
How Stuxnet was deciphered - paulsilver
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/
======
landhar
"On June 17, 2010, Sergey Ulasen was in his office in Belarus sifting through
e-mail when a report caught his eye. A computer belonging to a customer in
Iran was caught in a reboot loop — shutting down and restarting repeatedly
despite efforts by operators to take control of it. It appeared the machine
was infected with a virus."

I am curious as to what in the Stuxnet code and/or the client computer caused
this. From the rest of the article, Stuxnet went to great lengths to stay
undetected. Anyone have clues?

~~~
nikcub
Most worms have an 'installed' marker somewhere on the system. The loader will
check the marker and, if it is not present, will install and reboot. My sense
is that the marker wasn't being set properly, resulting in this bug.

I had the same bug in a worm I wrote. I was storing the marker in the local
user part of the registry, which was being loaded from the domain controller,
so the bit wasn't being retained.
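
The marker-check loop described above, as an added example that is not code from the article, from Stuxnet, or from the commenter's worm. It models a toy loader that installs and requests a reboot whenever its 'installed' marker is absent, backed by two kinds of store: a local one whose writes survive a reboot, and a roaming one whose contents are reloaded from a hypothetical domain-controller profile on every boot, so a locally written marker is discarded. A defender-side heuristic over boot timestamps is included; the marker key name, the store classes and all timestamps are assumptions.

```python
"""Installed-marker check and the reboot-loop failure mode (added example)."""
from dataclasses import dataclass, field

# Hypothetical registry path used as the 'installed' marker; not a real indicator.
MARKER_KEY = r"Software\Example\Installed"


class LocalStore:
    """HKLM-style store: a value written here is still there after a reboot."""

    def __init__(self):
        self.values = {}

    def get(self, key):
        return self.values.get(key)

    def set(self, key, value):
        self.values[key] = value

    def on_boot(self):
        pass  # nothing is reloaded; local writes persist


class RoamingStore:
    """HKCU-style roaming profile: on every boot the profile is pulled from the
    domain controller's copy, so a marker written locally and never synced
    back is lost. This is the failure mode the comment above describes."""

    def __init__(self, dc_copy=None):
        self.dc_copy = dict(dc_copy or {})
        self.values = dict(self.dc_copy)

    def get(self, key):
        return self.values.get(key)

    def set(self, key, value):
        self.values[key] = value  # local only; never written back to the DC

    def on_boot(self):
        self.values = dict(self.dc_copy)  # local changes discarded


@dataclass
class Host:
    store: object
    boots: int = 0
    installs: int = 0
    log: list = field(default_factory=list)


def loader_run(host):
    """One pass of the loader. Returns True if it asked for a reboot."""
    if host.store.get(MARKER_KEY) == "1":
        host.log.append("marker present, staying quiet")
        return False
    host.installs += 1
    host.store.set(MARKER_KEY, "1")
    host.log.append("installed, rebooting")
    return True


def simulate(host, max_boots=10):
    """Boot the host until the loader stops requesting reboots or max_boots is
    reached. Returns (boots, installs, looping)."""
    while host.boots < max_boots:
        host.boots += 1
        host.store.on_boot()
        if not loader_run(host):
            return host.boots, host.installs, False
    return host.boots, host.installs, True


def reboot_loop_suspected(boot_times, window=600, threshold=3):
    """Defender-side heuristic over boot event timestamps (seconds): True if
    at least `threshold` boots fall inside any `window`-second span."""
    times = sorted(boot_times)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("local store:  ", simulate(Host(LocalStore())))    # (2, 1, False)
    print("roaming store:", simulate(Host(RoamingStore())))  # (10, 10, True)
    # constructed boot timestamps: three boots within five minutes
    print("loop suspected:", reboot_loop_suspected([0, 120, 300]))  # True
```

The point of the two stores is that the loader's logic is identical in both runs; only where the marker lives changes, and that alone turns a one-time install into an unbounded install-and-reboot cycle, which is exactly what an operator sees as a machine that will not stay up.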

------
Roritharr
This is easily the most interesting article I've read in the past 6 years.

~~~
funkah
I really enjoyed it as well. It provides enough technical detail while still
being accessible. Some of the analogies are a bit of a stretch, but you'll
have that.

I was disturbed by the implication that the researchers should stop
investigating Stuxnet (or refrain from publishing) because of the possibility
that it was a US or Israel covert op. There are so many problems with that
reasoning, and I'm glad they weren't swayed by it.

~~~
nutjob123
Will you still hold that opinion if Iran develops and uses nuclear weapons?

~~~
3pt14159
Not sure if this is a username troll, but at this point _many_ people had the
Stuxnet code, so all that would have happened if they didn't publish their
findings is that it would have increased the risk to _our_ power plants, because
publishing made it more accessible to the people who are actually in the
position of defending our power plants, whereas enemy clandestine intelligence
agencies would have the motivation to analyse the code anyway and re-purpose it
for an attack.

Furthermore, even if Iran does make WMDs, they do not pose a serious threat to
Israel or the United States. Their delivery systems (missiles/rockets) are
very antiquated and can be reliably intercepted, and a suitcase nuke has an
extraordinarily low yield. And even if they somehow gain the capability to
effectively use their WMDs, they would not do so due to MAD.

~~~
felipemnoa
MAD is the argument against nuclear war when the actors are somewhat
reasonable. What happens if you get unreasonable actors that don't really care
who dies, their countrymen and themselves included? At that point, we are
totally screwed. I would be surprised if this type of person doesn't exist.
Let's hope they never get near a nuclear weapon.

~~~
pavpanchekha
Somehow Khrushchev, Stalin, and friends were not crazy enough. It's easy to call
someone a nutjob. It's hard to know what it's like to face the sober
realization that you _could_, if you wanted, end human life on earth.

~~~
stickfigure
I'm relatively comfortable with corrupt politicians in control of nuclear
weapons. Their motivations are clear and predictable.

You cannot say the same of True Religious Believers.

------
sambeau
As software now sits between pedal and brake, and cars are beginning to be
increasingly connected, should we expect to see more assassinations performed
this way?

Google now has a fully-functional driverless car and at least one US state has
approved their use on the road.

Who needs polonium when you can send a virus out to seek a car?

~~~
mkr-hn
It's a complex attack vector for a simple problem. If you have enough access
to tamper with the software, why not just remove the cap from the brake fluid
reservoir? It's faster than figuring out how to access the PCM [1] (to tinker
with the throttle code) and less likely to fail.

And it would be catastrophically poor planning on the part of car designers to
make car firmware remotely modifiable. We're not talking about general purpose
computers here.

[1] <http://en.wikipedia.org/wiki/Engine_control_unit>

~~~
sambeau
It's a vector, however, that needs no physical access to the car. It can be
launched remotely from another country.

Who would have thought a centrifuge could be attacked in this way?

~~~
FaceKicker
> It's a vector, however, that needs no physical access to the car.

Are you sure about that? I can't imagine they'd put these autonomous driving
systems on the network... Didn't Stuxnet itself require at least physical
access by proxy in that it was propagated through USB drives being physically
used in the victim's systems?

~~~
owenmarshall
Many cars have Bluetooth support.

All it takes from there is the engineer putting the powertrain bus/ECU on the
same network with the Bluetooth adapter.

As I posted below, my Saab's engine control unit can be reprogrammed by
splicing a few wires onto the CD harness. That means the audio network can at
least access the ECU. I don't have a Bluetooth adapter on my car, but if I
did, I'd wager it can access the audio network...

~~~
FaceKicker
Good point. I'd hope the regulatory system will require that systems that can
make the car move be totally isolated from any other systems, but who knows.

~~~
Create
...Assuming it works as advertised, there are some handy features, including
the ability to remotely lock and unlock the car, fire up the climate control,
see how much gas is in the tank, look up in Google Maps where you left your
car, and check if the lights are on.

[http://www.reghardware.com/2011/07/06/review_cars_volvo_s60_...](http://www.reghardware.com/2011/07/06/review_cars_volvo_s60_drive/page2.html)

------
ugh
I always liked this talk by Bruce Dang at 27C3 (December 2010), telling (part
of) Microsoft’s side of the whole Stuxnet saga:
<http://www.youtube.com/watch?v=73HlkCI-GwA>

------
yread
The article reminded me of a virus I've heard about. Supposedly, it was
accessing rotating media (hard disk, floppy disk? I don't remember) in
different patterns and monitoring the failure rate for each pattern. Then it
would keep accessing it in the pattern that caused the most errors, which would
kill the hardware device, as the errors were supposedly from resonances caused
by movements of the read heads and would cause physical stresses in the
device.

Anybody else heard about that?

~~~
Create
Commodore 1541 FDD, but it was serviceable.

ps: also similar was setting "unfriendly" scan rates for unprepared CRTs, and
the Samsung notebook HDD "click of death".

memoryhole:

[https://secure.wikimedia.org/wikipedia/en/wiki/Commodore_154...](https://secure.wikimedia.org/wikipedia/en/wiki/Commodore_1541#The_drive_head_misalignment_issue)

though my all time favourite is the ping

------
Swannie
I enjoyed reading along about this on the Langner blog during late last year
and early this year.

He was often the first to break news about new understanding in the PLC
related code, and at the time was given very little credit for it. Yet without
him it would probably have taken a LOT longer to get to the bottom of this.

If you want an example of an interesting post from his blog:
<http://www.langner.com/en/2011/02/22/intercept-infect-infiltrate/>
Here he talks about a nice attack vector, that seems obvious if you have
access to bits of the postal infrastructure in Germany...

And: <http://www.langner.com/en/2010/11/15/417-attack-code-doing-the-man-in-the-middle-on-the-plc/>
Here he talks about the man-in-the-middle attack, which meant that the PLCs
reported back correct frequency/speeds to the operators, whilst doing something
nasty underneath.

I'm waiting for a good book to come out that details all of the stuff in this
attack. It's pretty stunning work.
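
The "report correct values to the operators while doing something nasty underneath" pattern from the comment above, as an added example that is neither Langner's code nor Stuxnet's. It is a toy model: a PLC reads a motor frequency from a drive and exposes it to the operator HMI; the attack hooks that read path, records a window of genuine readings, then drives the motor out of spec while replaying the recording to the HMI. A defender-side check compares the HMI value with a measurement the PLC code cannot touch, such as a separately wired tachometer or power meter. The class names, the setpoint of 1000 Hz, the attack frequency and the scan cycles are all constructed for this example.

```python
"""Record-and-replay man in the middle on PLC process values (added example)."""
import itertools


class Drive:
    """Frequency converter driving a motor. target_hz is what the PLC commands;
    read_hz() is what a tachometer wired directly to the motor would measure.
    Toy model: no ramp-up, no noise."""

    def __init__(self, hz):
        self.target_hz = hz

    def set_hz(self, hz):
        self.target_hz = hz

    def read_hz(self):
        return self.target_hz


class PLC:
    """The PLC's read path to the HMI. `hooks` models attack code that has been
    inserted into the PLC program and sits between the drive and the HMI."""

    def __init__(self, drive):
        self.drive = drive
        self.hooks = []

    def read_for_hmi(self):
        value = self.drive.read_hz()
        for hook in self.hooks:
            value = hook(value)
        return value


class ReplayAttack:
    """Records `record_len` genuine readings, then changes the drive frequency
    and replays the recording in a loop so the HMI keeps seeing normal values."""

    def __init__(self, plc, record_len, attack_hz):
        self.plc = plc
        self.record_len = record_len
        self.attack_hz = attack_hz
        self.recorded = []
        self.replay = None
        plc.hooks.append(self.hook)

    def hook(self, genuine):
        if len(self.recorded) < self.record_len:
            self.recorded.append(genuine)   # recording phase: pass through
            return genuine
        if self.replay is None:
            self.replay = itertools.cycle(self.recorded)
            self.plc.drive.set_hz(self.attack_hz)  # the nasty part begins
        return next(self.replay)


def run_cycles(plc, drive, n):
    """Run n scan cycles. Returns a list of (hmi_value, independent_value),
    where independent_value is read straight from the drive, bypassing the PLC."""
    samples = []
    for _ in range(n):
        hmi = plc.read_for_hmi()
        independent = drive.read_hz()
        samples.append((hmi, independent))
    return samples


def divergence_alarm(samples, tolerance_hz=5.0, min_consecutive=3):
    """Alarm when HMI and independent readings differ by more than tolerance_hz
    for min_consecutive cycles in a row. Returns the index of the first cycle
    of the alarming run, or None if the two signals agree."""
    run_start, run = None, 0
    for i, (hmi, independent) in enumerate(samples):
        if abs(hmi - independent) > tolerance_hz:
            run += 1
            if run == 1:
                run_start = i
            if run >= min_consecutive:
                return run_start
        else:
            run, run_start = 0, None
    return None


if __name__ == "__main__":
    drive = Drive(1000.0)          # constructed nominal setpoint
    plc = PLC(drive)
    ReplayAttack(plc, record_len=5, attack_hz=1400.0)  # constructed values
    samples = run_cycles(plc, drive, 12)
    for i, (hmi, independent) in enumerate(samples):
        print(f"cycle {i:2d}: HMI sees {hmi:7.1f} Hz, motor actually at {independent:7.1f} Hz")
    print("alarm at cycle:", divergence_alarm(samples))  # 5
```

The HMI column never changes, which is the whole point of the replay: any check that only consumes what the PLC reports is blind to the attack. The alarm only works because `run_cycles` reads the drive through a path the hooked PLC program does not sit on; in a real plant that is an out-of-band sensor feeding a separate system, not another tag on the same PLC.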

------
namank
The whitepaper:
[http://www.symantec.com/content/en/us/enterprise/media/secur...](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf)

------
aorshan
<http://vimeo.com/25118844> is a really cool video that helps explain a lot of
the same information about the virus. Not as technical, but it is still very
interesting.

~~~
joshstrange
I saw this video back when it was first uploaded, very interesting video and
well done

------
Amincd
It's funny that the US is spending so many billions of dollars trying to
sabotage Iran's economy and nuclear plant, when the country poses zero threat
to the US, and the US faces enormous fiscal challenges.

When I write funny, I mean utterly tragic, wasteful and a result of a
relentless propaganda campaign which has resulted in every political candidate
falling over themselves to prove how committed they are to facing down the
menacing Iranian threat.

~~~
iwwr
The propaganda is mutual. The US finds it convenient to have an enemy, while
Iranians are cowed into supporting the ayatollahs for fear of US invasion. This
is a dangerous kind of equilibrium.

------
bshep
Very interesting read. Although I would have preferred if they hadn't said the
ending at the beginning of the article.

~~~
hardy263
The difference between stories and technical papers is that stories leave the
conclusion for the ending and technical papers put the ending at the
beginning. The article seems to share a bit of both.

------
evilswan
Have to agree with other posters - Best article I've read on Stuxnet - good
job.

------
pnathan
This is a particularly well-written article by Wired.

------
cesar
This is an extremely well put article. The series of events and the way that
it was written kept me reading it to the end. It was a very interesting
article.

------
hammock
I dislike these magazine articles posted online that are some 8 pages long and
the entire first page is simply the hook, no real info. Sorry, I am not going
to read you, especially if I came to you not for a feature story, but for a
piece of specific news info, e.g. "how stuxnet was deciphered."

Am I the only one who feels this way?

edit: not sure why opinion = downvoted.

~~~
rsingel
Because it's lazy tl;dr thinking. It's an extremely well-written article and
there's an easily found view-as-one-page button at the bottom.

~~~
hammock
Dude you are a writer for Wired.com. I'm not surprised that you would bristle
at my criticism.

