
A computer virus with an entirely new purpose - EGreg
http://news.yahoo.com/s/csm/20100921/ts_csm/327178
======
tptacek
I'm not an expert on Stuxnet (or really malware at all) but this whole thing
seems extremely overblown.

Is it interesting that there's a piece of malware out there that targets
industrial controllers? Absolutely it is. It's _probably_ not just some bored
college kid.

Is it a "cyber missile" aimed at the heart of Iran's nuclear weapons program?
Probably not. Among other things, the IP ranges it's "targeting" aren't
specific to Iran. Also, there's no evidence connecting it to Iran.

Whenever you see a better-than-average piece of offensive computing
technology, your first thought should be "extortion", and your second (distant
second) thought should be "competitive subterfuge". Extortion happens all the
time, and you rarely read about it, because the targets don't want to talk
about it. And, while there's never been a corroborated story about an actual
cross-state offensive strike using IT technology, there have in fact been
cases where industry leaders have whacked on each other using security flaws.

The reporting on Stuxnet seems too captive to tidy and palatable narratives
for me to take seriously. It doesn't help that these stories are sourced
mostly to SCADA security experts. There are some great people working on SCADA
problems, but that field takes everything annoying about computer security PR
and amplifies it.

~~~
eli
What IP ranges? These computers aren't connected to the internet. The article
speculates it was spread by a contractor's infected USB drive.

(I agree that the hyperbole is a bit much, though)

~~~
tptacek
I'm getting this detail secondhand and have probably mangled it. Please know:
I am not a Stuxnet expert.

------
dmlorenzetti
_Cyber security experts say they have identified the world's first known cyber
super weapon designed specifically to destroy a real-world target..._

Allegedly an explosion of a Soviet gas pipeline was caused by a bug
intentionally inserted into control software stolen from the United States.
<http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage>

Not a _cyber_ weapon, but close enough in spirit, I think.

------
extension
I have trouble believing that any moderately sane or respectable nation state
would deploy this thing. It's roughly the equivalent of launching thousands of
missiles at completely random targets around the world, but programming them
to only go off if they land on the enemy, hopefully. It also opens a Pandora's
box of mutations and clones. It's far too evil and stupid for any country
below NK insanity levels.

~~~
tptacek
You got downvoted, but I think this is exactly right: very low chance of
decisive success, maximal chance of embarrassing international incident. Not a
good way to attack a rival regional power.

~~~
nl
Ok, I get your argument that this is overstated, and I wouldn't be surprised
if you are right.

But why would someone have written it then? It's not like they were using it
to try and steal credit card numbers or send spam emails.

It had a very specific purpose, and according to the linked article didn't
seem to require manual intervention to turn on (or off?). It seems to have
been a one-shot thing - wait for a specific set of events, and then run that
mystery command.

Blackmail/Ransom theories are easier to believe than a state-run cyber war
program - but the reported logic of the program seems to make it pretty hard
to blackmail someone with. It appears to have been designed to cause maximum
damage once, with as little warning as possible. That's the opposite of what
you want with a ransom/blackmail situation.

------
pdx
I used to do industrial controls, so let me give the unfamiliar a little
background on these systems.

You have PLCs (programmable logic controllers), often redundant sets of them
for critical systems, that run the code that controls the facility. They are
networked together via proprietary data networks with no internet involved.
These units do not run windows, or any operating system usually. They have no
USB ports, hard drives, or monitors. They are hardened against temperature,
dust, and power fluctuations. Once the facility is running properly, the PLCs
do everything. No humans need to make any decisions about facility operation.

However, sometimes, humans want to tweak a setpoint or override a safety
interlock because they know a sensor is bad, or they want to run a certain
automatic operation in manual, because something has changed in their process.
For this, they have windows based graphics interfaces with pretty animated
pictures of valves and motors and pumps and fans and reactors and pipes and
ductwork, all of which change their state based on the status of the actual
valve or motor or pump or fan. To do that, these windows based PCs are
networked to the PLCs, to query them for state information. So nobody is
"running a factory on windows". Think of these as terminals into your
webserver. If you lose the terminal the webserver keeps on trucking. Also,
just like terminals, you can have as many windows PCs as you want tied into
the PLC network, so if you lose a couple, you still have others, in case
there's something that you really don't want to lose visibility of.

At no point is this network tied to the internet, for obvious reasons.
Usually, the drives are locked out on these systems using physical locks, so
only engineering staff can load anything on them. USB is trickier, as I can
imagine people hooking up legitimate devices such as sirens and flashing
lights and even just speakers for audible alarms, all via USB, which exposes
the USB ports to the operators.

~~~
stonemetal
Sounds like you haven't been in the industry in a while or we just happen to
hit different cross sections. The industrial automation company I worked for
bought off the shelf "Industrialized" PCs dropped in a motion controller card
and went to town. Their older systems ran QNX(real time unix) with the GUI and
all the data right there on the system. Their newer systems were Windows/INtime
(a real-time Windows add-on) based. So yes there are people using windows
to control the system. I have seen systems where there is no air gap between
these windows based systems and the Internet. In fact I have remotely logged
in to systems in plants via vpn and worked from home.

~~~
pdx
> dropped in a motion controller card and went to town

Perhaps we were working on systems of a different scale. Most of the
facilities I controlled had on the order of 2000 - 5000 I/O points and
stretched over several multistory buildings. It sounds like you're doing
motion control of a pick and place machine or something similar. That's also
fun, especially now that you can do so much with optical recognition.

~~~
stonemetal
Yeah we mostly did smaller systems. On bigger jobs we tended to do it as
several smaller systems working together. The largest system we ever did was
several hundred I/O points but that was over maybe 20 systems (we did all
product movement between machines in the place.)

------
aik
How is it that the virus is like a "military-grade guided cyber missile" yet
it is transferred by "memory stick"?

~~~
aik
Here's a much-less-sensationalist description (from symantec.com):

Stuxnet infects Windows systems in its search for industrial control systems,
often generically (but incorrectly) known as SCADA systems. Industrial control
systems consist of Programmable Logic Controllers (PLCs), which can be thought
of as mini-computers that can be programmed from a Windows system. These PLCs
contain special code that controls the automation of industrial processes—for
instance, to control machinery in a plant or a factory. Programmers use
software (e.g., on a Windows PC) to create code and then upload their code to
the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and
also hide itself using a classic Windows rootkit, but unfortunately it can
also do much more. Stuxnet has the ability to take advantage of the
programming software to also upload its own code to the PLC in an industrial
control system that is typically monitored by SCADA systems. In addition,
Stuxnet then hides these code blocks, so when a programmer using an infected
machine tries to view all of the code blocks on a PLC, they will not see the
code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself
on Windows, but is the first publicly known rootkit that is able to hide
injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when
someone uses the software to view code blocks on the PLC, the injected blocks
are nowhere to be found. This is done by hooking enumeration, read, and write
functions so that you can’t accidentally overwrite the hidden blocks as well.

...

Fascinating: <http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices>

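An added, constructed illustration (not code from the Symantec post or from Stuxnet) of why a workstation whose programming software has been hooked cannot audit its own PLC: it models block enumeration being filtered, then cross-checks the workstation's listing against an independent read of the PLC and a commissioning baseline of block hashes. All block names, contents and the hidden set are made up.

```python
import hashlib

# Constructed sample: the PLC's real block directory (name -> code bytes) as an
# independent, trusted reader would enumerate it. Names and contents are made up.
PRISTINE_BLOCKS = {
    "OB_MAIN": b"cycle: read inputs; run logic; write outputs",
    "FC_PUMP": b"pump control: start/stop on tank level",
    "DB_SETPOINTS": b"level_hi=80 level_lo=20",
}
# State after tampering: OB_MAIN altered to call a new, injected block.
CURRENT_BLOCKS = dict(PRISTINE_BLOCKS)
CURRENT_BLOCKS["OB_MAIN"] = b"cycle: read inputs; call FC_INJECTED; run logic; write outputs"
CURRENT_BLOCKS["FC_INJECTED"] = b"(injected logic)"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def hooked_enumerate(blocks, hidden):
    """Models the behaviour described above: hooked enumeration/read calls
    omit the injected blocks, so the infected workstation never lists them."""
    return {name: code for name, code in blocks.items() if name not in hidden}

def audit_blocks(baseline, workstation_view, independent_view):
    """Cross-check three sources: the commissioning baseline (name -> sha256),
    the engineering workstation's listing, and an independent read of the PLC
    (e.g. from a second, known-clean workstation). Returns findings per block."""
    findings = {}
    for name in set(baseline) | set(workstation_view) | set(independent_view):
        if name in independent_view and name not in workstation_view:
            findings[name] = "hidden from workstation"   # enumeration is filtered
        elif name in independent_view and name not in baseline:
            findings[name] = "unexpected new block"
        elif name in baseline and name not in independent_view:
            findings[name] = "missing from PLC"
        elif name in baseline and sha256(independent_view[name]) != baseline[name]:
            findings[name] = "modified since commissioning"
    return findings

BASELINE = {name: sha256(code) for name, code in PRISTINE_BLOCKS.items()}
# What the infected programming software shows: the injected block is filtered.
INFECTED_VIEW = hooked_enumerate(CURRENT_BLOCKS, hidden={"FC_INJECTED"})

def run_audit():
    return audit_blocks(BASELINE, INFECTED_VIEW, CURRENT_BLOCKS)

if __name__ == "__main__":
    for name, finding in sorted(run_audit().items()):
        print(f"{name}: {finding}")
```

The hidden block only surfaces because a second, independent listing is compared against the workstation's; the hash baseline separately catches the altered main block.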
~~~
spyder
Are they really running very critical systems on Windows? Yes, they are :( :
<http://www.neowin.net/news/nuclear-reactor-isnt-using-a-licensed-copy-of-windows>
And another related story from 2003:
<http://www.securityfocus.com/news/6767>

~~~
dfox
They are not. In almost any serious industrial automation application there
are Windows computers, but they are only user interface to some backend system
(that usually runs on some obscure virtual machine running in some even more
obscure RTOS on very specialized hardware)

------
CallMeV
Shadowrun only feels fun when you know it's a game of fantasy. When cyberpunk
concepts previously only seen in the pages of a William Gibson book start
erupting into this mundane, boring world of the daily commute and the weekly
shop, unfolding into the public consciousness like an ink-stained, holographic
neon rose, the fantasy doesn't seem so much fun any more when you're looking
at it from the inside. Not so jolly when it ceases to be a game.

------
docgnome
I'm confused. What is the method of delivery for this program? I sure hope no
one is hooking up nuclear power plants to the tubes in such a way that it's
even possible for the computers that control the reaction to make talkies to
anything. That just sounds like a really bad idea. And the plot for a really
bad Hollywood action flick.

~~~
sunir
Sneakernet.

<http://en.wikipedia.org/wiki/Sneakernet>

In this case through USB keys. Presumably people updating software on the
machines or running diagnostics. Possibly USB dongles to unlock the machines.

~~~
docgnome
Right, but I'm assuming that there are controls over nuclear control machines.
That would seem to render this method of "attack" rather impractical unless
you had an inside man. In which case it seems a rather roundabout method of
sabotage vs just planting a bomb or yanking some wires or something.

~~~
azernik
From the article, speculation is that the virus was embedded on the USB drive
of a contractor who works on multiple setups, possibly without his or her
knowledge; one of the virus's most interesting features is that it can then
spread, without user intervention, as soon as the USB drive is plugged into a
vulnerable machine, and from that machine can spread onto other USB drives
plugged in later.

It doesn't take an inside man - only an inside snippet of code, which you can
foist on an unsuspecting worker or consultant. Also, the chain of transmission
can be indirect, so that even if you can't get a physical item into the
target, you can plant it somewhere else where it eventually spreads to the
target (only so many degrees of separation between any two power plants, it
seems).

~~~
docgnome
The problem I have is that a contractor should not be allowed to bring in a
USB dongle to plug into a machine onsite. Hell, the machines shouldn't have
accessible USB ports at all. My other problem is that even if they are allowed
to plug their personal USB stick into a machine, control computers should be
completely isolated from the machines a random contractor would have access
to. I mean seriously? Why would they even be able to talk to one another?

------
bockris
Precursor to IceBreakers in William Gibson's novel Neuromancer?

Life imitates fiction.

~~~
pyre
Life imitates fiction when fiction influences life, or when fiction just
points out basic principles of life.

------
api
The cyberpunk writers like Gibson were the most prophetic of all the sci-fi
authors of the 20th century. This is straight out of the Sprawl trilogy.

------
bigmac
A bit more discussion at <http://news.ycombinator.com/item?id=1699405>

------
ck2
Here's a thought - don't put mission critical computers on the internet?
Remove usb ports?

------
sliverstorm
"Memory stick"? Is this a ram stick or a flash drive?

~~~
astine
Flash drive. There's a number of flash drives that autoexecute when inserted
into a computer. These are a known vector for software infections.

As far as I know, ram doesn't generally hold memory after it's been powered
down. Ram sticks don't make sense as a vector for a virus as far as I can
tell.

~~~
qq66
What if you were to create RAM sticks with a small amount of flash and a
controller onboard, and then swap these with generic RAM sticks?

~~~
blasdel
That would require direct physical access, and if you had that there are a lot
of much easier ways to root a box.

