Comments: What if Stuxnet is Just the Start?

Hard to believe it takes a state of the art technology attack to knock a country firmly entrenched in the stone age.

Posted by TexasRainmaker at September 29, 2010 10:42 AM

Impressive work.

Posted by Chris Short at September 29, 2010 10:46 AM

Hmm? Who would have figured? Chilling analysis.
Their reactor is loaded and ready for ops, but if they try and start it, it will just go China syndrome. Guess it will be a while before they get it up and running. Good thing.

Posted by ron at September 29, 2010 10:59 AM

So... you're saying this is sort of like the "Exciter" missions the Air Force flew (flys?) where the purpose was to make the potential enemy forces light up their air defenses.... so that the Rivet Joint circling off the coast could record everything?

Interesting theory.

Posted by Foamer at September 29, 2010 12:28 PM

Actually, a lot of people believe that the first known attack was on the Iraqi air defenses in 1991; apparently that worm was hard-wired into an HP printer residing on the PCs that interfaced with the air defense network.

Posted by Phelps at September 29, 2010 06:43 PM

I wouldn't believe anything posted at DEBKA. That site has a very low reliability rating.

Even if the linked article is correct, this whole matter of the Stuxnet worm is making less and less sense as it goes along. The way to remove a virus, any virus, is simple:

1) isolate the infected machine

2) boot from a clean system CD

3) run a remover/protector program like Malwarebytes.

I have trouble believing that the Iranians have been so lax about cybersecurity that they can't do this. Or that the Stuxnet worm is so smart there's no way to remove it. Or that they can't restore from clean system backups or system images. I think there's a lot more going on here than anyone has yet said.

Posted by wolfwalker at September 29, 2010 07:37 PM

Wolfwalker,

It's a bit more complex than that when you're dealing with a massive - and massively infected network, especially if you're not sure when the infection occurred.

What if the infection occurred prior to the oldest backup in the sequence? No one keeps backups for more than a month or three - or even if they did, that's a MASSIVE loss of time and effort; all the work of MONTHS is G O N E.

The amount of time and effort involved to wipe and restore each individual machine is also going to be huge. Especially if you're going to try to save some or all of the data on each machine - and ensure that your backups don't become infected.

If they haven't been able to block the worm from infecting computers on the 'Net (or even if there's a risk - say it's polymorphic), you have to keep it off the 'Net until ALL the 'net is clean - or rebuild your network one machine at a time, again a massive effort and loss of time.

Either way, it looks like they're pretty well screwed. Especially if say, part of the worm's payload was simply to push various industrial components (e.g. valves, pipes, other control systems) past tolerance, requiring inspection or replacement. That's an awful lot of piping and other components buried in an awful lot of concrete.

And an awful lot of infected components outside of just the computers that are carriers of the virus. Assuming there's only one.

I have a feeling this thing shouldn't have been named Stuxnet but Ebolanet.

Orion

Posted by Orion at September 29, 2010 09:35 PM

I wonder if this virus speaks Hebrew.

Posted by Stan at September 29, 2010 10:52 PM

And what if the stuxnet virus was aided by a sleeper IT agent, or three, buried deep within Iranian network services? Iran is a Persian country; the Mullahs are not universally loved.

The thought of someone letting all the minks "go free" in and among several key networks makes me shudder (with delight, since I love the target!)

Posted by Earl T at September 29, 2010 11:12 PM

Well,

"I have trouble believing that the Iranians have been so lax about cybersecurity that they can't do this. Or that the Stuxnet worm is so smart there's no way to remove it. Or that they can't restore from clean system backups or system images. I think there's a lot more going on here than anyone has yet said. "

All I can say is when Saudi Bdes visit, we upload nothing, attach no stick, and receive no CDs. Their machines are infected with any and all malware known to mankind.

Just remember, to a 3rd world country, this is still 'magic'.

Posted by Mike at September 30, 2010 12:49 AM

And remember this thing apparently has infected not just PCs but through those has taken root in the PLCs that control things like centrifuges in Iran's enrichment plants.
Can't simply reboot those things.

It wouldn't in fact surprise me at all if those were the origin of the attack, and were delivered from the factory with the trojan already installed in both themselves and their control software, in which case reinstalling from the original installation package would have no effect whatsoever.

Another theory I've been playing with is that this is an Iranian worm aimed at the USA or other western countries that somehow got out of control during testing (or was deliberately launched into their own systems in order to be able to blame Israel or the US, because everyone knows Iran is too backwards to make something like that, right?).

Posted by JTW at September 30, 2010 04:34 AM

PLC's use Windows? Last I heard, even the Stuxnet worm/virus was a Windows program that couldn't run on anything else.

[brief interlude to look at Wikipedia's article on Stuxnet]

[blink] Wow. Okay, if the Wikipedia article is right, this thing is a damn sight smarter than I thought. Infecting Windows machines and then rewriting EEPROM in attached PLCs? That would require proprietary system information, the kind that only the company should have.

This passage also leaped out at me:
'Once inside the system it uses the default passwords to command the software.[3] Siemens however advises against changing the default passwords because it "could impact plant operations".'

As security holes go, that one's big enough to drive a starship through. Something really stinks now -- that bit makes it look more and more like a coordinated plan among multiple entities. What self-respecting programmer would write a security system that contains such an obvious hole?

Posted by wolfwalker at September 30, 2010 07:40 AM

wolfwalker, if you've worked in IT very long, odds are you've known plenty of people who write software with holes like that.

Posted by Dr. Horrible at October 2, 2010 03:21 PM

Uh, you'd definitely want to think that the people writing software for nuclear power plants would be able to get their act together to code a functioning password system. That bit of "advice" from Siemens is bizarre to say the least. What happens if you change the password? Nuclear meltdown? What idiot designed that?

Posted by JS at October 2, 2010 04:56 PM

What self-respecting programmer would write a security system that contains such an obvious hole?

One looking to sell it to imbeciles.

Posted by Purple Avenger at October 2, 2010 09:18 PM