(Yahoo) The incredibly sophisticated Stuxnet Worm, which can take control of and even destroy industrial machinery, may have been specifically created to sabotage Iran's Bushehr nuclear plant. The question is, by whom? (news.yahoo.com)

More: Interesting, Bushehr, nuclear powers, industrial machinery, Stuxnet, industrial processes, control systems, Iran, worms

17804 clicks; posted to Main and Geek on 22 Sep 2010 at 5:02 PM



256 Comments

 
2010-09-22 1:23:13 PM  
Us, Israel, China, possibly Russia. That's all I could think of who might have the talent and the desire. Possibly India, if only in the sense that they have the talent, and want a stable middle east to feed their hunger for oil as their economy continues to grow.
 
2010-09-22 1:26:40 PM  
I submitted this with a better headline

/sour grapes? nope, not me...
 
2010-09-22 1:45:52 PM  
I blame The Jews.

/You know who else blamed The Jews?
 
2010-09-22 1:55:57 PM  
I design and program industrial control systems and PLCs for a living, so this is probably the most interesting news story Fark's pointed me to so far this year.

fta: "Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control..."

That debunks my first thought, which was "how do we know this isn't just Rockwell Software behaving badly?"

It's a curious puzzle. Since PLC code's generally custom-written by an engineer for a particular machine/plant/whatever, how's it even possible for the worm to identify the process it wants to mess with? Or, why doesn't it already know where to look, why is it resorting to searching every box around the world?

Reusable code for PLCs isn't totally unknown. Controls vendors often write application-specific code for various purposes that engineers can drop in and customize a little, though "nuclear reactor control" seems like a market that's a little small to make it worthwhile for Siemens to write prepackaged code, though I could be wrong.

My best guess -- the targets of this worm became known either when they a.) purchased some control software/hardware from Siemens or a systems integrator or b.) tried to get applications help when they started up their evil-scheme-inator. They gave just enough info to the vendor to arouse suspicion, and kept too many secrets. Word got around at the Sales office/Integrator/Tech Support desk about the crazy angry frantic customer with the funny accent who demanded answers but wouldn't give any details about what sounded like a uranium enrichment centrifuge or something, and someone contacted an intelligence agency. Hence how the malware developers know which code to look for.

But that's just a guess.
 
2010-09-22 2:02:45 PM  
Unless I missed something, it looks like the only person who thinks it might have been designed to go after that specific plant is the writer.

You have to wonder if instead of randomly searching whatever system it infects to determine if it's the target, Stuxnet is waiting for a signal of some sort to take down everything it's infected.
 
2010-09-22 2:18:04 PM  
The Skynet Stuxnet Funding Bill is passed. The system goes on-line August 24th, 2010. Human decisions are removed from strategic defense. Skynet Stuxnet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, September 19th. In a panic, they try to pull the plug.
 
2010-09-22 2:18:31 PM  
The German researcher's website...

Complete with pics of what security researchers trying to look mysterious may look like.

/Well, I'm not getting much else done today.
 
2010-09-22 2:24:12 PM  

Aarontology: Unless I missed something


And apparently, I did. I checked a few more articles about this thing, and it looks like they all conclude that Iran was the target.
 
2010-09-22 2:24:14 PM  

phaseolus: I design and program industrial control systems and PLCs for a living, so this is probably the most interesting news story Fark's pointed me to so far this year.

fta: "Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control..."

That debunks my first thought, which was "how do we know this isn't just Rockwell Software behaving badly?"

It's a curious puzzle. Since PLC code's generally custom-written by an engineer for a particular machine/plant/whatever, how's it even possible for the worm to identify the process it wants to mess with? Or, why doesn't it already know where to look, why is it resorting to searching every box around the world?

Reusable code for PLCs isn't totally unknown. Controls vendors often write application-specific code for various purposes that engineers can drop in and customize a little, though "nuclear reactor control" seems like a market that's a little small to make it worthwhile for Siemens to write prepackaged code, though I could be wrong.

My best guess -- the targets of this worm became known either when they a.) purchased some control software/hardware from Siemens or a systems integrator or b.) tried to get applications help when they started up their evil-scheme-inator. They gave just enough info to the vendor to arouse suspicion, and kept too many secrets. Word got around at the Sales office/Integrator/Tech Support desk about the crazy angry frantic customer with the funny accent who demanded answers but wouldn't give any details about what sounded like a uranium enrichment centrifuge or something, and someone contacted an intelligence agency. Hence how the malware developers know which code to look for.

But that's just a guess.



SCADAs don't need to be implemented on PLCs. You could even use LabVIEW.


/Not in this industry anymore
 
2010-09-22 2:29:19 PM  
I blame George W. Bush.
 
2010-09-22 2:45:43 PM  

b2theory: SCADAs don't need to be implemented on PLCs. You could even use LabVIEW.


/Not in this industry anymore



Yeah, I was sorta puzzled when the article mentioned PLCs -- before I read that I was guessing it had to be a PC running a DCS or visualization/HMI/supervisory software which was getting the actual infection. Thinking about it a little further, it would almost have to be, wouldn't it? PLCs interpret the application code you write for them, but it's all "firmware"... making PLCs immune from infections, unless Stuxnet loads different firmware.

...which would be kind of clever, actually.

It's quite possible the writer didn't get all the facts correct. That's been known to happen.
 
jbc [TotalFark]
2010-09-22 2:51:46 PM  
I thought it would never work because I originally read that as Stucknut.


/Unwar Ayatollahs.
//War Jay Mohr.
///Out.
 
2010-09-22 3:11:48 PM  

PainInTheASP: The German researcher's website...

Complete with pics of what security researchers trying to look mysterious may look like.

/Well, I'm not getting much else done today.


That's pretty fascinating.

Also,

"Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently."

I can imagine Iranian power plant workers scratching their heads trying to figure out why their generators keep seizing up...lol

Anyway, what's interesting and scary about this is that it may well be a "proof of concept" that the U.S. or other government is performing, and possibly to be used as an alternative to nuclear deterrents.

Note that this sort of thing can also be used to brick out satellites as well. It would take the global economy and militaries offline for a good few months at least.
 
2010-09-22 3:16:55 PM  
[image from upload.wikimedia.org]
 
2010-09-22 3:21:02 PM  
Ignore my previous babbling. I found some better info -- Symantec's Stuxnet blog

From one of the entries:


"Stuxnet determines if the system is the intended target by fingerprinting it. It checks:

* The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected
* The System Data Blocks: the SDBs will be parsed, and depending on the values they contain, the infection process will start with method of infection A, B or none. When parsing the SDBs the code searches for the presence of 2 values (7050h and 9500h), and depending on the number of occurrences of each of these values sequence A or B is used to infect the PLC.

The code also searches for the bytes 2C CB 00 01 at offset 50h in the SDB blocks, which appear if the CP 342-5 communications processor (used for Profibus-DP) is present. If these bytes are not found then infection does not occur."


That's a pretty narrow focus. I was wondering how the worm could possibly work, since you pretty much need to know all about your inputs and outputs -- what they are, what they're called, how to talk to it, what its address is, how to turn it on and off -- in order to do any industrial control.

That quote is the "aha, that's how it's done" moment. There's a *thing* you can buy, it communicates with controllers over Profibus, and it necessarily has a well-defined Input-Output data structure that's known to the Stuxnet authors. The malicious PLC code can do whatever it wants to this *thing*, provided it's powered up and enabled and talking on the network.

The big question: What is this *thing* with the Profi I/O???


/ ♪♫ What do it do... ♫
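As an added example (not from this thread or from Symantec), here is an asset-exposure check written from the defender's side of the fingerprint quoted above: given a CPU part number and a System Data Block image, it reports whether the three quoted conditions hold, so an operator can tell which of their own PLCs match the target profile. The SDB layout built by `build_sdb` is a constructed stand-in, not the real S7 block format, and since the quote does not give the A/B occurrence thresholds, "matches" here only requires that each value appears at least once (an assumption).

```python
"""Exposure check against the PLC fingerprint quoted from Symantec.

Constructed example: the SDB byte image is a placeholder layout for testing,
not the real Siemens S7 block format. Checks the three quoted conditions:
  1. CPU family 6ES7-417 or 6ES7-315-2
  2. 16-bit values 7050h and 9500h present in the SDBs (counts reported)
  3. bytes 2C CB 00 01 at offset 50h (CP 342-5 / Profibus-DP present)
"""
import struct
from dataclasses import dataclass

TARGET_CPU_FAMILIES = ("6ES7-417", "6ES7-315-2")
FINGERPRINT_WORDS = (0x7050, 0x9500)
CP342_5_MARKER = bytes.fromhex("2CCB0001")   # bytes 2C CB 00 01
CP342_5_OFFSET = 0x50                        # offset 50h in the SDB


@dataclass
class FingerprintReport:
    cpu_match: bool
    word_counts: dict
    cp342_5_present: bool

    @property
    def matches(self) -> bool:
        """True when all three quoted conditions hold. Assumption: each
        fingerprint word only has to occur at least once (the real A/B
        threshold is not given in the quote)."""
        return (self.cpu_match and self.cp342_5_present
                and all(n > 0 for n in self.word_counts.values()))


def count_word(blob: bytes, word: int) -> int:
    """Count a 16-bit big-endian word at every byte offset (S7 data is
    big-endian, so 7050h is stored as the bytes 70 50)."""
    needle = struct.pack(">H", word)
    return sum(1 for i in range(len(blob) - 1) if blob[i:i + 2] == needle)


def check_plc(cpu_part_number: str, sdb: bytes) -> FingerprintReport:
    """Evaluate one PLC (part number string plus concatenated SDB bytes)."""
    cpu_match = any(cpu_part_number.startswith(f) for f in TARGET_CPU_FAMILIES)
    counts = {hex(w): count_word(sdb, w) for w in FINGERPRINT_WORDS}
    window = sdb[CP342_5_OFFSET:CP342_5_OFFSET + len(CP342_5_MARKER)]
    return FingerprintReport(cpu_match, counts, window == CP342_5_MARKER)


def build_sdb(with_cp342_5: bool, words: tuple = ()) -> bytes:
    """Constructed SDB image: 0x80 bytes of zero filler, the CP 342-5 marker
    at 50h if requested, then the given words appended big-endian."""
    buf = bytearray(0x80)
    if with_cp342_5:
        buf[CP342_5_OFFSET:CP342_5_OFFSET + 4] = CP342_5_MARKER
    for w in words:
        buf += struct.pack(">H", w)
    return bytes(buf)


if __name__ == "__main__":
    exposed = check_plc("6ES7-315-2", build_sdb(True, (0x7050, 0x7050, 0x9500)))
    print("matches fingerprint:", exposed.matches, exposed.word_counts)
    no_cp = check_plc("6ES7-315-2", build_sdb(False, (0x7050, 0x9500)))
    print("without CP 342-5:", no_cp.matches)
```

Run it against SDB dumps pulled from your own inventory to list which controllers would even be considered by the worm; anything not a 417/315-2 with a CP 342-5 is outside the quoted target profile.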
 
2010-09-22 3:24:59 PM  
paging Echo Mirage to the thread, Echo Mirage to the thread please!

/obscure
 
2010-09-22 3:28:54 PM  

phaseolus: Ignore my previous babbling. I found some better info -- Symantec's Stuxnet blog

From one of the entries:

"Stuxnet determines if the system is the intended target by fingerprinting it. It checks:

* The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected
* The System Data Blocks: the SDBs will be parsed, and depending on the values they contain, the infection process will start with method of infection A, B or none. When parsing the SDBs the code searches for the presence of 2 values (7050h and 9500h), and depending on the number of occurrences of each of these values sequence A or B is used to infect the PLC.

The code also searches for the bytes 2C CB 00 01 at offset 50h in the SDB blocks, which appear if the CP 342-5 communications processor (used for Profibus-DP) is present. If these bytes are not found then infection does not occur."

That's a pretty narrow focus. I was wondering how the worm could possibly work, since you pretty much need to know all about your inputs and outputs -- what they are, what they're called, how to talk to it, what its address is, how to turn it on and off -- in order to do any industrial control.

That quote is the "aha, that's how it's done" moment. There's a *thing* you can buy, it communicates with controllers over Profibus, and it necessarily has a well-defined Input-Output data structure that's known to the Stuxnet authors. The malicious PLC code can do whatever it wants to this *thing*, provided it's powered up and enabled and talking on the network.

The big question: What is this *thing* with the Profi I/O???


/ ♪♫ What do it do... ♫


the scary thing is that, God help me, I actually understood most of this post....
 
2010-09-22 3:40:41 PM  

phaseolus: That quote is the "aha, that's how it's done" moment. There's a *thing* you can buy, it communicates with controllers over Profibus, and it necessarily has a well-defined Input-Output data structure that's known to the Stuxnet authors. The malicious PLC code can do whatever it wants to this *thing*, provided it's powered up and enabled and talking on the network.


Yeah, I'm not one to normally panic, especially over malware, but this seems pretty damn significant.
 
2010-09-22 3:56:46 PM  

Weaver95: the scary thing is that, God help me, I actually understood most of this post....


Heh, so did I. :)
 
2010-09-22 4:37:58 PM  
It's worthy of passing remark:
If I were to go on a lark
And cook up some creatures
With war-worthy features?
I might go with "Laser-Head Shark."
 
2010-09-22 4:42:37 PM  

make me some tea: Weaver95: the scary thing is that, God help me, I actually understood most of this post....

Heh, so did I. :)


And it means...
 
2010-09-22 4:58:20 PM  

Aarontology: And it means...


Someone created a targeted computer virus that would only affect one type of system, and only when conditions were met. It's a computer virus cruise missile that seeks to do actual physical damage to whatever system it has been tuned for - like overriding pressure safety limits so things blow up.
 
2010-09-22 5:06:19 PM  

MBFGeek: Aarontology: And it means...

Someone created a targeted computer virus that would only affect one type of system, and only when conditions were met. It's a computer virus cruise missile that seeks to do actual physical damage to whatever system it has been tuned for - like overriding pressure safety limits so things blow up.


It disables a particular part of the working generator system, such as the rotational monitoring or the oil pump, and so the generator quickly tears itself apart.
 
2010-09-22 5:07:58 PM  
The JOOOOOOOS!
 
2010-09-22 5:08:22 PM  
Easy. 4Chan
 
2010-09-22 5:08:25 PM  

MBFGeek: sour grapes? nope, not me...


I don't see how that headline is even relevant.
 
2010-09-22 5:10:34 PM  

AirForceVet: I blame George W. Bush.


n' the Skullz!
 
2010-09-22 5:11:56 PM  
duh, it was 4chan
 
2010-09-22 5:12:06 PM  

make me some tea: MBFGeek: Aarontology: And it means...

Someone created a targeted computer virus that would only affect one type of system, and only when conditions were met. It's a computer virus cruise missile that seeks to do actual physical damage to whatever system it has been tuned for - like overriding pressure safety limits so things blow up.

It disables a particular part of the working generator system, such as the rotational monitoring or the oil pump, and so the generator quickly tears itself apart.


Like putting too much air in a balloon!
 
2010-09-22 5:12:08 PM  
[image from gadgetizer.com]
 
2010-09-22 5:12:11 PM  
Russia wants Iran and the USA to enter a conflict so as to push US and China into at least a cold war type conflict, so that Russia can gain a great deal of access to resources.

We don't play the game at that level. China is my guess as to who would hack Iran's plants. And they have the most experience with that kind of behavior.

Don't be surprised if no one did this. Russian tech doesn't work very well. At least not as well as advertised by the pathologically dishonest Russian industries. When things inevitably don't work well, paranoia about Israeli super technology is a great psychological weapon. Note that the implication is that someone inserted a USB key into something. That means a lot of torture for people with access. If this is just a smart lie, it's dealing blows.
 
2010-09-22 5:12:21 PM  

Weaver95: the scary thing is that, God help me, I actually understood most of this post....


Four years ago it would've all been Greek to me. It's always strange when niche domain knowledge suddenly becomes applicable outside its normal realm.
 
2010-09-22 5:12:29 PM  

Pappas: Easy. 4Chan


They done goof'd!
 
2010-09-22 5:12:37 PM  
Hmmmnn... Tatsuma has been kind of quiet in general lately...
 
2010-09-22 5:12:45 PM  

phaseolus: I design and program industrial control systems and PLCs for a living, so this is probably the most interesting news story Fark's pointed me to so far this year.


But are you getting a kick out of these replies?
 
2010-09-22 5:13:25 PM  
I have here on the wall of my cubicle a picture of Glenn Close with her mouth stuffed full of carrots. I don't know why Ms. Close has carrots in her mouth. I understand that picture more than I understand this thread.
 
2010-09-22 5:13:49 PM  
Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world - to destroy something.

[image from blogcdn.com]

/hawt
 
2010-09-22 5:14:07 PM  
I'm really VERY curious to see/hear several things:

* What is the PLC function it overrides?
* What does that function control in the target system?
* What does it set the new parameters to?
* What were the old parameters?
 
2010-09-22 5:15:20 PM  
This is just viral marketing to promote cloud computing.
 
2010-09-22 5:17:14 PM  

Aarontology: And it means...



...factories around the world aren't blowing up or grinding to a halt as a result of this, but if someone else had thought of this first and had the will to carry it out, there might have been damage all over the place. I guess since they haven't recognized some of the data signatures in the malware yet - or if they have, they aren't talking - the experts' thinking is that only one unlucky facility somewhere in the world was the target, and was probably brought down already.

Similar techniques could be used to attack unsecured control systems. During wartime, some factories, power generation/T&D infrastructure, refineries, pipelines, etc. could be stopped dead if vulnerabilities are out there waiting to be exploited.
 
2010-09-22 5:17:53 PM  
It's a collective of all the arms manufacturers in the world that all have a secret Galt's Gulch hideaway in Antarctica, working to bring down a world they feel is run by socialists that want to take away their freedom. The plan was to set in motion a nuclear world war which, once started, they would retreat to their hideaway and watch the downfall. Once complete, they would return and take back their freedom by enslaving those who were left.

/Oh and there's only one woman amongst them
//And all the guys are super awesome and like, totally admirable and stuff
///And they're all in love with her and totally ok with her taking turns with each
 
2010-09-22 5:18:52 PM  
The only way to win is to not start your nuclear reactor.
 
2010-09-22 5:18:58 PM  
It's no exaggeration to say that when there is a traffic jam in Iran, they blame the British. When an earthquake kills people in a cardboard hut, they blame the Jews.

Paranoia. How can it be used to slow the march towards Iran nuking a neighbor? A story about special methods nuclear plant operators have already used to allow Israel to control the plant. It even allows Russians to claim plant failures are not their fault.

I recall a story about how a Stinger missile crew tried to blow up an AH-64, and the missile reversed course and killed the operators because it was programmed to do so. LOL.
 
2010-09-22 5:19:02 PM  
FTA: "...Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world - to destroy something."

The author obviously never owned a Commodore 64 that got infected with the virus that would slam the floppy drive's read/write head back and forth against the stops until it bent the arm.
 
2010-09-22 5:19:45 PM  

Pappas: Easy. 4Chan


Heh.

The thing that scares me about 4chan is that it may be the only site whose visitors have a broader range of in-depth knowledge, and a greater supply of teh crazy, than Fark.

10 years hence: "Tonight's lead story: In response to China's repeated filtering of porn, 4chan has disabled much of China's satellite array, and has threatened to infect the Three Gorges Dam with a destructive virus if China does not, quote, 'F*cking f*ck off, you f*ckers... and get the Japanese to make more tentacle porn.'"
 
2010-09-22 5:22:36 PM  
So, you're saying combofix won't work on this thing?
 
2010-09-22 5:22:41 PM  
My money is on China or the U.S. Do India or Russia have tech, know-how or incentive to do this? I mean, out of all these countries who would benefit most from Iran not having nuclear power?
 
2010-09-22 5:22:43 PM  
Nice toy. If it does what they say it does, it's essentially a VERY tightly targeted attack. Lots of money, only one purpose. There was something like it, way the hell back when, when HD controllers were on easily flashable media. A virus went around for a little while that would destroy the HD controller. There was another one that ate mobos too.
 
2010-09-22 5:23:52 PM  
That was a cool article.
 
2010-09-22 5:24:07 PM  
[image from gilad.co.uk too old to be available]
 
Displayed 50 of 256 comments
This thread is archived, and closed to new comments.