Friday, March 04, 2011

Cyberwar just jumped from the of rock-throwing level to the level of machine guns and barbed wire

What does cyberwar look like in the 21st century? Remember the anonymously-sourced denial of service attacks on the entire Internet in Georgia a few years ago that accompanied the Russian military attack on that nation? Today that's as primitive as throwing rocks. Vanity Fair has an excellent article describing the Stuxnet worm attack on the hidden Iranian nuclear program. Stuxnet is the most sophisticated piece of computer malware ever written. It has a unique delivery system put together with an extremely sophisticated attack payload and it is much too large and sophisticated to have been assembled by a single hacker or even a small independent team. The events first appeared in public in July 2009. Here's what happened :
A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects. These controllers, or P.L.C.’s, perform the critical scut work of modern life. They open and shut valves in water pipes, speed and slow the spinning of uranium centrifuges, mete out the dollop of cream in each Oreo cookie, and time the change of traffic lights from red to green.

Although controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until that week in July. Several major Western powers initially feared the worm might represent a generalized attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?


One month before that midnight summons—on June 17—Sergey Ulasen, the head of the Anti-Virus Kernel department of VirusBlokAda, a small information-technology security company in Minsk, Belarus, sat in his office reading an e-mail report: a client’s computer in Iran just would not stop rebooting. Ulasen got a copy of the virus that was causing the problem and passed it along to a colleague, Oleg Kupreev, who put it into a “debugger”—a software program that examines the code of other programs, including viruses. The men realized that the virus was infecting Microsoft’s Windows operating systems using a vulnerability that had never been detected before. A vulnerability that has not been detected before, and that a program’s creator does not know exists, is called a “zero day.” In the world of computer security, a Windows zero-day vulnerability signals that the author is a pro, and discovering one is a big event. Such flaws can be exploited for a variety of nefarious purposes, and they can sell on the black market for as much as $100,000.

The virus discovered by Ulasen was especially exotic, because it had a previously unknown way of spreading. Stick a flash drive with the virus into a laptop and it enters the machine surreptitiously, uploading two files: a rootkit dropper (which lets the virus do whatever it wants on the computer—as one hacker explains, “ ‘Root’ means you’re God”) and an injector for a payload of malicious code that was so heavily encrypted as to be, to Ulasen, inscrutable. The most unsettling thing about the virus was that its components hid themselves as soon as they got into the host. To do this, the virus used a digital signature, an encrypted string of bits that legitimate software programs carry to show that they come in peace. Digital signatures are like passports for software: proof of identity for programs crossing the border between one machine and the next. Viruses sometimes use forged digital signatures to get access to computers, like teenagers using fake IDs to get into bars. Security consultants have for several years expected malware writers to make the leap from forged signatures to genuine, stolen ones. This was the first time it was known to have actually happened, and it was a doozy of a job. With a signature somehow obtained from Realtek, one of the most trusted names in the business, the new virus Ulasen was looking at might as well have been carrying a cop’s badge.


Ulasen couldn’t figure that part out—what the payload was for. What he did understand was the basic injection system—how the virus propagated itself—which alone demanded an alert. Ulasen and Kupreev wrote up their findings, and on July 5, through a colleague in Germany, they sent a warning to the Microsoft Security Response Center, in Redmond, Washington. Microsoft first acknowledged the vulnerability the next day. Ulasen also wrote to Realtek, in Taiwan, to let them know about the stolen digital signature. Finally, on July 12, Ulasen posted a report on the malware to a security message board. Within 48 hours, Frank Boldewin, an independent security analyst in Muenster, Germany, had decrypted almost all of the virus’s payload and discovered what the target was: P.L.C.’s. Boldewin posted his findings to the same security message board, triggering the all-points bulletin among Western governments.

The next day, July 15, a tech reporter named Brian Krebs broke the news of the virus on his blog. The day after that, Microsoft, having analyzed the malware with the help of outside researchers, issued the first of several defenses against the virus. At this point it had been detected in only a few sites in Europe and the U.S. The largest number of infections by far—more than 15,000, and growing fast—was found in Asia, primarily in India, Indonesia, and, significantly, Iran.


Kaspersky [founder of the computer security company called Kaspersky] is a 1987 graduate of the Soviet Institute of Cryptography, Telecommunications and Computer Science, which had been set up as a joint project of the K.G.B. and the Russian Ministry of Defense.


Analysts at Kaspersky and Symantec quickly found that Stuxnet exploited not a single zero-day flaw but in fact four of them, which was unprecedented—one of the great technical blockbusters in malware history.

As the zero days piled up, Kaspersky says, he suspected that a government had written Stuxnet, because it would be so difficult and time-consuming for an outsider to find all these flaws without access to the Windows source code.


Stuxnet appears to be the product of a more sophisticated and expensive development process than any other piece of malware that has become publicly known. A Symantec strategist estimated that as many as 30 different people helped write it. Programmers’ coding styles are as distinctive as writers’ prose styles. One expert estimated that the worm’s development took at least six months. Once Stuxnet was released into the wild, other technicians would have maintained the command-and-control servers in Denmark and Malaysia to which Stuxnet phoned home to report its current locations and seek updates.

Most curious, there were two major variants of the worm. The earliest versions of it, which appear to have been released in the summer of 2009, were extremely sophisticated in some ways but fairly primitive in others, compared with the newer version, which seems to have first circulated in March 2010. A third variant, containing minor improvements, appeared in April. In Schouwenberg’s view, this may mean that the authors thought Stuxnet wasn’t moving fast enough, or had not hit its target, so they created a more aggressive delivery mechanism. The authors, he thinks, weighed the risk of discovery against the risk of a mission failure and chose the former.


Langner [His Hamburg-based company is a big name in the small world of industrial-control-systems security] had been reverse engineering the payload of Stuxnet throughout August, and he was the first analyst to announce that it contained two components that he called “warheads.” Langner had come to believe that Stuxnet was aimed at Iran’s nuclear program. Iran has been suspected of trying to build a nuclear bomb for several years, and in 2003 it failed to disclose details regarding uranium-enrichment centrifuges to inspectors from the International Atomic Energy Agency. Western governments have been trying to stop Iran’s nuclear program ever since, using diplomatic pressure, trade embargoes, and covert operations.

Stuxnet had initially grabbed the tech world’s attention as a hack of the Windows operating system—a virus that exploited an unknown vulnerability. This was like learning that someone had found his way into your house, and figuring out how they got inside. Next, Frank Boldewin had discovered what valuables the intruder was after—programmable-logic controllers. Specifically, the target was P.L.C.’s made by the German engineering conglomerate Siemens. Finally, Langner figured out the rudiments of what Stuxnet’s payload did—that is, how the intruder went about his work. When Stuxnet moves into a computer, it attempts to spread to every machine on that computer’s network and to find out whether any are running Siemens software. If the answer is no, Stuxnet becomes a useless, inert feature on the network. If the answer is yes, the worm checks to see whether the machine is connected to a P.L.C. or waits until it is. Then it fingerprints the P.L.C. and the physical components connected to the controller, looking for a particular kind of machinery. If Stuxnet finds the piece of machinery it is looking for, it checks to see if that component is operating under certain conditions. If it is, Stuxnet injects its own rogue code into the controller, to change the way the machinery works. And even as it sabotages its target system, it fools the machine’s digital safety system into reading as if everything were normal.

Industrial-control systems have been sabotaged before. But never have they been remotely programmed to be physically altered without someone’s fingers on a keyboard somewhere, pulling the virtual trigger. Stuxnet is like a self-directed stealth drone: the first known virus that, released into the wild, can seek out a specific target, sabotage it, and hide both its existence and its effects until after the damage is done. This is revolutionary. Langner’s technical analysis of the payload would elicit widespread admiration from his peers. Yet he also found himself inexorably drawn to speculation about the source of the malware, leading him to build a detailed theory about who had created it and where it was aimed.


There is a marked difference in design style between Stuxnet’s injector and its payload. Tom Parker, a Washington, D.C.- based security researcher, argues from this fact that two nations were involved in the worm’s creation, implying that a major Western power, such as the U.S., may have developed the sleek warheads and that another nation, such as Israel, was responsible for the injector program.
We have a unique attack delivery system that appears to have required knowledge of the confidential code in the Microsoft operating system. The program is extremely complex certainly too much so to have been the product of any single individual. In fact, the program is so complex that it, requiring a very elaborate team, and the style of different segments rather clearly indicates that not only were there multiple teams,they were probably from different nations. Finally, the payload that does the damage is written to exploit the characteristics of a very narrowly defined target which is almost certainly the Iranian nuclear program.

There is a lot more in this very interesting article from Vanity Fair. the lengthy segment of the article which compares the development of Stuxnet to the published political events related to Iran and the rest of the world is worth the whole article. There will be a lot more to come out about Stuxnet. But what really matters is that cyberwar has stepped up to new levels, far above those of merely distributed denial of services. Stuxnet is a team-based (meaning national) approach to targeted malware specifically released on the Internet, very probably in coordination with other military and diplomatic efforts to stop the Iranians from achieving a nuclear weapon. The future arrived back in Summer of 2009 and we are now way off into unknown territory.

One more thing. The target, pretty clearly the Iranian nuclear program, is something the Iranians do not admit exists. So they cannot admit that it was effectively trashed by the Stuxnet worm. Nothing in the media on this subject can be trusted. It is part of the cyberwar and its associated diplomatic and psychological warfare attacks and counterattacks.

This Vanity Fair story is a report from the field about a very new form of combat. The technology of the worm itself is fascinating, but what is really important is that a whole new battlefield has now been opened up.

Finally, like targets of blackmail, the apparent target/victim remains silent because do do otherwise is to admit to committing a larger crime. They are building a nuclear weapon and they are lying to the world about that. So there's a lot left to this story.

1 comment:

digital signatures said...

good analysis.It was quite interesting to read how it all started and latter what were solutions.Now this area has evolved so well but there are many things yet to be done to make it secure.As