August 25, 2011


How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History (Kim Zetter, July 11, 2011 , Wired)

On June 17, 2010, Sergey Ulasen was in his office in Belarus sifting through e-mail when a report caught his eye. A computer belonging to a customer in Iran was caught in a reboot loop -- shutting down and restarting repeatedly despite efforts by operators to take control of it. It appeared the machine was infected with a virus.

Ulasen heads an antivirus division of a small computer security firm in Minsk called VirusBlokAda. Once a specialized offshoot of computer science, computer security has grown into a multibillion-dollar industry over the last decade keeping pace with an explosion in sophisticated hack attacks and evolving viruses, Trojan horses and spyware programs.

The best security specialists, like Bruce Schneier, Dan Kaminsky and Charlie Miller are considered rock stars among their peers, and top companies like Symantec, McAfee and Kaspersky have become household names, protecting everything from grandmothers' laptops to sensitive military networks.

VirusBlokAda, however, was no rock star nor a household name. It was an obscure company that even few in the security industry had heard of. But that would shortly change.

Ulasen's research team got hold of the virus infecting their client's computer and realized it was using a "zero-day" exploit to spread. Zero-days are the hacking world's most potent weapons: They exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors. They're also exceedingly rare; it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.

In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows. When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory.

It was an ingenious exploit that seemed obvious in retrospect, since it attacked such a ubiquitous function. It was also one, researchers would soon learn to their surprise, that had been used before.

VirusBlokAda contacted Microsoft to report the vulnerability, and on July 12, as the software giant was preparing a patch, VirusBlokAda went public with the discovery in a post to a security forum. Three days later, security blogger Brian Krebs picked up the story, and antivirus companies around the world scrambled to grab samples of the malware -- dubbed Stuxnet by Microsoft from a combination of file names (.stub and MrxNet.sys) found in the code.

As the computer security industry rumbled into action, decrypting and deconstructing Stuxnet, more assessments filtered out.

It turned out the code had been launched into the wild as early as a year before, in June 2009, and its mysterious creator had updated and refined it over time, releasing three different versions. Notably, one of the virus's driver files used a valid signed certificate stolen from RealTek Semiconductor, a hardware maker in Taiwan, in order to fool systems into thinking the malware was a trusted program from RealTek.

Internet authorities quickly revoked the certificate. But another Stuxnet driver was found using a second certificate, this one stolen from JMicron Technology, a circuit maker in Taiwan that was -- coincidentally or not - headquartered in the same business park as RealTek. Had the attackers physically broken into the companies to steal the certificates? Or had they remotely hacked them to swipe the company's digital certificate-signing keys? No one knew.

"We rarely see such professional operations," wrote ESET, a security firm that found one of the certificates, on its blog. "This shows [the attackers] have significant resources."

In other ways, though, Stuxnet seemed routine and unambitious in its aims. Experts determined that the virus was designed to target Simatic WinCC Step7 software, an industrial control system made by the German conglomerate Siemens that was used to program controllers that drive motors, valves and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants.

Although this was new in itself -- control systems aren't a traditional hacker target, because there's no obvious financial gain in hacking them -- what Stuxnet did to the Simatic systems wasn't new. It appeared to be simply stealing configuration and design data from the systems, presumably to allow a competitor to duplicate a factory's production layout. Stuxnet looked like just another case of industrial espionage.

Antivirus companies added signatures for various versions of the malware to their detection engines, and then for the most part moved on to other things.

The story of Stuxnet might have ended there. But a few researchers weren't quite ready to let it go. [...]

one looming question remained, however. Had Stuxnet succeeded in its goal?
If the malware's aim had been to destroy centrifuges in Iran and cripple the country's ability to produce a nuclear weapon, the consensus is that it failed. A physical attack would have been much more effective, though obviously much less stealthy or politically expedient. But if its intent was simply to delay and sow uncertainty in Iran's nuclear program, then it appeared to succeed -- for a time.

Earlier this year, the outgoing head of Israel's Mossad said that unspecified malfunctions had set back Iran's ability to produce a nuclear weapon until 2015. United States Secretary of State Hillary Clinton also said Iran's nuclear program had been "slowed," but added "[W]e have time. But not a lot of time." Albright has noted that Iran has material to build only 12,000-15,000 centrifuges, and if 1,000 to 2,000 were destroyed, this would hasten the demise of its stockpile.

But his and other organizations have also noted that after the centrifuges were replaced, Iran stepped up its enrichment program and its overall production of uranium had actually increased in 2010, despite any effects Stuxnet may have had.

Stuxnet required an enormous amount of resources to produce, but its cost-benefit ratio is still in question. While it may have helped set Iran's program back to a degree, it also altered the landscape of cyberattacks. Stuxnet's authors mapped a new frontier that other attackers are bound to follow; and the next target for sabotage could easily be a nuclear facility in the United States.

No one knows what Stuxnet might have achieved had it never been discovered by VirusBlockAda a year ago. The code contains one attack sequence that researchers say was never enabled in any of the versions of Stuxnet they found. It appeared the attackers were still developing the code when it was uncovered.

They will likely have no second chance to unleash their weapon now. Langner has called Stuxnet a one-shot weapon. Once it was discovered, the attackers would never be able to use it or a similar ploy again without Iran growing immediately suspicious of malfunctioning equipment.

"The attackers had to bet on the assumption that the victim had no clue about cybersecurity, and that no independent third party would successfully analyze the weapon and make results public early, thereby giving the victim a chance to defuse the weapon in time," Langner said.

In the end, Stuxnet's creators invested years and perhaps hundreds of thousands of dollars in an attack that was derailed by a single rebooting PC, a trio of naive researchers who knew nothing about centrifuges, and a brash-talking German who didn't even have an internet connection at home.

Posted by at August 25, 2011 6:37 AM

blog comments powered by Disqus