Stuxnet: Worm for Industrial Sabotage

Written by Jart Armin
9/17/2010 40 comments

Stuxnet is not just another worm, or cybercrime toolkit. It is perhaps the most sophisticated industrial sabotage tool to emerge so far. The good news? This does not infect your home or office PC. The bad news: it is designed to take control of complete industrial plants and systems.

This has been a busy summer and looks to be an even busier fall for malware and threat analysts. The Stuxnet worm has got all manner of us experts involved in analyzing its deepest and darkest orifices. Having examined the worm, on the one hand it is difficult not to admire the way it has been engineered and project managed; on the other hand, we are dismayed at the range of its capabilities.

“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses,” stated Aleks, a Kaspersky Lab Expert and one of the main researchers, in his incident write-up this week.

In one sense, the arrival and potential consequences of Stuxnet -- or something similar to it -- have been anticipated hypothetically for some time, but its arrival brings a sobering reality: industrial espionage on a level that could make the Clearwater Horizon oil spill in the Gulf look like a minor incident.

So what makes Stuxnet so special? It is highly selective and targeted: it can sit installed on a PC without any effect. Only when the PC is running WinCC (Windows Control Center, a PC-based process visualization system) and Siemens SCADA (Supervisory Control and Data Acquisition) software, and is connected to industrial PLCs (programmable logic controllers), does it go to work. It is structured to control all manner of industrial plants, energy complexes, critical infrastructures, and numerous other processes run from such systems.

Actually, this kind of vulnerability is old news that was first reported by Cisco and patched back in July. What makes Stuxnet so special is the multiple vulnerabilities that it exploits. As a Kaspersky Lab announcement states: “This makes Stuxnet truly unique: it is the first threat we have encountered that contains this many surprises in a single package.”

Among the vulnerabilities patched on September 14 is the Windows Print Spooler Service Impersonation Vulnerability, which allows malicious code to be delivered via a printer, either shared-access or networked. Still awaiting correction are two “Elevation of Privilege” vulnerabilities.

So who is behind Stuxnet? It is clearly not targeting financial institutions, or hapless PC users, so a quick grab-and-run is not the intention. Back in July, Symantec reported that nearly 60 percent of Stuxnet attacks were found in Iran. So intelligence gathering and industrial sabotage are its most likely aims -- taking into account the use of stolen trusted Realtek and JMicron digital certificates.

Quite clearly, the ongoing system problems Iran is having with bringing online the Bushehr nuclear power plant help to provide a few pointers.

While many could be tempted to feel reassured that this is only targeting one country’s industrial infrastructure, Stuxnet has now infected between 90,000 and 100,000 systems worldwide. Initially, back in July, Siemens reported just two cases where SCADA systems (i.e., complete plants) were infected. Currently, 15 have been detected, and so far it would appear that no critical infrastructure or production industry has been infected.

Such infected industrial plants are now also in Korea, the US, and the UK. Just as a reality check: When compared with Conficker, which infected millions of PC systems, 15 infected SCADA-based processing plants does not sound like much to concern us. But to help visualize the potential scale -- and without wanting to be alarmist -- just consider: That could be 15 Clearwater Horizon Gulf operations, 15 New York subway systems, 15 Three Mile Islands, or 15 Chernobyls.

— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com

rjacksix
IQ Crew
Friday September 24, 2010 5:51:11 PM
no ratings

The fact that there are "several" zero days and that "hiding mechanisms" and "techniques" that are on the bleeding edge seems to indicate that this is a government sponsored operation.  There is obviously no criminal gain in taking over and reprogramming Siemens PLCs.

Makes you wonder what else is out there that we don't know about, even on our own computers.

Tom Stamulis
Thinkernetter
Friday September 24, 2010 7:59:47 AM
no ratings

aum007,

I would say that the mainstream media is not touching this because they do not want to "know how far the rabbit hole goes". Historically, Israel does not make grand maneuvers like this without informing the US, either before or after, but they do tell us eventually. Additionally, there are very smart people at our three letter agencies that I am sure have deconstructed Stuxnet for themselves and probably have a pretty good idea of its origination.

Israel has always done their own thing, in the name of protecting its state. The current administration cannot take the hit politically before the November elections if it is revealed that we either knew or condoned the Israelis releasing Stuxnet. Especially since they have worked so hard to differentiate themselves from what the Bush administration has been accused of doing for the eight years he was in the White House.

Mike Acker
Rank: Cyborg
Friday September 24, 2010 7:58:45 AM
no ratings

This morning's reading presented on DarkReading

Excerpt

"The concern is the payload: installing a rootkit on the control system and injecting code into PLCs. These are things that cause things to happen in the control system: so there's a potential for some pretty severe damage," he says.

DarkReading 24SEP2010 Article on STUXNET

Note: injecting code and installing rootkits is pretty much the SOP of Bad Behavior for computer attacks. We need to learn to monitor behavior as the only effective defense against malware.

It seems this STUXNET has gotten to the process control computer via USB sticks.  Do we never learn anything? DOS virus codes spread on floppy disks. So we make autorun files for USB sticks which do the same thing, except now you don't even need to wait for the user to re-boot: as soon as he plugs in the USB stick you got him.

Plug in a USB stick: the autorun can install a device driver and enable your twitterpated blue ray gun.  That's OK on a play toy computer but not on business or industrial systems.

There's a bunch of people who need to get their dunce hats on.

Mike Acker
Rank: Cyborg
Thursday September 23, 2010 8:52:25 AM

="Is UAC or other options the answer. No, Good software is the answer. Unfortunately I do not have the recipe for good software. Actually I do believe MS is improving. However, they want to have all applications communicating with each other. So are certificates the answer?"

Alas, I too have seen altogether too many well-meaning people just turn off UAC, grumping that it's "just a nuisance".

wait till they pick up a REAL nuisance, then they'll sing a new tune :-(

Victor: the REAL problem is the CONCEPT that it is permissible for an application program to modify the host O/S to facilitate its objectives. This might have been OK for a stand-alone "PC" but in a Network Endpoint it facilitates virus attacks.  The concept is NOT APPLICABLE to Network Endpoints.

We certainly do not take the position that modifications to the host O/S are never allowed. We take the position that modifications to the host O/S must be authenticated.  And so yes: certificates will be an important part of the solution.

What is absolutely verboten is that a document, such as a web page, can update your host O/S without your knowledge or permission. This can ONLY be effectively enforced by monitoring the behavior*2 of web-page programs and other application programs*1 including those found on USB sticks and launched via "autorun".

That is where UAC comes into play. If something you are running tries to update your system you need to know about it. And if you cannot authenticate the update you might not want to allow it.

So UAC and Code Signing will be key elements of security from now on. Developers who do not "get it" will end up in the junk can where they belong.

Read also tsaleem's post (below). As I have often noted here: we all need to learn and understand Trust Models. Anytime you are working with digital signatures you need to be aware that a signature could be revoked. It's not enough to check to see if you have a signature -- you have to verify that signature.

~~

*1 Examples: Word, Excel, Access, Photo-Shop, Flash, Acrobat, Outlook, I.E., Firefox, Power Point, et al.  The defense is positioned around the O/S.  Attempting to cover all the application code expands the attack surface to include much that is unknown. While these applications should be installed in areas protected by the O/S, when they are run they should run in user mode so that any scripts or macros they encounter in their data files do not have system update privilege.

*2 Monitoring Behavior: what we are interested in is NOT what your program looks like -- but what it wants to do.   Running in user mode without administrator privilege an application program -- or web page -- can't do anything for itself: it must ask the O/S to perform the desired update.  Which may or may not be carried out -- depending on who made the request, and what the request wants to do.

victor
Rank: Cave Painter
Wednesday September 22, 2010 7:03:52 PM
no ratings

Good point and good articles. What scares me is when I was helping a client with a problem in TimeSlips software and Sage tells me that we need to turn off UAC for the program to run properly. I told him that I was not going to do it. It scares me because so many software companies bitch and complain about Microsoft. And I believe that MS is trying to do the right thing. So these companies put out updates almost every year, so that the three year old software can be upgraded. But these companies do not actually upgrade their programs to current standards. So tech support will tell the customer that UAC is a pain and they should turn it off. Mark Minasi stated back in October of 2006 that MS had been publishing since 1992 how programmers should be developing applications to not run as administrator. He calls them lazy for not fixing it when Vista came out then and Win 7 recently. So how many people turn off security on their systems and get hit and never know it?

Is UAC or other options the answer? No, good software is the answer. Unfortunately I do not have the recipe for good software. Actually I do believe MS is improving. However, they want to have all applications communicating with each other. So are certificates the answer?

tsaleem
IQ Crew
Wednesday September 22, 2010 7:08:52 AM
no ratings

On code signing, it must be noted that once a Windows device driver is signed with a valid legitimate certificate, this "signed" driver will never expire. This is what Stuxnet exploited with the Realtek cert which expired June 11, 2010. The signed driver is still valid even after the pointless revocation by Verisign.
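The point tsaleem makes here, and Mike Acker's "you have to verify that signature" above, come down to how a timestamped Authenticode signature is judged: the signing certificate is evaluated as of the signing time, so its later expiry, or a revocation dated after the signing, leaves the driver's signature valid, and only a backdated revocation or a local distrust decision refuses it. The following Python model is an added example, not code from this thread or from Microsoft; the June 11, 2010 expiry is from the thread, while the other dates, the driver file name and the certificate subject string are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple

UTC = timezone.utc


@dataclass
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_on: Optional[datetime] = None  # effective date of the CRL entry, if revoked


@dataclass
class SignedDriver:
    name: str
    cert: SigningCert
    signed_at: datetime   # signing time asserted by the timestamp countersignature
    timestamped: bool     # True if a trusted timestamp authority countersigned it


def naive_check(drv: SignedDriver, now: datetime) -> bool:
    """The check people assume is made: 'signed by a certificate that is valid
    and unrevoked today'. A timestamped signature is not judged this way."""
    c = drv.cert
    return c.not_before <= now <= c.not_after and c.revoked_on is None


def timestamp_aware_check(drv: SignedDriver, now: datetime) -> Tuple[bool, str]:
    """Authenticode-style evaluation: with a trusted timestamp the certificate is
    judged as of the signing time, so later expiry or a later-dated revocation
    leaves the signature valid. Without a timestamp it is judged as of now."""
    c = drv.cert
    ref = drv.signed_at if drv.timestamped else now
    if not (c.not_before <= ref <= c.not_after):
        return False, "certificate was not valid at %s" % ref.date()
    if c.revoked_on is not None and c.revoked_on <= ref:
        return False, "certificate was already revoked at %s" % ref.date()
    return True, "signature chains to a certificate valid at %s" % ref.date()


def policy_check(drv: SignedDriver, now: datetime,
                 distrusted: FrozenSet[str]) -> Tuple[bool, str]:
    """Local trust model: a valid signature is necessary, not sufficient.
    Signers known to have been abused are refused whatever the timestamp says."""
    ok, why = timestamp_aware_check(drv, now)
    if not ok:
        return False, why
    if drv.cert.subject in distrusted:
        return False, "signer '%s' is on the local distrust list" % drv.cert.subject
    return True, why


# Constructed sample data. Only the June 11, 2010 expiry comes from the thread;
# the other dates, the subject string and the driver file name are placeholders.
REALTEK = SigningCert(
    subject="Realtek Semiconductor Corp",
    not_before=datetime(2007, 6, 11, tzinfo=UTC),
    not_after=datetime(2010, 6, 11, tzinfo=UTC),
    revoked_on=datetime(2010, 7, 16, tzinfo=UTC),   # revocation dated after the signing
)
DRIVER = SignedDriver("example_driver.sys", REALTEK,
                      signed_at=datetime(2010, 1, 25, tzinfo=UTC), timestamped=True)
NOW = datetime(2010, 9, 22, tzinfo=UTC)   # date of the post above


if __name__ == "__main__":
    print("naive check:          ", naive_check(DRIVER, NOW))
    print("timestamp-aware check:", timestamp_aware_check(DRIVER, NOW))
    print("with local policy:    ", policy_check(DRIVER, NOW, frozenset({REALTEK.subject})))
```

The three results show the gap the thread describes: the naive check fails because the certificate has expired, the timestamp-aware check still accepts the driver, and only the local distrust list refuses it.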

tsaleem
IQ Crew
Wednesday September 22, 2010 6:59:28 AM
no ratings

Heya Mike

Might want to add that by Win7 Level 4 UAC you mean "Always notify" setting as I have come across one article that labels "4" as switching off UAC altogether. Although it is obvious, just thought I'd bring this up as officially there are no numbered levels and it may cause confusion for new users.

Win7 is also great for the new AppLocker feature. This greatly enhances the earlier software restrictions functions available in earlier versions of Windows.

Mike Acker
Rank: Cyborg
Monday September 20, 2010 1:38:23 PM

Jart: "Just so we know MS were recently arguing for users NOT to operate in admin mode but as a user."

I like the discussion of UAC that you can find HERE and HERE(7)

Excerpt:

UAC’s Goal UAC is meant to enable users to run with standard user rights, as opposed to administrative rights. Administrative rights give users the ability to read and modify any part of the operating system, including the code and data of other users—and even Windows® itself. Without administrative rights users cannot accidentally (or deliberately) modify system settings, malware can’t alter system security settings or disable antivirus software, and users can’t compromise the sensitive information of other users on shared computers. Running with standard user rights can therefore reduce urgent help desk calls in corporate environments, mitigate the impact of malware, keep home computers running more smoothly, and protect sensitive data on shared computers.

This article is concentrated reading, but it is what we need.

Sadly, all this magnificent effort would be for naught if the motherboard or other key component is shipped with malware in micro-code (MIM).

Jart Armin
Thinkernetter
Monday September 20, 2010 12:23:38 PM
no ratings

Hi Ashish,

As per the discussion the wires were buzzing over the weekend around the 'who' and 'where' of Stuxnet. 

As Tsaleem also points to the Israeli news article, note:

"Wary of naked force, Israel eyes cyberwar on Iran"

"Decade-old cyberwarfare project seen as new vanguard of Israel's efforts to block Tehran's nuclear ambitions; American expert says 'malicious software' could be inserted to corrupt, commandeer or crash the controls of sensitive sites like uranium enrichment plants"

"A contaminated USB stick would be enough," 

Appears more as a Gov advisory, than ordinary press?

Jart Armin
Thinkernetter
Monday September 20, 2010 12:13:58 PM
no ratings

Good explanation for the readers -

Just so we know MS were recently arguing for users NOT to operate in admin mode but as a user.

For me this really makes me worry, as it's an ostrich (head in the sand) like approach. This would possibly allow even less control over what the admin is doing or rather code escalation automatically on behalf of admin.

As you say the right approach is for admin to prevent any code or privileged escalation, in the first place.
