Wilders Security Forums: Rootkit.TmpHider (malware problems & news)
#301 | November 16th, 2010, 06:36 PM | CloneRanger (Massive Poster)
Re: Rootkit.TmpHider

Quote:
Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage

New and important evidence found in the sophisticated “Stuxnet” malware targeting industrial control systems provides strong hints that the code was designed to sabotage nuclear plants, and that it employs a subtle sabotage strategy that involves briefly speeding up and slowing down physical machinery at a plant over a span of weeks.

“It indicates that [Stuxnet's creators] wanted to get on the system and not be discovered and stay there for a long time and change the process subtly, but not break it,” (.pdf) says Liam O Murchu, researcher with Symantec Security Response, which published the new information in an updated paper on Friday.

http://www.wired.com/threatlevel/2010/11/stuxnet-clues


http://www.symantec.com/content/en/u...et_dossier.pdf
#302 | November 17th, 2010, 10:51 PM | JRViejo (Global Moderator)
Re: Rootkit.TmpHider

Quote:
The appearance of the Stuxnet worm in June should serve as a wake-up call to governments and businesses, especially those relying on Internet-based industrial control systems, a group of cybersecurity experts told U.S. lawmakers Wednesday.

The sophisticated Stuxnet is a "game changer" for companies and governments looking to protect their networks, said Sean McGurk, acting director of the National Cybersecurity and Communications Integration Center in the U.S. Department of Homeland Security. Stuxnet, likely developed by a well-financed team, modifies files of the software running industrial control systems and can also steal the data contained there without the owner knowing it, he told the U.S. Senate Homeland Security and Governmental Affairs Committee.

"We have not seen this coordinated effort of information technology vulnerabilities and industrial control exploitation completely wrapped up in one unique package," McGurk said.
Experts: Stuxnet changed the cybersecurity landscape by Grant Gross.
#303 | November 18th, 2010, 11:44 PM | TheGyre (Infrequent Poster)
New Findings On Stuxnet Worm

Courtesy of the New York Times... Some interesting conclusions.

"Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart.

In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed.

“It’s striking how close it is to the standard value,” he said."


http://www.nytimes.com/2010/11/19/wo...nted=2&_r=1&hp
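One defender-side way to catch the ramp-up-then-restore pattern quoted above, as an added example that is not part of the original post or the NYT article: the script below flags drive-frequency samples that leave a nominal band and reports whether each excursion was quietly restored. The nominal frequency, tolerance, CSV layout and sample readings are assumptions constructed for the example.

```python
"""Detect setpoint excursions in variable-frequency-drive telemetry.

Added example, not code from the article, Symantec or any vendor. Assumes a
historian exports CSV rows `timestamp,drive_id,freq_hz`; the nominal
frequency and tolerance are assumed plant-specific parameters.
"""
from dataclasses import dataclass

# Assumed nominal frequency and band: the article gives only the 1,410 Hz peak
# and says the worm finally restores "the standard value".
NOMINAL_HZ = 1064.0
TOLERANCE = 0.02  # samples within 2 % of nominal count as normal

@dataclass
class Excursion:
    drive: str
    start: int       # first out-of-band timestamp
    end: int         # last out-of-band timestamp
    peak_hz: float   # sample furthest from nominal during the excursion
    restored: bool   # True once the drive is brought back into the band

def parse_telemetry(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        ts, drive, hz = line.split(",")
        rows.append((int(ts), drive, float(hz)))
    return rows

def in_band(hz: float, nominal: float = NOMINAL_HZ, tol: float = TOLERANCE) -> bool:
    return abs(hz - nominal) <= nominal * tol

def detect_excursions(rows, nominal=NOMINAL_HZ, tol=TOLERANCE) -> list:
    """Group consecutive out-of-band samples per drive into excursions.
    restored=True is the ramp-up-then-quietly-restore pattern described above;
    an excursion still open at the end of the data comes back with restored=False."""
    open_exc = {}  # drive -> excursion in progress
    closed = []
    for ts, drive, hz in sorted(rows):
        exc = open_exc.get(drive)
        if not in_band(hz, nominal, tol):
            if exc is None:
                exc = open_exc[drive] = Excursion(drive, ts, ts, hz, False)
            exc.end = ts
            if abs(hz - nominal) > abs(exc.peak_hz - nominal):
                exc.peak_hz = hz
        elif exc is not None:
            exc.restored = True
            closed.append(open_exc.pop(drive))
    return closed + list(open_exc.values())

# Constructed sample: drive-A is ramped to 1410 Hz then restored; drive-B stays nominal.
SAMPLE = """\
1000,drive-A,1064.0
1060,drive-A,1120.0
1120,drive-A,1300.0
1180,drive-A,1410.0
1240,drive-A,1064.0
1000,drive-B,1063.5
"""
```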
#304 | November 19th, 2010, 07:34 AM | kjdemuth (Very Frequent Poster)
Re: New Findings On Stuxnet Worm

Thanks for the update
#305 | November 20th, 2010, 12:14 AM | CloneRanger (Massive Poster)
Re: Rootkit.TmpHider

Israel admits it was behind Stuxnet Virus Attack

http://www.nytimes.com/2010/11/19/wo...xnet.html?_r=1



Not really a surprise as such, but I'm surprised they've admitted it!

I can't view the link as it says you need to be a member.

If anyone can provide a working link and/or post some info from it
#306 | November 20th, 2010, 12:37 AM | JRViejo (Global Moderator)
Re: Rootkit.TmpHider

CloneRanger, after reading that article, it "hints" that Israel was behind it, however, I see no "admission" of them being behind the attack. Excerpts:
Quote:
The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.
Quote:
Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.

Ralph Langner, a German expert in industrial control systems who has examined the program and who was the first to suggest that the Stuxnet worm may have been aimed at Iran, noted in late September that a file inside the code was named “Myrtus.” That could be read as an allusion to Esther, and he and others speculated it was a reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

Writing on his Web site last week, Mr. Langner noted that a number of the data modules inside the program contained the date “Sept. 24, 2001,” clearly long before the program was written. He wrote that he believed the date was a message from the authors of the program, but did not know what it might mean.

Last month, researchers at Symantec also speculated that a string of numbers found in the program — 19790509 — while seeming random, might actually be significant. They speculated that it might refer to May 9, 1979, the day that Jewish-Iranian businessman Habib Elghanian was executed in Iran after being convicted of spying for Israel.

Interpreting what the clues might mean is a fascinating exercise for computer experts and conspiracy theorists, but it could also be a way to mislead investigators.
Let's stick to the subject and not take this thread off topic by discussing politics and countries. Thanks!
#307 | November 20th, 2010, 09:21 AM | Baserk (Frequent Poster)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
Israel admits it was behind Stuxnet Virus Attack
...
I can't view the link as it says you need to be a member
If you couldn't view/read that page, how did you come to your 'conclusion' in red?
#308 | November 22nd, 2010, 07:41 PM | MrBrian (Very Frequent Poster)
Re: Rootkit.TmpHider

Stuxnet has a double payload

Stuxnet virus could target many industries
#309 | November 23rd, 2010, 01:28 PM | Pandorian (Infrequent Poster)
Re: Rootkit.TmpHider

The second link exaggerates the likelihood of this occurring. I used to design control systems using various equipment, and in every system that I installed the control PCs were locked down to a dedicated shell, and the PLCs and control PCs were installed on a dedicated network with a firewall to any internal MIS systems or database. Data flow was one way, from the control network to the MIS/internal network.

The same network arrangement occurred in the food, steel, nuclear, utilities, and other manufacturing industries that I worked in.

Industrial control systems have always been designed to a higher standard than a normal office network, simply because they need to be reliable 24 x 7 x 365 in some cases. Polluting a control system network with traffic from a standard office network is a big no-no.
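A small check of the one-way rule Pandorian describes, as an added example that is not part of the post or of any vendor tool: it classifies firewall connection records by zone and reports anything initiated into the control network, or from it to the outside. The subnets, log format, permitted port and sample log lines are assumptions constructed for the example.

```python
"""One-way flow policy check between a control network and an MIS network.

Added example, not from the post or any vendor. Assumes a firewall that logs
new connections as `<ts> NEW src=<ip> dst=<ip> proto=<p> dport=<n>`; subnets
and the permitted historian port are constructed for the example.
"""
import ipaddress
import re

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")  # PLCs and control PCs (assumed)
MIS_NET = ipaddress.ip_network("10.20.0.0/24")      # office / MIS systems (assumed)
ALLOWED_CONTROL_TO_MIS_PORTS = {1433}  # historian push port on the MIS side (assumed)

LINE = re.compile(r"^(?P<ts>\S+) NEW src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in CONTROL_NET:
        return "control"
    if addr in MIS_NET:
        return "mis"
    return "external"

def evaluate(line: str):
    """Return (verdict, reason) for one NEW-connection log line. Allowed:
    control -> mis on a permitted port, or traffic that never touches the control
    net. Violation: anything *into* the control net (the reverse of the one-way
    flow) or from it to the outside world."""
    m = LINE.match(line.strip())
    if not m:
        return ("unparsed", line)
    src, dst, dport = zone(m["src"]), zone(m["dst"]), int(m["dport"])
    if src == "control" and dst == "mis":
        if dport in ALLOWED_CONTROL_TO_MIS_PORTS:
            return ("allow", "control -> mis on permitted port")
        return ("violation", f"control -> mis on unexpected port {dport}")
    if dst == "control":
        return ("violation", f"{src} -> control: inbound connection to control net")
    if src == "control":
        return ("violation", "control -> external: control host reaching outside")
    return ("allow", f"{src} -> {dst}: outside the control boundary")

def audit(log_text: str):
    """Return [(line, reason)] for every violating line."""
    out = []
    for line in log_text.strip().splitlines():
        verdict, reason = evaluate(line)
        if verdict == "violation":
            out.append((line, reason))
    return out

# Constructed log: a historian push, a reverse SMB connection into the
# control net, a control host reaching the internet, and normal office DNS.
SAMPLE_LOG = """\
2010-11-23T10:00:01 NEW src=10.10.0.5 dst=10.20.0.9 proto=tcp dport=1433
2010-11-23T10:00:07 NEW src=10.20.0.31 dst=10.10.0.5 proto=tcp dport=445
2010-11-23T10:00:12 NEW src=10.10.0.7 dst=198.51.100.20 proto=tcp dport=80
2010-11-23T10:00:15 NEW src=10.20.0.31 dst=10.20.0.1 proto=udp dport=53
"""
```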
#310 | November 23rd, 2010, 02:50 PM | CloneRanger (Massive Poster)
Re: Rootkit.TmpHider

@ JRViejo

OK & thanks for the quotes


@ Baserk

I saw the link posted on another www & that's the headline it gave!
#311 | November 24th, 2010, 09:33 AM | hawki (Frequent Poster)
Re: Rootkit.TmpHider

Attack code published for unpatched Stuxnet vulnerability

Exploit code for one of the still-unpatched Windows vulnerabilities used in the Stuxnet malware has been posted on the web, a move that puts pressure on Microsoft to release a security patch.

The exploit, written by webDEViL, provides a roadmap to exploit a flaw in the Windows Task Scheduler to elevate rights on vulnerable Windows machines.

It has been successfully tested on systems running Windows Vista, Windows 7 and Windows Server 2008.

http://www.zdnet.com/blog/security/a...erability/7732

UPDATE: MICROSOFT'S RESPONSE:

Attackers Must Already Have Access

“Microsoft is aware of the public posting of the details of an elevation of privilege vulnerability used by the Stuxnet malware,” Jerry Bryant, group manager of Response Communications at Microsoft, said in a statement. “We first discussed this vulnerability in September 2010. Because this is a local elevation of privilege issue, it requires attackers to be already able to execute code on a targeted machine. A bulletin addressing this issue will be released as part of our regular monthly bulletin cycle in the near future.”

MORE HERE: http://www.eweekeurope.co.uk/news/ex...s-public-14216

#312 | November 25th, 2010, 03:44 PM | Daveski17 (Massive Poster)
Stuxnet Redux: Questions and Answers

Stuxnet Redux: Questions and Answers F-Secure

Hmmmm... very interesting...

#313 | November 25th, 2010, 07:01 PM | JRViejo (Global Moderator)
Re: Rootkit.TmpHider

Merged Threads to continue the discussion on the same topic!
#314 | November 26th, 2010, 03:34 AM | Pandorian (Infrequent Poster)
Re: Rootkit.TmpHider

Never in the field of software security was so much hype achieved from so little effect.

It seems to me this is a 'celebrity' virus, which in reality has achieved nothing but headlines. All bar one of the dropper mechanisms have already been patched, and the payload was so very, very narrow in scope.

I think the reality is, this particular virus failed to achieve its goal, so why the hype?
#315 | November 26th, 2010, 07:29 AM | trismegistos (Frequent Poster)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Pandorian
Never in the field of software security was so much hype achieved from so little effect.

It seems to me this is a 'celebrity' virus, which in reality has achieved nothing but headlines. All bar one of the dropper mechanisms have already been patched, and the payload was so very, very narrow in scope.

I think the reality is, this particular virus failed to achieve its goal, so why the hype?
This was intended to be as undetectable as possible, being a sort of targeted attack minus the collateral infections, with the end result of malfunctioning of certain centrifuge machines that enrich uranium, particularly in Iran, to derail its nuclear program. But it was discovered by accident, as the story goes.

It was not intended to create havoc nor for espionage nor to create a botnet nor to create an end of the world scenario nor to create notoriety for its makers.

But there is the initial concern of the theoretical possibility of a greater danger, a nuclear plant gone haywire creating greater casualties, or other industrial processes which could produce some mishap among innocent civilians. Also of the possibility that this will be reverse engineered and used by those with more malicious intent.

What amazes the researchers with this malware is that it carried 4 zero-day exploits and that it is state sponsored. It's a good thing that the zero-days of Stuxnet are patched already except one. The shell32.dll vulnerability is I think the most important. Sort of a non-documented USB autorun. What if those vulnerabilities weren't patched and other malware would use those? Imagine the mushrooming of more malicious code wreaking havoc even on well-secured systems/networks to steal trade secrets, etc., and more failures of industrial control systems causing industrial accidents and misfortunes. And not to mention cyberwarfare.

It was reported that some critical networks like the military in certain states were also affected by malware just because of the ubiquitous USB devices. Yes, there are still some not as prudent as you who continue to have false practices despite safety policies like forbidding connectivity between critical systems, and not to mention those USBs if carried by some insiders/rogue elements or infiltrators to infect your networks/systems. Paranoia? The attack scenario was outlined in the w32.stuxnet dossier by Symantec. It can be easily mitigated by policies and safe practices as you have said, but there will always be a means for a determined attacker.
#316 | November 26th, 2010, 06:42 PM | MrBrian (Very Frequent Poster)
Re: Rootkit.TmpHider

Report: Stuxnet code being sold on black market
#317 | November 27th, 2010, 06:37 AM | Meriadoc (Very Frequent Poster)
Re: Rootkit.TmpHider

Incidentally admin/admin - OSVDB
#318 | November 29th, 2010, 09:44 AM | hawki (Frequent Poster)
Re: Rootkit.TmpHider

FWIW:

Nuclear scientist killed in Tehran was Iran's top Stuxnet expert

Prof. Majid Shahriari, who died when his car was attacked in North Tehran Monday, Nov. 29, headed the team Iran established for combating the Stuxnet virus rampaging through its nuclear and military networks.

http://www.debka.com/article/20406/

#319 | December 4th, 2010, 07:32 AM | trismegistos (Frequent Poster)
Re: Rootkit.TmpHider

Iranian President Mahmoud Ahmadinejad said Monday that malicious computer code launched by “enemies” of the state had sabotaged centrifuges used in Iran’s nuclear-enrichment program.
http://www.reuters.com/article/idUSLDE6AS1J120101129
#320 | December 11th, 2010, 08:28 PM | MrBrian (Very Frequent Poster)
Re: Rootkit.TmpHider

Stuxnet researchers cautious about Iran's admission of centrifuge issues
#321 | December 17th, 2010, 08:55 PM | Serapis (Frequent Poster)
Art of Destruction: The Mechanics of Stuxnet

A remarkable piece of malware indeed. See a security expert's dissection of the industrially designed worm that is Stuxnet.

http://www.tofinosecurity.com/sites/...o_ENGlobal.swf
#322 | December 17th, 2010, 09:40 PM | JRViejo (Global Moderator)
Re: Rootkit.TmpHider

Merged Threads to Continue Same Topic!
#323 | December 18th, 2010, 08:30 AM | Baserk (Frequent Poster)
Re: Rootkit.TmpHider

Stuxnet’s Finnish-Chinese Connection

"A third important piece of the puzzle, which I’ll discuss later in this article, directly connects a Chinese antivirus company which writes their own viruses with the Stuxnet worm.
...
..based solely on the known facts, I consider China to be the most likely candidate for Stuxnet’s origin."

From Jeffrey Carr's 'China-scenario' article in Forbes. link
#324 | January 15th, 2011, 08:17 PM | TheGyre (Infrequent Poster)
Re: Rootkit.TmpHider

Some major updates on Stuxnet just posted on the New York Times website.

http://www.nytimes.com/2011/01/16/wo...tuxnet.html?hp
#325 | January 17th, 2011, 10:39 AM | CloneRanger (Massive Poster)
Re: Rootkit.TmpHider

@ TheGyre

Thanks for posting this; I was just about to.
 
