Wilders Security Forums  


#276
September 27th, 2010, 04:47 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

After Hitting Iran Hard Stuxnet Attacks Kazakhstan and Russia

Kaspersky Lab reports that the number of hosts infected with Stuxnet in Iran has been slowly decreasing since July, but has spiked in Kazakhstan and Russia this month.

Full Story Here: http://news.softpedia.com/news/After...a-158283.shtml

#277
September 27th, 2010, 06:23 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

"Further alarm was raised when it was discovered that the Bushehr facility was using an un-licensed version of Siemens' special industrial control software. To make matters worse, it was not properly configured."

:-O

"'I have never seen anything like that, not even in the smallest cookie plant,' an appalled Langner said, after seeing evidence of the violations in a press photo of a Bushehr central control monitor screen that registered a clear systems error."

http://it.tmcnet.com/news/2010/09/27/5031216.htm

#278
September 27th, 2010, 06:46 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

@ noone_particular

Very good points about holding those responsible for any such disaster by such methods. And not just in this case, but Any others in the future.

In this case it "might" be to do damage locally, without releasing harmful materials/chemicals into our atmosphere. But **** can & does happen, and if so the people/nation responsible Must expect some comeback!

@ hawki

Thanks for the links.

*

Quote:
Worst Fears Realized

A Scary Piece of Malware Named Stuxnet Is in Town. Remember Its Name. Its Arrival May Make You Want to Change the Way You Think About Control System Security

We can't say we weren't warned. For years, the doubters and naysayers have been warning us that maybe all this PC-based computing and connectivity on the factory floor was a bad idea.

Security was always one of the main concerns. But the warnings were drowned out in the noise of the inexorable march to PCs on the plant floor and Internet connectivity.

http://www.controlglobal.com/article...lware1010.html
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#279
September 27th, 2010, 07:29 PM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: Rootkit.TmpHider

Thanks for posting the article. It's certainly a welcome diversion from the deluge of articles that sensationalize the exploit. This article actually gives pause to considerations of preventative security measures!

Quote:
For the uninitiated, a "zero-day" exploit is one that uses a previously unidentified security breach that only becomes apparent because of and at the same time as the original attack, and leaves all other users of the same system or systems at risk until such time as the vulnerability is eliminated.
My bolded part, of course, is not correct. You do not have to eliminate the vulnerability (install a patch) in order to be proactively protected against something like Stuxnet, as has already been demonstrated in this and other threads.

Quote:
The Buck Stops Here

That brings us to the hard truth that applies to all control system users: Good cyber security begins at home.
What should you be doing in response to Stuxnet? The answer is both simple and not-so-simple. Look to your own security...

The not-so-simple part of the answer is that cyber security is not just about Stuxnet.

Cyber security is about culture change—one of the hardest things to pull off in any organization. The CEO or someone on the board is going to have to make cyber security a priority and make it someone's job—complete with accountability—not just another duty tacked on to the control room operator's task list.
I have argued for years that Management ("The Buck Stops Here"), not Technical Support, is ultimately responsible for the security of its organization. A review of a successful attack will reveal that Management's support people were not on the ball. Effective Management will hire an outside investigation, then make appropriate changes (which might mean firing incompetent people).

Quote:
Securing Your Systems

Look to physical security.

Physically turn off USB ports and switches.

Set up computers so they won't use a USB stick.

Another option is to install software to scan USB stick for malware or just eliminate their use.

Disallow executables.
Need any more be said?

----
rich
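The USB and executable controls quoted above, as an added example that is not from the thread or from the Control Global article it quotes: a PowerShell script (Windows, since the Siemens engineering hosts Stuxnet targeted run Windows) that audits the registry-backed policies behind that advice and, for the removable-storage items, applies them. The registry paths and value names are the standard Windows policy locations; the function names and the $Controls table are this example's own.

```powershell
# Added example, not code from the thread or from the Control Global article it quotes.
# Audits (and, for the removable-storage items, applies) the registry-backed Windows
# policies behind the article's advice: block USB sticks, kill AutoRun, disallow
# executables. Registry paths and value names are the standard Windows locations;
# the function names and the $Controls table are this example's own.
# Auditing works in any shell; applying changes needs an elevated (Administrator) shell.

$Controls = @(
    @{ Name     = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'; Hardened = 4; Enforce = $true },
    @{ Name     = 'All removable storage classes denied by policy (Deny_All = 1)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value    = 'Deny_All'; Hardened = 1; Enforce = $true },
    @{ Name     = 'AutoRun disabled for every drive type (NoDriveTypeAutoRun = 0xFF)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'; Hardened = 255; Enforce = $true },
    # Audit only: a Software Restriction Policy whose default level is Disallowed (0)
    # is what "disallow executables" means on Windows, but the accompanying path rules
    # (Windows and Program Files directories) must be created through secpol.msc or
    # Group Policy, so this script reports the level rather than setting it blindly.
    @{ Name     = 'Software Restriction Policy default level is Disallowed (0)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
       Value    = 'DefaultLevel'; Hardened = 0; Enforce = $false }
)

function Get-ControlState {
    # One object per control: current registry value (or $null if absent) and a verdict.
    foreach ($c in $Controls) {
        $current = $null
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($c.Value) }
        }
        [pscustomobject]@{
            Control  = $c.Name
            Current  = $current
            Expected = $c.Hardened
            Hardened = ($null -ne $current -and $current -eq $c.Hardened)
        }
    }
}

function Set-ControlHardened {
    # Applies the Enforce = $true controls. Supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in $Controls | Where-Object { $_.Enforce }) {
        if (-not (Test-Path -Path $c.Path)) {
            if ($PSCmdlet.ShouldProcess($c.Path, 'Create registry key')) {
                New-Item -Path $c.Path -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Value)", "Set DWORD to $($c.Hardened)")) {
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Hardened -Type DWord
        }
    }
}

# Typical use: audit first, dry-run the change, then apply and re-audit.
Get-ControlState | Format-Table -AutoSize
# Set-ControlHardened -WhatIf
# Set-ControlHardened
# Get-ControlState | Where-Object { -not $_.Hardened }
```

The AutoRun item is listed because it is the control people reach for first, but it is not what stops this worm: Stuxnet's removable-media vector was the LNK shortcut-parsing flaw, triggered as soon as Explorer rendered the drive's icons, so the driver-level block (USBSTOR) and the removable-storage deny policy are the items that actually implement "set up computers so they won't use a USB stick". Expect to reconnect devices or reboot before trusting the new state, and re-run the audit afterwards rather than assuming the write succeeded.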

#280
September 27th, 2010, 08:37 PM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,183)
Re: Rootkit.TmpHider

Quote:
stuxnet revisited

(some of you may have seen a very early draft of this in your RSS feeds - a slip of the finger caused a publishing mishap)

even though it wasn't that long ago that i posted a number of scathing criticisms of the stuxnet worm, new revelations about the worm and also some of the discussion in this computer world article that asks "is stuxnet the best malware ever?" (and many others i've seen since starting this post) have prompted me to re-examine my opinion on stuxnet.

there have actually been a number of really good technical analyses of stuxnet, but things seem to fall down when people try to turn their technical analysis into a tactical analysis.
Kurt Wismer

#281
September 28th, 2010, 07:35 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

Quote:
The Stuxnet Worm and Options for Remediation

Round-up of info & links etc. in one PDF. It obviously doesn't include the very latest details, but I felt it might be worth posting. Wilders gets a mention too, with this thread linked.


Rmus will like this

Quote:
10.7: Whitelisting/Host Intrusion Prevention Systems

http://j-j.co.za/wp-content/uploads/...et_08.2010.pdf
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#282
September 29th, 2010, 01:39 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

Iran claims Stuxnet worm did not hit nuclear systems

Head of the Atomic Energy Organization of Iran (AEOI) Ali Akbar Salehi says enemy efforts to infect Iranian nuclear systems with a computer virus have failed.

http://www.infowars.com/iran-claims-...uclear-systems
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#283
October 1st, 2010, 09:31 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

Quote:
Millions of Computers Hit by Virus Across China

A computer virus dubbed the world’s “first cyber superweapon” and which may have been designed to attack Iran’s nuclear facilities has found a new target — China.

*

Another unnamed expert at Rising International said the attacks had so far infected more than six million individual accounts and nearly 1,000 corporate accounts around the country, Xinhua state news agency reported.

http://www.infowars.com/millions-of-...s-across-china
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#284
October 2nd, 2010, 12:37 AM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

Symantec's Stuxnet Dossier:

http://www.symantec.com/content/en/u...et_dossier.pdf

#285
October 2nd, 2010, 03:10 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

@ hawki

Thanks for posting, you beat me to it.

Quote:
W32.Stuxnet Dossier

While the bulk of the analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months well beyond the cited authors. Without their assistance, this paper would not be possible.

*

Quote:
November 20, 2008 Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.

So MS ignored this vulnerability for over 18 months.

*

Quote:
When the process does not have Administrator rights on the system it will try to attain these privileges by using one of two zero-day escalation of privilege attacks.

Uses a Win32k.sys Vulnerability and a Task Scheduler vulnerability
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#286
October 2nd, 2010, 08:45 AM
trismegistos (Frequent Poster; Join Date: Jan 2009; Posts: 363)
Re: Rootkit.TmpHider

Quote:
Originally Posted by noone_particular
If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.

Quoting...
Quote:
THIS IS DANGEROUS!!!

I am a DCS/PLC specialist and I know once the fail-safe control of a PLC fails, it can destroy the whole plant. A virus was able to shut down our system, but I was able to re-start the whole plant in a matter of a few hours; but a program to command the system to fail or to do things which will bypass the fail-safe mode is really terrifying...
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

#287
October 2nd, 2010, 12:46 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

Quote:
Originally Posted by trismegistos
Quoting...
Quote:
Originally Posted by noone_particular
If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.

Quoting...
Quote:
THIS IS DANGEROUS!!!

I am a DCS/PLC specialist and I know once the fail-safe control of a PLC fails, it can destroy the whole plant. A virus was able to shut down our system, but I was able to re-start the whole plant in a matter of a few hours; but a program to command the system to fail or to do things which will bypass the fail-safe mode is really terrifying...

FWIW: Due primarily to Russian-implemented safeguards, the Bushehr nuclear reactor is not a high-priority target in Israel's view.

"A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack."

http://www.economist.com/node/171478...47818&fsrc=rss

#288
October 3rd, 2010, 05:11 AM
noone_particular (Very Frequent Poster; Join Date: Aug 2008; Posts: 1,876)
Re: Rootkit.TmpHider

Regardless of which plant it targets, this type of activity is no different than terrorism. If that malware either directly causes a radiation release or causes them to do something that causes one, it would qualify as an act of war. If another nation did that to us, guarantee you that's what we'd be calling it. The hypocrisy of this is sickening.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.

#289
October 3rd, 2010, 09:49 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

Quote:
Iran arrests 'nuclear spies' accused of cyber attacks
[Photo caption: Guard at Bushehr nuclear power plant, Iran, 21 August 2010. The Stuxnet worm affected staff computers at Iran's Bushehr power station.]

Iran has arrested "nuclear spies" on suspicion of being behind cyber attacks on its nuclear programme, Iranian state media report.

Press TV says "a number" of people have been apprehended as part of an operation by Iran to counter "massive enemy schemes".

The report comes after the complex worm Stuxnet infected staff computers at Iran's first nuclear power station at Bushehr.

http://www.bbc.co.uk/news/world-middle-east-11459468
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#290
October 3rd, 2010, 11:03 AM
trismegistos (Frequent Poster; Join Date: Jan 2009; Posts: 363)
Re: Rootkit.TmpHider

Conspiracies, Conspiracies, Conspiracies. Everybody loves to talk about conspiracy theories. Interesting insights(?) from the comments sections in various forums, blogs, news sites about Stuxnet...

http://www.prisonplanet.com/evidence...ke-plants.html

http://www.economist.com/blogs/babba...et_worm?page=1

http://www.abovetopsecret.com/forum/thread613841/pg1
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

#291
October 4th, 2010, 03:31 PM
SUPERIOR (Regular Poster; Join Date: Dec 2007; Location: Syria; Posts: 161)
Re: Rootkit.TmpHider

http://www.antiy.net/en/analysts/Report_On_the_Attacking_of_Worm_Struxnet_by_antiy_labs.html

BTW, I was wondering why some sensitive places like nuclear power plants would use "MS Windows" when everybody knows how vulnerable it is!!!!

#292
October 5th, 2010, 05:38 PM
Searching_ _ _ (Very Frequent Poster; Join Date: Jan 2008; Location: iAnywhere; Posts: 1,988)
Re: Rootkit.TmpHider

Quote:
The New York Times reported Thursday that Stuxnet contains a file named "Myrtus," which may reveal the virus's origin in a Da Vinci Code-esque fashion. The "Robert Langdon" on the case is a German computer security expert named Ralph Langner.
Clues Emerge About Stuxnet Worm - Christian Science Monitor

I decided to have some fun, Hebrew anagrammatical-like: Talmud style.

myrtus

Quote:
The common myrtle Myrtus communis, also called true myrtle, is widespread in the Mediterranean region and is commonly cultivated.
Myrtus

Quote:
9203 Myrtus (1993 TM16) is a main-belt asteroid discovered on October 9, 1993 by E. W. Elst at the European Southern Observatory.
9203 Myrtus

Possible Hebrew involved (u is not a Hebrew letter)
mem yod resh tav/teit/tzadei samek/shin
40 10 200 400/9/900 60/300

Forward:
mem resh (mar /ah)= Mr., bitter
mem resh tav (marat)= Mrs.
mem resh teit (marat)= plucked (hair, feathers)
resh tzadei (rats)= run, runner
teit samek (tas)= flew; tray, platter
tav shin (tash)= weakened; became exhausted

Backward:
shin teit (shat)= sailed, rowed
samek teit resh (satar)= slapped
samek tav resh (satar)= refuted, contradicted
resh mem (ram)= lofty, loud
tav resh (tar)= toured
tav resh mem (taram)= donated, contributed
tav resh yod mem (tareem)= lift! raise!
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?

#293
October 10th, 2010, 07:03 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Rootkit.TmpHider

Stuxnet: Fact vs. theory

#294
October 10th, 2010, 07:59 PM
Dermot7 (Very Frequent Poster; Join Date: Dec 2009; Location: Surrey, England; Posts: 1,842)
Re: Rootkit.TmpHider

EU Agency analysis of 'Stuxnet' malware: a paradigm shift in threats and Critical Information Infrastructure Protection - ENISA:

http://www.enisa.europa.eu/media/pre...e-protection-1
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.

#295
October 11th, 2010, 09:47 PM
trismegistos (Frequent Poster; Join Date: Jan 2009; Posts: 363)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Dermot7
EU Agency analysis of 'Stuxnet' malware: a paradigm shift in threats and Critical Information Infrastructure Protection - ENISA:

http://www.enisa.europa.eu/media/pre...e-protection-1

EU calls Stuxnet 'paradigm shift' as U.S. responds more mildly

In a statement released yesterday, Udo Helmbrecht, the executive director of ENISA (European Network and Information Security Agency), said that as a "new class and dimension of malware," Stuxnet represents a "paradigm shift."
...
U.S. response more tepid

Despite the sophistication of Stuxnet and the fact that it is aimed at critical infrastructure, U.S. cybersecurity officials seem to be treating it like any ordinary malware, an industry watcher told CNET and experts complained to The Christian Science Monitor.

Through US-CERT (Computer Emergency Readiness Team), the Department of Homeland Security issues advisories and alerts about computer vulnerabilities and attacks. Searches for "Stuxnet" and for "Siemens Simatic" revealed a handful of warnings, with the earliest dating back to July when Stuxnet was first publicized. These include updates to prior advisories as more was learned in mid-August about the PLC code injection aspect of the malware, which meant it was not just for espionage but could be used for sabotage.

"The question is where the heck is DHS?" Joe Weiss, a critical infrastructure security expert, said in an interview with CNET today. "There is no real guidance being given. There is nothing going out to the utilities or other end users talking about the actual compromise of the controller itself" and how to detect and remove the malware from infected PLCs.

U.S. officials seem oddly disinterested in something that other countries appear to be taking extremely seriously--the first malware known to specifically target critical infrastructure, Weiss suggested. As an example, he said the acting director of control systems for the DHS gave a talk two weeks ago at the Applied Control Solutions' Industrial Control Cyber Security conference run by Weiss and didn't mention Stuxnet.


link: http://news.cnet.com/8301-27080_3-20019124-245.html
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

#296
October 12th, 2010, 07:39 PM
Dermot7 (Very Frequent Poster; Join Date: Dec 2009; Location: Surrey, England; Posts: 1,842)
Re: Rootkit.TmpHider

Langner Stuxnet logbook:
http://www.langner.com/en/
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.

#297
October 14th, 2010, 02:18 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Rootkit.TmpHider

@ Dermot7

Thanks for the latest Langner link

*

Quote:
Iran may have executed nuclear staffers over Stuxnet

Debkafile's intelligence sources report information reaching the West in the past week that Iran has put to death a number of atomic scientists and technicians suspected of helping plant the Stuxnet virus in its nuclear program. The admission by Ali Akbar Salehi, head of the Atomic Energy Organization, on Friday, Oct. 8 - the frankest yet by any Iranian official - that Western espionage had successfully penetrated its nuclear program is seen as bearing out those reports.

http://www.debka.com/article/9073
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#298
October 14th, 2010, 05:06 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

Microsoft Patch Tuesday: One Stuxnet hole remains open

While 16 updates from this Microsoft bumper Patch Tuesday close 49 security holes, a vulnerability exploited by the Stuxnet super worm to escalate access privileges remains open. Update MS10-073 does, however, close the other two known privilege escalation holes, which are related to loading keyboard layouts in the kernel. MS10-073 also fixes two previously undisclosed flaws. As one of the problems was discovered by Symantec, it's probably already actively being exploited in the wild.

http://www.h-online.com/security/new...n-1106886.html

#299
November 4th, 2010, 07:12 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 467)
Re: Rootkit.TmpHider

More than 30 persons built the Stuxnet worm.

WASHINGTON -- Details about the Stuxnet worm, a highly-engineered piece of malicious software that targeted industrial control systems, have trickled out since it made international news earlier this fall. The sophistication of the malware combined with its ability to target the controllers that run power plants and other infrastructure facilities impressed many security experts.

At a small conference on cybersecurity sponsored by TechAmerica, Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code.


http://www.theatlantic.com/technolog...uilt-it/66156/

#300
November 16th, 2010, 01:56 PM
SUPERIOR (Regular Poster; Join Date: Dec 2007; Location: Syria; Posts: 161)
Re: Rootkit.TmpHider

New STUXNET Scanner Tool by trendmicro
http://blog.trendmicro.com/stuxnet-s...forensic-tool/

Not sure if it's the right place to post the tool, though.
__________________
Analyzing scareware, junkware, crimeware, damnware, crapware ....... and all $h!tware
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums