Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

STUXNET: Weaponized Code, Russians, Iranians, Indians, OH MY!

with one comment

Since July of this year a story has been brewing about “Stuxnet”, the ubiquitous malware that at first seemed to have been targeted at surveillance of SCADA networks and the computers that control them. In the case of this particular two versions of malware, the twist has been that since August, the decompiles have begun to show that not only were these two variants attempting to gather data, but also hosted code that lead us to believe that sabotage was also a function programmed into them.

The INFOSEC community of late has been abuzz with the usual shouts and murmurs from all sides. Those who don’t care, those who think its all just hype, and those who are more likely quietly marveling at the audacity of this malware coders chutzpa. I personally think that if these sources who have decompiled the code are valid, then the real aegis of this weaponized code had a specific set of purposes.

  • Limited propagation
  • Surveillance capacities
  • Code changes on the fly
  • Stealth
  • Directed sabotage at internal targets of choice once a bit was flipped

Now, was this a directed attack at say Iran? Well, the data seems to point in the direction of not only that but also of other countries like Indonesia and India as well… This is all predicated though on who’s data you are looking at where infection rates are involved. The consensus though data wise seems to point at higher infection rates in those afore mentioned countries. What do they all have in common?

They all have signed deals with Russia for assistance with their Nuclear programs (non aggressive of course) so they have this common denominator. One wonders what other commonalities they might have? The interesting thing is for me though, that if indeed this was weaponized code for a specific purpose (and the timing of the release and infections coincide with Iran’s Natanz facilities attempt at refining… which failed mysteriously) it did by all accounts seem to have done what it was supposed to do.. Until it became a target for AV.

Test/Proof of Concept?:

Now, since I do not have the code in front of me and I am relying on the scant data out there, I am going to have to speculate a bit here so bear with me. First off, could this have been a proof of concept? Well, I suppose it could have been, but, one would likely have tested this in a secure environment to see, but, how many of us out there have our own SCADA systems to work with? I would have to lean then toward an actual project that was planned out, and coded to be released into the wild for specific purposes. The thing about it though, as with any code that you put out there, there may be unintended side effects that negate the primary functions and protections created within the malware that allow for its detection and downfall. In this case, perhaps the window of time that was needed was in fact satisfied and the code hit its mark before the AV clients could stop it.. Thus I go back to Iran and the Natanz facility… You see, at that very point in time the pressure was on up to and perhaps beyond a very real air strike by Israel on the facility to prevent Iran from having the ability to enrich Uranium at all. It would seem though, that this attack (if indeed it was one) only set them back some time.

Actual “Cyber” Attack?:

Which brings me to the political motivations here. At the time of the release/detection of this malware there was a lot of worry about Iran and its nuclear capabilities as I mentioned above. A release of weaponized code that, if not detected right away, was coded so as to NOT be easily traced back to any one author (nation state or other) would do the job that needed to be done without the use of heavy bombs that likely, would not have done much damage to the Natanz facility. This type of attack would also not have the blowback that an air strike would have for the whole region, never mind the U.S. Imagine the tensions that would have arisen had Israel gone in and bombed the facility? Yeah, not so good, so this was a much cleaner way to perhaps take out their SCADA and put them back a bit.. Perhaps even give the U.S. more time to use more carrot and sitck (mostly stick please) against the Iranian regime?

Sanctions anyone?

Frankly, Stuxnet, even with its failure on the level of detection and all the fallout now, is still a “win/win” in my book.. And I am sure it is too to the boys in Fort Meade.

State Actors or SPECTRE?:

Ok, so you really kind of know where my head is on all this. The nay sayers out there will get on me as a “conspiracy theorist” and for the record, yes… I am. but, conspiracies exist and have been shown to  be even more outlandish than you could possibly imagine at times. So, I can buy into a nation state making a series of weaponized code to perform specific action sanctioned at the highest levels to stop something that would offset the balance of power within a very unstable region. A region I might remind one and all, filled with theocratic regimes that seem quite happy with the idea of going to their Gods and taking everyone else with them.

Yes… I can see this as a tip of the spear action.

What else would it be? Can you see yourself actually thinking that it was in fact the Russian mob that put this together? How about those crazy jiahdists out there trying to start their “cyberjihad” movements?

Me neither… Nope, this screams nation state… Just who’s one has to wonder. I find it really interesting though that the C&C servers were in Malaysia and points “Mos Eisley” What better place to have C&C’s huh?

The Mechanics:

Stuxnet was primarily transmitted by USB, but also reached out via NetBIOS shares. This is an interesting method of infection for a few reasons to attack SCADA networks. You see, SCADA is supposed to be “air gapped” but, as you all know, all too often this is not the case. Often one will find an internet facing device that has network connectivity to SCADA networks and voile, you have an Internet facing SCADA system potentially. By using the dual approach of USB infection and propagation as well as active network share detection/infection, the coders got the leverage they needed to propagate within a supposed air gapped network AND to get their C&C to work in the most effective P2P means of update and ex-filtration of data.

It is the surmise of more than a few, that an infected USB drive was the initial infection vector.. I would put it forth further that if my theory is correct, a USB stick was the vector, but, that stick was more than one. I believe that perhaps this malware was hidden within a distro that perhaps a Russian company has on their internal servers somewhere that is common to all systems that they design and implement for the customers..

Customers like Iran, Indonesia, and India…

It would be interesting to see if any of those Russian companies that are in fact working on those projects have had a lot of the malware issues surrounding Stuxnet infections. From the data I saw, Russia too was hit rather hard by this infection. Interesting no?

Of course, I hear you all out there.. “But it hit the US too! and Russia is not helping us with our nuclear facilities!” Ok, yes, I would agree with that. However, because the propagation of the malware included ANY usb stick put into an infected system, it is highly likely that it could have crossed onto networks via stick to share, and share to share from VPN access and the like. An alternate view could be put out there too, that a mass release would also lend a certain “cloudiness” to the whole picture as to who did it. Some plausible deniability if you like. I rather like that idea as the solution too because the malware seems to have been very specifically targeted to a Siemens system.

As well, I have yet to hear of any major damage to any systems out there in the US and other areas that would talk about it… The one hold out is Iran… Go figure.

Digital DNA:

Lastly, I will leave you all with the fact that in the end, once the malware has been parsed, poked, and prodded, the digital DNA might in fact shed some light on a coder.. Or “coders” However, I think that this is rather likely to be a dead end as this thing would seem to have had much thought put into it as well as the effort.

Time will tell.

But here’s my two cents… Iran ain’t makin any enriched U235 right now is it?

EDIT: You can download the unpacked code HERE email me for password

CoB

Written by Krypt3ia

2010/09/24 at 20:09

One Response

Subscribe to comments with RSS.

  1. […] previous posts: #Stuxnet retrospective: http://tinyurl.com/377vujshttp://tinyurl.com/2g7xjyg http://tinyurl.com/34ojqb6http://tinyurl.com/3276s5q in […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: