
Stuxnet Questions and Answers - Garbage
http://www.f-secure.com/weblog/archives/00002040.html
======
njharman
Stuxnet amazes me. My first tech job was (in part) installing anti-virus on
every computer in the Univ KS Library system, 1989-90. MS-DOS days. I've been
an avid watcher (not expert) of malware since. I've watched the Internet
arrive and embedded computer/automation revolutions. This 20yr perspective
brings me to the following conclusion.

Other than "jacking in" and other fluff, Stuxnet does pretty much exactly the
kinds of things that CyberPunk Sci-fi described a decade ago.

I flippin love living in the future.

~~~
rm-rf
"Your computer is now stoned."

~~~
adrianwaj
The Iranian regime is now stoned. How happy I am with Stuxnet.

~~~
danbmil99
You'll be less happy when China uses the same techniques to destroy Google.

~~~
adrianwaj
Stuxnet is real. Your scenario is unrealistic.

------
rm-rf
The F-Secure Q&A is relatively free from speculation. That's unusual for this
particular event.

------
iuguy
This is quite possibly the best Q&A on Stuxnet I have seen. Kudos to F-Secure
for not overhyping it.

------
chris_l
This reads like a section from a sci-fi novel. Once more reality is catching
up with cyberpunk.

I'd love to know what it's supposed to do when it reaches its target. Surely
the creator would have had to have some sort of blueprints for the target
system to successfully set it up to create more than collateral damage.

~~~
humbledrone
I'm very curious about what it's supposed to do as well. I work with SCADA
systems, and I can confirm that it would be difficult/impossible to tell
without knowing exactly what system it's targeting. SCADA systems are often
controlled by writing to "points," which typically have numeric addresses. So
point 35 might control the valve position in one installation, but it could
control something totally different in another. You'd need to know the layout
of the targeted system to know what parameters are controlled by what points.

~~~
sunburnt
_Q: What does it do with Simatic? A: It modifies commands sent from the
Windows computer to the PLC. Once running on the PLC, it looks for a specific
factory environment. If this is not found, it does nothing._

So it seems that there is one factory layout Stuxnet is looking for. I.e. it
will know what point 35 is.

~~~
borism
Is it possible to determine which factory environment you're in? Maybe it just
tries the same combination in each and every environment it gets to?

~~~
uxp
Considering the size of the file (and the fact that I have not examined StuxNet),
I'd assume that there is a good chance it has enough logic to determine which
factory it is in by pure brute force.

If the main fan control gives a fairly standard reading, it shouldn't be too
difficult figuring out what the particular factory it has infiltrated has
wired that point to, for example.

Also, I haven't heard anything definitive on what kind of factory this is
targeting. I do know that there aren't many companies that develop and design
high tech industrial facilities. Despite StuxNet having infected thousands
(millions) of personal PCs, it really is only looking for maybe a few dozen or
so in the world that are of the right type. Combine that with a low number of
factory designs, and it could very well have a pre-determined database of how
its intended targets are wired.

------
Tycho
It said the registry key Stuxnet plants to indicate whether a system is
already infected has the value 19790509. Then it said an Iranian Jewish
businessman was executed on that date for spying. Also the home directory
where the virus was originally compiled was called Myrtus, which may contain
another clue...

~~~
eli
I'm not really buying this. You're making a lot of assumptions. That Iran is
the target, that the number is a date, that the date refers to that particular
event, etc.

The link between the word "Myrtus" and the Old Testament seems _really_
strained. It's the name of a plant. It features prominently in Greek mythology
-- maybe the Greeks did it?

~~~
acqq
I also vote for a plant, as the second mentioned name is Guava and there is

"The Chilean Guava (Ugni molinae, also called Myrtus ugni or Eugenia ugni)"

see: <http://www.strangewonderfulthings.com/206.htm>

~~~
eli
Good point. It could well be that the files are named after plants the same
way some people name their servers after colors or smurfs or whatever.

------
TrevorJ
"Q: How could governments get something so complex right? A: Trick question.
Nice. Next question."

That one caught me off guard.

------
twymer
"Siemens announced last year that Simatic can now also control alarm systems,
access controls and doors. In theory, this could be used to gain access to top
secret locations. Think Tom Cruise and Mission Impossible."

I've been reading pretty much everything I can find about Stuxnet so far, but
haven't heard this before. If it's true, Stuxnet might really be living up to
the hype that it's the "first malware of its kind."

------
16s
I've read that there are three stolen Microsoft Authenticode certificates
being used by the Stuxnet authors to sign the malware. I've used this sort of
cert myself to sign executables. They require passphrases to use. I could
believe that they cracked one passphrase to use one cert, but three? All from
different companies too.

~~~
mfukar
It's much more likely that the certificates used were stolen (from Realtek
Semiconductor Corp.) than cracked.

~~~
16s
Yes, but the point is that in order to use a stolen cert, you need the
passcode _and_ the cert. They somehow got three certs and three passcodes from
three different companies.

~~~
mfukar
That's right. However, I think that if I were in a position to steal a
certificate, it'd be trivial to also get the pass[code|phrase|whatever],
assuming there even was one to begin with. ;-)

~~~
ralphc
Realtek and JMicron were in the same building; maybe the third company is as
well?

------
Garbage
One interesting question is: _Q: Was Stuxnet written by a government? A:
That's what it would look like, yes._

~~~
mh_
While it is pretty difficult to answer what a piece of code written by a
government would look like, a useful piece of information is also that the
code targeted 4 different 0-day bugs [1]. If we consider previous reports on
0-day pricing [2], this alone could put the cost of the worm at over $200000,
making it more likely to be built by a well-funded adversary.

[1] <http://en.wikipedia.org/wiki/Zero-day_attack>
[2] <http://weis2007.econinfosec.org/papers/29.pdf>

~~~
InclinedPlane
A talented individual or small team, government funded or not, is going to be
able to research vulnerabilities on their own.

~~~
rouli
Yes, but a talented individual would probably sell those vulnerabilities, since
they are worth so much, rather than use them for some obscure, probably not
money-earning, goal.

~~~
InclinedPlane
That's just moving one layer of indirection. If vulnerabilities are worth
money, presumably so they can be exploited, then why isn't it possible for
someone to be motivated to use vulnerabilities and also have the talent to
discover them?

------
atomical
I could see a lot of nefarious individuals learning from this and using it to
cause tragedies for short-term gain (i.e. shorting a stock). It does seem
quite stupid to open up the door on something that could cause so much harm.

~~~
flipbrad
The possibility of it sinking BP's Deepwater rig was interesting, not
something I had considered before reading it in the Q&A.

------
statictype
Without Autorun enabled, how does code get executed on a USB drive?

~~~
uxp
Even when autorun is disabled, Windows will parse through the autorun.inf
file. This should have been patched with KB967715.

U3 enabled devices have been known to override the default settings in order
to emulate CD-ROM drives.

Double clicking the flash-drive icon can also force execution of binaries, but
I am unsure of how that works and if it is related to the user's autorun
settings or not.

------
somewhere
Does anyone know where to get Stuxnet from? Can't find it on the regular virii
sources...

~~~
pilate
There's at least one sample on OffensiveComputing.

------
ErrantX
Take care. While this does have a lot of clear information about Stuxnet it
also has lots of idle speculation and "wink wink" stuff.

~~~
ErrantX
OK, actually I do retract that. It's an excellent overview - I just didn't
like the small pieces of speculation they did drop in without marking them as
such ;)

