Ironworks Gaming Forum


VulcanRider 09-26-2010 09:07 AM

War from a cubicle?
 
Join us for lunch?
Sure, just let me start WWIII... *CLICK* Ok. Pizza?

From Philosophy of Science Portal
Quote:

Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.

The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.

"Until a few days ago, people did not believe a directed attack like this was possible," Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. "What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern."
.
.
Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
.
.
So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.

"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."



The folks at Symantec are working on it...

Quote:

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.
Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Experts say Stuxnet worm could be state-sponsored
Quote:

The Stuxnet computer worm that may have been designed to attack a nuclear facility in Iran could have been state sponsored, according to two security experts with whom I spoke.
"We can tell by the code that it's very, very complex to the degree that this type of code had to be done, for example, by a state and not, for example, some hacker sitting in his parents' basement," said Symantec security researcher Eric Chien. Chien added, however, that "there's nothing in the code that points to the particular author" or "what their motivation is." (Scroll down to listen to entire Chien interview.)

TrendMicro security researcher Paul Ferguson agrees that Stuxnet was likely state-sponsored. "The amount of technical expertise that went into this doesn't appear to have been by some random lone individual person because they would have had to have access to these systems to develop this."

Ferguson said "it is a big deal because the utility companies, and manufacturing communities and the power companies and gas and oil companies for years have been using closed proprietary systems to manage their infrastructure and over the course of the past few years they've been making business decisions to use off-the-shelf software like Windows." He added that now we're seeing the same threat as with other networks as facilities are connected to the Internet or allow access to thumb drives. This type of threat, according to Ferguson, is "absolutely new and that's why a lot of people in the intelligence community, in the Department of Homeland Security and different governments around the world are really kind of spooked by this development. It shows the targeted nature and sophistication of the criminal/espionage aspect to this."

The "Blue Screen of Death" just took on a whole new meaning...
.

johnny 09-26-2010 10:28 AM

Re: War from a cubicle?
 
Created for certain facilities in Iran...ahem.

Hindsight 09-26-2010 05:18 PM

Re: War from a cubicle?
 
Great font colours dude!!

Firestormalpha 09-26-2010 05:51 PM

Re: War from a cubicle?
 
Scary if an enemy state gets their hands on this kind of stuff. Scarier still, if a terrorist organization gets their hands on it.

Gabrielles blades 09-26-2010 06:41 PM

Re: War from a cubicle?
 
even more scary is that normal hackers are probably going to get their hands on this, study it, and implement it for windows.

as for protecting industry from this threat - i would suggest just isolating important systems from computers so that they are human controlled instead.

Hivetyrant 09-26-2010 08:00 PM

Re: War from a cubicle?
 
Quote:

Originally Posted by Gabrielles blades (Post 1243037)
as for protecting industry from this threat - i would suggest just isolating important systems from computers so that they are human controlled instead.

Unfortunately much easier said than done :(
There are few process systems on the planet that aren't computer controlled, the cost just can't be compared.

The human factor is often at fault for these types of infections.
Our process network is completely separate from our business LAN and despite much user training and prevention methods, infections are still happening (though not often).

There are more and more viruses turning up that are targeting SCADA systems which is both interesting and worrying, we have had some healthy discussions at my work around the intention and future of this kind of thing, it is very possible that one day people will be able to purchase these kinds of "Weapons" both from a company competition standpoint and just people wanting to be a$$holes.

Might sound like silly conspiracy stuff now, but you all know as well as I do that there are more than enough people out there with no time and no morals willing to write these programs, and there are certainly enough people out there willing to use them for personal gain.

Hindsight 09-27-2010 06:51 AM

Re: War from a cubicle?
 
Perhaps the Amish have the right idea after all?


All times are GMT -4.