Stux on you
By Dave Birch, posted Nov 29 2010 at 8:58 PM
The media are full of cyberwar at the moment. I'm sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.
President Mahmoud Ahmadinejad admitted Monday that "several" uranium enrichment centrifuges were damaged by "software installed in electronic equipment," amid speculation Iran's nuclear activities had come under cyberattack.
[From France24 - Iran admits uranium enrichment hit by malware]
So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.
Here are the bare bones.
the malicious code that Stuxnet aims to run on the industrial control system executes on the PLC and is written in MC7 bytecode. MC7 is the assembly language that runs on PLCs and is often originally written in STL... only CPUs 6ES7-417 and 6ES7-315-2 are infected
[From Exploring Stuxnet’s PLC Infection Process | Symantec Connect]
OK. So this seems reasonable. A clever virus writer has put together something that propagates across PCs and, when it finds a particular CPU attached (for industrial control), sends its "payload" to that CPU. It's very specific.
Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.
[From Missing piece completes Stuxnet jigsaw • The Register]
Pretty dastardly.
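The quoted description says the sabotage relied on changing drive output frequencies for short intervals, which makes the resulting faults hard to diagnose. One defensive response is an independent monitor that compares measured drive frequency against the expected operating band and logs each deviation as a single event. The following is an added example, not code from the original post or from any of the reports it quotes; the 807 Hz to 1210 Hz band is taken from the quoted text, while the telemetry trace, the one-sample-per-second cadence and the assumption that the readings come from an instrument independent of the controller are all constructed for the example.

```go
package main

import "fmt"

// Sample is one reading of a drive's output frequency from an instrument that
// is independent of the controller (an assumption made for this example).
type Sample struct {
	T  int     // seconds since the start of the trace
	Hz float64 // measured output frequency
}

// Excursion is a run of consecutive samples outside the expected operating band.
type Excursion struct {
	Start, End   int     // first and last second of the run
	MinHz, MaxHz float64 // extremes observed during the run
}

// FindExcursions groups consecutive out-of-band samples into excursions, so that
// a short-lived deviation is logged as one event instead of being lost among
// otherwise normal telemetry.
func FindExcursions(samples []Sample, lo, hi float64) []Excursion {
	var out []Excursion
	var cur *Excursion
	for _, s := range samples {
		inBand := s.Hz >= lo && s.Hz <= hi
		switch {
		case !inBand && cur == nil:
			// first out-of-band sample: open a new excursion
			cur = &Excursion{Start: s.T, End: s.T, MinHz: s.Hz, MaxHz: s.Hz}
		case !inBand:
			// still out of band: extend the open excursion
			cur.End = s.T
			if s.Hz < cur.MinHz {
				cur.MinHz = s.Hz
			}
			if s.Hz > cur.MaxHz {
				cur.MaxHz = s.Hz
			}
		case cur != nil:
			// back in band: close the open excursion
			out = append(out, *cur)
			cur = nil
		}
	}
	if cur != nil {
		out = append(out, *cur)
	}
	return out
}

// ConstructedTrace is a made-up trace: steady running at 1000 Hz with two brief
// deviations, one above the band and one below it. The values are invented.
func ConstructedTrace() []Sample {
	var trace []Sample
	for t := 0; t < 30; t++ {
		hz := 1000.0
		switch {
		case t >= 10 && t <= 12:
			hz = 1350
		case t >= 20 && t <= 21:
			hz = 50
		}
		trace = append(trace, Sample{T: t, Hz: hz})
	}
	return trace
}

func main() {
	// The band is the one the quoted report gives for the targeted drives.
	for _, e := range FindExcursions(ConstructedTrace(), 807, 1210) {
		fmt.Printf("excursion %ds-%ds: %.0f..%.0f Hz\n", e.Start, e.End, e.MinHz, e.MaxHz)
	}
}
```

The point of grouping rather than alerting per sample is that a deviation lasting a few seconds inside months of normal readings is exactly what the quoted text describes as hard to diagnose; a per-event log with start, end and extremes gives an operator something to correlate with centrifuge failures.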
O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution.
[From Stuxnet Analysis Supports Iran-Israel Connections | threatpost]
On the other hand, it was also the day that the Unabomber struck at Northwestern, so maybe it's got something to do with that? Or what if it is related to the famous Pierre Trudeau rally on that day and BC separatists are behind the hack, actually targeted at the Canadian oil industry? Of course, none of us has any idea whether any of this is true or not. It does make you wonder, though: if there was a proper digital identity infrastructure in place, which managed M2M transactions as well as P2M transactions, then how would this kind of attack work? Suppose, for example, that the kind of digital identity infrastructure that uses digital signatures was in place: how would sneaky foreign viruses get their payload on board?
It turns out that the Stux story does involve digital signatures. Having followed the links from a few stories to try and find out what actually happened, I'm none the wiser. Perhaps journalists aren't reporting it properly, or perhaps bits of the story are missing.
Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.
Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.
[From Stuxnet Questions and Answers -]
I don't understand this. A stolen certificate wouldn't allow you to forge a signature, since it contains the public key, whereas you need the private key to form a signature. Is there anyone out there who can point me in the right direction to find out what has actually been going on? Or is this more evidence that someone has the master key to the internet that The Daily Telegraph told us about?
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.
A stolen certificate wouldn't allow you to forge a signature, since it contains the public key, whereas you need the private key to form a signature.
The public key is already just that - public. There is no reason to steal it. What has been stolen is Realtek's and JMicron's private key.
Here is one related link on the topic: http://www.mail-archive.com/[email protected]/msg11324.html
Posted by: Eitan Adler | 30/11/2010 at 06:48 AM
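The comment above makes the distinction that resolves the post's question: the certificate publishes only the public key, so what the attackers needed, and what the Q&A loosely calls a "stolen certificate", was the vendor's private signing key. The following added example (not code from the post, the commenter, or any of the quoted sources) shows the three cases a driver loader has to distinguish: a genuine signature verifies under the vendor's certificate, a signature made with any other private key fails under that certificate even though the certificate itself is public, and after revocation even a genuine signature is rejected. It uses Go's standard-library ed25519 and a minimal `Certificate` struct as stand-ins for the RSA/X.509 Authenticode chain Windows actually uses; the subject names, serials, driver bytes and revocation list are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a deliberately minimal stand-in for an X.509 code-signing
// certificate (assumption: a real one carries many more fields plus the CA's
// signature over them). It holds only public material, which is why possessing
// someone's certificate on its own does not let you sign anything.
type Certificate struct {
	Subject   string
	Serial    string
	PublicKey ed25519.PublicKey
}

// Signer is what a publisher actually has to protect: the private half of the
// key pair. A compromise of this, not of the certificate, is what lets a third
// party produce signatures that verify under the publisher's certificate.
type Signer struct {
	Cert    Certificate
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair and the certificate that publishes its public half.
func NewSigner(subject, serial string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{
		Cert:    Certificate{Subject: subject, Serial: serial, PublicKey: pub},
		private: priv,
	}, nil
}

// Sign signs a driver image. Only the holder of the private key can do this.
func (s *Signer) Sign(driver []byte) []byte {
	return ed25519.Sign(s.private, driver)
}

// Revocations stands in for a CRL or OCSP response: serials no longer trusted.
type Revocations map[string]bool

// VerifyDriver is the loader's check: refuse a revoked certificate, then verify
// the signature against the public key published in the certificate.
func VerifyDriver(cert Certificate, driver, sig []byte, revoked Revocations) error {
	if revoked[cert.Serial] {
		return fmt.Errorf("certificate %s (%s) is revoked", cert.Serial, cert.Subject)
	}
	if !ed25519.Verify(cert.PublicKey, driver, sig) {
		return errors.New("signature does not verify under this certificate")
	}
	return nil
}

func main() {
	vendor, _ := NewSigner("Example Vendor (constructed)", "1001")
	other, _ := NewSigner("Unrelated Party (constructed)", "2002")
	driver := []byte("constructed driver image bytes")
	none := Revocations{}

	// 1. A signature made with the vendor's private key verifies under its certificate.
	fmt.Println("genuine:", VerifyDriver(vendor.Cert, driver, vendor.Sign(driver), none))

	// 2. The vendor's certificate alone is no help to anyone else: a signature made
	//    with a different private key fails under it.
	fmt.Println("other key:", VerifyDriver(vendor.Cert, driver, other.Sign(driver), none))

	// 3. Once the private key is known to be compromised, the CA revokes the
	//    certificate and the loader rejects even a correctly formed signature.
	revoked := Revocations{"1001": true}
	fmt.Println("after revocation:", VerifyDriver(vendor.Cert, driver, vendor.Sign(driver), revoked))
}
```

Case 3 is why the Q&A's revocation answer matters: revocation is the only remedy once the private key is out, and it only protects loaders that actually consult the revocation list before trusting a signature.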
Thanks for this excellent pointer Eitan.
Posted by: Dave Birch | 30/11/2010 at 12:32 PM