in the world. A large army of programmers is trying to make the system safer than anything else.

I think that a "private" competitor to Microsoft developed inside Siemens couldn't achieve the same level of security, assuming that the computers would still be able to do all the things expected of them. So in this sense, it's guaranteed that "very special" customers such as power plants end up using the same basic software as an average Joe. Siemens simply leaves the operating-system job to the operating-system professionals and focuses only on its own layer, the WinCC platform.

At any rate, I think that the government of Israel - and maybe others, including wealthy private sponsors who share the worries about Iran - should pay not $3 million but up to $100 million for a big project to systematically hurt portions of the Iranian economy that are connected to potential security threats originating from Iran. In my opinion, such an approach is much more targeted, much more effective, and much cheaper than things such as "sanctions".

Obviously, power plants and other facilities in the civilized world must also think about their own vulnerabilities. I still think that if this kind of "modern cold warfare" spreads, the more refined peoples will benefit.

3 comments:

  1. Ralph Langner's excellent analysis of the attack, published last week:
    http://www.langner.com/en/index.htm

    ReplyDelete
  2. >>> I don't quite understand why Siemens is allowed to serve the Iranian plants in such a perfectionist way - and provide them with weapons to fight a possible infection that was installed to protect the Middle East from a possible nuclear threat. Even if it is OK for Siemens to serve in this way, the Western governments should pay Siemens to guarantee that a maximum data can be taken from the consumer if he is located in Iran - and that the facility may be remotely stopped if some top intelligence determines that it's needed for the security.


    I would point though, that Siemens is probably not at fault here - AFAIK, Iran is using pirated versions of WinCC (Siemens' SCADA software) to run their nuclear plants.

    This has been known for a while ...

    http://www.neowin.net/news/nuclear-reactor-isnt-using-a-licensed-copy-of-windows?showcomments=true

    ReplyDelete
  3. Sorry to rain on somebody's fun conspiracy theories BUT ...

    It looks to me like that virus was cobbled together from known and documented source code for assigning queues and sorting, etc. It wasn't some "big government project" it was just some hacker taking pieces of this and that and putting it together to see what would happen. The most probable outcome of it as I see it is, system jamming or crashing.

    Besides, the Iranians don't use a whole bunch of computers, ladies and gentlemen. They use ledgers, excepting in some government and academic circles. [Interpretation of an Iranian national and my own evaluation from my time spent in Basra a few years ago.] If they use a computer they use Win 95, still, and I am not sure how effective any of that virus would be, anyway.

    ReplyDelete