Analysis of Stuxnet malware (and implication of Cyber Warfare) - bigmac
http://www.langner.com/en/index.htm

======
bigmac
This malware uses four 0day vulnerabilities, stolen device driver certs, and
specifically targets industrial control systems. I'll be very interested to
see who it turns out was the target of this attack.

Some more info here:
<http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices>

~~~
bobds
I read that article and I'd really like to read more about this part:

 _"A previous historic example includes a reported case of stolen code that
impacted a pipeline. Code was secretly 'Trojanized' to function properly and
only some time after installation instruct the host system to increase the
pipeline's pressure beyond its capacity. This resulted in a three kiloton
explosion, about 1/5 the size of the Hiroshima bomb."_

EDIT:

Found the story, it might not be entirely true:
<http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage>

------
MutinyCmbntr
Wow, this is some next-generation William Gibson-esque shit right here.

As far as who it's attacking, if the PLC payloads could be unencrypted it might
reveal that they attack a certain kind of device, or perhaps in a certain
installation or configuration. Finding out exactly what those payloads are doing
will be the most interesting, and revealing, of all. The Symantec article says
that the payloads have changed over time, as well.

------
dguido
It's impossible to identify any one target as being "the one" that Stuxnet was
after like the author tries to do in this article. There were tens of
thousands of Stuxnet infections spread throughout the Middle East and Europe
at the time it was discovered. Stuxnet is a piece of malware, it's reusable,
and it was clearly a component of many successful intrusions into control
system networks rather than part of a single attack.

~~~
bigmac
Do you know if it has a command and control component? This author's analysis
seemed to indicate that it was relatively simple, which seemed to be why he
thought it was so focused. Given that it is going to be easy to patch, it will
likely have a short lifetime, no?

~~~
dguido
Yes, it has a C&C component. Symantec and others published a very thorough
analysis of it near when Stuxnet was first discovered.

Why do you think that it will have a short lifetime? Just because a patch is
available doesn't mean that it's been applied.

~~~
bigmac
Maybe it's optimistic, but I'd hope this has caused a big enough stir among
people running Siemens installations that they are taking care of this issue.
If so, that will give it a short lifetime. Even if the individual plant admins
aren't doing so, Siemens must be taking action here, right?

I guess I'm buying into the idea that it's difficult to do attacks against
PLCs for SCADA systems. I have to claim ignorance on that issue, but it sure
seems like it's a hard problem. That difficulty, combined with the relative
sophistication of the malware (four 0days, etc.), lends credence to the idea
that it's a targeted attack.

Additionally, releasing malware that targets something like that and then just
waiting to see which plants you end up owning seems unlikely. What is the
motivation? Once you figure out which ones you own, then you write more custom
attacks against those targets?

~~~
dguido
One of the exploited bugs is a default admin password in Siemens SCADA
equipment. Siemens released a statement shortly after Stuxnet was discovered,
urging admins not to change the default password because it might have
unexpected consequences.

Of course this attack was targeted in the sense that it went after SCADA
equipment, but there was far more than a single target. Like I said, this is
malware and malware is multi-purpose and reusable, and in this case it was
used many, many times. These guys are looking for a story about how a single
target was THE target, but they're missing the big picture.