Hacking: Who's Behind the Worm?

The Black Flag Cafe is the place travelers come to share stories and advice. Moderated by Robert Young Pelton the author of The World's Most Dangerous Places.

Moderator: coldharvest

Who is Behind The Worm?

the U.S. stupid
5
25%
Israel you moron
5
25%
China of course
3
15%
Some programmer dude who hit "send" by mistake
7
35%
 
Total votes : 20

Re: Hacking: Who's Behind the Worm?

Postby RYP » Tue Sep 28, 2010 10:26 pm

Yellow ?

Damn I am down in the bunker with the hatch closed now.
User avatar
RYP
Ownerus Websiteus Authorus
 
Posts: 27725
Joined: Thu Mar 25, 2004 3:42 am

Re: Hacking: Who's Behind the Worm?

Postby Rapier09 » Tue Sep 28, 2010 10:53 pm

RYP wrote:Yellow ?

Damn I am down in the bunker with the hatch closed now.


I am going to assume that would be your regular reaction to overhearing anyone speaking in Russian.Not because of a hax attack.
Rapier09
 

Re: Hacking: Who's Behind the Worm?

Postby thewalrus » Wed Sep 29, 2010 1:28 am

JamesInTheWorld wrote:I was just saying that the engineers who work in clandestine cyber warfare for the US government are a pretty talented crew (most are contractors) - for them to fuck up so bad that a newspaper caught their sloppy code seems unlikely (but not imposable)


~JITW


I don't think anybody actually has the source code to this worm. If you create a highly successful self-replicating win32 virus/worm that spreads by USB drives and network socket connections to services that are exploitable (the much mentioned four zero day exploits), of course security professionals from around the world are going to put it in a sandbox and see what its behavior is. I doubt the people that created it expected it to -not- be noticed. It's pretty easy to see when a FAT32 flash drive is infected with something, grab a copy of the "something", and install it in a virtual machine to see what it does. Typically VM#1 is installed "behind" VM #2 which is running a full tcpdump capture of all the network traffic from the intentionally infected VM.
User avatar
thewalrus
BFCus Regularus
 
Posts: 2172
Joined: Sat Jan 13, 2007 6:43 pm
Location: Earth

Re: Hacking: Who's Behind the Worm?

Postby JamesInTheWorld » Thu Sep 30, 2010 7:28 am

I did it - I was trying to make a worm that would comb the internet for stewardess porn



~JITW
International Civilian Contractor Jobs
High Paying International Jobs
Iraq - Afghanistan - Asia - Europe
www.CivilianContractorJobs.com
User avatar
JamesInTheWorld
I HOPE YOU GET HIT BY A BUS
 
Posts: 7924
Joined: Sun Dec 18, 2005 9:58 am
Location: My Job is More Interesting Than Your Vacation

Re: Hacking: Who's Behind the Worm?

Postby muskrat » Thu Sep 30, 2010 8:08 am

Maybe this guys a CIA mole?

Image

Cheers M.
the Rat is less about criminality per se but the importance and sheer fun of using one's intellect, skill and willpower to carve a survival niche into whatever inhospitable environment one finds oneself. Damn the imposed morality of the overlords. F
User avatar
muskrat
BFCus Regularus
 
Posts: 2339
Joined: Thu Mar 25, 2004 7:17 am
Location: get lucky country

Re: Hacking: Who's Behind the Worm?

Postby JohnnyFishfinger » Thu Sep 30, 2010 10:51 am

I am thinking of retracting my vote from Israel to US. I mean if I srael would have made actually made it...then I doubt someone like...Siemens...would have found the bug. given this kind of incompetence I am more inclined to go for the US
I don't want to know who you use, as long as they're not complete muppets


http://www.youtube.com/watch?v=SJpyHbcXTIs
User avatar
JohnnyFishfinger
Alien Pircay
 
Posts: 2014
Joined: Fri Mar 28, 2008 9:20 pm
Location: at the margin

Re: Hacking: Who's Behind the Worm?

Postby coldharvest » Thu Sep 30, 2010 10:56 am

muskrat wrote:Maybe this guys a CIA mole?

Image

Cheers M.

If by CIA you mean Canadian Idiot Agency
I know the law. And I have spent my entire life in its flagrant disregard.
User avatar
coldharvest
Abdul Rahman
 
Posts: 25677
Joined: Thu Mar 25, 2004 2:36 am
Location: Island of Misfit Toys

Re: Hacking: Who's Behind the Worm?

Postby muskrat » Thu Sep 30, 2010 11:40 am

Its probably not China as the infection has gone viral in China today.

The Man is sticking it up the axis of evil & those commie bastards.

Cheers M.
the Rat is less about criminality per se but the importance and sheer fun of using one's intellect, skill and willpower to carve a survival niche into whatever inhospitable environment one finds oneself. Damn the imposed morality of the overlords. F
User avatar
muskrat
BFCus Regularus
 
Posts: 2339
Joined: Thu Mar 25, 2004 7:17 am
Location: get lucky country

Re: Hacking: Who's Behind the Worm?

Postby JohnnyFishfinger » Sun Oct 03, 2010 11:44 am

The Stuxnet outbreak
A worm in the centrifuge
An unusually sophisticated cyber-weapon is mysterious but important
Sep 30th 2010


IT SOUNDS like the plot of an airport thriller or a James Bond film. A crack team of experts, assembled by a shadowy government agency, develops a cyber-weapon designed to shut down a rogue country’s nuclear programme. The software uses previously unknown tricks to worm its way into industrial control systems undetected, searching for a particular configuration that matches its target—at which point it wreaks havoc by reprogramming the system, closing valves and shutting down pipelines.

This is not fiction, but fact. A new software “worm” called Stuxnet (its name is derived from keywords buried in the code) seems to have been developed to attack a specific nuclear facility in Iran. Its sophistication suggests that it is the work of a well-financed team working for a government, rather than a group of rogue hackers trying to steal secrets or cause trouble. America and Israel are the obvious suspects. But Stuxnet’s origins and effects are unknown.

Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm in Belarus. The next month Siemens, a German industrial giant, warned customers that their “supervisory control and data acquisition” (SCADA) management systems, which control valves, pipelines and industrial equipment, were vulnerable to the worm. It targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows.

For security reasons SCADA systems are not usually connected to the internet. But Stuxnet can spread via infected memory sticks plugged into a computer’s USB port. Stuxnet checks to see if WinCC is running. If it is, it tries to log in, to install a clandestine “back door” to the internet, and then to contact a server in Denmark or Malaysia for instructions. (Analysis of traffic to these servers is continuing, and may offer the best chance of casting light on Stuxnet’s purpose and origins.) If it cannot find WinCC, it tries to copy itself on to other USB devices. It can also spread across local networks via shared folders and print spoolers.

Initially, Stuxnet seemed to be designed for industrial espionage or to allow hackers to blackmail companies by threatening to shut down vital systems. But its unusual characteristics suggest another explanation. WinCC is a rather obscure SCADA system. Hackers hoping to target as many companies as possible would have focused on more popular systems. And Stuxnet searches for a particular configuration of industrial equipment as it spreads. It launches an attack only when it finds a match. “The bad news is that the virus is targeting a specific process or plant,” says Wieland Simon of Siemens. “The good news is that most industrial processes are not the target of the virus.” (Siemens says it knows of 15 plants around the world that were infected by Stuxnet, but their operations were unaffected as they were not the intended target.)

Another odd feature is that Stuxnet uses two compromised security certificates (stolen from firms in Taiwan) and a previously unknown security hole in Windows to launch itself automatically from a memory stick. The use of such “zero-day vulnerabilities” by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. These holes are so valuable that hackers would not normally use four of them in a single attack. Whoever created Stuxnet did just that to boost its chances. They also had detailed knowledge of Siemens’s industrial-production processes and control systems, and access to the target plant’s blueprints. In short, Stuxnet was the work neither of amateur hackers nor of cybercriminals, but of a well- financed team. “Behind this virus there are experts,” says Mr Simon. “They need money and know-how.”

So what was the target? Microsoft said in August that Stuxnet had infected more than 45,000 computers. Symantec, a computer-security firm, found that 60% of the infected machines were in Iran, 18% in Indonesia and 8% in India. That could be a coincidence. But if Stuxnet was aimed at Iran, one possible target is the Bushehr nuclear reactor. This week Iranian officials confirmed that Stuxnet had infected computers at Bushehr, but said that no damage to major systems had been done. Bushehr has been dogged by problems for years and its opening was recently delayed once again. Given that history, the latest hitch may not have been Stuxnet’s work.

A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack.

Last year Scott Borg of the United States Cyber-Consequences Unit, a think-tank, said that Israel might prefer to mount a cyber-attack rather than a military strike on Iran’s nuclear facilities. That could involve disrupting sensitive equipment such as centrifuges, he said, using malware introduced via infected memory sticks.

His observation now looks astonishingly prescient. “Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed,” he says. Israel certainly has the ability to create Stuxnet, he adds, and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is “Israel’s obvious weapon of choice”. Some have even noted keywords in Stuxnet’s code drawn from the Bible’s Book of Esther—in which the Jews fight back to foil a plot to exterminate them.




Cyberwar
The meaning of Stuxnet
A sophisticated “cyber-missile” highlights the potential—and limitations—of cyberwar
Sep 30th 2010


IT HAS been described as “amazing”, “groundbreaking” and “impressive” by computer-security specialists. The Stuxnet worm, a piece of software that infects industrial-control systems, is remarkable in many ways. Its unusual complexity suggests that it is the work of a team of well-funded experts, probably with the backing of a national government, rather than rogue hackers or cyber-criminals (see article). It is designed to infect a particular configuration of a particular type of industrial-control system—in other words, to disrupt the operation of a specific process or plant. The Stuxnet outbreak has been concentrated in Iran, which suggests that a nuclear facility in that country was the intended target.

This is, in short, a new kind of cyber-attack. Unlike the efforts to disrupt internet access in Estonia or Georgia (blamed on Russia), or the attacks to break into American systems to steal secrets (blamed on China), this was a weapon aimed at a specific target—it has been called a “cyber-missile”. One or more governments (the prime suspects are Israel and America) were probably behind it. After years of speculation about the potential for this sort of attack, Stuxnet is a worked example of cyberwar’s potential—and its limitations.

Much of the discussion of cyberwar has focused on the potential for a “digital Pearl Harbour”, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought. The outbreak emphasises the importance of securing industrial-control systems properly, with both software (open-source code can be more easily checked for security holes) and appropriate policies (banning the use of memory sticks). “Smart” electricity grids, which couple critical infrastructure to the internet, must be secured carefully.

Stuxnet is also illuminating in another way: it reveals the potential for cyber-weapons that target specific systems, rather than simply trying to cause as much mayhem as possible. It infected several plants in Germany, for example, but did no harm because they were not the target it was looking for. Such specificity, along with the deniability and difficulty of tracing a cyber-weapon, has obvious appeal to governments that would like to disable a particular target while avoiding a direct military attack—and firms interested in sabotaging their rivals.


Cyberwar is not declared

But the worm also highlights the limitations of cyber-attacks. Iran admits that some computers at its Bushehr nuclear plant were infected, but says no damage was done. The target may have been the centrifuges at its nuclear refinery at Natanz. Last year the number of working centrifuges at Natanz dropped, though it is unclear whether this was the result of Stuxnet. Even if it was, the attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.

Stuxnet may have failed to do the damage its designers intended, but it has succeeded in undermining the widespread assumption that the West would be the victim rather than the progenitor of a cyber-attack. It has also illustrated the murkiness of this sort of warfare. It is rarely clear who is attacking whom. It is hard to tell whether a strike has been successful, or indeed has happened at all. This, it seems, is what cyberwar looks like. Get used to it.

Leaders
I don't want to know who you use, as long as they're not complete muppets


http://www.youtube.com/watch?v=SJpyHbcXTIs
User avatar
JohnnyFishfinger
Alien Pircay
 
Posts: 2014
Joined: Fri Mar 28, 2008 9:20 pm
Location: at the margin

Re: Hacking: Who's Behind the Worm?

Postby IT_whipping_boy » Wed Oct 06, 2010 6:23 pm

Pro espionage hacks use extreme stealth.

Crimal hacks focus on the largest user base to max profits.

This was somebody looking to spread a message. I'd guess its a pissed Seimanns programmer.
“Thinking that merely a positive attitude will bring you success is like parachuting with a handkerchief.”
User avatar
IT_whipping_boy
BFCus Regularus
 
Posts: 1270
Joined: Thu Aug 10, 2006 6:49 pm
Location: 127.0.0.1

Re: Hacking: Who's Behind the Worm?

Postby Kurt » Thu Oct 07, 2010 12:20 am

IT_whipping_boy wrote:Pro espionage hacks use extreme stealth.

Crimal hacks focus on the largest user base to max profits.

This was somebody looking to spread a message. I'd guess its a pissed Seimanns programmer.


I doubt it was a pissed former or current Siemens programmer (or I would be really shocked if it was). I work with these systems (not WinCC) and I know the programmers and how Siemens manages them and they have really frikken sweet lives as far as programmers go. For most it is their first and last job and people I know who visited Vienna for training with the programmers were amazed at their houses, cars, amount of vacation time and the fact they never had worked anyplace else.

Your guess would be a good and accurate one if it was for any company other than Siemens and their SCADA systems.
User avatar
Kurt
In Manus Manus
 
Posts: 19791
Joined: Mon Mar 08, 2004 6:29 am
Location: New York City

Re: Hacking: Who's Behind the Worm?

Postby Papadoc » Thu Oct 07, 2010 4:12 am

[quote="IT_whipping_boy"]Pro espionage hacks use extreme stealth. /quote]

Not really possible, with the way this thing spreads. There simply aren't that many ways to move evil via a USB device, and almost all of them are detectable. You either make your own hardware, and place it in a supply chain, or toss the dice with visible software delivered in any one of 100 risk-free ways, and count on your target having shitty security (a common, and good bet).

If this is "pro", it would fall under the category of covert, vs. clandestine. You may be able to find it (obviously, it was found), but tracing the sponsorship is another problem. Suggests that the designers cared more about it working than remaining hidden. Stealth is just one tool, not a rule. If the objective was achieved, then absolutely it could be "pro", regardless of how quietly it happened.

If a government coup works, you can't hide that it happened, you just try to conceal the sponsorship. This software may be a digital equivalent. The news and analysis don't seem to be able to point out the clear objective of this thing: be it espionage, sabotage, proof-of-concept, or just a shot across Persian bows.

Include a message saying, "next time, we expose the gay people of Iran to youtube" or switch calls to prayer with Lady Gaga, just for nuclear brinkmanship lulz.
User avatar
Papadoc
 
Posts: 29
Joined: Wed Sep 29, 2010 11:16 pm

Previous

Return to Black Flag Cafe

Who is online

Users browsing this forum: No registered users and 2 guests