“Doesn’t that bother any of you? Because it scares the living piss outta me!” – Lloyd Bridge as Admiral Tug Benson
That pretty much sums up my feelings about the Stuxnet worm the more and more I read about it. It seems like every week brings more and more dastardly information about this worm and its consequences for cyber warfare in general for the foreseeable future. First, a refresher course for those that might not be totally familiar with this little gem.
Anatomy of a Scary Virus
A Belarusian security firm got it’s hands on a sample of a new worm in mid-June of 2010. It was a Windows-based attack that seemed to be quite virulent from the very beginning. More disturbing, however, was the complexity that lay just beneath the surface upon further examination. Stuxnet targetted 4 separate zero-day exploits in Windows. In the security arena, this is the equivalent of showing your hand too early in a poker game. Zero-day exploits have great value on the black market for virus writers, so they tend to be hoarded and exploited only when a significant advantage can be had. For a virus to use four of them at once meant that it was serious about infecting things. Secondly, it installed a rootkit on the target system. While this isn’t necessarily new in and of itself, the way it succeeded was brilliant. The writers of the virus hijacked to signed security certificates from trusted manufacturers JMicron and Realtek. This meant that the kernel mode drivers necessary for rootkit operation could be installed without so much as a blip of a warning. Also disturbing was the method in which the virus was constructed, a mish-mash of C and C++ code. This is quite odd for a trade that typically uses simple coding techniques.
After digging into the payload and operation of the virus, the malicious intent cranked up two or three more notches. The virus used a data cable connect between the PC and a Siemens Programmable Logic Controller (PLC) to hop into the PLC where it really started its nefarious work. Firstly, a rootkit was installed to hide the infection. Then, using the PLC it started messing with variable frequency drives that were slaved to the unit. Specifically, it was looking for drives that spin between frequencies of 807 Hz and 1210 Hz. Why so specific, you ask? Because drives that run at those frequencies just happen to be of the same kind that are used in centrifuges, which are critical to process needed to enrich uranium in nuclear power plants. Once it found the target, it didn’t make itself obvious by disabling the drive. Instead, it varied the rotational speed of the unit, ramping it up to 1400 Hz then back down to 2 Hz then back up again. To the outside observer, it would just look like the device was going haywire or having mechanical difficulties. At worst, you might think to pull the drive out and replace it with another unit. Of course, as soon as that unit was connected to the PLC, it would be infected by the Stuxnet worm and the whole process would begin all over again.
A New Chapter in Warfare
Once the security firm started tracing the command and control centers for the virus, the trail started going cold as servers were shutdown and erased from the face of the Internet. Usually, those kinds of disappearing acts are perpetrated by the kind of three-letter agencies that don’t like to make the headlines. And so it was that a large number of security researchers started speculating about the nature and purpose of Stuxnet. Symantec believes that a well-coordinated team of 5 to 10 individuals spent several months writing the virus. As well, the largest number of infected systems appears to be located in Iran. Based on the specific target of the virus (industrial equipment known to be purchased by Iran), it seems quite plausible to assume that someone or something wanted to make sure that the equipment didn’t function correctly. But, rather than take it out completely, the idea behind Stuxnet was to mask the damage done and make it look like mechanical failure. Indeed, since it was looking for such specific target criteria, it might have laid dormant for months before unmasking itself. The speculation currently is that the worm was designed to do one thing with brutal efficiency – cripple the Iranian nuclear program. Not by airstrikes or conventional means, but with cyber warfare.
When you think back on many of the malware programs that have sprung up and been quite irritating over the last few years, realize that the authors wanted to make a statement with them. Whether it was the theft of personal information or the hijacking of your PC for less-than-honorable purposes, each author left a stamp or calling card. These are the kinds of people that do things for fame and fortune. They want the exposure. If someone finds out who wrote Code Red or Nimda, all the better for them. Exposure gives credibility and prestige in that community. Even something like the SQL Slammer worm was an attempt to exploit a known vulnerability, perhaps for use by someone at a later date. Only the ham-handedness of the coding caused it to race out of control and be fought back so quickly. And so security professionals see these viruses and malware infections and combat them as best we can. But we only catch them because we can see the tell-tale signs.
Stuxnet appears to have been coded by a person or persons who don’t ever intend to be known. Their job succeeds when no one knows they did anything. These kind of people don’t leave marks or traces of any kind when they are done. They are professional. The pick a target and pursue it relentlessly until it is neutralized. And when all is said and done, no one would think twice about the cause of the misfortune to be man-made or inflicted.
Imagine if this had happened in America? Infected USB drives are scattered around a parking lot at a facility that services nuclear power plants. Or mailed to key individuals that have access to sensitive areas. Imagine the chaos that could ensue if the payload hadn’t been designed to subtly cripple, but instead was crafted to cause mayhem and disorder? Imagine what might happen if it were to occur on the scale of something that we can’t live without, like the GPS constellation? The idea that agencies and organizations that have made careers out of the kind of malicious and nasty tricks that mark intelligence and spying are now beginning to focus on cyber warfare is frightning. Think about what could happen if the most prolific and successful malware creators were hired for a job that would pay a fortune, provided the attack was successful and left zero trace. Would it be worth several million dollars if a country could cripple the military command and control functions of their enemy with a moment’s notice? What would happen if an invading army had no fear about its ability to render any and all resistance moot with the press of a button from some previous malware infection that went totally undetected until it was too late?
Granted, this all pie-in-the-sky rambling, but the directions that these types of programs can be taken in boggles even the most die-hard security researchers. Think about how many information system breaches we’ve seen. Now think about what would happen if it was targeted to, say the Department of Defense. Or the Social Security Administration? And no amount of money or threat of prosecution could deter the people doing it. State-sponsored terrorism is bad enough today. What happens when state-sponsored cyber terrorism becomes more prevalent? And before you answer that question too quickly, look at what happened with GMail just a few months ago. And realize that many in the security realm are starting to believe that those attacks were state-sponsored.
For those of you science fiction fans out there, my thought exercises may sound eerily similar to the reimagined Battlestar Galactica mini-series, where the Cylons were able to cripple the entire military effectiveness of the Colonials with a few well-placed programs. We all laughed at it and said that it made for great story telling, but it was still just fiction. Well, with the rise of Stuxnet and inevitably more programs like it, we can only hope that the escalation of cyber warfare doesn’t lead us to some kind of horrible conclusion. Because it’s something like that which makes me truly afraid.
Good summary, thanks.
Maybe we’ll look back at 2010 as the year we – security professionals in the private sector and non-military government – realize that, like it or not, the systems we work with have a larger exposure to state-level threats than we thought.
What is the answer? Maybe more stringent designs/baseliens and risk assessments, which will inevitably drive up costs. Not a fun discussion to have, but certainly an important one…
Pingback: Tweets that mention Stuxnet: Be Afraid | The Networking Nerd -- Topsy.com
Pingback: Internets of Interest:10 Dec 10 – My Etherealmind
Pingback: Friday (+1) Links – 6/18/2011 | The Networking Nerd
Also note that it was designed to attack air gapped systems, which you usually think of as secure by default.
We have seen very few things with the breadth of Robert Morris’s worm back in 1988, it would infect two hardware platforms via 4 vulnerabilities. Imagine what a nightmare that would be these days.
Pingback: The Coming Cyber Cold War? | The Networking Nerd