Posted on 09/30/2010 6:44:06 AM PDT by Sawdring
A computer virus dubbed the world's "first cyber superweapon" by experts and which may have been designed to attack Iran's nuclear facilities has found a new target -- China.
The Stuxnet computer worm has wreaked havoc in China, infecting millions of computers around the country, state media reported this week.
(Excerpt) Read more at breitbart.com ...
How long will it take to get here? That’s my question.
It is the Y2K of 2010. I don't think 14 year olds are making these viruses/worms in their bedrooms anymore.
It's probably already here.
The sad part is that it is relatively easy to avoid infection, even if you plug in an infected USB drive (which apparently is the initial vector of attack).
Windows XP can be configured to not "AutoPlay" a program on a USB drive. You just need the "TweakUI" utility from Microsoft.
Fortunately, it's been disabled by default in Windows 7.
I fail to see how a shotgun-blast-deployed virus can target a specific building or piece of infrastructure. Nor how this software can be “Weaponized” at all.
We have very good infrastructure protection measures in place.
http://www.infragard.net/
InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.
Easy, target a specific IP range and or system type like SCADA systems.
Stuxnet Introduces the First Known Rootkit for Industrial Control Systems
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
As we've explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes, for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.
Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn't just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can't accidentally overwrite the hidden blocks as well.
Stuxnet contains 70 encrypted code blocks that appear to replace some foundation routines that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.
By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly Trojanized to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.
Finally, we've reserved the in-depth technical details on how Stuxnet achieves this rootkit functionality for a future technical whitepaper, which will delve into other features of Stuxnet as well that we haven't had a chance to blog about. For example, a couple of other interesting things include the fact that it uses an infection counter before deleting itself (it is set to 3) and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.
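The audit the Symantec post recommends (checking PLCs for unexpected code) can be reasoned about with a small added example; this is illustration code, not Symantec's or any vendor's tooling. It assumes three inventories of PLC blocks: the trusted project baseline, what the (possibly hooked) engineering software enumerates, and an out-of-band read through an independent path. All block names and contents are constructed sample data.

```python
"""Detecting hidden or altered PLC code blocks by comparing inventories.

Added example, not from the original thread. The rootkit described above
hooks the engineering tool's enumerate/read/write functions, so the
programmer's view omits the injected blocks. A defender therefore compares
that view against an out-of-band read and a known-good baseline.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: block name -> content from the trusted project archive.
BASELINE = {
    "OB1": b"main cycle logic",
    "FC1": b"compare file times",   # a 'foundation routine' of the kind the post mentions
    "DB1": b"process data",
}


def audit(baseline, tool_view, oob_view):
    """Return {'hidden', 'unexpected', 'modified'} lists of block names."""
    findings = {
        # Present on the PLC (out-of-band) but missing from the tool's listing:
        # the signature of a hooked enumeration function.
        "hidden": sorted(oob_view.keys() - tool_view.keys()),
        # On the PLC but never part of the project: injected blocks.
        "unexpected": sorted(oob_view.keys() - baseline.keys()),
        # Known blocks whose content no longer matches the baseline
        # (a hooked read function could mask this in tool_view).
        "modified": sorted(n for n in oob_view.keys() & baseline.keys()
                           if digest(oob_view[n]) != digest(baseline[n])),
    }
    return findings


def hooked_enumerate(real_blocks, hidden_names, masked):
    """Simulate the rootkit's view: hidden blocks filtered out, reads of
    replaced blocks answered with the original (masked) content."""
    return {n: masked.get(n, b) for n, b in real_blocks.items() if n not in hidden_names}


def run_demo():
    # Constructed PLC state: FC1 replaced, FC9000 injected (hypothetical name).
    real_plc = dict(BASELINE, FC1=b"replaced routine", FC9000=b"injected block")
    tool_view = hooked_enumerate(real_plc, {"FC9000"}, {"FC1": BASELINE["FC1"]})
    return audit(BASELINE, tool_view, real_plc)
```

Running `run_demo()` reports FC9000 as both hidden and unexpected, and FC1 as modified, even though the tool's own listing looks clean.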
good
Hmmm...let’s see...Iran, the Chicoms. If I see Venezuela, North Korea or Russia hit next (and not us)....that would give me pause.
According to information I've read elsewhere, this worm looks for a specific process control system -- right down to a serial number. Otherwise, it does nothing but try to propagate itself to other systems on the network.
No one is sure exactly what system that is. But, I suspect an insider supplied the identification.
I remember this coming up as a topic of conversation a couple of years ago here.
Thank you for the information. After reading this, I will continue to read more.
Again, thanks !
This worm doesn't attack normal PCs does it? Especially those with VISTA?
When someone throws in a comment about it being 'only speculation', I assume the person is somewhat in the know...
If Israel did launch this thing sometime last year against Iran, is it taking a life of its own given the spread, or is the spread intentional to muddy the waters a bit more as to the origin?
I can't imagine Obama being on board with this, his crowd thinks a nuclear Iran would serve to balance Israel, them being the oppressors and all...perhaps the true seeds of this lie prior to Bush leaving office if there is complicity between the US and Israel--assuming it is indeed a state-sponsored cyberwar hit, as described to us by experts.
If Israel did target Iran, China, and others, without doing the same here, it would further serve to help them if retaliation by conventional military means (lo-tech as it may be) did take place on the US and Israel.
If this thing has morphed and gotten out of control, do your preps folks, things could get ugly real quick.
It depends on what you mean by "attack".
If you mean "install itself and try to propagate to other systems on the network", yes. It goes into dormancy, watching for the targeted industrial control system to appear. However, it doesn't try to crash or corrupt your Windows system.
It doesn't "spring into action" until it finds the process control system it wants. And then, it's not clear what it does.
I don't know if Vista has "Autoplay" disabled by default.