Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

#Stuxnet, Lying Liars Neener Neener Neener!

with 4 comments

I cruised some of the .ir range yesterday and came up with a non DNS site for the Iranian Nuclear program (and much much more.. but that is for another time and another post) The above picture is a capture from a post from one of those sites back in July. The translation is as follows:

Here’s the translation by an Iranian coworker: The Stuxnet attacks are still happening and the virus is getting updated continuously. It also says they are monitoring the attacks and try to control it. They were expecting to clean the virus in 1-2 month but the virus has a dynamic nature and since start of cleaning process 3 new version of virus is published. They are also organizing some groups that help industrial centers to clean the virus. Also a helpdesk center has been setup that provide further information about cleaning etc..

So it seems that they were hit pretty hard.. But you won’t hear that from them.. Unless you start to crawl their shit. Seriously, the sites out there are on average running on IIS6 and poorly constructed. It’s a wonder they have any capacity at all to fight off the least of the malware out on the Internet today!

Meanwhile… Back at the Security Ranch….

The FUD, Snark, and Stupid factors have amped up on the whole Stuxnet thing out there on the intertubes. Look folks, its happened before! There is nothing about this that is revolutionary! Might I cite a little story about a Russian Pipeline back in the 80’s?

Disguised as an automated system test, the software instructed a series of valves, turbines, and pumps to increase the pipeline’s pressure far beyond its capacity, putting considerable strain on the line’s many joints and welds over a period of time. One day [in 1982], somewhere in the cold loneliness of Siberia, the overexerted pipeline finally succumbed to the pressure.

As satellites for the North American Aerospace Defense Command (NORAD) watched from orbit, a massive explosion rocked the Siberian wilderness. The fireball had an estimated destructive power of three kilotons, or about 1/4 the strength of the Hiroshima bomb.

It would be fourteen years before the real cause of the event would be revealed. When investigators in the USSR eventually discovered that the event had been triggered by sabotaged software, the KGB leadership were furious, but unable to lodge any official protest regarding the deliberate defect since that would also expose their own large-scale espionage efforts.

Upon realizing that the CIA was serving imitation intelligence, the other recent problems with US-derived designs were no longer so mysterious. Given the dramatic results of the pipeline bug, all of the burgled Western technology was immediately cast under suspicion, a situation which mired the Soviet’s borrowed progress in a pit of uncertainty and suspicion.

I remember this story from back in the day… Well, the 90’s as someone told me about it being an actual attack on a system with code by the CIA. Yep, I believe they even made it a subplot in a Bond film during the Brosnan years too.. So, Stuxnet was likely an attack on someone’s directed systems. Iran denied having Siemens systems and in fact Siemens said they did not sell equipment to them! However, a shipment out of Dubai was captured and in it was Siemens equipment that was confiscated.. So..

Hmmm We ALL knew they had the equipment to code to. Just as this document shows their connection to Siemens as wanting or actually doing business with them.

Meh.

Ok security community, time to get off the #Stuxnet FUD thing.. Here are the salient points and lets move on shall we?

  1. It was coded for a specific purpose for SCADA actions with Siemens PLC code
  2. Iran, India, Indonesia.. Well lets say “Asia” seems to have been affected the most
  3. We will NEVER know who made it.. Until it is declassified WAY WAY WAY in the future
  4. Iran’s nuclear facilities including Natanz are likely in paralysis still with it.
  5. All this one upsmanship on decoding and analysis is BS.. Finish the job before you go announcing shit at conferences
  6. Myrtus = Phallus in the eye.. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe. The end product here? Someone gave Iran an “Angry Pirate” with a circumcised penis!
  7. 19790509 = ANYTHING YOU WANT IT TO! It’s all subjective folks and just like Myrtus, likely a red herring!

Seriously, do you think that Israel is gonna put that much data into a code for the Iranians to latch onto substantiating that they did it? Ugh… Might as well paint a bullseye on their backs and pin a sign on that says “kick me”

To conclude, this is nothing new… It’s information warfare, only the means have changed with networked pc’s and new operating systems with 0days.

Give it up…

CoB


Written by Krypt3ia

2010/10/01 at 13:28

4 Responses

Subscribe to comments with RSS.

  1. An awesome piece of work. I refer to your investigative stuff and the Stux creator(s).

    Stay frosty.

    J

    th3j35t3r

    2010/10/01 at 19:19

  2. Awesome. I didn’t recall that incident with the pipeline. Missed that somehow.
    Nice work. 🙂

    Kristi Gilleland

    2010/10/04 at 20:13

  3. I was suprised when I found the tidbit about the pipeline event. I had a feeling that the ICS portion of Stuxnet had been around for a long time. While a nation-state may be responsible for the final planting, I don’t believe it was consrtucted from the ground up that way. It is most likely borrowed code built in layers with the most expensive or time-investment being in the zero-day exploits employed. And the myrtus reference requires too much conjecture and translation to point to Israel. My guess is it’s a path for code complilation within Visual Studio with the possibility of the programmer seeing the myrtus at the beggining used that as a basis for naming convetion leading to the guava.pdb file name. RTUs(from path data) and PLCs(attacked by Stuxnet) use the same/similar programming.

    Tom

    2010/10/15 at 18:15

  4. […] previous posts: #Stuxnet retrospective: http://tinyurl.com/377vujshttp://tinyurl.com/2g7xjyg http://tinyurl.com/34ojqb6http://tinyurl.com/3276s5q in […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: