The story behind the Stuxnet virus

A government-produced worm that may be aimed at an Iranian nuclear plant? Of course it's made headlines.

Bruce Schneier, Forbes commentary, 10.07.10

Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.

As the story goes, the Stuxnet worm was designed and released by a government - the U.S. and Israel are the most common suspects - specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.

Here's what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four zero-day exploits: vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of programmable logic controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines - and, yes, in nuclear power plants.
These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.

If it doesn't find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It's impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location - and that Stuxnet's authors knew exactly what they were targeting.

It's already infected more than 50,000 Windows computers, and Siemens has reported 14 infected control systems, many in Germany. (These numbers were certainly out of date as soon as I typed them.) We don't know of any physical damage Stuxnet has caused, although there are rumors that it was responsible for the failure of India's INSAT-4B satellite in July. We believe that it did infect the Bushehr plant.

Stuxnet was first discovered in late June, although there's speculation that it was released a year earlier. As worms go, it's very complex and got more complex over time. In addition to the multiple vulnerabilities that it exploits, it installs its own driver into Windows. These have to be signed, of course, but Stuxnet used a stolen legitimate certificate. Interestingly, the stolen certificate was revoked on July 16, and a Stuxnet variant with a different stolen certificate was discovered on July 17.

Over time the attackers swapped out modules that didn't work and replaced them with new ones - perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.

Stuxnet has two ways to update itself.
It checks back to two control servers, one in Malaysia and the other in Denmark, but also uses a peer-to-peer update system: when two Stuxnet infections encounter each other, they compare versions and make sure they both have the most recent one. It also has a kill date of June 24, 2012. On that date, the worm will stop spreading and delete itself.

We don't know who wrote Stuxnet. We don't know why. We don't know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.

Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.

Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup - surely any organization that goes to all this trouble would test the thing before releasing it - and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.

Stuxnet also sets a registry value of 19790509 to alert new copies of Stuxnet that the computer has already been infected. It's rather obviously a date, but instead of looking at the gazillion things - large and small - that happened on that date, the story insists it refers to the date Persian Jew Habib Elghanian was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author.
On the other hand, Stuxnet's authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it's impossible to know when to stop.

Another number found in Stuxnet is 0xDEADF007. Perhaps that means "dead fool" or "dead foot," a term that refers to an airplane engine failure. Perhaps this means Stuxnet is trying to cause the targeted system to fail. Or perhaps not. Still, a targeted worm designed to cause a specific sabotage seems to be the most likely explanation.

If that's the case, why is Stuxnet so sloppily targeted? Why doesn't Stuxnet erase itself when it realizes it's not in the targeted network? When it infects a network via USB stick, it's supposed to only spread to three additional computers and to erase itself after 21 days - but it doesn't do that. A mistake in programming, or a feature in the code not enabled? Maybe we're not supposed to reverse engineer the target. By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide. From a foreign policy perspective, that seems dumb. But maybe Stuxnet's authors didn't care.

My guess is that Stuxnet's authors, and its target, will forever remain a mystery.

Bruce Schneier is a security technologist and the chief security technology officer of computer security firm BT.
Reader comments

To most (if not all) of the world outside the US, the date string (if it is a date) 19790509 depicts 5 September 1979 - not 9 May 1979. This is somewhat telling in its own right. Although 19790509 ...
Posted by vancem | 10/08/10 09:08 AM EDT

I keep asking this question about myrtus which is also the gamer tag of someone who held pole position on the leaderboard of a free combat game called Rumble Fighter for a really long time. Isn't i ...
Posted by lissnup | 10/07/10 05:39 PM EDT

I would make speculation maybe someone in Microsoft also get involved? The reason I say that is the Microsoft Security Essential purposely modify files permission. In our lab testing, if you open a ...
Posted by myview | 10/07/10 11:48 AM EDT
