Wednesday, September 22, 2010
Stuxnet
I would write about the Stuxnet worm which seems to be the first publicly known piece of military grade attackware, but Bruce Schneier and others have written extensively about it. Langner's blog and Geekheim.de have the most pieces of evidence for who did what to whom where. The Symantec Security Response blog has some very good technical breakdowns of the reverse engineering of specific parts of the worm. Air gapping the networks would not help because the worm was designed to defeat that barrier by using USB sticks which is a method originally used by floppy disk based worms in the days before PCs were connected to the Internet. Since our own DOD isn't smart enough to protect its own networks from USB worms, the likely American suspects are the CIA or NSA, probably the latter. But, the nation who had the best motive for doing this very cost effective attack was Israel. The Natanz ultracentrifuges were the likely target of this operation.
Update (10/01/2010): F-secure has a nice Stuxnet Questions and Answers post along with a video demonstration of what Stuxnet is capable of. Two pieces of internal evidence from the reverse engineering:
1. The path statement in the compiled code, \myrtus\src\objfre_w2k_x86\i386\guava.pdb, has the words myrtus and guava. Guavas are plants of the myrtle family. They are a type of pomegranate which serves as the Jewish symbols of righteousness and fruitfulness. Is Stuxnet a weapon of righteousness targeting the servants (machines) of the enemies of Israel? In this case, is the enemy, Iran? Are we dealing with a former biologist who is now a programmer, or with someone exposed to taxonomic nomenclature who could make an inside joke?
2. The registry key created called 19790509, which is the date, May 9, 1979, which was the date Habib Elghanian was executed in Iran as a spy on what appear to be completely false charges. His death led to the mass exodus of 100,000 Jews from Iran.
Here's The Register's analysis. Symantec has released the Steuxnet Whitepaper.
Update (10/01/2010): F-secure has a nice Stuxnet Questions and Answers post along with a video demonstration of what Stuxnet is capable of. Two pieces of internal evidence from the reverse engineering:
1. The path statement in the compiled code, \myrtus\src\objfre_w2k_x86\i386\guava.pdb, has the words myrtus and guava. Guavas are plants of the myrtle family. They are a type of pomegranate which serves as the Jewish symbols of righteousness and fruitfulness. Is Stuxnet a weapon of righteousness targeting the servants (machines) of the enemies of Israel? In this case, is the enemy, Iran? Are we dealing with a former biologist who is now a programmer, or with someone exposed to taxonomic nomenclature who could make an inside joke?
2. The registry key created called 19790509, which is the date, May 9, 1979, which was the date Habib Elghanian was executed in Iran as a spy on what appear to be completely false charges. His death led to the mass exodus of 100,000 Jews from Iran.
Here's The Register's analysis. Symantec has released the Steuxnet Whitepaper.
Labels: military grade specific targeted attackware