Monday, January 24, 2011

Hi: Remember Me? I'm Stuxnet. We Met Back In July..

Flaws in Stuxnet Worm Deflect Suspicion From US, Israel. From The Epoch Times. A poorly thought-out interpretation of events. Excerpts in italics:
The New York Times published an article on Jan. 16 shining more light onto the issue. It stated that Israel built nuclear centrifuges identical to those in the Bushehr plant to test a computer worm, and had cooperation from the United States. Although there is still no direct proof that the United States or Israel were behind Stuxnet, the two countries were the main suspects to begin with.
Despite accusations that Stuxnet was a U.S.-Israel project, there are flaws in the worm that suggest it was created elsewhere. At the Black Hat DC conference on digital exploits and cyberattacks on Jan. 18, security consultant Tom Parker analyzed Stuxnet’s code.
Parker “presented a compelling case that Stuxnet may be the product of a collaboration between two disparate groups, perhaps a talented group of programmers that produced most of the code and exploits and a less sophisticated group that may have adapted the tool for its eventual use,” states a report from Threat Post, the security news service of anti-virus company Kaspersky Lab.

"This was probably not a Western state. There were too many mistakes made. There's a lot that went wrong," Parker said, according to Threat Post. “There's too much technical inconsistency. But, the bugs were unlikely to fail. They were all logic flaws with high reliability." In simple terms, there were technical shortcomings, but the virus was still highly reliable.
Nate Lawson, a cybersecurity expert with Root Labs, analyzed Stuxnet in a Jan. 17 blog post, stating, “I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early ’90s.”
Funny, but probably not. Here's a differing opinion:

The “Stuxnet” computer worm made international headlines in July, when security experts discovered that it was designed to exploit a previously unknown security hole in Microsoft Windows computers to steal industrial secrets and potentially disrupt operations of critical information networks. But new information about the worm shows that it leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today. (The article was last updated September 22, 2010)

..Experts say the worm was designed from the bottom up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.

The worm was originally thought to spread mainly through the use of removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the Stuxnet worm also could spread using an unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today (possibly September 22), with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser “important” threat rating for Windows Vista and Windows 7 computers.

In a blog post today, Microsoft group manager Jerry Bryant said Stuxnet targeted two other previously unknown security vulnerabilities in Windows, including another one reported by Kaspersky. Microsoft has yet to address either of these two vulnerabilities – known as “privilege escalation” flaws because they let attackers elevate their user rights on computers where regular user accounts are blocked from making important system modifications.

Anti-virus researchers also discovered that Stuxnet leverages a Windows vulnerability that Microsoft patched back in 2008. Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, said initially it wasn’t clear why the worm’s designers included such an antiquated vulnerability, which would almost certainly set off alarm bells inside of any organization using common intrusion detection and prevention tools.

But Schouwenberg said the inclusion of that 2008 vulnerability made more sense when he learned that most industrial control system networks do not employ these defensive tools or even basic network logging, as is common in most corporate networks. Consequently, he said, Stuxnet behaves differently depending on what type of network it thinks it is running on. Stuxnet performs some rudimentary checking to see whether it is on a corporate network or a control systems network: If it detects that it is running on a corporate network, it won’t invoke the older 2008 vulnerability, Schouwenberg said.

What can't Bulgarian teens from the 90's do? They must be amazing in person!

Returning to the first link for more.. Tenuous-ness..

Like Parker, Lawson states that the Stuxnet worm is full of holes. Among the shortcomings are “the Stuxnet developers seem to be unaware of more advanced techniques for hiding their target,” and “It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.” (Go back and re-read the previous link)

Giving it credit, Stuxnet was highly effective and accomplished at what it was likely set loose to do—destroy Iran’s nuclear centrifuges. It was also incredibly clean and was free of any digital fingerprints that could trace it back to its creator.

The worm has no potential for monetary gain, which made the United States and Israel prime suspects.

And:

The larger issue currently at hand is that the code behind Stuxnet is now freely available. A virus, which likely took millions of dollars to create, that can physically control moving parts of infrastructure, and can access systems even if they are not connected to the Internet, is on the loose. (With more variants TBA, ASAP..)

A quick Google search reveals that Stuxnet is readily available for anyone to download via file sharing websites and links on message boards. Stuxnet has the potential to cause massive damage, and the main risk is possible alterations that hackers, terrorists, or foreign governments could make to the virus.

Think of Stuxnet as the cyberweapon equivalent of an improvised explosive device (IED). It is easily attainable and can cause huge damage, but the world now knows how to spot it. (Except that targeted networks sometimes don't even use the software to identify the particular (and specific) entry, which could change locations with each new version..) Like an IED, the real potential is in the alterations that can be made to make it more damaging and harder to spot.

Stuxnet is low-tech but sophisticated, effective in its mission, has (or had) two points of entry that Microsoft did not immediately address, cost millions to produce, and is essentially "public domain," now available for upgrades and remixes by.. just about anybody! This event, and all the related consequent behavior, sounds a lot more advanced and strategic than it portrays itself, which is a reflection of Stuxnet's creators.

The first Sons of Stuxnet should be arriving anytime now..

So.. How about that Super Bowl?
