VANCOUVER – A Symantec researcher filled in more critical details about the Stuxnet worm here, demonstrating the worm’s ability to take control of Siemens programmable logic controllers (PLCs) and manipulate the machinery connected to them.

Liam O’Murchu of Symantec, speaking at the Virus Bulletin Conference here, provided the first detailed public analysis of the worm’s inner workings to an audience of some of the world’s top computer virus experts. O’Murchu described a sophisticated and highly targeted piece of malware and demonstrated a proof-of-concept attack showing how an infected PLC could drive the equipment it controls out of its intended operating range.

O’Murchu said Symantec analysts had reverse engineered the worm’s code and now understand exactly what Stuxnet does. However, without knowing what kind of machinery the targeted controllers were connected to, it is impossible to know what harm, if any, the worm caused on infected industrial control systems.

“We know what Stuxnet does on PLCs, but not the real-world effects of this code,” he said.

The worm used a novel method to compromise the PLCs: the first known rootkit designed to hide code running on a PLC. O’Murchu told attendees that Stuxnet was highly targeted, looking for systems with a specific type of Profibus network communication card attached to specific models of programmable logic controller, the Siemens S7-300 and S7-400. The worm also compromised Step 7, the Siemens software used to program the PLCs, inserting a rootkit that intercepts and modifies the code blocks sent to and from the PLC.

The result for victims is that their PLCs are secretly reprogrammed while the owners are denied any way of knowing what code is really running inside the devices, he said. To demonstrate the real-world impact of that loss of control, O’Murchu showed the infection of an S7-300 PLC connected to an air pump. Using the Step 7 software, he programmed the pump to run for three seconds, gently inflating a balloon attached to it. He then showed how a Stuxnet-infected PLC would instead instruct the pump to run for 140 seconds, quickly bursting the balloon.

“If this PLC was connected to an oil pipeline, you can see that the result would be much worse,” he said.
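The interception O’Murchu describes, as an added illustration (constructed for this page; it is neither Symantec’s analysis code nor Stuxnet’s own): a toy PLC holds named code blocks, an engineering station reads and writes them through a driver layer, and a Stuxnet-style interposer wraps that driver so that a download is tampered on its way to the controller while an upload hands back the operator’s original. The block name, the `RUN_PUMP seconds=N` logic format and the 3-second/140-second values are assumptions modelled on the balloon demo; `verify_out_of_band` shows the one check the hidden code cannot defeat from inside the compromised station, reading the block over a path the interposer does not sit on.

```python
"""Toy model of the Step 7 / PLC man-in-the-middle described above.

Constructed example, not Stuxnet's code. A fake PLC stores code blocks
by name; an 'engineering station' downloads and uploads them through a
driver. A rootkit-style interposer wraps that driver: it tampers with
blocks on the way down and returns the operator's original on the way up,
so the tool shows code the PLC is not actually running.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class FakePLC:
    """Stand-in for an S7 controller: block name -> logic text (assumed format)."""
    blocks: dict = field(default_factory=dict)

    def run(self, block_name: str) -> int:
        """'Execute' a block: return the pump runtime it commands, in seconds."""
        for line in self.blocks[block_name].splitlines():
            if line.startswith("RUN_PUMP seconds="):
                return int(line.split("=", 1)[1])
        return 0


class CleanDriver:
    """Honest driver: what the PLC holds is what the tool sees."""

    def __init__(self, plc: FakePLC):
        self.plc = plc

    def download(self, name: str, logic: str) -> None:
        self.plc.blocks[name] = logic

    def upload(self, name: str) -> str:
        return self.plc.blocks[name]


class RootkitDriver:
    """Interposer modelling the hooked driver: tamper going down, hide coming up."""

    def __init__(self, inner, tamper):
        self.inner = inner
        self.tamper = tamper   # callable(logic) -> modified logic
        self.shadow = {}       # originals, served back to the tool on upload

    def download(self, name: str, logic: str) -> None:
        self.shadow[name] = logic
        self.inner.download(name, self.tamper(logic))

    def upload(self, name: str) -> str:
        return self.shadow.get(name, self.inner.upload(name))


def stretch_pump_runtime(logic: str, seconds: int = 140) -> str:
    """The balloon demo: a 3-second pump run becomes a 140-second one."""
    out = []
    for line in logic.splitlines():
        if line.startswith("RUN_PUMP seconds="):
            line = f"RUN_PUMP seconds={seconds}"
        out.append(line)
    return "\n".join(out) + "\n"


PUMP_BLOCK = "OB1"                                  # assumed block name
OPERATOR_LOGIC = "// inflate balloon\nRUN_PUMP seconds=3\n"   # constructed


def scenario(infected: bool) -> dict:
    """Program the pump block through a clean or a hooked driver."""
    plc = FakePLC()
    driver = CleanDriver(plc)
    if infected:
        driver = RootkitDriver(driver, stretch_pump_runtime)
    driver.download(PUMP_BLOCK, OPERATOR_LOGIC)
    return {
        "tool_sees": driver.upload(PUMP_BLOCK),   # what the operator's tool reports
        "plc_runs_for": plc.run(PUMP_BLOCK),      # what the controller really does
        "plc": plc,
    }


def fingerprint(logic: str) -> str:
    return hashlib.sha256(logic.encode()).hexdigest()


def verify_out_of_band(plc: FakePLC, expected_logic: str, name: str) -> bool:
    """Read the block over a path the hooked station is not on (e.g. a second,
    known-clean host) and compare hashes with the operator's intended logic."""
    return fingerprint(plc.blocks[name]) == fingerprint(expected_logic)


if __name__ == "__main__":
    for infected in (False, True):
        r = scenario(infected)
        ok = verify_out_of_band(r["plc"], OPERATOR_LOGIC, PUMP_BLOCK)
        print(f"infected={infected}: tool shows "
              f"{r['tool_sees'].strip().splitlines()[-1]!r}, "
              f"PLC runs pump for {r['plc_runs_for']}s, "
              f"out-of-band check passes: {ok}")
```

In the infected run the tool still reports the operator’s 3-second block while the controller runs the pump for 140 seconds, and only the out-of-band comparison fails. The caveat is the obvious one: that comparison is only as trustworthy as the independence of the second read path, which is exactly why a rootkit in the engineering station’s driver is so effective.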

Speculation about the Stuxnet worm has grown rampant in the last week, as everyone from computer security experts to political scientists to divinity experts has weighed in on details of the worm, which was first identified in July. The story burst into the popular media after security and industrial control experts, looking at the worm’s capabilities and infection statistics, suggested that it may have been a targeted attack aimed at Iran’s nuclear enrichment facilities, and each day has brought new revelations about the impact of the worm and its possible origins.

Recent discussions have focused on Israel as a possible source of the worm, given its sophistication, Israel’s stated interest in disrupting Iran’s development of a nuclear weapon, and clues in the malware itself, including a reference to “Myrtus”, which some have read as an allusion to the biblical figure Esther.

Though most of the conversation about Stuxnet is still based on conjecture, O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on Siemens industrial control systems backs up both the speculation that Iran was the intended target and that Israel was a possible source of the worm. As for Iran, O’Murchu pointed only to Symantec data showing that the country accounted for the largest share of Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.

As for suggestions that Israeli intelligence may have authored the worm, O’Murchu noted that researchers had uncovered a reference to an obscure date in the worm’s code, May 9, 1979, the date on which Habib Elghanian, a prominent Iranian Jew, was executed by the new Islamic government shortly after the revolution.

Antivirus experts said O’Murchu’s hypothesis about the origins of the worm was plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention.

“It should have been more successful and stayed off the radar,” said Ivan Macalintal, a virus researcher at Trend Micro. The worm is a “game changing event” for the anti-malware industry, he said, expanding the scope of malware analysis into the political realm and beyond systems running the Windows operating system.



Comments (26)

  1. unclesmrgol

    I feel sorry for the Jews still in Iran. The nature of this disclosure by Symantec brings them even greater danger. Personally, Symantec should not be publicizing claims of this nature given the manner in which Iran traditionally treats minorities.

  2. Anonymous

    Posting a date, and then making a connection to the execution of a Jew in Iran is thin. It sounds like Nostradamus – pick a date and something, somewhere, somehow has or will happen. This is the best Symantec analysts could do?

    It was meant to be found.

     

     

  3. Evan

    The date thing is thin indeed. I mean, pick a date, something bad happened to a Jew in Iran on that day.

  4. Richard Steven Hack

    The 20,000-odd Jews in Iran aren’t in any particular danger. They’re constitutionally protected and have a seat in the government. Almost all have no desire to live anywhere else than Iran.

    The real issue here, IF someone in Israel is behind this, is the serious danger of “collateral damage” in releasing something like this targeted at a specific country. It’s reckless and stupid – and that squares with Israel’s usual approach to such matters.

    OTOH, at this point, supposedly according to antivirus company reports, the infections began elsewhere in the world – India and Indonesia. Still, that could just be a diversion to cover the real target. And of course, the “real” target could have been ANY country with Muslims.

  5. Anonymous

    Israel and the US were the source; you don’t need to be an engineer to know this. Both are leaders in cyber warfare, and despite accusing others, they routinely do it themselves.

  6. Anonymous

    Seriously? THAT’S the connection?

    … I didn’t think the Symantec guys were that silly. If someone is capable enough to make this kind of worm, do you think they’d leave hints as to their origin? By Symantec’s own admission, the worm shouldn’t have been found considering that level of competence.

     

    Using my brilliant detective skills of addition: those hints were made to be found. Therefore, it was probably some company wanting to screw with Siemens’ business in Iran… and considering the money Siemens makes there, it shouldn’t be surprising.

  7. Anonymous

    “most of the conversation about Stuxnet is still based on conjecture …”

    Including this part.

  8. O

    Also from the dossier they published (page 14), regarding this 19790509 value, in case this wasn’t obvious for some:
    “Symantec cautions readers on drawing any attributions conclusions. Attackers would have the natural desire to implicate another party.”

  9. Anonymous

    I do believe it was an Israeli or American cyber-attack. And if it was, we should all thank their efforts to stop these crazy Iranians from getting a nuclear weapon. Just remember what we’re dealing with. It’s not just Israel who is threatened here but all the Western countries like Europe, the USA and its allies like Japan and South Korea, who these crazy Muslim fanatics are referring to as heretics and crusaders.

  10. Anonymous

    One of the primary tasks of committing a “cyber crime” is covering your tracks, not leaving any kind of calling card. That’s like the difference between Richard Kuklinski and the tagging crew downtown. Whoever wrote it, if they put those references in there, put them in there as a red herring. Script kiddies leave calling cards. Juveniles who think an SQL injection is top shelf leave calling cards. Someone who writes a worm designed for an OS with a ridiculously small install base to target industrial installations? No, I don’t think someone who can do that would leave even the slightest shred of evidence as to who they are. 

  11. Anonymous

    Obscure numerology and Da Vinci Code-style hints are now used as evidence? Seems like someone is drawing the target around the arrow.

  12. Fry

    Firstly, I agree that those hints, if hints they be, were meant to be found.

    My initial reaction was to dismiss them as pointing fingers at the Israelis by whichever external party actually wrote the code, but one of the commenters in the Slashdot posting of this article makes an interesting point:

    The whole idea could be is that it doesn’t prove anything, but still
    tells everyone who’s responsible. Perhaps a threat veiled enough to not
    be actionable legally, but still heard loud and clear. I see pulling
    that off as evidence of smarts, not stupidity.

  13. NoToBankers_AnIranian

    The real issue between Iran and the West is not nuclear, as they have lived with many holders of this capability already. Jews control the money supply of the West and that money is backed by nothing. Now to keep this monopoly this money should be attached (backed) by the blood of the system (oil), plus Iranians have not surrendered to the monetary system of the West. Controlling Iran will be the last chain to control the world, because China and India will be subjected to obey. Israel is a proxy (mad dog) to implement Albert Pike’s vision of controlling the world through three world wars. Welcome to the new world (slave) order.

  14. dan

    Some other analyst pointed to China being the source, even though they have 6 million infected addresses(?), with its moon shot rivalry with India – this thing allegedly knocked out the Indian satellite and Iran is collateral damage, although there is an industrial park in Taiwan, was it, where Siemens and 2 other companies involved sit next door to one another….. no one jump to any conclusions – rather hasty. For all we know, there is another one out there which has not yet revealed itself and this is a red herring.

    Another reason to look at China is the ability to ruin the US Navy with this thing – check the old news from 2008 about the USB hack attack on our military. Hmmmm…….

  15. Anonymous

    It was a former governor (female) of Alaska. She did it with her little hands, and all alone.

  16. Anonymous

    If Israel did it, there would be no trace and Symantec would still be looking for the reasons and would still be debugging the code. Ditto if the culprit was the USA.

    It was done, if it originated in India first, then wake up. The culprits were individuals that were enemies of Siemens. (In Germany, there are many).

     

     

  17. Anonymous

    9 May 1997: El Salvador cathedral bloodbath (anti-government protests)

    What I don’t get is, the whole world is against Iran’s nuclear development, so whose side do the capitalist antivirus companies work on? Just be glad it was done; it almost blew.

    It was a Russian job, they have skilled hackers; they only wanted money for building Iran’s nuclear facilities, they never intended to give Iran real power; even the Russians couldn’t allow that to happen, another atomic army in that region. Russia depends on Iran’s oil but doesn’t like it to become too powerful. It’s Russia that rules, not Iran..

    Decembrists impale Revolution upon Capitalists….

  18. Anonymous

    “If someone is capable enough to make this kind of worm, do you think they’d leave hints as to their origin? “

    How many times previously have these cyber terrorists succeeded in concealing their identity?

  19. Anonymous

    I have never seen a piece of code that did not have personal and cultural references of the programmer embedded in them; you need to create a million names in your career, where do you draw them from? Most programmers are actually pretty undisciplined which is why languages like Java exist to force discipline on them. It is not possible for the majority of programmers to be disciplined enough to leave no cultural references in their code or even to leave so few. This screams government actor, even more so if the scant clues are misdirection.

    The most important part of this story, however, still seems just under everyone’s radar. In a fight you do not throw a knife at your enemy; if you don’t kill him you have armed him against you unless he is stupid enough to throw it back. The rootkit for the Siemens controllers is out there now in hackers’ hands. Whoever wrote this code just threw a knife at our enemies and our infrastructure is now at risk. THIS IS A VERY BIG DEAL!!!

  20. Anonymous

    “…and clues in the malware itself, including a reference to Myrtus, the biblical character of Miriam. “

    You mean Esther, not Miriam.

  21. Anonymous

    Any one of the guesses expressed here as to the identity of the developing entity is plausible.

    We all in the free world should rejoice that someone on our side has the possibility to attack and destroy the nuclear facilities built by the reckless Iranian regime. We are all under threat here. And if we can do it without spilling blood – using the virus – even better. Whoever designed this exhibited both amazing technological prowess and high moral standards.

  22. Eloise N. Moscow

    Symantec might as well pull out their Tarot cards and tea leaves at the rate they are producing intelligent analysis. Maybe it was Frodo Baggins from his super secret lab beneath the Shire. That would be news. 8|;0P

    Followed by a sigh…

  23. Anonymous

    Seriously? Enough of the dirty acts of Israel and the Mossad are covered up already, so please stop defending your bastard nation built on stolen land.

  24. Anonymous

    You are correct, history repeats itself. In this case the story of Esther is a very accurate description of events as they are re-unfolding in Middle Eastern history. Ahmadinejad is definitely in for more than a triple-folded cookie with an apricot center…

    http://www.cs.utah.edu/~draperg/stories/ester/ester_3.html 

    The king Ahasuerus held a feast, where he called for his wife, but she would not come. So he decided to find a new queen. The king chose Esther to be his new queen. Esther did not tell him that she was a Jew. Mordecai, Esther’s cousin, saved the king’s life by telling Esther about a plot to kill the king. Mordecai refused to bow down to Haman, a high official, because it was against the commandments. So Haman made a plan to kill all the Jews. Haman convinced the king to decree that all Jews should be killed. Mordecai told Esther, and told her to talk to the king about it. Esther asked the Jews to fast for her. Then she went to talk to the king, although it was against the law to visit the king uninvited. Esther is received by the king, and invited King Ahasuerus and Haman to two banquets. The king remembered that Mordecai had not been rewarded for saving his life. He asked for suggestions from Haman, and Haman unknowingly plans Mordecai’s reward, as Haman was secretly planning to hang Mordecai. At the banquet, Esther revealed Haman’s plot to kill the Jews. Haman was hanged on the gallows he had planned for Mordecai.

Comments are closed.