Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Further alarm was raised when it was discovered that the Bushehr facility was using an un-licensed version of Siemens' special industrial control software. To make matters worse, it was not properly configured."

    :-O

    "'I have never seen anything like that, not even in the smallest cookie plant,' an appalled Langner said, after seeing evidence of the violations in a press photo of a Bushehr central control monitor screen that registered a clear systems error."

    http://it.tmcnet.com/news/2010/09/27/5031216.htm
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ noone_particular

    Very good points about holding those responsible for any such disaster by such methods. And not just in this case, but Any others in the future.

    In this case it "might" be to do damage locally, without releasing harmful materials/chemicals into our atmosphere. But **** can & does happen, and if so the people/nation responsible Must expect some comeback !

    @ hawki

    Thanks for the links.

    *

     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for posting the article. It's certainly a welcome diversion from the deluge of articles that sensationalize the exploit. This article actually gives pause to considerations of preventative security measures!

    My bolded part, of course, is not correct. You do not have to eliminate the vulnerability (install a patch) in order to be proactively protected against something like Stuxnet, as has already been demonstrated in this and other threads.

    I have argued for years that Management ("The Buck Stops Here"), not Technical Support, is ultimately responsible for the security of its organization. A review of a successful attack will reveal that Management's support people were not on the ball. Effective Management will hire an outside investigation, then make appropriate changes (which might mean firing incompetent people).

    Need any more be said?

    ----
    rich
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,083
    Location:
    Texas
    Kurt Wismer
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Rmus will like this ;)

     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    http://www.infowars.com/millions-of-computers-hit-by-virus-across-china
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ hawki

    Thanks for posting :thumb: you beat me to it ;)

    *

    So MS ignored this vulnerability for over 18 months :eek:

    *

    Uses a Win32k.sys Vulnerability and a Task Scheduler vulnerability
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Quoting...
     
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    FWIW: Due primarily to Russian-implemented safeguards, the Bushehr nuclear reactor is not a high-priority target in Israel's view.

    "A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack."

    http://www.economist.com/node/17147818?story_id=17147818&fsrc=rss
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regardless of which plant it targets, this type of activity is no different than terrorism. If that malware either directly causes a radiation release or causes them to do something that causes one, it would qualify as an act of war. If another nation did that to us, guarantee you that's what we'd be calling it. The hypocrisy of this is sickening.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    http://www.bbc.co.uk/news/world-middle-east-11459468
     
  14. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
  15. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    http://www.antiy.net/en/analysts/Report_On_the_Attacking_of_Worm_Struxnet_by_antiy_labs.html

    btw, I was wondering why some sensitive places like nuclear power would use "MS Windows" though everyone knows how vulnerable it is!!!!
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Clues Emerge About Stuxnet Worm - Christian Science Monitor

    I decided to have some fun, Hebrew anagrammatical like: Talmud style.

    myrtus

    Myrtus

    9203 Myrtus

    Possible Hebrew involved (u is not a Hebrew letter)
    mem yod resh tav/teit/tzadei samek/shin
    40 10 200 400/9/900 60/300

    Forward:
    mem resh (mar /ah)= Mr., bitter
    mem resh tav (marat)= Mrs.
    mem resh teit (marat)= plucked (hair, feathers)
    resh tzadei (rats)= run, runner
    teit samek (tas)= flew; tray, platter
    tav shin (tash)= weakened; became exhausted

    Backward:
    shin teit (shat)= sailed, rowed
    samek teit resh (satar)= slapped
    samek tav resh (satar)= refuted, contradicted
    resh mem (ram)= lofty, loud
    tav resh (tar)= toured
    tav resh mem (taram)= donated, contributed
    tav resh yod mem (tareem)= lift! raise!
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    EU calls Stuxnet 'paradigm shift' as U.S. responds more mildly

    In a statement released yesterday, Udo Helmbrecht, the executive director of ENISA (European Network and Information Security Agency), said that as a "new class and dimension of malware," Stuxnet represents a "paradigm shift."
    ...
    U.S. response more tepid

    Despite the sophistication of Stuxnet and the fact that it is aimed at critical infrastructure, U.S. cybersecurity officials seem to be treating it like any ordinary malware, an industry watcher told CNET and experts complained to The Christian Science Monitor.

    Through US-CERT (Computer Emergency Readiness Team), the Department of Homeland Security issues advisories and alerts about computer vulnerabilities and attacks. Searches for "Stuxnet" and for "Siemens Simatic" revealed a handful of warnings, with the earliest dating back to July when Stuxnet was first publicized. These include updates to prior advisories as more was learned in mid-August about the PLC code injection aspect of the malware, which meant it was not just for espionage but could be used for sabotage.

    "The question is where the heck is DHS?" Joe Weiss, a critical infrastructure security expert, said in an interview with CNET today. "There is no real guidance being given. There is nothing going out to the utilities or other end users talking about the actual compromise of the controller itself" and how to detect and remove the malware from infected PLCs.

    U.S. officials seem oddly disinterested in something that other countries appear to be taking extremely seriously--the first malware known to specifically target critical infrastructure, Weiss suggested. As an example, he said the acting director of control systems for the DHS gave a talk two weeks ago at the Applied Control Solutions' Industrial Control Cyber Security conference run by Weiss and didn't mention Stuxnet.


    link: http://news.cnet.com/8301-27080_3-20019124-245.html
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Dermot7

    Thanks for the latest Langner link :thumb:

    *

     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Microsoft Patch Tuesday: One Stuxnet hole remains open

    While 16 updates from this Microsoft bumper Patch Tuesday close 49 security holes, a vulnerability exploited by the Stuxnet super worm to escalate access privileges remains open. Update MS10-073 does, however, close the other two known privilege escalation holes, which are related to loading keyboard layouts in the kernel. MS10-073 also fixes two previously undisclosed flaws. As one of the problems was discovered by Symantec, it's probably already actively being exploited in the wild.

    http://www.h-online.com/security/ne...ay-One-Stuxnet-hole-remains-open-1106886.html
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    More than 30 persons built the Stuxnet worm.

    WASHINGTON -- Details about the Stuxnet worm, a highly-engineered piece of malicious software that targeted industrial control systems, have trickled out since it made international news earlier this fall. The sophistication of the malware combined with its ability to target the controllers that run power plants and other infrastructure facilities impressed many security experts.

    At a small conference on cybersecurity sponsored by TechAmerica, Symantec's Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code.


    http://www.theatlantic.com/technolo...xnet-worm-more-than-30-people-built-it/66156/
     
  24. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    http://www.symantec.com/content/en/..._response/whitepapers/w32_stuxnet_dossier.pdf
     