Inside Stuxnet: Researcher drops new clues about origin of worm

Summary: The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.


VANCOUVER -- The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference here with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.

Symantec security researcher Liam O Murchu (photo above) says he found the "05091979" date in the Stuxnet code, a possible link to the May 9, 1979 execution of Jewish Iranian businessman and philanthropist Habib Elghanian.

Ever since the discovery of the worm, which Microsoft says dates back to January 2009, there has been incessant speculation that Stuxnet is a nation-state attack against Iranian nuclear plants. We've heard murmurings of biblical references and public confirmation that Iran's Bushehr nuclear reactor was the main target.

Now comes O Murchu with this titillating disclosure suggesting a direct link to Israel. However, security experts are cautioning against reading too much into anything deliberately left in the code by the Stuxnet authors because, at this level, there could be all kinds of decoys and misdirection.

O Murchu's presentation, complete with a live demo of an attack against a Siemens PLC, provided the first detailed glimpse into the Stuxnet code.  He explained that the malware targets only two models of the Siemens PLC (S7 300 and S7 400) and injects rootkit code based on very specific configurations.

The code is so narrowly targeted that it will not infect the PLC unless it finds a specific network card (CP 342-5), he added.

"Stuxnet uses a 'man-in-the-app' attack," O Murchu said. "Once Stuxnet is on your computer, you have lost control of your PLC."

"We know everything that Stuxnet does on an infected PLC but we're just unsure of real world effects of this code.  It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs [of the PLCs]," he added.

During the demonstration, O Murchu used proof-of-concept code (not based on Stuxnet's) to infect a Siemens S7-300 PLC device connected to a humming air pump. Using just eight lines of code, he programmed the pump to run for a few seconds, inflating a red balloon.

He then modified the code slightly to run the pump for 140 seconds, again inflating the balloon until it popped with a loud bang.

"If this PLC was connected to an oil pipeline, you can see that the result would be much worse," he declared to applause from the audience.

During a separate presentation, representatives from Kaspersky Lab (see disclosure), Symantec and Microsoft provided a discovery timeline and details on the four zero-day vulnerabilities used by Stuxnet.



Talkback

27 comments
  • Conspiracy theory

    Would a serious secret service agency leave a deliberate clue as to who they are? I don't think so.
    malcarada
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      @malcarada

      How do you know the clue that was left is secret service.

      Have you ever heard of challenge, counter challenge.

      Each day there is challenge word and each day there is a counter challenge word.
      daikon
  • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

    It could have been built by somebody whose intentions were/are to implicate Israel in the whole thing.
    asg749d@...
  • Israel is bold enough

    It could of course be a misdirection but my personal feel is that Israel is bold enough to leave a clue such as the date knowing there is never any real evidence what the date or series of numbers really represent. By doing this they can fairly publicly make a warning whilst never really being implicated.
    Anyone remember all the cut internet cables a couple of years ago which affected almost the whole of ME and particularly Iran but yet as through a miracle no cable used by Israel was severed. The whole thing of course coincidentally happened at the time the Iranian oil bourse was to open with a result that the opening was delayed and instead of trading Crude they are just trading minor amounts of oil related products.
    If it walks like a duck and quacks like a duck....it's Israel
    peaknikmicki
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      Nah... Israel prefers to serve up their attacks via jet fighters and tanks.
      Hallowed are the Ori
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      @peaknikmicki

      If you say so.....
      harishkumar09@...
  • Israel already left its cluprints in previous operation

    In 2007 the Israeli Air Force attacked the Syrian nuclear reactor, then, two Israeli F-15 deliberately dropped their reserve fuel tanks with Hebrew letters on them just next to the Syrian site. Then, according to US and European officials, the Israeli attack was preceded with electronic and cyber attacks on the Russian made cutting-edge anti-aircraft missile batteries, so the Israeli jets could fly above their target without taking any special caution. Israel wants the Iranians to know what it can do, psychology is very important in the middle east.
    Gilisabo
  • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

    So then it might be Israel, because they're the most obvious nation with a reason to want to sabotage Iran's nuclear weapons program... or it might be someone making it look like it was Israel, because they're the most obvious nation with a reason to want to sabotage Iran's nuclear weapons program. Lovely.
    masonwheeler
  • Critical systems connected to Internet?

    What idiot country would have critical systems on a network which can be accessed by or has access to the Internet? I know it's hard to resist the urge to connect my furnace to the Internet, but sheer willpower has prevailed so far.
    davidr69
    • Internet-linked critical systems?

      @davidr69 Reports (from Stratfor.com and others) say that the Iranian system is isolated from the internet and the virus was most likely introduced via a thumbdrive.

      You're right: only an idiot country would make critical systems accessible from the internet.

      (Let me climb up on a soapbox here:) Unfortunately, many power converters in the US are already online and the "smartgrid" efforts of the US government will only further increase American vulnerability.

      The US is way ahead of the world in integrating the internet into our critical systems. While that makes our oil, gas, electricity, food and medical distribution systems more efficient and profitable, it exposes the entire country to vast risk. Those who believe we can avoid militarizing cyberspace are ignoring our national dependency on the internet and our glaring vulnerability. The discovery of logic bombs inside of power generation systems (as described in Richard Clarke's new book "Cyberwar") is proof that our enemies are not ignoring American vulnerabilities.

      We need an integrated cyber security policy that encompasses public and private systems and addresses security as a core requirement, not an add-on. The US govt must support the private sector operators of critical infrastructure to improve their defenses.
      StartUpper
      • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

        @StartUpper
        The surest way is at least to have multiple API wrappers connecting an infrastructure to the internet and industrial strength encryption used for challenge and response and even man-in-the-loop to protect the said infrastructure.

        The cost of having so many extra men in the loop is still less than the cost of employing so many in lieu of automation.
        harishkumar09@...
      • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

        @StartUpper

        Also the automated infrastructure should have a protection system which limits the values that can be input into a component in the infrastructure, thus a pump can only run at a certain rpm or a flame can only be so hot, so that if it exceeds the limitation, the input will be ignored and humans will be informed about the anomalous input.

        Pretty much like modern FBW aircraft which the pilot cannot crash even if he wants to.

        You can then have the infrastructure directly connected to the internet and have no security and you need not worry about it.

        Write safe code, in type safe language, with plenty of exception handling and you are almost safe. Very safe.
        harishkumar09@...
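One way to build the limiting layer the comment above describes, as an added example (not code from the article, from Symantec, or from any commenter): a guard that sits between a controller's command and the actuator, refuses any setpoint outside a configured range or any run longer than a configured ceiling, and records an alert for operators instead of silently clamping. The component names, limits and the sample commands are constructed for illustration; the 140-second pump command mirrors the balloon demo described in the article.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption for this example: every actuator has a hard range plus a ceiling
# on how long one command may drive it. Values are illustrative, not real limits.


@dataclass(frozen=True)
class Limit:
    """Hard bounds for one component; out-of-range commands are refused, not clamped."""
    low: float              # minimum allowed setpoint (rpm, degrees, ...)
    high: float             # maximum allowed setpoint
    max_run_seconds: float  # longest the actuator may be driven by one command


@dataclass
class SetpointGuard:
    limits: Dict[str, Limit]
    alerts: List[str] = field(default_factory=list)  # what operators get told

    def check(self, component: str, setpoint: float, run_seconds: float) -> bool:
        """Return True if the command is within limits; otherwise record an alert."""
        lim = self.limits.get(component)
        if lim is None:
            # Fail closed: a component with no configured limit gets no commands.
            self.alerts.append(f"{component}: no limit configured, command refused")
            return False
        problems = []
        if not (lim.low <= setpoint <= lim.high):
            problems.append(f"setpoint {setpoint} outside [{lim.low}, {lim.high}]")
        if run_seconds > lim.max_run_seconds:
            problems.append(f"run time {run_seconds}s exceeds {lim.max_run_seconds}s")
        if problems:
            self.alerts.append(f"{component}: " + "; ".join(problems))
            return False
        return True


Command = Tuple[str, float, float]  # (component, setpoint, run_seconds)


def filter_commands(guard: SetpointGuard, commands: List[Command]) -> List[Command]:
    """Pass through only commands the guard accepts; refusals end up in guard.alerts."""
    return [c for c in commands if guard.check(*c)]


# Constructed limits and commands (chosen for illustration only).
LIMITS = {
    "air_pump": Limit(low=0.0, high=1500.0, max_run_seconds=10.0),
    "burner": Limit(low=0.0, high=900.0, max_run_seconds=3600.0),
}
COMMANDS: List[Command] = [
    ("air_pump", 1200.0, 5.0),    # normal: a few seconds at moderate speed
    ("air_pump", 1200.0, 140.0),  # overlong run, like the balloon demo
    ("burner", 1400.0, 60.0),     # temperature above the configured ceiling
    ("valve_7", 1.0, 1.0),        # component with no limit on file
]


def demo() -> Tuple[List[Command], List[str]]:
    guard = SetpointGuard(LIMITS)
    accepted = filter_commands(guard, COMMANDS)
    return accepted, guard.alerts


if __name__ == "__main__":
    accepted, alerts = demo()
    print("accepted:", accepted)
    for a in alerts:
        print("ALERT:", a)
```

The guard refuses rather than clamps, so a command that is merely "too large" never becomes a slightly-too-large command that still runs, and it fails closed for components it has never heard of. The caveat the article itself supplies: Stuxnet injected code into the PLC, so a limit check that runs on the same PLC can be rewritten by the same attacker; the guard only helps if it lives somewhere the compromised controller cannot modify, such as a separate safety controller or a hardwired interlock.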
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      @davidr69

      Some have sheer idiocy, because their ideology is all about treating women as sex objects and hence thinking about sex all the time that there isn't sufficient blood for their brains, as most of it has gone to the penis.
      harishkumar09@...
  • Date format

    Strange - made me log in, but "lost" posting....anyway, to do it again:

    Does anyone know what date format is common in Israel? If the date represents May 09, 1979, the date format used is MM-DD-YYYY, which is common in the US. Is this the format that is common in Israel, or do they use the more European DD-MM-YYYY format?
    tbuccelli
    • Good Question

      @tbuccelli
      I was thinking the same thing when I saw the date code. It is also possible that it is a set of numbers that look like a date but refer to something else.
      sboverie
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      @tbuccelli -Great catch!
      Facepalm. That is too funny.
      zeprider1
  • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

    Israel has the right to defend itself against any threat foreign or domestic!! Just like any other nation!!!!
    jasonemmg
  • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

    I heard that if you take the first letter of each line of code, it spells out "Francis Bacon is the real Shakespeare" frontwards, backwards, and sideways.
    Vesicant
  • ?05091979? date May is USA representation

    In Israel we use the European date standard in which the date would be interpreted as the 5th of September. Nice try lame.
    Kiryat8
    • RE: Inside Stuxnet: Researcher drops new clues about origin of worm

      @Kiryat8

      Does that mean that ALL people in Israel use that? No.
      Lerianis10