09.28.10

Great cyberweapon or cyberfizzle?

Posted in Crazy Weapons, Cyberterrorism at 3:36 pm by George Smith

On Stuxnet, yes, I’ve seen the stories.

But do go to the site of the German researcher propagating its central thesis, Ralph Langner.

Langner’s discussion is an interesting one and often compelling.

But “hack of the century” is the type of overused phrase that won’t get you a lot of mileage in circles not inclined to believe absolutely everything published about global malware. Or cyberwar.

Langner knows the technical side and makes a reasonable argument as to the amount of effort put into the Stuxnet bug. He argues that it was created by a national intelligence/defense program. And the obvious insinuation for this story is Israel, although other countries are not ruled out.

However, the discussion goes a bit too far — understandably — in linking circumstantial news that Iran’s nuclear program has progressed more slowly than expected with Stuxnet.

There is no proof that anything went bang or failed catastrophically in a nuclear reactor or even a centrifuge cascade. Other equally or more plausible explanations exist for any perceived slowdown, if there is one, in an Iranian nuclear weapons program.

Still, if one takes the broad leap and grants that a virtual effect of some kind was achieved, Stuxnet’s effect is still indiscernible to everyone not already in on the story.

Years ago, I said publicly that I thought governments would try to write malware and pursue cyberwar. I had no real idea how long ago until I started digging up some old digital news records.

It was all the way back in 1995.

At the time, it was for a Voice of America news broadcast, and this is what I said, something I’ve repeated from time to time in many other discussions:

“George Smith is skeptical that offensive military operations will work very well in cyberspace.

“For years, Mr. Smith has been writing a newsletter on computer break-ins . . . He says Pentagon officials are overstating the danger from computer hackers and intruders.

“Nevertheless, [Smith] expects the United States and many other nations to try to create ‘cyber-attack’ forces: ‘I think it is likely that people will try, I think it is unlikely they will have any impact.’

“Mr. Smith says armies in Bosnia and the Gulf War faced computer problems, including viruses. He says they coped with them in much the same way they coped with flat tires on vehicles, or worn out parts on aircraft.

“[Smith said] the idea that small groups of people, armed only with keyboards, could seriously hurt a powerful military force belongs in Hollywood — not the battlefield.”

To this I’d only add that the lack of substantial proof of success in offensive malware operations won’t stop anyone in the business of insisting just the opposite.

However, Iran’s nuclear program also won’t be stopped by a piece of malware aimed at controller software in its factories.

And the liabilities of employing something like Stuxnet are now fairly obvious.

The most glaring is that such a thing is immediately seized upon and pulled apart by the worldwide distributed network of computer security researchers. And second, even granting for a moment that it was designed to be directed at Iran, the intelligence requirements for confining it solely to that target were far too great to limit its spread to that country.

Wrote David Sanger at the New York Times over the weekend:

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

Another ramification is the identification of the originating country. If the country of origin is already an international pariah, then it doesn’t matter if Stuxnet is pinned on such a nation.

As a thought experiment, assume for a minute that Stuxnet is a part of a US program, not Israel’s.

In terms of national security and unilateral action, everyone already thinks the US acts rashly and can be reliably depended upon to behave with little regard for others.

At this point, there’s no longer much of a downside to using something like Stuxnet.

Even if a national program were to execute something so poorly that the backfire swept over the originating country’s civilian systems. (That’s certainly progress, of sorts.)

It would just be yet another example of some team or some agency thinking, perhaps reasonably, that it’s godly and beyond reach.

And we’ve already had a few of those.

Bruce Ivins and the lack of professional diligence at Fort Detrick, in the world of real things as opposed to virtual, come to mind.

Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical. Paradoxically, one of the famous journalists usually the first to exaggerate such things — John Markoff of the New York Times — gave it what was, for him, a mild reception.

Markoff’s second paragraph, from the 27th:

The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.

All of the old anti-virus programmers, as far back as the late Eighties and Nineties, would have told anyone the same. In fact, they told stories like it about various computer viruses many times, the only difference being the wherewithal didn’t yet exist to aim them roughly over a global network.

In essence, once a piece of replicating malware is released into the world, no matter how “smart” (that being a relatively elastic term) its creator(s), it’s effectively liable to wind up where least expected, no matter how exactingly programmed.

If we get back to nuclear fuel cycles and national bomb programs for a moment, it should be remembered that uranium can be enriched, and an atom bomb made, entirely without the use of Siemens software and globally networked computers.

Entire libraries of books exist on the matter.

And people who have devoted professional careers to the study of nuclear proliferation can give entire classes on what can go wrong inside a bomb program without ever getting to software problems and malware. There are many things in the material world which can affect the progress of a bomb-making program, not the least of which are easily understood hurdles like inexperience, subpar skills and interference with access to essentials and properly engineered machinery.

In August, prior to Stuxnet news, the Times reported:

It is unclear whether the problems that Iran has had enriching uranium are the result of poor centrifuge design, difficulty obtaining components or accelerated Western efforts to sabotage the nuclear program …

For most of this year, Iran has added relatively few centrifuges — the machines that spin uranium at supersonic speed, enriching it — to its main plant at Natanz. Only about half of those installed are operating, according to the International Atomic Energy Agency. So far, Iran has produced about 5,730 pounds, enough, with considerable additional enrichment, to produce roughly two weapons.

The public explanation by American officials is that the centrifuges are inefficient and subject to regular breakdowns. And while Iranian officials have talked about installing more advanced models that would be more efficient and reliable, only a few have been installed.

“Either they don’t have the machines, or they have real questions about their technical competence,” Mr. Samore said.

Some of Iran’s enrichment problems appear to have external origins. Sanctions have made it more difficult for Iran to obtain precision parts and specialty metals.

Any of these explanations is as likely as Stuxnet, perhaps even far more so.


keys: cyberwar, cybersecurity, cyberterrorism, cybersabotage

Update: Some typos corrected.

9 Comments

  1. Major Variola said,

    September 29, 2010 at 7:47 am

    The authors knew the target unique signature thanks to a bit of humint but did not have access to the target facility. It did have access to computer networks via USB sticks. *Whether or not it worked*, it was targeted malware. To a SCADA system. That concealed its mods in the SCADA system.

    The potential consequences of this experiment are small compared to the potential gains.

    BTW it’s pretty easy to make a virus that does not infect certain machines. I believe one of the recent botnets does not infect computers with Ukrainian keyboards. Looking for a particular system is pretty selective; though like the Morris worm you have to watch out for logic problems in your code :-)

    Perhaps more worrisome is some US legislators’ idea to use DNS as a weapon, to deny access to wikileaks. Of course, this won’t work, as DNS is just sugar-coating. And it’s not the case that all your TLDs belong to US. Silly congresscritters..

  2. R. James said,

    September 29, 2010 at 11:40 am

    Despite certain facets of this malware that are definitely notable (e.g. employing multiple 0-day exploits, the use of code signing certificates, auto-update with an option to use P2P channels in the event that the C2 node goes down), there are aspects of the implementation that surprised me as being slightly dated.

    For example, to map DLLs into memory Stuxnet relies on a well-known hook-based approach that alters a handful of lower-level APIs used by the Kernel32.LoadLibrary() routine. This strategy generates forensic artifacts by virtue of the fact that a DLL loaded in this manner ends up in memory, and in the system’s runtime bookkeeping, while failing to show up on disk (a telltale sign, just ask the response team at Guidance Software). In other words, the absence of an artifact is itself an artifact.

    A less conspicuous strategy is to use what’s been called “Reflective” DLL injection, which is what contemporary suites like Metasploit use. Essentially, reflective DLL injection sidesteps the Windows Loader entirely in favor of a custom user-mode loader (an idea that was presented years ago by researchers like the Grugq, e.g. Data Contraception).

    Stuxnet also uses DLLs packed with UPX. Any anti-forensic developer worth their salt knows that UPX leaves a signature that’s easy for a trained investigator to recognize. A brief glance at the file headers is usually enough. Once recognized, unpacking is a cake walk. Now, I would expect that if the engineers who built this software took the time and care to implement the obscure PLC features that they did, they’d also have the resources and motivation to develop custom packing components. I mean, if you’re going to pack your code, at least make it difficult for the forensic guy wading through your payload.

    Why even use DLLs? Why not create some special-purpose file format that relies on a shrouded address table and utilizes an embedded virtual machine to execute one-of-a-kind bytecode?

    What all of this seems to indicate is that the people who built this in some respects took the path of least resistance. They opted to trade development effort for a forensic footprint.

  3. George Smith said,

    September 30, 2010 at 7:50 am

    This in from one reader, who I’ll keep nameless unless he wants it published. And concerning the latest round of speculation on what clues may or may not be embedded in the thing:

    =========

    Perhaps “myrtus” from the left-behind Stuxnet file path string “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” stands for either “My RTUs” or “My RTU software”. Here is what an RTU is:

    http://en.wikipedia.org/wiki/Remote_Terminal_Unit

    It looks like “src\objfre_w2k_x86\i386” is standard stuff generated by Microsoft development tools.

    Here’s what others are saying:

    In a Computer Worm, a Possible Biblical Clue
    http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?_r=1&hp
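
Two of the forensic clues raised in these comments can be pulled from a binary with a short triage script: the UPX fingerprints that R. James describes as recognisable from a glance at the file headers, and the left-behind PDB path string quoted just above. The following is an added example, not code from this blog or from any commenter. It parses the PE section table and checks for the UPX packer’s standard section names (UPX0/UPX1/UPX2) and its “UPX!” marker, and it extracts any embedded drive-letter path ending in .pdb, which is how a CodeView (RSDS) debug record stores the path. The two images it runs on are constructed inline: a bare DOS header, PE signature, COFF header and section table with no executable content, one carrying UPX fingerprints and the other carrying the PDB path quoted in the comment above.

```python
import re
import struct

# Section names the UPX packer leaves in the section table, plus the "UPX!"
# marker it writes into its packed header. Both are well-known packer fingerprints.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"

# A drive-letter path ending in .pdb, as stored in a CodeView (RSDS) debug record.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,240}?\.pdb")


def pe_section_names(data):
    """Return the section names from a PE image's section table ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                            # truncated table: stop rather than misread
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data):
    """True if the section table or the raw bytes carry the UPX fingerprints."""
    names = set(pe_section_names(data))
    return bool(names & UPX_SECTION_NAMES) or UPX_MARKER in data


def pdb_paths(data):
    """All distinct PDB path strings embedded in the image, in sorted order."""
    return sorted({m.decode("ascii") for m in PDB_PATH_RE.findall(data)})


def triage(data):
    """Summarise the packer and debug-path indicators for one image."""
    return {
        "sections": [n.decode("ascii", "replace") for n in pe_section_names(data)],
        "upx": looks_upx_packed(data),
        "pdb_paths": pdb_paths(data),
    }


def build_sample_pe(section_names, trailer=b""):
    """Constructed sample: a minimal PE layout (DOS header, PE signature, COFF header
    with no optional header, section table) followed by arbitrary trailer bytes.
    It is not executable; it exists only to exercise the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + trailer


# Constructed inputs: one image with UPX fingerprints, one with a CodeView record
# carrying the PDB path quoted in the comment above.
PACKED_SAMPLE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 8 + UPX_MARKER)
PLAIN_SAMPLE = build_sample_pe(
    [b".text", b".rdata", b".data"],
    b"RSDS" + b"\0" * 20 + b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\0",
)

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(image))
```

On a real file, read the bytes and pass them to `triage()`; the section-name check is the reliable signal, while the “UPX!” marker and the PDB regex are string heuristics that a deliberate packer or a stripped build can defeat, which is exactly the point the comment makes about leaving such artifacts behind.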

  4. George Smith said,

    September 30, 2010 at 8:35 am

    Another reader writes, pointing to another essay/comment on Stuxnet.

    An excerpt:

    Sponsor – sitting in a room with a swaying light bulb over a desk. He smokes a cigarette, taking slow ‘drags’ of his cigarette. The orange light flaring from his cigarette. “We need to decapitate their nuclear facilities.” As the rogue hacker sits listening he immediately blurts out “I have a plan!” “We will build USB switchblades [1], deploy them to Iran. They in turn will pick them up in awe, wonder what is on them and plug them into these machines in the nuclear facility and it is game over.” “Cut” yells the Hollywood director. Shocking!, Thrilling!, Amazing!, Academy Award Winning!

    http://www.theaeonsolution.com/security/?p=307

  5. George Smith said,

    September 30, 2010 at 9:17 am

    More reader mail:

    Question: How can Stuxnet be used to make money? Extortion, perhaps?

    11 Eastern Europeans Charged in UK Zeus Bust

    http://www.nytimes.com/external/idg/2010/09/30/30idg-11-eastern-europeans-charged-in-uk-zeus-bust-85886.html?ref=technology

    They worked as Web designers, supermarket workers, day laborers, some were unemployed. But U.K. police say that the group of Eastern Europeans, picked up in early morning raids Tuesday also made millions by operating a network of bank-robbing Trojan horse programs.

    Yuriy Korovalenko, 28, a Ukrainian Web designer

    Yevhen Kulibaba, 32, a Ukrainian property developer

    Karina Kostromina, 33, unemployed, from Latvia

    Aleksander Kusner, 27, unemployed, from Estonia

    Roman Zenyk, 29, a laborer from Ukraine

    Eduard Babaryka, 26, a driver from Belarus

    Milka Valerij, 29, a laborer from Ukraine

    Iryna Prakochyk, 23, unemployed, from Ukraine

    Ivars Poikans, 29, a Latvian supermarket worker

    Kaspars Cliematnieks, 24, a Latvian supermarket worker

    Another man, Zurab Revazishvili, 34, of Georgia was charged with violating the UK’s Identity Cards Act.

  6. Tweets that mention Dick Destiny » Great cyberweapon or cyberfizzle? -- Topsy.com said,

    September 30, 2010 at 1:17 pm

    […] This post was mentioned on Twitter by Jonathan Abolins, alexlevinson. alexlevinson said: @TeaWithCarl Stuxnet: Great cyberweapon or cyberfizzle http://bit.ly/bUyNWB […]

  7. COfNoC said,

    October 4, 2010 at 6:37 am

    I find your reference to Bruce Ivins and the weaponized Anthrax from Fort Detrick a bit confusing, considering how many of his colleagues expressed significant doubt he was the source of the attacks.

    [deleted]

    You’ve come to the wrong place.

  8. Digital pickings » Blog Archive » Stuxnet: Great cyberweapon or cyberfizzle said,

    October 8, 2010 at 8:24 pm

    […] more here: Stuxnet: Great cyberweapon or cyberfizzle Posted on October 9th 2010 in Info […]

  9. Dick Destiny » Fancy Stuxnet Stuff: Effect still indiscernible said,

    November 16, 2010 at 10:43 pm

    […] limitations, previously at DD blog: I’d only add that the lack of substantial proof of success in offensive malware operations […]