
A virus is worse than a bomb. How hackers destroyed a nuclear plant in Iran

In recent days every media outlet in the world has suddenly remembered the Win32/Stuxnet worm, which was discovered back in June of this year. By computer standards three months is like several years of ordinary life. Even the unhurried Microsoft has managed to release a patch closing one of the four Windows vulnerabilities the malware exploits. True, not for every version of the operating system, only for Vista and "seven", while 2000 and XP remain vulnerable to Stuxnet and all hope rests on third-party antivirus programs. Those will be needed anyway, since the remaining vulnerabilities are alive and well.

And suddenly Stuxnet is back in the headlines of the news sites. It turns out this is not just another worm, albeit a rather intricately written one (half a megabyte of encrypted code that uses several programming languages at once, from C/C++ to assembler), but a digital spy and saboteur. It sneaks into industrial facilities that use Siemens hardware and software, gains access to Siemens WinCC, the system responsible for data collection and supervisory control of production, and through it tries to reprogram the programmable logic controllers (PLCs).

Scared yet? Wait, this is only the beginning! Stuxnet was not designed for some beer-bottling shop. Its main target is the Iranian nuclear power plant in the city of Bushehr! Allegedly the whole evil power of the worm is tailored to that plant's configuration, and either it has already done the Iranians serious damage (they have been unable to start the plant since August), or it has quietly reflashed the controllers and, once the plant starts working, will give the command to explode. And then...

Let me quote a few opinions of knowledgeable people. Eugene Kaspersky on his blog calls Stuxnet "a masterpiece of malware engineering" and in turn quotes from Alexander Gostev's write-up, according to which we are dealing with nothing less than a "weapon of industrial sabotage". Made, of course, by the Israeli Mossad in order to stop the Bushehr nuclear power plant.

Siemens hardware and software systems are used in very different industries. Fine if we are talking about iron casting...

... but imagine how the hearts of hundreds of thousands of men will tremble if the worm damages the beer production lines?

ESET's analysts are somewhat less emotional. They are not sure that Stuxnet's target is the Bushehr plant, but they give credit to the quality of the code and the elegance of the idea: "Win32/Stuxnet was developed by a group of highly qualified specialists who are well versed in the weaknesses of modern information security tools. The worm is built to remain unnoticed for as long as possible. As propagation mechanisms the malware uses several serious remote code execution vulnerabilities, some of which remain unpatched to this day. On the black market such vulnerabilities can fetch up to 10 thousand euros each. And the price of the vulnerability in LNK/PIF file handling (MS10-046), which lets the worm spread via removable media, is even higher."

The remark about removable media is very important. As we understand, the control systems of factories and nuclear plants have no Internet access, so Stuxnet infects flash drives and makes its way from them into closed networks. Security services? Yes, they certainly work, and sometimes very effectively. But besides the banal human factor (read: sloppiness) there are quite tricky ways to disguise a flash drive. For example, a suitably bribed employee can bring a mouse with built-in flash memory to work and swap it for the company-issued one. Then why, you ask, spread over the Internet at all? To divert attention, so that the same security chiefs would not look for an enemy inside the team but confidently point at an accidental penetration from outside. Meanwhile, to make the worm's job easier, some Win32/Stuxnet components were signed with legitimate digital certificates belonging to JMicron and Realtek. As a result, until the certificates were revoked, Stuxnet was able to bypass a large number of HIPS (Host Intrusion Prevention System) implementations.

ESET also provides a wonderful table with the geography of recorded infections, which on the one hand confirms Gostev's hints and on the other makes conspiracy lovers scribble comments in forums and blogs even more actively. No joke: the contagion hits the largest developing countries, and to complete the picture the table is only missing China in place of Indonesia.

Already scared, like Eugene Kaspersky? Wait. Let's take a breath.

First, you need to understand why the cyber-threat vendors talk about Stuxnet with such enthusiasm. Yes, of course, they want to save our little planet. But it is also a huge new market. Siemens is far from the only maker of control and monitoring equipment for every imaginable industry, from nuclear plants to beer-bottling shops. Besides the Germans there are Americans, Japanese, and so on and so forth. Such systems are, to put it mildly, not cheap, and if every vendor manages to attach its own protective product to them... Yes, yes, you understood me correctly.

Second, for all the beauty of the Mossad version, it is not worth believing. If as many man-months or even man-years really went into the worm as the experts say, then such an end to the operation is a huge failure: for any intelligence officer, a terrible combination of no result and publicity. To obtain information or carry out sabotage they usually resort to recruitment, as old as the world, and the Mossad has vast experience of this kind of work in Arab countries. Of course, one can assume the program was written specifically for quiet deployment by one of the plant's employees, and that when something went wrong the worm was released onto the Internet to cover the agent. But that holds only if Stuxnet was definitely prepared for Bushehr, which there are many doubts about. More on those in the next paragraph.

Third, as it turns out, power plants (Bushehr included) are automated with licensed Siemens equipment that differs from ordinary PLCs roughly as a combat fighter differs from a hang glider. A PLC's job is, at best, the automation of a brewery or an oil or gas pumping station. It remains completely unclear what kind of PLC Stuxnet was going to alter at Bushehr.

Finally, fourth. Note the Win32 in the full name of the virus. No serious plant, let alone a nuclear one, will let Microsoft's operating system control really important processes. *nix-family systems (in particular QNX) reign there, and a virus from the Windows camp is completely harmless to them. So the sensation belongs to the genre of tales about the secretary who was afraid of catching a virus from her computer. True, the sterner authors of horror stories point out that Windows does not control the PLCs, but the tools for reprogramming the controllers run on it, and that is what Stuxnet uses. This is a little scarier, but in serious production nobody has abolished the Big Knife Switches that are responsible for the really important things. They can only be thrown by hand, because that is far more reliable. And safer. If a computer is ever allowed to touch them, it will not be today or tomorrow. And at a nuclear plant, most likely never.

I do not want to impose my opinion on the reader, but so far Stuxnet smells strongly of unfair competition. Where does this hatred of Siemens solutions come from? Who would bother spending so much time and effort on a big fat worm that, by and large, cannot do real mischief, but leaves an extremely unpleasant aftertaste? You see, investors in new plants and power stations will think twice and perhaps buy a system from another manufacturer. When hundreds of millions or even billions of dollars are at stake, it is no pity to spend a couple of million on black PR.

So a weapon is a weapon, but it is unlikely to come to real explosions. Except perhaps outbursts of indignation at the next visit to the store or on receiving the electricity bill. All these industrial wars are fought, in the end, at our expense, the consumers'.

In the writing of this article the finest feelings of hundreds of conspiracy theorists were hurt.

a class of vulnerabilities called 0day. "0day" (zero-day) is a term for vulnerabilities (and sometimes for the malware exploiting them) against which the protection mechanisms of antivirus and other security software are powerless. The name arose because an attacker who finds a flaw in a program or operating system exploits it immediately, when the developer has had zero days to react to the discovered bug. Naturally the developer then has no time to fix the vulnerability, and this is how large-scale malware epidemics spread that cannot be treated in time. Today attackers of every kind concentrate on finding such vulnerabilities, first of all in software that has become widespread: by infecting such software with malicious code the attacker is guaranteed the maximum return on his effort, and antivirus programs are powerless because they cannot recognize malicious code sitting inside a popular program. One such case was the example above, where a virus infected Delphi's service files and thereby injected its code into every program compiled with that compiler; since such programs were in wide use, a large number of users were infected. All this made it clear to attackers that such attacks are quite effective and can be used in the future. Finding a 0day vulnerability is, however, a rather laborious process: attackers resort to stress-testing the software, taking its code apart piece by piece, and hunting for errors in the developer's program code. But if these efforts succeed and a vulnerability is found, one can assume the attackers will certainly use it. To date the most notorious malware exploiting a 0day vulnerability is the Stuxnet worm, discovered in the summer of 2010.

Stuxnet exploited a previously unknown vulnerability in Windows operating systems related to the handling of shortcut files. It should be noted that besides the 0day vulnerability, Stuxnet used three more previously known vulnerabilities. Zero-day vulnerabilities also let attackers create malware that bypasses antivirus protection, which is dangerous for the ordinary user as well. Besides such (0day) vulnerabilities there are also quite ordinary vulnerabilities that attackers use constantly. Another dangerous class are vulnerabilities that give an attacker Ring 0 of the operating system. Ring 0 is the privilege level at which system drivers run; it is a special level from which one has full control over the operating system. Here the attacker is in the position of a programmer writing a driver for the operating system: a malicious program running in ring 0 and a driver are, in practice, the same thing. Using system functions and calls, the attacker tries to give his malicious program a way into Ring 0.

The danger of identity theft from mobile phones

If this had been said literally seven years ago, most likely nobody would have believed it. Now the danger of theft of mobile phone users' personal data is extremely high. There are a large number of malicious programs that steal personal data from users' mobile phones, yet until quite recently nobody could have imagined that mobile platforms would interest attackers. The history of mobile viruses begins in 2004, the year considered their starting point. The virus written that year targeted the Symbian system, and it was a demonstration of the very possibility of viruses existing on the Symbian platform. The authors of such developments, driven by curiosity and the desire to help strengthen the security of the system they attack, are usually not interested in distributing them or using them maliciously. Indeed, the original copy of Worm.SymbOS.Cabir was sent to the antivirus companies on behalf of the author himself, but later the worm's source code appeared on the Internet, which led to a large number of new modifications of the malware. In effect, after the source code was released, Cabir began to "roam" mobile phones all over the world on its own. This caused trouble for ordinary smartphone users, but no real epidemic happened, since the antivirus companies also had the source code, and that is when the first antivirus releases for mobile platforms appeared. Various builds of this virus spread afterwards, without, however, doing great harm. Then came the first backdoor (a malicious program that opens access to the system from outside). Its functionality allowed files to be transferred in both directions and text messages to be displayed; when an infected device connected to the Internet, the backdoor e-mailed its IP address to its owner.

Another malicious program for mobile platforms appeared later. It was a SIS file, an installer package for the Symbian platform. Launching and installing it replaced the icons (AIF files) of the standard operating system applications with an icon showing a skull; at the same time new applications were installed over the original ones, and the overwritten applications stopped working. All this was picked up by various hobbyist malware writers, who began to produce all kinds of modifications of the old viruses and also tried to create their own. At the time, however, all malware for mobile platforms was quite primitive and could not be compared with its counterparts on the computer. Quite a stir was caused by a trojan called Trojan.SymbOS.Locknut. It exploits the system's "gullibility" (the absence of file integrity checks). After launching, it creates in the system directory /system/apps/ a folder with a name that is obscene in Russian, gavno, containing the file gavno.app and its companions gavno.rsc and gavno_caption.rsc. Instead of the service information and code their formats require, all these files contain plain text. The operating system, going by the gavno.app extension alone, considers the file executable and hangs trying to launch the "app" after a reboot. Turning the smartphone on becomes impossible. These viruses were mostly followed by viruses of the same kind, able to transmit themselves over various technologies.

The vulnerability of mobile platforms as such is quite high, since there are no tools that would reliably protect them. It must also be taken into account that modern mobile platforms are already closely approaching conventional operating systems, which means the techniques for attacking them remain similar. In addition, mobile platforms have two rather specific data transfer methods that computers do not have: Bluetooth and MMS. Bluetooth is a wireless data transfer technology developed in 1998. Today it is widely used to exchange data between various devices: phones and their headsets, pocket and desktop computers and other equipment. Bluetooth communication usually works at a distance of up to 10-20 m, is not interrupted by physical obstacles (walls), and provides a theoretical data rate of up to 721 Kbps. MMS is a relatively old technology designed to extend SMS with the ability to send pictures, melodies and video. Unlike a service

Mid-July was marked by a cyberattack on the industrial sector of entire states. Naturally our magazine could not pass over such an event, and we prepared this material about the incident.

Industrial espionage

We are used to cybercrime cheating, hacking and robbing hapless Internet users. But time always pushes people further, toward new results and new profits. The same happens on the bad guys' side. One can build botnets for another ten years and steal CC numbers, but there is still a huge unexplored niche: industry, its technologies, secrets and valuable data. It is exactly there that the incident of midsummer happened: an unprecedented attack on industrial SCADA systems (Supervisory Control And Data Acquisition; in our terms, an analogue of the APCS, the automated process control system). Such systems control production processes, oil rigs, nuclear power plants, gas pipelines and so on. Naturally such complexes have their own databases, and the information in those databases is priceless. This information was the target of the newest malware, which received the name Stuxnet.

Stuxnet

The first to find the new beast were our Slavic brothers from Belarus, namely the antivirus firm VirusBlokAda. They found the virus body on June 17 but issued a press release only on July 10 (explaining that they needed to notify the companies whose names had been dragged into the affair and to study the sample). Those companies are well known: Microsoft and Realtek. VirusBlokAda's specialists recorded the worm's use of a 0day vulnerability in the handling of shortcut (.lnk) files, which is why Microsoft got involved (we will get to the vulnerability itself later). But what does Realtek have to do with it? The point is that the drivers the worm installs carried a valid certificate, issued by VeriSign in Realtek's name. This turn of events greatly complicates the detection of malicious content by the various host-level intrusion detection and prevention systems (HIPS, anti-rootkits), since such systems trust certificates without limit and pay no attention to the substance. I am quite sure the trusted certificate greatly extended the malware's life before it was discovered. Be that as it may, after the Belarusians' press release the other antivirus companies joined the study, both of the new vulnerability the worm spreads with and of its payload.

Spreading

The worm's propagation mechanism seems at first nothing special: USB flash drives. But autorun.inf has nothing to do with it. A new vulnerability comes into play that lets an arbitrary .DLL be loaded as soon as a flash drive is inserted and the user opens its contents. On the flash drive lie a .DLL with malicious code (well, in the worm's case the extension is actually .TMP) and a .LNK file. A file with the .LNK extension is an ordinary shortcut. But in our situation the shortcut is not quite ordinary. As soon as the shortcut is displayed in the standard shell or in Total Commander, the neighbouring .DLL is executed automatically, with all the ensuing consequences! How could that happen?

As you know, a shortcut points to an executable file and launches it on double-click. But here there are no clicks, and a .DLL cannot be executed that way anyway. If you look at the shortcut in a hex editor, you can see the path to our .DLL in the middle of it. Moreover, this is not an ordinary shortcut but a shortcut to a Control Panel item! That detail explains everything. Any Control Panel item is a .CPL applet, and a CPL is essentially a plain .DLL, so a Control Panel shortcut is special: it knows, so to speak, that it is dealing with a .DLL. Furthermore, this shortcut tries to PULL the icon out of the .DLL in order to display it in Explorer. But to extract the icon the library has to be loaded, which is exactly what the shell does, by calling LoadLibraryW().

In fairness it should be noted that calling this function automatically entails executing the DllMain() function of the loaded library. Therefore, if such a shortcut points not to a .CPL applet but to an evil library with evil code in DllMain(), that code runs AUTOMATICALLY when the shortcut's icon is rendered. The vulnerability can also be exploited with .PIF shortcuts.

Payload

Besides the interesting propagation method, the payload was also a surprise: no botnets, no theft of banking passwords or CC numbers. Everything turned out to be much bigger. The .LNK vulnerability triggers the loading of a hidden file named ~wtr4141.tmp lying next to the shortcut. This file is executable but small (only 25 KB). As Symantec's experts noted, it is very important at first to hide your presence while the system is not yet infected. Given the nature of the 0day vulnerability, ~wtr4141.tmp runs as soon as the user sees the icons, and the first thing it does is hook API functions in kernel32.dll. Intercepted calls:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW

Hooks are also placed on functions in ntdll.dll:

  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile

All these functions are processed with the same logic: if a file name ends in ".lnk", or starts with "~wtr" and ends in ".tmp", it is removed from what the original function returned, and the rest is returned. In other words, hide your presence on the disk, so the user simply does not see the files on the flash drive. After that ~wtr4141.tmp loads the second file from the disk (~wtr4132.tmp). It does this in a non-standard, I would even say perverse, way: by installing hooks in ntdll.dll on the calls:

  • ZwMapViewOfSection
  • ZwCreateSection
  • ZwOpenFile
  • ZwClose
  • ZwQueryAttributesFile
  • ZwQuerySection

It then tries to load a non-existent file with a special name via LoadLibrary; the hooks installed earlier catch this case and instead load the second file, which really does exist, ~wtr4132.tmp, or rather its unencrypted part, which decodes the second part (in fact UPX-compressed). The second part contains resources and other files that come into play after decryption and export (by the same perverse method of hooks on API functions).

First of all two drivers are installed, mrxcls.sys and mrxnet.sys (it is these files that gave the worm its name, Stuxnet). They are installed into the system directory; functionally they are a kernel-level rootkit with the same logic as in the first file. This keeps the worm protected after a reboot and after the ~wtr4141.tmp process has exited.
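The file-hiding rule above, and the check a responder uses to expose it, as an added example (this is not code from the article or from Stuxnet itself). The filter is the one the article attributes to the hooked FindFirstFileW/FindNextFileW/NtQueryDirectoryFile path: any ".lnk" entry, and any "~wtr…​.tmp" entry, is dropped from the result. The detection is a cross-view diff: compare what the API path returns with a listing obtained without going through it (parsing the FAT/NTFS structures directly, or reading the same drive on a clean host); since the kernel drivers apply the same filter, the raw view must not come from the infected host's own enumeration APIs. Assumptions: name matching is case-insensitive, as Windows file names are, and the drive contents are constructed.

```python
"""Added example: Stuxnet-style directory filtering and a cross-view check.
Not code from the article or from the worm; sample names are constructed."""
from typing import Iterable, List


def is_hidden_by_hook(name: str) -> bool:
    """The rule the hooked directory-enumeration functions apply to each entry.
    Case-insensitive comparison is an assumption about the real hook."""
    low = name.lower()
    return low.endswith(".lnk") or (low.startswith("~wtr") and low.endswith(".tmp"))


def hooked_listing(real_entries: Iterable[str]) -> List[str]:
    """What a caller of the hooked API sees: the real result minus filtered entries."""
    return [n for n in real_entries if not is_hidden_by_hook(n)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Entries present on disk but missing from the API view. A non-empty result
    means something in the enumeration path is lying, and the names say what."""
    seen = {n.lower() for n in api_view}
    return sorted((n for n in raw_view if n.lower() not in seen), key=str.lower)


# Constructed contents of an infected removable drive: the owner's files plus
# the worm's shortcut and its two ~wtr payload files.
RAW_DRIVE = [
    "report.docx",
    "photos",
    "Shortcut.lnk",
    "~WTR4141.tmp",
    "~wtr4132.tmp",
    "notes.txt",
    "~wtrreadme.txt",   # starts with ~wtr but is not .tmp: must stay visible
]


def demo() -> List[str]:
    """Names the hook hides on the constructed drive, found by cross-view diff."""
    return cross_view_diff(hooked_listing(RAW_DRIVE), RAW_DRIVE)


if __name__ == "__main__":
    print("API view:  ", hooked_listing(RAW_DRIVE))
    print("hidden:    ", demo())
```

The diff is only as good as the raw view: on a live infected host, a user-mode "raw" enumeration still passes through the hooked kernel path, so the trustworthy listing has to be taken offline or from a clean boot medium.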

These drivers, as already mentioned, carry a legitimate Realtek certificate, so their installation goes through without problems (the certificate has since been revoked). Besides the rootkit, the shortcut template files and ~wtr4141.tmp are unpacked in order to infect other USB devices. Then code is exported that injects itself into system processes and registers the above-mentioned rootkit .SYS files in the registry (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls). Next two .DLL files are decoded that replace existing files of the SCADA software, Siemens Step 7.

Thus all calls from the SCADA software go to the fake libraries. The "necessary" processing happens there, after which the calls are forwarded to the original .DLL (the remaining functions the virus emulates itself). On top of all this the worm blocks antivirus processes and tries to find DBMS servers (MSSQL). When it finds one it tries to log in with the account WinCCConnect and the default password 2WSXcder. This is the account of the SCADA database of Siemens Simatic WinCC. As you can see, the worm is designed specifically for the Siemens product. If authentication succeeds, the spy downloads data about processes and other secret information; it also does not hesitate to search local files for information useful to spies. If it detects Internet access, the worm crawls to one of the command-and-control servers. The server names are:

  • mypremierfootball.com
  • todaysfootball.com

There the worm tried to reach out and upload "something" in encrypted form. The guys from Symantec figured this out too. It turned out that the encryption is a byte-by-byte XOR with a 31-byte key hard-coded in one of the .DLL libraries. The server's response also comes XOR-ed, but with a different key from the same library. The trojan sends the server general information about the infected machine (Windows version, computer name, addresses of network interfaces, and a flag for the presence of SCADA software). In the reply from the command centre it can receive RPC calls to work with files, create processes, inject into processes, load new libraries and so on.
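How that XOR layer works, and why a static key is fatal once a single beacon can be read, as an added example (this is not code from the article or from any Stuxnet analysis). Running the sample on a sandbox host whose Windows version, name and addresses you know gives you a known plaintext; XOR-ing it with the captured ciphertext yields the key stream, and folding the stream by the key length both recovers the key and confirms the length guess. Everything here is constructed: the 31-byte key value, the beacon layout (a magic header, the SCADA flag, then "|"-separated fields) and the host details; the real keys and record format are not reproduced.

```python
"""Added example: repeating-key XOR as on the C2 channel, plus known-plaintext
key recovery. Key value, record layout and hosts are constructed for the demo."""
import itertools
from typing import Dict, List, Optional

KEY_LEN = 31
MAGIC = b"BEACON1\x00"                               # constructed record header
SAMPLE_KEY = bytes(range(0x61, 0x61 + KEY_LEN))      # stands in for the key in the DLL


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with the key cycled; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def build_beacon(win_version: str, hostname: str, ips: List[str], has_scada: bool) -> bytes:
    """What the implant sends: the fields the article lists, in a constructed layout."""
    body = "|".join([win_version, hostname, ",".join(ips)]).encode()
    return MAGIC + bytes([int(has_scada)]) + body


def parse_beacon(plain: bytes) -> Optional[Dict]:
    """Inverse of build_beacon; None if decryption did not yield a valid record."""
    if not plain.startswith(MAGIC) or len(plain) < len(MAGIC) + 1:
        return None
    fields = plain[len(MAGIC) + 1:].decode("ascii", errors="replace").split("|")
    if len(fields) != 3:
        return None
    return {"win": fields[0], "host": fields[1], "ips": fields[2].split(","),
            "scada": bool(plain[len(MAGIC)])}


def recover_key(ciphertext: bytes, plaintext: bytes, key_len: int = KEY_LEN) -> Optional[bytes]:
    """Known-plaintext recovery. ciphertext XOR plaintext is the key stream; fold
    it by key_len and require every position to agree, which also rejects a
    wrong key-length guess. Needs at least key_len bytes of known plaintext."""
    if len(plaintext) < key_len or len(ciphertext) < len(plaintext):
        return None
    stream = bytes(c ^ p for c, p in zip(ciphertext, plaintext))
    key = stream[:key_len]
    if any(b != key[i % key_len] for i, b in enumerate(stream)):
        return None
    return key


def demo() -> Optional[Dict]:
    """Recover the key from a sandbox beacon, then read a capture from another host."""
    sandbox_plain = build_beacon("5.1.2600", "SANDBOX-01", ["10.0.0.5"], False)
    sandbox_cipher = xor_repeating(sandbox_plain, SAMPLE_KEY)    # what the sniffer saw
    key = recover_key(sandbox_cipher, sandbox_plain)
    if key is None:
        return None
    # Constructed capture from an unknown machine, encrypted with the same static key.
    victim_cipher = xor_repeating(
        build_beacon("6.1.7600", "ENG-WS7", ["192.168.10.21", "172.16.4.2"], True), SAMPLE_KEY)
    return parse_beacon(xor_repeating(victim_cipher, key))


if __name__ == "__main__":
    print(demo())
```

The consistency check in recover_key is what makes the length guess safe: with the wrong period, bytes at positions 31 apart stop agreeing and the function returns None instead of a plausible-looking wrong key.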

What was it?

That's right... what was that?! Ordinary black hats will not get involved in something that does not bring easy money. Data from SCADA systems is of interest only to competitors, commercial or political. If you look at the map of the infection's spread (according to Kaspersky Lab), you can see that the epicentre is Asia (namely India, Iran and Indonesia). If you look at the described functionality of the worm, you can be horrified: control over .DLLs and interception of SCADA functions. Wouldn't it be cool to run an Indian nuclear power plant over the Internet? Or to infiltrate the Iranian nuclear program? Moreover, we have the fact that the rootkit drivers carry a legitimate certificate belonging to a company located in the same part of the world (in Taiwan)!

Not only antivirus companies got involved in this story, but also government structures (to cover their tracks? :)). After the "capture" of the domains mentioned, the command-and-control servers' statistics on infected machines calling home were analysed. Symantec's data almost coincides with Kaspersky Lab's: the same countries. On top of that, penetrations into SCADA systems themselves have already been confirmed. Not many so far, about three (two in Germany and one in Iran). But not everyone will admit publicly that they were had...

What will happen?

After all that happened, I think there will be strong interest in SCADA security. Before this incident there were already researchers and firms warning about security problems and offering their services, but this particular case can help them earn very good money. I dare say the same worm model would also suit ERP systems, since the scheme shown applies to that model too. ERP systems are responsible for planning and managing a business: money, tasks, goods and so on (I would even say it would be easier to write such a worm for ERP, but since SCADA and the Asian region were chosen, it smacks more of politics...). So all these business and industrial systems are still waiting for their heroes (hello to Alexander Polyakov aka sh2kerr). As for the LNK vulnerability, the Zeus trojan has already started using it for its own propagation, and the guys from Rapid7 made a Metasploit exploit that works over HTTP using WebDAV.

In that case the shellcode is loaded into a .DLL and the shortcut loads it. At the time of writing there was no patch yet, and the threat is very significant; all the antivirus companies say they are great at detecting viruses by signatures, so it is time to point out that signatures suck. The signature of the DLL does not interest us much, but the signature by which a shortcut is recognised as the exploit can definitely be beaten. Take the shortcut from the public PoC (suckme.lnk_) and submit this marvel to virustotal.com. The result: 27 antiviruses detect it. Now let's open the Control Panel and create a couple of shortcuts, preferably one to the Java applet. Next we rename these shortcuts from the console:

copy Java.lnk Java.lnk_

The second shortcut is copied in the same way. Now we can edit them in a hex editor. Usually all shortcuts store the pointer in Unicode, but the Java shortcut does not. So we have two links to CPL applets, and for Java the path is not in Unicode. Change the path to the CPL (DLL) to our file, delete the extra bytes in the middle (fa ff ff ff 20) and save. Copy back with the .LNK extension and submit the results to virustotal.com. For the Unicode shortcut 11 antiviruses remain, for the Java shortcut 8; that is, 70% of antiviruses stopped detecting the exploit, and among them are giants like Symantec, Kaspersky, AVG and NOD32. So antivirus is no panacea here.
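A structural detector for the shortcut described in the Spreading section, as an added example that serves both that description and the VirusTotal experiment just above (this is not code from the article, from the public PoC, or from any antivirus product). It parses the part of a .lnk file the exploit abuses, the LinkTargetIDList, and flags a Control Panel shortcut whose applet item carries a path that is not a registered .cpl. Because the check looks at the parsed structure rather than at byte patterns, it does not care whether the path is stored in UTF-16 or ANSI or which padding bytes surround it, which is exactly the variation that beat the byte signatures. Assumptions: a legitimate applet lives under C:\Windows\System32\ with a .cpl extension (a simplification; applets may be registered elsewhere), and the item layout in make_cpl_lnk is a constructed approximation that reproduces only the features the detector keys on, not the exploit file.

```python
"""Added example: parse a .lnk LinkTargetIDList and flag Control Panel shortcuts
pointing at a non-applet. Not the article's or PoC's code; samples constructed."""
import re
import struct
from typing import Dict, List, Optional

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")     # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x1
MY_COMPUTER = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")   # {20D04FE0-...}
CONTROL_PANEL = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d") # {21EC2020-...}
PATH_ASCII = re.compile(rb"(?:[A-Za-z]:\\|\\\\)[\x20-\x7e]{3,}")
PATH_WIDE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[\x20-\x7e]{3,}")
SYSTEM_DIR = "c:\\windows\\system32\\"   # assumed home of legitimate applets


def parse_id_list(data: bytes) -> Optional[List[bytes]]:
    """Payload of each ItemID in the LinkTargetIDList; None if the file is malformed."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = HEADER_SIZE
    if len(data) < pos + 2:
        return None
    end = pos + 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize incl. terminator
    pos += 2
    if end > len(data):
        return None
    items: List[bytes] = []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:                       # TerminalID closes the list
            return items
        if size < 2 or pos + size > end:    # item overruns the list
            return None
        items.append(data[pos + 2:pos + size])
        pos += size
    return None                             # ran off the end without a terminator


def embedded_paths(item: bytes) -> List[str]:
    """Paths stored in an item, whether ANSI or UTF-16LE at either byte alignment."""
    found = [m.group().decode("ascii") for m in PATH_ASCII.finditer(item)]
    for off in (0, 1):
        wide = item[off:].decode("utf-16-le", errors="ignore")
        found.extend(m.group() for m in PATH_WIDE.finditer(wide))
    return found


def classify_lnk(data: bytes) -> Dict:
    """'suspicious' if an item after the Control Panel folder names a non-applet."""
    items = parse_id_list(data)
    if items is None:
        return {"verdict": "malformed", "paths": []}
    paths: List[str] = []
    after_cpanel = False
    for it in items:
        if CONTROL_PANEL in it:
            after_cpanel = True
        elif after_cpanel:
            paths.extend(embedded_paths(it))
    bad = [p for p in paths
           if not p.lower().endswith(".cpl") or not p.lower().startswith(SYSTEM_DIR)]
    return {"verdict": "suspicious" if bad else "ok", "paths": paths}


def make_cpl_lnk(target: str, unicode: bool) -> bytes:
    """Constructed test input: My Computer -> Control Panel -> item carrying target.
    An approximation of the shell-item layout, not the exploit file."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 0x14, HAS_LINK_TARGET_ID_LIST)
    struct.pack_into("<I", hdr, 0x3C, 1)              # ShowCommand = SW_SHOWNORMAL

    def item(payload: bytes) -> bytes:
        return struct.pack("<H", len(payload) + 2) + payload

    enc = (target.encode("utf-16-le") + b"\x00\x00") if unicode \
        else (target.encode("ascii") + b"\x00")
    id_list = (item(b"\x1f\x50" + MY_COMPUTER) + item(b"\x2e\x80" + CONTROL_PANEL)
               + item(b"\x00\x00\x00\x00" + enc) + b"\x00\x00")
    return bytes(hdr) + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for tgt, wide in [("E:\\~wtr4141.tmp", True),
                      ("\\\\.\\STORAGE#RemovableMedia#0#\\evil.dll", False),
                      ("C:\\Windows\\System32\\timedate.cpl", True)]:
        print(classify_lnk(make_cpl_lnk(tgt, wide)))
```

Run against the three constructed samples, the UTF-16 and ANSI variants pointing at a .tmp and a .dll are both flagged, while the shortcut to timedate.cpl passes; a byte signature keyed on the Unicode path or on the padding bytes would have split that result exactly the way the VirusTotal numbers did.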

That's it... my five kopecks, so they don't relax over there; but in general, thanks to the antivirus specialists for the thorough and interesting work they did to help us make sense of this threat. Thank you, fighters of the antivirus front: VirusBlokAda (first to discover and study it), Symantec (for the detailed technical analysis on its blog), ESET and personally Alexander Matrosov for the work in the Moscow lab. Thanks also to Kaspersky Lab and their blog, in which Alexander Gostev shared his thoughts and beautiful maps :). And thank you, my reader, for digesting this important material.

More and more details are emerging about the virus discovered in June of this year. Why is the virus unusual? In many ways...

First, it could spread on flash drives (using a vulnerability in .lnk file handling). That alone is exotic in the Internet age.

It is also notable for using not one but four 0-day (i.e. hitherto unknown) vulnerabilities, which also happens infrequently. Strictly speaking, two of them had been known before, but to very few people; Microsoft did not know about them and accordingly had released no patches. For good measure the virus also used a fifth, well-known but very nasty vulnerability in the RPC service, one a worm had already exploited to the full.

The virus was signed with stolen digital signatures. For security reasons Microsoft requires all drivers in the system to be signed. It did not help. The attackers most likely stole the signing keys from the Taiwanese offices of JMicron and Realtek. Strangely, the offices of these two firms are located in the same building in the city of Hsinchu. If that is no mere coincidence, it means someone physically entered the premises, went to the right computers and stole the keys. Not an amateur job.

It was clearly written by a team: half a megabyte of code in assembler, C and C++.

Stuxnet was discovered not in America, China or Europe, where most Internet users are and where ordinary viruses thrive, but in Iran. 60% of infections occurred in the state of the Islamic revolution.

He knows how to accept commands and update decentralized, by P2P type . Classic botnets use central command systems

And the most, I'm not afraid of this word, sensational - the virus does not send spam, does not format the disk, and does not even steal banking data. He is engaged in sabotage in production. More precisely, it attacks industrial control and management systems using software called Simatic WinCC . Even more sensational, Stuxnet secretly writes itself onto programmable chips (they are used to control production), disguises itself and kills some important process. Not a random process, but returning a certain code. Unfortunately, what this code means is not yet known. . This, by the way, explains the method of distribution via flash drives - industrial systems are rarely connected to the Internet.

The conclusion suggests itself: a group of serious professionals wanted to break something very expensive, important and industrial. Most likely in Iran (although the virus has spread to other countries too), and most likely they have already succeeded (according to virologists' estimates, Stuxnet lived for almost a year before being discovered). This is not a simple group of hackers. First-class technical resources are needed here, from people who steal keys, to vulnerability specialists, to industrial production experts. At a minimum a corporation of decent size, and more likely someone's state structures.

Who exactly uses the WinCC system in Iran is unknown, but conspiracy theorists point out that a copy of WinCC, an unlicensed one at that, was installed at the reactor under construction in Bushehr. The very one at which Iran wants to enrich uranium for its nuclear program, and for whose protection Russia wants to send S-300 missile systems and has already sent Tor-1 anti-aircraft systems.
That does not, of course, prove that Bushehr is the target. Maybe half of the factories in Iran run on this product. So much the worse for Iran.
(Update: it seems that WinCC has in fact been licensed in Iran. Project key 024 in the accompanying README file is specifically reserved for Bushehr (see p. 2). There are no other Iranian facilities on the list, by the way.)

By the way, most of the information needed to create the virus was in the public domain. Similar vulnerabilities had been mentioned a couple of times in various places, factory passwords for the databases were on forums, and P2P botnets had been discussed as a theoretical possibility. As for WinCC, see the photo above. A very smart strategy: firstly, it saves money, and secondly, the path of the information cannot be traced. The question "who could have known this?" becomes much more complicated, because anyone could have.

In short, follow the news. Next week: Ralph Langner's presentation at a conference on industrial control systems; on September 29, researchers from Symantec; and researchers from Kaspersky.

Bonus: the German hackers who gutted the virus also found a trojan that died two years ago on the website of our very own AtomStroyExport (see the source www.atomstroyexport.com/index-e.htm). It most likely has nothing to do with the infection; it simply shows the level of security in nuclear energy.

http://malaya-zemlya.livejournal.com/584125.html

“I don’t know what weapons they will fight in the third world war, but in the fourth, stones and clubs will be used”
Albert Einstein
At the end of September it became known that the Stuxnet virus had caused serious damage to the Iranian nuclear program. Exploiting operating system vulnerabilities and the notorious "human factor", Stuxnet successfully hit 1,368 of the 5,000 centrifuges at the uranium enrichment plant in Natanz and also disrupted the launch of the Bushehr nuclear power plant. The customer is unknown. The perpetrator is a negligent Siemens employee who inserted an infected flash drive into a workstation. The damage inflicted on Iran's nuclear facilities is comparable to that of an attack by the Israeli Air Force.
The world started talking about wars of a new generation. Cyber attacks could be ideal tools for the wars to come: they are fast, destructively effective and usually anonymous. Today states are hastily agreeing on a joint strategy to counter cyber threats. What will happen tomorrow? Unfortunately, Einstein's sad aphorism still remains the most realistic answer to this question.
Iran is helpless in the face of the techno threat
The front pages of the world press were filled with gloomy prophecies about the advent of an era of technological wars. Experts from various fields, from IT security to linguistics and anthropology, are struggling to unravel Stuxnet, the virus that hit Iran's nuclear facilities. Stuxnet was discovered by anti-virus laboratories long ago, but the world learned the true extent of the infection at the end of September, when the delay in launching Iran's first nuclear power plant at Bushehr became known. While Ali Akbar Salehi, head of Iran's Atomic Energy Organization, said the delay was not related to the virus, Mark Fitzpatrick of the International Institute for Strategic Studies noted that this sounds "not very serious", and that Iran tends to hush up real problems at its nuclear facilities. Some time later, Mahmoud Jafari, project manager for the Bushehr station, let it slip. According to him, Stuxnet "hit several computers, but did not cause any damage to the main operating system of the station." Sapienti sat. Iran's nuclear facility at Natanz was also severely damaged, with 1,368 of 5,000 centrifuges disabled by Stuxnet. When Mahmoud Ahmadinejad was asked directly about technological problems with the nuclear program after the session of the UN General Assembly, he only shrugged his shoulders and did not answer. Note that according to the New York Times, the damage done by the virus in Iran is comparable, perhaps, to an attack by the Israeli Air Force.
Author! Author!
For obvious reasons, the Stuxnet developers prefer to keep a low profile, but it is clear that the complexity of the virus can be called unprecedented. Creating such a project requires huge intellectual and financial investment, which means that only structures on a state scale can do it. All experts agree that the virus is not the result of the efforts of a "group of enthusiasts". Laurent Eslo, director of security systems at Symantec, estimates that at least six to ten people worked on the creation of Stuxnet over a period of six to nine months. Frank Rieger, technical director of GSMK, supports his colleague: according to him, the virus was created by a team of ten experienced programmers, and development took about six months. Rieger also names the approximate cost of creating Stuxnet: at least $3 million. Eugene Kaspersky, CEO of Kaspersky Lab, speaks of the virus's military purpose: "Stuxnet does not steal money, does not send spam, and does not steal confidential information. This malware was created to control production processes, literally to manage huge production capacities. In the not too distant past we fought cyber criminals and Internet bullies; now, I am afraid, it is the time of cyber terrorism, cyber weapons and cyber wars." Tillmann Werner, a member of the Honeynet Project, a community of Internet security specialists, is sure that lone hackers are not capable of this. "Stuxnet is so technically advanced that it should be assumed that government experts were involved in the development of the malware, or that they at least provided some assistance in its creation," Werner said.

During the analysis of Stuxnet, some media concluded that Israel was behind the creation of the virus. John Markoff, a journalist for the New York Times, was the first to speak of Israel's involvement in the attack on Iran, noting that analysts had specifically remarked on the name of one of the code fragments, "myrtus" ("myrtle"). In Hebrew, "myrtle" is "hadas", which in turn resembles the name "Hadassah" belonging to Esther, the heroine of Jewish history who saved her people from destruction in the Persian Empire. Drawing an analogy with ancient Persia, on whose territory modern Iran lies, some analysts believe that Israel left a "calling card" in the virus code. However, according to a number of experts, this version does not hold water and resembles the plot of a cheap detective story: too primitive a "handwriting" for a project of this magnitude.

At the same time, it should be emphasized that last summer (recall that the distribution of Stuxnet began in 2009) WikiLeaks reported a serious nuclear accident at Natanz. Shortly thereafter, it became known that the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, had resigned without explanation. Around the same time, statements by Israeli politicians and military officers about a possible confrontation with Iran on the technological front appeared in the media. In addition, Israel adjusted its projected date for Iran obtaining an atomic bomb to 2014, and Meir Dagan, head of the Mossad, had his mandate extended so that he could take part in unnamed "important projects".

Human factor
The story of the primary infection, which marked the beginning of the spread of the virus, is noteworthy. Obviously, automated control systems of this level are not connected to the Web. Kenneth Geers, an expert from the NATO Cyber Center in Estonia, suggested at a security conference that the success of the Stuxnet attack depended solely on contacts with the right people and ... ordinary USB drives. "You could pay someone to run a trojan on a closed system, or swap a flash drive that was only for internal use," Geers muses. "It is enough to insert an infected USB flash drive into a standard USB port on the computer, and Stuxnet immediately and automatically jumps to the operating system, and no antivirus programs or other protection measures can interfere with it." And indeed, the "weak link" turned out to be the human factor: Stuxnet entered the system via a regular USB drive, which a negligent employee inadvertently inserted into a workstation. It is noteworthy that after the statements of Iran's Minister of Intelligence, Heydar Moslehi, about the detention of "nuclear spies" (who turned out to be completely uninvolved Russian technicians), Siemens management admitted that the virus was introduced by company employees, emphasizing the unintentional nature of the infection. It should be noted that Stuxnet only affects a specific type of Siemens controller, namely SIMATIC S7, which, according to the IAEA, is used by Iran.
Cyber war. Battlefield - Earth?
At the Virus Bulletin 2010 conference, held in Vancouver, Canada, a brief presentation by Liam O Murchu, one of Symantec's leading IT security experts, caught the public's attention. The analyst conducted an experiment that explained the dangers of a cyber threat better than hundreds of formal reports. O Murchu set up an air pump on stage running on a Siemens system, infected the workstation controlling the pump with the Stuxnet virus, and started the process. The pump quickly inflated a balloon, but the process did not stop: the balloon kept inflating until it burst. "Imagine that this is not a balloon, but an Iranian nuclear power plant," the expert said, putting an end to the question of the "seriousness" of cyber wars.

O Murchu's colleagues fully share his concerns. Trend Micro researcher Paul Ferguson said that with the creation of Stuxnet the world has a full-fledged cyber weapon that goes beyond traditional destructive schemes (theft of credit card numbers and the like) and can lead to serious accidents at very dangerous industrial facilities. Ferguson emphasizes that analysts will now "literally intimidate the government in order for it to start taking serious security measures."

Indeed, General Keith Alexander, the head of the newly created US Cyber Command at the Pentagon, has publicly stated before Congress that the threat of cyber warfare has grown exponentially over the past few years. Alexander recalled two cyber attacks on entire states: on Estonia (in 2007, after the removal of the Bronze Soldier) and on Georgia (in 2008, during the war with Russia).

In an interview with the Berliner Zeitung, Estonian President Toomas Hendrik Ilves raises the issue of cyber threats at the highest level. The Estonian President emphasizes that NATO's decision to locate the Cybersecurity Center in Tallinn (recall that it opened in May 2008) is due to the fact that Estonia is one of the most computerized countries in Europe, as well as the first state to be subjected to a full-scale cyber attack, in 2007. After that attack, which paralyzed the infrastructure of the whole country, Estonian Defense Minister Jaak Aaviksoo even demanded that NATO equate such cyber attacks with military action. The President is making similar points today: "The Stuxnet virus has demonstrated how seriously we need to take cybersecurity, because vital infrastructure can be destroyed with such products. In the case of Iran, the virus seemed to be targeting the nuclear program, but similar viruses could destroy our computer-controlled economy. This should be discussed in NATO: if a missile destroys a power plant, Article 5 comes into force. But what to do in the event of a computer virus attack?" asks Toomas Hendrik Ilves. The president's proposal is in line with current trends: "Both the EU and NATO should develop a common policy, including legal norms, which will form the basis for collective defense against the threat in cyberspace," the head of state believes.

US Deputy Secretary of Defense William J. Lynn fully agrees with Toomas Hendrik Ilves. In an interview with Radio Liberty, Lynn tried to answer the question raised by Ilves: "If the blow affected essential elements of our economy, we should probably consider it an attack. But if the result of the hack was data theft, then it might not be an attack. There are many other options between these two extremes. To articulate a clear political line, we must decide where the line lies between hacking and attack, or between espionage and data theft. I believe that both in the government and outside it there is a discussion on this topic, and I do not think that this discussion has been exhausted yet."

In addition, the key point of William Lynn's speech was the public announcement of the five principles on which the United States' new cybersecurity strategy is based. We quote the US Deputy Secretary of Defense in full:
"The first of these principles is that we must recognize cyberspace for what it has already become: a new war zone. Just like land, sea, air and outer space, we must consider cyberspace a sphere of our operations, which we will protect and to which we will extend our military doctrine. That is what motivated us to create a unified Cyber Command within Strategic Command.

The second principle, which I have already mentioned, is that the defense must be active. It should include two generally accepted lines of passive defense. The first is, in fact, ordinary hygiene: patch on time, update your anti-virus programs, improve your defenses. We also need a second line of defense, the one used by private companies: intrusion detectors, security monitoring programs. All of these tools will probably help you repel about 80 percent of attacks. The remaining 20 percent, a very rough estimate, are sophisticated attacks that cannot be prevented or stopped by patching holes. A much more active arsenal is needed. We need tools that can identify and block malicious code. You need programs that will detect and pursue malicious elements invading your own network. When you have found them, you should be able to block their communication with the outside network. In other words, it looks more like a war of maneuver than a Maginot line.

The third principle of a cybersecurity strategy is the protection of civilian infrastructure.

Fourth, the US and its allies must take collective defense measures. At the upcoming NATO summit in Lisbon, important decisions will be made in this regard.

Finally, the fifth principle is that the United States must remain at the forefront of software product development.”

The reaction of Dmitry Rogozin, Russia's permanent representative to NATO, to the processes taking place in the Alliance is quite remarkable. Apparently, Russia is extremely concerned about the upcoming NATO summit in Lisbon, to be held on November 20, because it is planned to resolve the dilemma there of whether an attack on the military and government computer networks of a NATO member is considered grounds for invoking Article 5 of the Washington Treaty and responding with a collective military strike. Rogozin, in his characteristic style, writes: "We will finally find out whether it is permissible for NATO to hit hackers' apartments with a nuclear bomb, or whether it is assumed that cyber warfare will not go beyond cyberspace after all. I have good reason to doubt the latter scenario. Literally before our eyes, a huge scandal is unfolding in Western periodicals in connection with the spread of a computer worm called Stuxnet. I am used to reading and sending SMS in Latin letters, so I immediately read the name of the virus as a Russian verb in the future tense: 'will go down'. Rest assured, something will go down or fall off for somebody, and specifically for those who launched this virus. As you know, whoever sows the wind will reap the whirlwind." Not daring to comment on Mr. Rogozin's literary and creative research, we note that it was Russia that was blamed for the two largest hacker attacks on entire states (Estonia and Georgia); perhaps this is precisely what caused such a violent reaction from the impressionable plenipotentiary.

Thus, against the background of the hysteria provoked by Stuxnet, a number of states have declared the need to form a joint policy to prevent cyber attacks. Will this lead to the desired result, even if we assume that some document regulating the use of destructive technologies will be developed (and signed)? To IT Business Week this seems extremely doubtful: the temptations offered by high technology are too great, namely anonymity, safety (for the attacker) and an unprecedented cost/effectiveness ratio. This means that Stuxnet was only the first sign of the era of the techno-social revolution, which has not begun at all the way it was dreamed.
