Iran Confirms Stuxnet Caused Damage To Nuclear Sites!

An Iranian Bushehr Nuclear Power Plant executive confirmed on Sunday that its nuclear reactor project had been infected by the Stuxnet virus, but said that no significant harm had been done. The executive did not say what harm had been done, however, or whether months of delays at the Bushehr plant had been caused by the virus.
What is Stuxnet?
Well Stuxnet is much more than a virus and the program is apparently so sophisticated that teams of experts around the world haven’t yet discovered how it works and what it’s capable of doing.
It’s assumed however that a country created the virus and not a person or persons in a basement, and all heads are looking at the US, Israel and China as they are considered the only countries capable of creating the program.
Stuxnet is complex self-replicating malware that uses Windows vulnerabilities to insert itself into SCADA (supervisory control and data acquisition) industrial control systems made by Siemens, which it then scans for information to report back to its controllers over the internet.
Under some conditions, it can then take control of the industrial systems, and it can be remotely updated.
Whether or not we’re pleased that the “virus” can slow down Iran’s pursuit of nuclear weapons, what concerns me is that the question that now begs to be answered is, “When will sophisticated programs of this sort start taking over the power plants, water distribution etc and even the military installations of countries deemed to be enemies?”.
A spokesman in Iran just announced that a few laptops are infected and they are trying to figure out how to remove the Stuxnet program.
I don’t like the terms malware or virus for something like this that’s so well intentioned.
“A few laptops”, heh heh heh.
The plant has been having problems for months and has the worm, as do the other plants in Iran.
The program has layers of defenses and can be remotely reprogrammed, so it’s not just a matter of hitting a delete button, or even reformatting disks because the program will reinstall over the network.
The program was written at least 18 months ago and the programmers obviously knew that it would eventually be discovered.
Do you think they’ve been sitting on their asses for the last 18-24 months?
There is probably another virus already in the system too.
I read that it was first discovered in Belarus and not Germany, but I guess that’s not really very important.
It’s such a great idea!
Why use planes and rockets when code will do a better job?
Raise and lower the temperature here and there, add some water or reduce it etc.
No need to destroy the plant which the program probably can do.
Just keep causing endless problems.
Oh, and should we be worried that similar programs will be used in warfare?
The threat is very very real and wars will be fought in the near future by programmers and not tanks and planes etc.
Since the US and Israel are allies, and China is the only other country with similar potential, right now our odds are at least 2-1 so we’re looking better than OK for the time being.
Who wrote Stuxnet?
My guess would be that the US and Israel combined to write it, but that’s only a hunch.
Below is a selection of statements made by a German security researcher named Ralph Langner, statements with which most US cyber security experts agree.
Has Stuxnet already hit its target?
It might be too late for Stuxnet’s target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.
Will DEADF007 be the keyword that everyone will soon focus on?
Langner’s analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control.
Who launched the program?
I personally won’t call it a virus or malware.
The finger of suspicion has pointed first at Israel and this is logical as Israel is in the first tier of both the technical and espionage leagues.
Israel is undoubtedly trying to sabotage Iran’s nuclear facilities in a variety of ways but that said, it doesn’t mean that Israel is responsible, only that it is among the main suspects.
The other possibilities include the Americans, British, Germans, Chinese and Indians, all of whom probably have the technological capability.
And it’s perhaps worth mentioning that the Germans and Israelis have a strong political and intelligence relationship.
More Surprises About Stuxnet
It was originally reported that Stuxnet could steal code and design projects and also hide itself using a classic Windows rootkit, but we now know it can also do much much more.
We now know that Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems.
In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet.
So, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
How Does It Hide Injected Code
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.
Stuxnet contains 70 encrypted code blocks. Some appear to replace “foundation routines” that take care of simple yet very common tasks, such as comparing file times; others are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.
How Does It Compare To Previous Malware Programs? It Doesn’t!
By writing code to the PLC, Stuxnet can potentially control or alter how the system operates.
A previous historic example includes a reported case of stolen code that impacted a pipeline.
The code was secretly “Trojanized” so that it functioned properly at first and only some time after installation instructed the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three-kiloton explosion, about 1/5 the size of the Hiroshima bomb.
How To Remove it? Good Luck!
In addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet also need to audit for unexpected code in their PLC devices. Security giant Symantec is still examining some of the code blocks to determine exactly what they do and has just announced that it will have more information soon on how Stuxnet impacts real-world industrial control systems.
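To make the two points above concrete (the hooking of enumeration, read and write functions that hides injected PLC blocks, and the advice to audit PLCs for unexpected code), here is an added Python example. It is not code from the original post and not Siemens’ or Symantec’s tooling: it simulates a toy PLC block store, a “hooked” programming-software view that filters hidden blocks, and an audit that compares a commissioning-time hash manifest against what a given view reports. Block names, block contents and the hook behaviour are constructed assumptions, not the real S7 block format.

```python
import hashlib
from typing import Dict, List, Set

# Constructed toy "PLC memory": block name -> block bytes.
# Names and contents are placeholders, not Siemens S7 blocks.
CLEAN_PLC: Dict[str, bytes] = {
    "OB1": b"CALL FC1; CALL FC2",   # main cycle organisation block
    "FC1": b"compare file times",    # a simple 'foundation routine'
    "FC2": b"read sensors",
    "DB1": b"process data",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(memory: Dict[str, bytes]) -> Dict[str, str]:
    """Trusted manifest of block hashes, recorded at commissioning time."""
    return {name: sha256_hex(code) for name, code in memory.items()}


def infect(memory: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed infected state: one extra block is injected and OB1 is
    rewritten to call it. Placeholder text only, not real PLC logic."""
    infected = dict(memory)
    infected["FC_INJECTED"] = b"placeholder injected block"
    infected["OB1"] = b"CALL FC_INJECTED; CALL FC1; CALL FC2"
    return infected


class DirectView:
    """Enumeration/read/write through a trusted path, e.g. a known-clean
    engineering station whose software has not been hooked."""

    def __init__(self, memory: Dict[str, bytes]) -> None:
        self.memory = memory

    def list_blocks(self) -> List[str]:
        return sorted(self.memory)

    def read_block(self, name: str) -> bytes:
        return self.memory[name]

    def write_block(self, name: str, code: bytes) -> bool:
        self.memory[name] = code
        return True

    def snapshot(self) -> Dict[str, str]:
        """Hashes of every block this view is able to see."""
        return {n: sha256_hex(self.read_block(n)) for n in self.list_blocks()}


class HookedView(DirectView):
    """Simulates the hooked programming software described in the post:
    hidden names are dropped from enumeration, reads of them fail, and
    writes to them are refused so they are never overwritten."""

    def __init__(self, memory: Dict[str, bytes], hidden: Set[str]) -> None:
        super().__init__(memory)
        self.hidden = hidden

    def list_blocks(self) -> List[str]:
        return [n for n in super().list_blocks() if n not in self.hidden]

    def read_block(self, name: str) -> bytes:
        if name in self.hidden:
            raise KeyError(name)  # the block "does not exist" to this view
        return super().read_block(name)

    def write_block(self, name: str, code: bytes) -> bool:
        if name in self.hidden:
            return False          # hooked write: hidden block is protected
        return super().write_block(name, code)


def audit(baseline: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a hash snapshot against the trusted manifest."""
    return {
        "unexpected": sorted(set(observed) - set(baseline)),
        "missing": sorted(set(baseline) - set(observed)),
        "modified": sorted(n for n in baseline
                           if n in observed and observed[n] != baseline[n]),
    }


def demo():
    """Run the audit through the hooked view and through a trusted view."""
    baseline = make_baseline(CLEAN_PLC)
    infected = infect(CLEAN_PLC)
    via_hooked = audit(baseline, HookedView(infected, {"FC_INJECTED"}).snapshot())
    via_direct = audit(baseline, DirectView(infected).snapshot())
    return via_hooked, via_direct


if __name__ == "__main__":
    hooked, direct = demo()
    print("audit through hooked software:", hooked)
    print("audit through trusted path:   ", direct)
```

The point the simulation makes: a hash manifest still flags the rewritten OB1 even through the hooked view, but the injected block only appears when the inventory is taken through a path the rootkit has not hooked. An audit run from the infected engineering station is therefore not enough on its own.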
Does the above sound like sometime in the near future?
Before August?
Oops, there were problems.
Before October? Before November?
And what will Stuxnet do when Bushehr does go online?
Nobody knows yet, except those that wrote the code.
TEHRAN says that new versions of Stuxnet are spreading!
Iran suspects that a foreign organization or nation designed “Stuxnet,” a quickly mutating computer worm that has been infiltrating industrial computer systems in the Islamic republic, a high-ranking official said Monday.
“We had anticipated that we could root out the virus within one to two months,” Hamid Alipour, deputy head of Iran’s Information Technology Co., a part of the ministry of communication and information technology, told the Islamic Republic News Agency. “But the virus is not stable, and since we started the cleanup process three new versions of it have been spreading,” he said.
Did China invent Stuxnet?
As speculation mounts that Israel’s military created the Siemens-targeting Stuxnet worm, a US security researcher claimed to have evidence Stuxnet was also responsible for destroying an Indian broadcasting satellite.
“There are more and better theories to explain Stuxnet’s motivation than just Israel and Iran, as others have posited,” Jeffrey Carr, author of “Inside Cyber Warfare” and Forbes‘ The Firewall blog wrote.
While Stuxnet had found its way into Iran’s first nuclear power plant, Carr said the Indian Space Research Organisation (ISRO), which used the vulnerable Siemens devices, had also fallen victim to Stuxnet, and Carr suggested that China was behind the attack.
On July 9, half the transponders on India’s three-year old INSAT-4B satellite shut down unexpectedly due to a solar panel failure.
And according to Carr’s research, which he will present at the Abu Dhabi Black Hat conference in November, two staff at ISRO’s Liquid Propulsion Systems Centre confirmed that it used the Siemens S7-400 PLC and SIMATIC WinCC, which will allegedly “activate the Stuxnet worm”.
Siemens’ PLC is a Programmable Logic Controller, which allows industrial control systems to be programmed from a Windows machine, according to Symantec researcher Nicolas Falliere.
The Indian Space Research Organisation attempted to resolve the power problem, but announced last week the satellite was completely ruined and would be replaced with GSAT 5 by December.
China and India are competing with each other to see which of them will be the first to land an astronaut on the Moon and China has announced a date of 2025 while India is claiming 2020.
When Ralph Langner told a reporter from BBC Worldwide that there are probably only ten people on the globe right now who are capable of inventing and implementing this attack vector, and three of them could be found in Langner’s office, the reporter was smart enough to ask,
“Did you do it? “.
Langner answered, “No, we didn’t” and went on to say that, as far as their experience and crystal ball go, “neither Israel nor the US presently have the capability”.
Which begs the question, “If not the US or Israel then who?”
China, Russia and India spring to mind with Russia being the most likely since it doesn’t want a radical Muslim state with a nuclear bomb on its doorstep, and Russian technicians would have found it easy to insert the code from a flash drive.
A senior Iranian military official says Iranian experts have determined that the United States and Israel were behind a computer worm known as Stuxnet which harmed Iran’s nuclear program.
Gholam Reza Jalali says “Investigations by Iranian experts show that Stuxnet originated from the US state of Texas and Israel”.
Jalali heads a military unit called Passive Defense that primarily deals with sabotage and his comments were reported on Saturday (April 17, 2011) by Iran’s official IRNA news agency.
Iran previously acknowledged that “Stuxnet hit a limited number of centrifuges” at its main uranium enrichment facility which is the centerpiece of its nuclear program.
Leave it to Israel to figure a way to outsmart the Iranians, now they are just ticked off.
As a spy mission it was successful.
It’s what you always want to do to your enemies, mess up their programs any way possible.
The USA and Israel should be regarded as heroes if the story is true.
Now that’s what I call “heroic acts of resistance”.
Without taking even one human life, I’m loving it. Hey Iran, How does it taste?
You peddle death, Israel peddles brilliance.
I’m looking forward to more of the same.
Good going!!
Iran Claims It Has Detected A Second Cyber Attack
Stuxnet and Stars!
Iran’s commander of civil defense, Gholamreza Jalali, announced on Monday that “a new virus, called ‘Stars’, is now being investigated by experts” and added:
“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations”, but he didn’t specify the target of Stars or its intended impact.
“The particular characteristics of the Stars virus have been discovered. The virus is congruous and harmonious with our computer system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations”.
Jalali then added that the Stuxnet worm, which was discovered in computers at Iran’s Bushehr nuclear reactor last year, still posed a potential risk.
“We should know that fighting the Stuxnet virus does not mean the threat has been completely tackled, because viruses have a certain life span and they might continue their activities in another way”.
A star is born, bravo!
@Knopfman
Thanks for all the valuable information on the Stuxnet worm. In reading the post, I found that I became more and more curious about this extreme virus. People fear viruses because they know all the things they can do to the information on their computer. There’s a known purpose. However, for an extreme virus such as this, my fear comes from what is not known about it.
The world’s most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, is set to be revealed Wednesday by online security firm McAfee, and analysts are speculating that China is behind the attacks.
The spying was dubbed “Operation Shady RAT,” or “remote access tool” by McAfee.
Analysts told The Washington Post that the finger of blame for the infiltration of the 72 networks — 49 of them in the U.S. — points firmly in the direction of China.
California-based McAfee would only say it believed there was one “state actor” behind the attacks, but the security firm declined to name it or many of the victims.
McAfee researchers discovered a “command and control” server in 2009 while investigating some attacks against defense contractors, Reuters reported. In March of this year, they returned to that computer and found logs revealing all of the attacks, the agency said.
While McAfee investigators can only guess what exactly was stolen, McAfee vice president of threat research Dmitri Alperovitch said the attacker looked for data that would give it military, diplomatic and economic advantage, Reuters reported.
McAfee found evidence of security breaches as far back as mid-2006, but said that it’s possible the hacking began before that, Reuters reported. Some attacks lasted just a month, while others lasted for more than two years.
The attacks were carried out using spear-phishing emails, tainted with malicious software, sent to specific people at the organizations they targeted. When people clicked on an infected link, the intruder was able to jump onto the machine and use it to infiltrate the organization’s computer network, Reuters said.
The governments of Canada, India, South Korea, Taiwan and Vietnam were also hit, as were the Association of Southeast Asian Nations, the International Olympic Committee, and the World Anti-Doping Agency, Reuters reported.
The hackers sought out sensitive data on U.S. military systems and satellite communications, with the snooping apparently going on for several years.
Companies in construction, steel, energy, solar power, technology, accounting and media were targeted.
The intrusion into the U.N. computer system in Geneva in 2008 went unnoticed for nearly two years, while the hackers quietly combed through files of secret data, according to McAfee.
Many of the attacks targeted organizations linked to Taiwan and the IOC in the months leading up to the 2008 Beijing games, which pointed analysts toward China.
“This is the biggest transfer of wealth in terms of intellectual property in history,” Alperovitch told Reuters. “The scale at which this is occurring is really, really frightening.”
Israel was not attacked?!
There’s a great in-depth story over at Wired.com entitled, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History".
It’s a long read but is detailed and I found it fascinating.
I personally wouldn’t call it “malware” since its intent was or is to stop Iran from producing nuclear weapons.
Iran admitted yesterday that some of its computer systems have been infected by a new Stuxnet-like virus called Duqu.
The virus was discovered several months ago and is believed to be a more advanced version of the Stuxnet virus which attacked Iran’s Natanz nuclear facility last year.
Stuxnet is believed to have destroyed about 1,000 centrifuges at Natanz that were being used to enrich uranium.
The head of Iran’s civil defense branch Brig.-Gen. Gholamreza Jalali told the official IRNA news agency that, “Duqu was discovered inside computer systems but Iran had developed a way to contain and neutralize the malware”.
“All facilities and equipment that were affected with this virus have been cleaned, and the virus is under control”, he said according to Tehran Times.
And look what an Iranian spokesman had to say today.
“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.”
Seems like everything they say must be taken with more than a pinch of salt.
Security experts have discovered a new data-stealing virus dubbed Flame, and found that the largest number of infected machines are in Iran, followed by Israel and the Palestinian territories, then Sudan and Syria.
Experts say the virus has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign.
Check out the Flame PDF file.