Diamondeye wrote:
Ok that would work, but once you cleaned it off once, couldn't you just shut off all your USB ports and be fairly certain that it wouldn't get back on if you specifically authorized each device?
That's what the Army did after problems with infected USB drives.
Unfortunately, it's not quite that simple. I should have said that initial infection is spread by infected USB keys. Once a system is infected, it will seek to infect other machines over LAN, in particular looking for a machine on the local network with internet access. Once it finds one, it can update (and if necessary, re-infect) the local network via either C&C servers (they all went offline after Stuxnet was discovered) or, failing that, from its own peer-to-peer protocol.
But part of the problem, here, is dealing with "once you cleaned it off". Because Stuxnet functions as a rootkit, and still has significant portions of un-analyzed code, and is known to have multiple "dropper" components, you can't really be sure that a host, once infected, is ever really "clean" again. And then multiply that by all of the computers and PLCs the infected machine is potentially connected to, and all of the computers and PLCs those are connected to ...
Given the sophistication exhibited by Stuxnet thus far, I wouldn't even count on being able to get rid of it by a "naive" OS reload. Pretty much the only sure solution is to nuke it from orbit, and by that, I mean actually zeroing the hard drive of every computer and PLC on the network, and rebuilding completely from scratch. Problem is, you can't just (easily) do that when the whole purpose of your network is to control critical infrastructure and/or potentially very dangerous nuclear systems.
And, of course, if Stuxnet really is the result of state-sponsored cyber-warfare, then you can never really be sure that you don't have someone sabotaging the system from the inside.
Slythe wrote:
So what's your opinion? If you believe this is state-sponsored, which 'state' produced this? US? Israel? China? Russia?
I can't say that I really have one. That depends heavily on who its target is. Stuxnet pulls certain information out of Siemens' WinCC/PCS 7 databases, builds a fingerprint from it, compares it to a target fingerprint, and then takes some as yet unknown action if they match -- presumably something Very Bad(TM). But the fingerprinting system is basically a hash of some kind; you can't "reverse" the target from the fingerprint.
This points back to my speculation above that whoever Stuxnet is targeting has every reason to suspect a man on the inside. The only way to build the target fingerprint in the first place would be to have very specific field data from the target SCADA system -- data that shouldn't be accessible from off-site in any reasonably secure facility. To me this is one of the aspects that really points to state-sponsored activity. If the target is military or national, getting a man on the inside would be very difficult for Joe Q. Hacker. If the target is private industry or just some municipal system, then it could be the work of a disgruntled employee, etc., but that theory is hard to swallow based on the sheer complexity of Stuxnet.
So without knowing the target, it's really hard to say. Initial infection analysis seemed to indicate that the epicenter was Iran. If we speculate that this was, in fact, the target, then the most likely culprits are Israel or the U.S. I'd say that the former is probably more likely than the latter, and that "both" is somewhere in between. I'm not buying any of the supposed "Israel connections" in the code itself, but that doesn't change their position in the list of suspects, frankly.
On the other hand, there are now lots of infections in China. I tend to not think China is the target because these appear to be late infections, but there are a few counter-arguments to suggest China as a target:
1) Stuxnet's drivers are digitally signed with stolen certificates belonging to JMicron and Realtek; both are Taiwanese chip manufacturers. Neither has been able to determine how the certificates were stolen. One of the more interesting theories notes that both companies have offices in Hsinchu Science Park, and suggests that the inability to find any electronic intrusion to explain the theft could imply physical espionage. It's interesting, but I'm not sure that's anything but a red herring. If you pick any two Taiwanese chip manufacturers, I'm sure you'll find a similar connection somewhere. It's a small world. And the lack of evidence for an electronic theft could simply indicate that the culprit was very good. Given the skill with which the rest of Stuxnet was executed, that's a very real possibility.
2) One of the original C&C servers was located in Malaysia (the other was in Denmark, though). It's a pretty weak connection given how easily even amateur hackers can acquire or subvert a server in pretty much any country in the world, but we don't have much else to go on.
As an aside, what's interesting to me about 1) and 2) is not what they might say about the potential target, but simply the fact that both trails have yielded absolutely nothing. Regardless of how the certificates were stolen, it's impressive that someone could pull it off not once, but twice, without leaving any evidence behind. As to the C&C servers, the lack of fingerprints there is a bit less impressive than the certificate theft, but it's still worth noting. Following the C&C trail has busted a number of "expert" crackers out there, including (most notoriously) the NetSky guy. Again, to me this points to a level of expertise that's a little hard to attribute to conventional cracker groups -- even very good ones.
Final thought: whoever owns the target system almost certainly knows they were the target. Supposing that it were Iran, what would they do with that information? I really don't know. Normally, I'd say that they're not the type to shy away from an opportunity to point the finger at Israel or the U.S., but I'm not sure what they could hope to accomplish by doing so. Whoever the target is, if the speculation is correct that Stuxnet is being targeted via inside information, then I'm guessing it would be in their best interest not to acknowledge their awareness.
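The hash-based target check described in the reply above (build a fingerprint from field data, compare it to an embedded digest, and note that the digest alone does not reveal the target) is easy to see in miniature. The following is an added illustration, not code from the post and not Stuxnet's real matching logic; the field names, values and candidate ranges are all constructed for the example. It also shows the caveat a practitioner would raise against "you can't reverse the target from the fingerprint": that holds only while the fingerprinted fields carry enough entropy, because a digest of a few low-cardinality values can be inverted by simple enumeration.

```python
"""Hash-based target fingerprinting in miniature.

Constructed illustration of the idea in the post above. Not Stuxnet's code,
and the field names and values below are made up for the example.
"""
import hashlib
import hmac
import itertools


def canonical_fingerprint(fields):
    """SHA-256 over a canonical key=value serialisation of selected fields.

    Keys are sorted so the same data always yields the same digest no matter
    what order it was read from the database in.
    """
    parts = [f"{key}={fields[key]}".encode() for key in sorted(fields)]
    return hashlib.sha256(b"\x00".join(parts)).digest()


# Constructed stand-in for site-specific field data (hypothetical names).
TARGET_FIELDS = {
    "controller_family": "S7-300",
    "io_module_count": 6,
    "tag_prefix": "HX-LINE-2",
}

# In a real payload only this 32-byte digest would be embedded; the plaintext
# above is kept here solely so the example is self-contained and runnable.
TARGET_FINGERPRINT = canonical_fingerprint(TARGET_FIELDS)


def matches_target(observed, target_fp=TARGET_FINGERPRINT):
    """The check a payload would run on a newly infected host: hash what it
    sees and compare against the embedded digest. compare_digest is
    constant-time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(canonical_fingerprint(observed), target_fp)


# Constructed candidate space for the enumeration caveat below: two
# controller families, up to 16 I/O modules, three plausible tag prefixes.
SMALL_CANDIDATE_SPACE = {
    "controller_family": ["S7-300", "S7-400"],
    "io_module_count": list(range(1, 17)),
    "tag_prefix": ["HX-LINE-1", "HX-LINE-2", "HX-LINE-3"],
}


def recover_by_enumeration(target_fp, candidate_space):
    """Caveat to 'you cannot reverse the target from the fingerprint': a
    digest over low-entropy fields can be inverted by enumerating every
    combination of plausible values and hashing each one (96 here).
    Returns the matching field set, or None if the space does not contain it.
    """
    keys = sorted(candidate_space)
    for combo in itertools.product(*(candidate_space[k] for k in keys)):
        candidate = dict(zip(keys, combo))
        if hmac.compare_digest(canonical_fingerprint(candidate), target_fp):
            return candidate
    return None


if __name__ == "__main__":
    print("embedded digest:", TARGET_FINGERPRINT.hex())
    print("match on target host:", matches_target(TARGET_FIELDS))
    other_host = {**TARGET_FIELDS, "io_module_count": 7}
    print("match on other host:", matches_target(other_host))
    print("recovered by enumeration:",
          recover_by_enumeration(TARGET_FINGERPRINT, SMALL_CANDIDATE_SPACE))
```

The digest really is one-way in the cryptographic sense, so the post's point stands as long as the fingerprinted data is site-specific and high-entropy (a long serial number or a large block of PLC code). The `recover_by_enumeration` helper is what an analyst would try first against a captured digest: if the hashed fields are only a handful of enumerable values, the target falls out in milliseconds, which is why an attacker who wanted the target to stay hidden would mix in data nobody could guess.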