.

Stuxnet - very interesting read / insight

<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Nov 28, 2010 11:14 am

Stuxnet - very interesting read / insight

Thought this was an interesting read, this morning:

http://www.foxnews.com/scitech/2010/11/ ... ambitions/

Interesting that it targeted Iran's nuclear program, the way it did.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Sun Nov 28, 2010 6:00 pm

Re: Stuxnet - very interesting read / insight

I read that article as well. I find it interesting, if this is a cyber weapon, it seems its deployment was not well planned, the widespread infections were bound to get noticed, and now the analysis of it points back to us. At a time when we are trying to make the rules of cyber warefare, it seems that we seem to be making our own rules. However, based on recently available information, it would appear the world would support us in such an endeavor... which helps me sleep at night.
sectestanalysis.blogspot.com/‎
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Nov 28, 2010 7:35 pm

Re: Stuxnet - very interesting read / insight

I was on a team of 26 professionals from Academia, Government, Private Industry etc., who performed an analysis on Stuxnet (http://www.alienvault.com/docs/CSFI_Stu ... ort_V1.pdf also see http://www.isssource.com/stuxnet-mitiga ... th-needed/ for suggestions) and we concluded slightly different from the "spin" brought forth by the "big boys" (Symantec, Faux News, etc).

Personally, because I've seen, studied, analyzed the source code, I'm still of the opinion that it IS NOT what the happy go lucky media is portraying it out to be. In fact, I want to state that I believe it is something cobbled together for potential blackmailing.

The theory/notion that a nation state would "shut down" nuclear reactors in the methods described by the boogeyman-like hollywood version put out by Symantec (http://www.symantec.com/connect/blogs/s ... eakthrough) is not only insane, but stupidly far-fetched. Symantec states: "Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz" yet no other researcher on the planet can corroborate these findings. If you take a moment to look at their Hollywood production, one of a few things are going to occur 1) You're a CxO and you're immediately going to contact them for protection. "OMG Only Symantec can stop this!" Or... You will take a logical approach to the ludicracy involved with this event...

1) Government colludes to create a "cyberweapon" to "burst" a nuclear plant (a)
2) ZOMFG 5 0days!
3) Someone deploys it on a USB
4) Someone infiltrates a secure location IN IRAN (nuclear facility)
5) After infiltrating said area, they SPECIFICALLY load up malware on their systems (b)
6) Game over - they're discovered (c)

a) Causing a nuclear accident is insane because of the fallout. It would hit everyone eventually for hundreds of thousands of years.

b) What are the odds

c) Wasted money in the sense they could have had a better foot in the door bribing their way in or blackmailing someone at the opportune time

I got tired of Stuxnet about 1 1/2 months ago. Ever since people started skewing facts and fiction.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Nov 28, 2010 9:15 pm

Re: Stuxnet - very interesting read / insight

Yeah, the more you think about it all, it's kind of odd that it was spun to be such a specifically targeted attack.  Without having seen facts to the contrary, it would be easy for CxO's, as sil put it, to fall in line, and go in wholeheartedly with Symantec, etc.

One thing about the article that I found interesting, was that in a sense, it falls in line, at least a bit, with your take, sil - in that causing a nuclear accident would definitely be a bad thing, all around.  However, they speculate / state that it was designed to hinder the production processes and ruin the uranium.  IF that was truly the case, though, the planning and organization that would've had to go into the whole thing, IMHO (and I think we agree,) would've obscured things to the point that this current line of observation and analysis wouldn't be happening.  It only stands to reason that someone put it there to intentionally draw attention, perhaps, as sil noted, for blackmail purposes, or other, later.  Even if the plant of Stuxnet came well after the fact, and the Iranians were wanting to point fingers to justify their delays, etc.

If someone truly wanted to hit those systems, there are many more ways it could've been done than simply strategically planting Stuxnet, and hoping it'd find its way in.  The time, alone, to infection could've been long enough, that by the time it made its way in, it'd be too late to have the desired effect.  I also find it interesting that they're talking of said systems to be Windows 7.  To me, it's very hard to believe that a government funded, nuclear facility, in Iran, would be running Windows 7 on a critical system, due to too many reasons to list, here...  Also, with the amount of secrecy surrounding the program, I'd have to seriously question the whole piece of a USB key bringing the code in.

All just seems too good to be true, all parts considered.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Nov 29, 2010 12:59 am

Re: Stuxnet - very interesting read / insight

Nice story. It would have been a nice hacker movie :)

My opinion is that if someone would have been smart enough to produce a virus to act like this, it wouldn't been caught. Also, the fact that the worm replied back from under the ground is a childish affirmation at least.

The press keeps this story to produce fear, and companies like Symantec in order to sell their s.itty products.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Nov 29, 2010 5:42 am

Re: Stuxnet - very interesting read / insight

I wouldnt be so sure.

Sil, I haven't heard from the other side, can you give us the down and dirty on the real Stuxnet?

I still think it is defiantly possible this was designed as a weapon, based on the info I have (from the media).

There appears to be no risk of nuc. fallout, as we know Iran does not have a nuke currently, so if I wanted to disrupt the process, it would work (It supposedly has).

There is evidence that various countries were nervous about Iran's programs, now they can relax for a moment.

Here is what I find interesting, despite the so called "cyberweapon", noone is off to war, no one is REALLY pointing fingers. In addition, despite the so called danger, I am not aware of any changes in any government INFOCON levels during this time...

As for blackmailing, this is a strange theory. I have never heard of a country being blackmailed. And according to the CSFI opinion, the point of the worm was destabilization. This makes since when you consider that when the first variant was found, the creators changed the worm, rather than simply activating its malicious processes, almost as if they needed more time to achieve an objective.
sectestanalysis.blogspot.com/‎
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 29, 2010 9:02 am

Re: Stuxnet - very interesting read / insight

Stuxnet is what it is. Its an exploit aimed at Windows based systems which automatically runs when inserted into a machine. Nothing more than a "USB Switchblade." It made everyone go "gaga" because of the use of "0days" and many didn't and STILL don't understand that this isn't very uncommon.

Scenario:

1) I create an application capable of autorunning and bypassing Antivirus, IPS, etc.
(Social Engineering Toolkit can provide me with this capability)
2) a few weeks go on and I upload and add what I want to make my application more covert, more effective
3) Few more weeks pass and I add and modify more capabilities undetected
4) OMG my application is discovered

Because of 1 - 3, there isi no way for someone to make conclusively make a statement that I created Application X with N amount of 0days. The fact is, I could have loaded up a browser cocktail, infected a network, came back as time progressed and uploaded whatever I want. Because researchers came in at number 4, they concluded: "OMG so many 0days" when the reality is:

a) Its command and control - no one is sure how it was initially developed. It could have started out as a client side that was modified later on.
b) the so called "0-days" weren't even 0days. They were talked about on "many-a-full-disclosure" list for some time.

There is a difference between a "never seen before" attack vector and a security release that states "no known exploits." Sure there are no KNOWN exploits, but there is a visible problem that the security community knows about. For example, my moronic mushroomcloud attack. Completely toasts VMWare thanks to Trend Micro. The code has not been made public - this does not mean it isn't exploitable.

When you state "there appears to be no risk of a nuclear fallout" it all depends on whom you ask. Were you to believe Symantec's rendition of Stuxnet, a nuclear facility will keep running and running regardless of the safety mechanisms. This could and most likely WOULD lead to catastrophe. If you think spilled Uranium - whether enriched or not - is not serious, I suggest you read more about it (Uranium). Just because they don't have "weapons grade" Uranium doesn't minimize the threat from a fallout.

Now, when you read what was delivered via the CSFI report, you read what has been sanitized, scrubbed and made into a structured report. There was and is a lot I can't talk about and there is a vast "raise of the eyebrows" a-la "wait a minute" that went/and is going on. Destabilization is one way to put it althought ATTRIBUTION is key here... :

"The alleged ransom note posted on the PMP site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data." (http://www.computerworld.com/s/article/ ... emands_10M)


Would you say this incident "destabilized" this company? Who can we attribute it to? In the case of Stuxnet we have to look at what is involved in something of a "nation-state" program like this. Millions of dollars on what? A silver bullet that won't fire? It would be a tremendous loss of money period.

Research into something like this from "the pros" would have NOT used some of the payloads used in Stuxnet. For example, the attackers targeted the MS08-067 vulnerability yet many "hackers" know that this is an unstable target. Its likely to blue-screen. Would YOU as a director of some nation state program say: "Alright, so we've invested N amount of money to infiltrate this network covertly, what do you say we use this exploit that is known to bluescreen systems eh?"

Aside from that, there is other information that actually points to a few individuals capable of carrying something like this out. None have ties to "Israel" or some other government, yet they do/did have ties to RBN companies - and that's all I will/can say. This is fact - although because of NDA I cannot repost nor comment more on that statement. So we have a few distinct views alongside backchannel talks about "whodunnit." At the end of the day... Unless someone is arrested and comes clean, it's all speculatory
<<

n1p

Jr. Member
Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Mon Nov 29, 2010 9:18 am

Re: Stuxnet - very interesting read / insight

sil wrote:I was on a team of 26 professionals from Academia, Government, Private Industry etc., who performed an analysis on Stuxnet (http://www.alienvault.com/docs/CSFI_Stu ... ort_V1.pdf also see http://www.isssource.com/stuxnet-mitiga ... th-needed/ for suggestions)


Where is the in-depth analysis in these reports or is it provided?
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 29, 2010 1:45 pm

Re: Stuxnet - very interesting read / insight

I think sil's last post pretty much sums it up.  Those who DO know, specifically, what's in the code (post analysis) are under NDA, so in the end, sil and the others on that team aren't going to disclose any more than they have (nor should they.)  Thanks, sil, for giving a bit more on the subject to the thread.  I posted the original MOSTLY to get the community take, on EH, on the story.  I pretty much agree with you, at least, as to the finger pointing and over-blowing of the whole thing.  Not having seen code, myself, I won't speculate or go beyond that, except to say that, as always, I love your breakdown on things...

"Scenario:

1) I create an application capable of autorunning and bypassing Antivirus, IPS, etc.
(Social Engineering Toolkit can provide me with this capability)
2) a few weeks go on and I upload and add what I want to make my application more covert, more effective
3) Few more weeks pass and I add and modify more capabilities undetected
4) OMG my application is discovered"

LOL!  ;D  You've pretty much summed it up there, and this is exactly why, if someone was truly using this to target Iran's program, specifically, we'd both agree that it wouldn't even be THAT obvious!

For the others on the thread, read sil's comments closely, and you'll realize his points are very valid.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 29, 2010 2:05 pm

Re: Stuxnet - very interesting read / insight

@hayabusa - there is a lot involved but what I see coming from mainstream is hollywood and hype alongside politricks. Unless someone came forward and accepted responsibility, it is all speculation. We can track back who "might" have done it based on a lot of parameters. So much so that there would be enough circumstantial evidence to warrant arrest, but that in itself could be reckless. Far too many false flags can be thrown into the equation:

http://infiltrated.net/framingryan.html 10 years old
http://infiltrated.net/framingpackets.html 10 years old
http://infiltrated.net/framingpgp.html 10 years old
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 29, 2010 3:42 pm

Re: Stuxnet - very interesting read / insight

sil wrote:Far too many false flags can be thrown into the equation:

http://infiltrated.net/framingryan.html 10 years old
http://infiltrated.net/framingpackets.html 10 years old
http://infiltrated.net/framingpgp.html 10 years old



I'd read those long ago, but it's amazing how, as time passes, you pretty much forget about things.  Again, based on your synopsis, as someone at least more than 'basically' in the know, I'm more than confident that folks are glorifying this whole scenario.  And once you get some of the info from folks who truly ARE in the know, and not media, things sure become much clearer, when there are facts and at least a little explanation behind them.

Edit - and I hadn't realized those were yours!!!
Last edited by hayabusa on Mon Nov 29, 2010 3:44 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 29, 2010 4:17 pm

Re: Stuxnet - very interesting read / insight

hayabusa wrote:Edit - and I hadn't realized those were yours!!!


Didn't my horrible grammar give it away
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 29, 2010 10:14 pm

Re: Stuxnet - very interesting read / insight

sil wrote:
hayabusa wrote:Edit - and I hadn't realized those were yours!!!


Didn't my horrible grammar give it away


Nah, but then again... <jk>
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Nov 30, 2010 3:44 pm

Re: Stuxnet - very interesting read / insight

In addition to the report that was put out, we have a 15-minute video of Stuxnet on the CSFI website. You can get to it from the main page.

http://www.csfi.us
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 30, 2010 6:03 pm

Re: Stuxnet - very interesting read / insight

Hummm, this is more and more interesting.

Like alucian mentioned higher, this could be a good movie!

Sil, you are truly above everyone else on this site and it is very interesting reading your posts. Like hayabusa often say, you always bring very good arguments to back your points.

And for me, if I were to invade my enemy's nuclear facilities, I would stay hidden as long as possible, just gathering information! Remember, during WW2, when the British cracked enigma, they let some of their troops being attack without warning so the enemy would know they broke their code!! So "IF" Israel were to get into Iran's facilities, they would much rather know how much enriched uranium they have, where it is located, etc...

Any, these were my thoughts on that.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Next

Return to Cyber Warfare

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software