Kindle Notes & Highlights
by Kim Zetter
Read between August 4 - August 15, 2018
Kernel-level rootkits aren’t uncommon, but it takes sophisticated knowledge and a deft touch to build one that works well. And this one worked very well.6
Footnote suggests that the reason the virus was detected was the repeated crashes due to incompatibility between this particular organization’s antivirus software (VirusBlokAda) and the malware-containing driver. And that the creators had likely tested extensively with other, more widespread antivirus. But even in cyberwarfare, testing is both critical and impossible to do comprehensively.
He couldn’t believe it. VirusBlokAda, a tiny security firm that few in the world had ever heard of, had just discovered that rarest of trophies for a virus hunter.
As mentioned earlier, it’s probably because they were so small that their software wasn't tested by the attackers, and thus they were able to observe the reboot loop failure mode.
That was because, Ulasen realized with alarm, they were signed with what appeared to be a legitimate digital certificate from a company called RealTek Semiconductor.10
Didn’t work on 64-bit Windows according to the footnote. Note: these footnotes are great so far... they should’ve been added to the main text!
There were clues that the attackers had missed a few steps while signing the driver with the JMicron cert, which suggested they may indeed have been in a hurry to get their attack code out the door and onto machines.
The attackers must have been looking to steal a competitor’s factory design or their product blueprints. It was an assessment that many in the tech community were all too happy to embrace. Stuxnet appeared to be targeting only systems with the Siemens software installed, which meant that any computer not using the Siemens programs was presumably safe, and their owners could relax.
slapped together sloppily or crafted skillfully with care. Stuxnet was obviously the latter. It appeared to be a dense and well-orchestrated collection of data and commands that contained an enormous amount of functionality. What those functions were was still a mystery, but O’Murchu’s interest was immediately piqued.
Curious to see how much of it was necessary for the rootkit vs. worm vs. exploit of the Siemens microcontrollers. Or was there red herring code as well, to slow down the analysis? Guess once it’s been identified, you’re pretty much done, so they probably didn’t worry too much about speed of identification of Stuxnet’s actual intent?
To thwart this, smart attackers design custom packers that aren’t easily recognized or removed. But Stuxnet’s creators hadn’t bothered to do this. Instead they used an off-the-shelf packer called UPX—short for “Ultimate Packer for eXecutables”—that was easily identified and eliminated.
Ok, guess they weren’t trying to hide its purpose, or even to slow development of antivirus patterns?
to the number of machines Stuxnet would infect via a USB flash drive before the USB exploit would shut down.1
Is it common for worms/viruses to control virality like this? Does that help it in some way? Slow it down so it’s not as visible and can go undetected longer?
[Later suggests/states this is true. Makes sense]
Ordinarily this wouldn’t work because when Stuxnet tried to call up this code, the operating system wouldn’t recognize the names or would look for the oddly named files on disk and not be able to find them. But Stuxnet “hooked” or reprogrammed part of the Windows API—the interface between the operating system and the programs that run on top of it—so that anytime it called on these oddly named files, the operating system would simply go to Stuxnet, sitting in memory, to obtain the code instead.
If an antivirus engine grew suspicious of the files in memory and tried to examine them, Stuxnet was prepared for this as well. Because it controlled parts of the Windows API responsible for displaying the attributes of files, it simply tricked the scanner into thinking the files were empty, essentially telling it, “Nothing to see here, move along.”3
rather than calling and executing its code directly, it planted the code inside another block of code that was already running in a process on the machine, then took the code that was running in that process and slipped it inside a block of code running in another process to further obscure it.
Not sure I can translate this into precise enough language to understand what's really going on. inserting blocks of instructions into other DLLs that have already been loaded into memory? I'm so amateur (but also, this description is pretty vague).
Each time Stuxnet infected a machine, it contacted the servers to announce its conquest and communicate intelligence about the latest victim. The communication was encrypted to prevent anyone from casually reading it, but the encryption the attackers had used was surprisingly weak and easily cracked. Once Chien and O’Murchu unlocked it, they were able to see that Stuxnet was reporting the machine’s computer and domain names to the attackers, as well as the internal IP address, the version of Windows it was running, and whether or not it had the targeted Siemens software installed on it.
O’Murchu contacted the DNS (domain name system) service providers for the two command-and-control domains and asked them to stop the traffic going to the attackers and divert it to a sinkhole—a computer dedicated to receiving hostile traffic—that Symantec controlled instead.
Later footnote says they’d already mapped the domains to 127.0.0.1. This was after Stuxnet was uncovered, I assume?
As Hannes Alfvén, a Swedish Nobel laureate in physics once said, “Atoms for peace and atoms for war are Siamese twins.”
During the war, the commander of Iran’s Revolutionary Guard urged the Ayatollah Khomeini to launch a nuclear weapons program to fend off Iraq and its Western allies. But Khomeini refused, believing that nuclear weapons were anathema to Islam and a violation of its basic moral principles.
He helped arrange a secret meeting in Dubai between Iranian officials and other members of the Khan supply network. In exchange for $10 million, the Iranians walked away with two large suitcases and two briefcases filled with everything they needed to kick-start a uranium enrichment program—technical designs for making centrifuges, a couple of disassembled centrifuge prototypes, and a drawing for the layout of a small centrifuge plant containing six cascades.
Initially, Iran lacked money to do much of anything with the designs, but in 1988, after the Iran–Iraq war ended and its resources were freed up, the country began pouring money into an enrichment program, buying high-strength aluminum and other materials to build its own centrifuges,
Hm, the Iran-Iraq war was worth something after all? Are we done meddling in regional conflicts and making things worse yet? Curious how history will look upon Syria (as long as Putin-Trump doesn't write it).
Stuxnet, for example, would have been much more difficult to decipher had the attackers used better obfuscation to thwart the researchers’ forensic tools—such as more sophisticated encryption techniques that would prevent anyone except the target machines from unlocking the payload or even identifying that Stuxnet was targeting Siemens Step 7 software and PLCs.
Maybe they paid handsomely for exotic attacks but patched them together amateurishly because the authors were not nearly as sophisticated as the zero day providers?
Stuxnet also used weak encryption and a standard protocol to communicate with its command-and-control servers instead of custom-written ones that would have made it more difficult for researchers to establish their sinkhole and read the malware’s traffic.
“I really hope it wasn’t written by the USA,” he wrote, “because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early 90s.”
As for securing the payload better, there may have been limitations that prevented them from using more sophisticated techniques, such as encrypting it with a key derived from extensive and precise configuration data on the targeted machines so that only those machines could unlock it.
When I first read in this book about the encryption layers, I thought/assumed that it would use data/config from the target configuration as the encryption key as well. Maybe they feared they didn’t know the target systems accurately enough to depend on that (and maybe that’s why they wanted the config data sent to the C&C servers?), but the footnote points out that a later version of Stuxnet DID use config data as the key and thus hasn’t been decrypted (openly, at least).
O’Murchu estimated it took at least three teams to code all of Stuxnet—an elite, highly skilled tiger team that worked on the payload that targeted the Siemens software and PLCs; a second-tier team responsible for the spreading and installation mechanisms that also unlocked the payload; and a third team, the least skilled of the bunch, that set up the command-and-control servers and handled the encryption and protocol for Stuxnet’s communication.
Each time Stuxnet encountered a potential new victim, before it began the process of decrypting and unpacking its files, it checked the Windows registry on the machine for a “magic string” composed of a letter and numbers—0x19790509. If it found the string, Stuxnet withdrew from the machine and wouldn’t infect it.
Chien did a quick Google search for the day in question and was only half surprised when one of the results revealed a connection between Israel and Iran. The 1979 date was the day a prominent Iranian Jewish businessman named Habib Elghanian was executed by firing squad in Tehran shortly after the new government had seized power following the Islamic Revolution.
Prior to the war, the IAEA had certified that Hussein’s cooperation with the agency was “exemplary.”3 So inspectors were shocked to discover after the war that they had been completely duped. By some estimates, Iraq had been just a year away from having enough fissile material to produce a nuclear bomb and two to three years away from having a full-scale nuclear arsenal.
This is the first Gulf War. And might explain a bit how a decade later Cheney, Bush W, Rumsfeld could have been so certain that Iraq was developing WMD even though they could find no direct evidence? His similar thinking is why I fear Bolton so much.
Although the NIE report also noted that Iran could reverse the decision to halt its weapons program at any point, and a classified version of it discussed evidence that didn’t make it into the public version—that Iran might still have more than a dozen other covert nuclear facilities doing illicit enrichment and weapons development—
Still remember thinking this was a very odd conclusion in the NIE. Feels like it was a top-down diplomatic move that looked bad in the short term but opened the door for the joint agreement later with Europe and Iran by letting Iran save some face and declare a small moral victory?
The statements in the classified version seem to contraindicate making the unclassified version public as well?
To spread an update, Stuxnet installed a file-sharing server and client on each infected machine, and machines that were on the same local network could then contact one another to compare notes about the version of Stuxnet they carried; if one machine had a newer version, it would update the others. To update all the machines on a local network, the attackers would have only had to introduce an update to one of them, and the others would grab it.
Chien and O’Murchu wondered if a team of curators had scouted hacker forums and security sites to collect information about holes and exploits that the Stuxnet attackers could use in their assault or if they had simply purchased the exploits readymade from brokers.
Many (if not all?) of the zero-days and other exploits, like the Siemens hardcoded passwords, were already out there (though MS hadn’t noticed or patched—or were paid to suppress patches?). So it looks like the authors might not have found any vulns on their own. Might explain the sloppiness elsewhere?
There's later discussion of just how wide open the PLCs were. Widely known firmware-stored passwords as backdoors through the sole authentication mechanism (pwds), no digital signing, no encryption etc.
In looking at modifications the attackers made from 2009 to 2010, it appeared to Chien and O’Murchu that the attack had been deliberately altered to become more aggressive over time, beginning conservatively in 2009, then amping it up in 2010 by adding more spreading mechanisms—perhaps in a desperate bid to reach their target more quickly or to reach different machines than they had hit in their first attack.
As the worm slithered its way through machines in search of its target, it logged the IP address and domain name of each of its victims, as well as a timestamp of when the infection occurred based on the machine’s internal clock. It stored the data, about 100 bytes in size, in the log file, which grew as the worm passed from machine to machine. Thus, every copy of Stuxnet collected from infected machines contained a history of every computer it had infected up to that point, leaving a trail of digital breadcrumbs that Chien and O’Murchu could trace back to the initial victims.
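The breadcrumb trail described above, as an added illustration of how an analyst merges the per-copy logs from several samples into one infection tree (example code written for this page, not Symantec's or the book's; the record layout, field separator and all hosts are constructed assumptions, since the page only says each entry held the IP address, domain name and a local-clock timestamp):

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample trails (not real Stuxnet data), one line per infected
# host in logged order: "ip|domain|timestamp". The layout is an assumption;
# the page only says entries held IP, domain and a local-clock timestamp.
SAMPLE_A = """\
10.1.1.5|alpha.example|2009-06-22T16:31:47
10.1.1.9|alpha.example|2009-06-23T08:02:10
172.16.4.2|beta.example|2009-07-01T11:15:03
"""
SAMPLE_B = """\
10.1.1.5|alpha.example|2009-06-22T16:31:47
10.1.1.9|alpha.example|2009-06-23T08:02:10
192.168.7.7|gamma.example|2009-07-03T09:44:51
"""
SAMPLE_C = """\
10.2.0.1|delta.example|2009-07-07T12:00:00
10.2.0.3|delta.example|2009-07-07T11:30:00
"""

def parse_trail(text):
    """Return [(ip, domain, datetime), ...] in the order the sample logged them."""
    trail = []
    for line in text.splitlines():
        ip, domain, stamp = line.strip().split("|")
        trail.append((ip, domain, datetime.fromisoformat(stamp)))
    return trail

def initial_victims(trails):
    """First entry of every trail; samples sharing a prefix collapse to one host."""
    return sorted({(t[0][0], t[0][1]) for t in trails if t})

def infection_edges(trails):
    """Consecutive entries in one trail are successive hops of that copy;
    merging the edges of all samples yields the infection tree."""
    edges = set()
    for trail in trails:
        for prev, cur in zip(trail, trail[1:]):
            edges.add((prev[:2], cur[:2]))
    return edges

def branch_points(trails):
    """Hosts from which more than one distinct chain continued."""
    children = defaultdict(set)
    for parent, child in infection_edges(trails):
        children[parent].add(child)
    return sorted(h for h, kids in children.items() if len(kids) > 1)

def clock_anomalies(trails):
    """Hops whose timestamp precedes the previous hop's. Stamps come from each
    victim's own clock, so flag skew rather than re-sort the logged order."""
    flagged = []
    for trail in trails:
        for prev, cur in zip(trail, trail[1:]):
            if cur[2] < prev[2]:
                flagged.append(cur[:2])
    return flagged
```

The logged order, not the timestamps, is the primary evidence: two samples sharing a prefix were seeded by the same chain, and the point where their trails diverge is a host that infected more than one neighbour.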
One of the first hints of the free-market commercialization of zero days appeared in December 2005, when a seller named “fearwall” posted a zero-day vulnerability for sale on eBay and sparked fears that legitimate security researchers and bug hunters would soon go the way of mercenaries and sell their skills and wares to the highest bidder instead of handing information about software holes over to vendors to be fixed. Before putting his Windows Excel zero day on the auction block, fearwall did disclose information about the vulnerability to Microsoft, as “responsible” researchers were
This is the flourishing gray market of digital arms dealers—defense contractors and private marketeers—whose government customers have driven up the price of zero days and enticed sellers away from the vendor bounty programs where the holes will be fixed and into the arms of people who only want to exploit them. The market is “gray” only because the buyers and sellers are presumed to be the good guys, acting in the interest of public safety and national security.
Computer attacks typically evolved over time and developed incrementally. Hackers first pulled off simple attacks that required the least amount of effort and skill to succeed, and security firms and software makers responded with fixes to stop them. The attackers then found alternative paths into systems, until the defenders defeated these as well.
This is more of the sporting type hacking though right? Doing it to prove ability to access, less about specific objectives. So they’re motivated to find path of least resistance rather than most stealthy and most precise control.
Langner estimated there were maybe a few dozen people in the world who had the level of Siemens control-system knowledge needed to design this kind of attack, and three of them were sitting in his office. But even they could not have pulled it off with the sophistication the attackers did.
This isn’t suggesting any cooperation from Siemens itself, right? Just that the attackers must have access to some high quality hacking.
It wasn’t searching for just any S7-315 and S7-417 PLC it could find: the PLCs had to be configured in a very precise way. Embedded in the attack code was a detailed dossier describing the precise technical configuration of the PLCs it sought.
the configuration Stuxnet was looking for was so precise that it was likely to be found in only a single facility in Iran or, if more than one, then facilities configured exactly the same, to control an identical process. Any system that didn’t have this exact configuration would remain unharmed; Stuxnet would simply shut itself down and move on to the next system in search of its target.
How are they able to determine that the configuration corresponded to Bushehr? I assume the configuration of their PLCs are not public (part of why this attack is impressive). [later described that they came to the conclusion not based on technology but on betting on who would go to such lengths to attack specific PLCs and work hard to conceal themselves—more of a top-down guess than based on hard evidence. Still impressive thinking and dot-connecting]
Governments probably can access snapshots through espionage, but data might get out of date as things change? Maybe they had live assets to keep them updated?
That was enough for Langner. He told Rosen and Timm that they had to go public with the news immediately. If Bushehr was the target, then someone should be able to confirm it once they did. Stuxnet and its target were like a key and lock. There was just one lock in the world that the key would open, and once they published details about the key’s design, anyone with a lock should be able to see if their facility matched.
And while Stuxnet’s authors had skillfully designed their attack to avoid collateral damage on machines that weren’t its target, subsequent attacks might not be as carefully crafted or controlled.
Especially because it took so much extra effort to do so. Most hackers wouldn’t bother it seems. Get the score and don’t worry too much if there’s collateral damage. Especially if the attackers are of terrorist bent.
In fact, a group of DHS analysts had completed most of their own examination of Stuxnet within a couple of days after it was exposed in July and knew even before Symantec and Langner did that Stuxnet was sabotaging PLCs.
They were also curious to know if McGurk’s team could tell who the intended target was. And finally they asked if there was anything in the code that gave away its source. McGurk told them no, there were no clues revealing who was behind the attack.
NSA asked the researchers looking into Stuxnet if they could tell the target or the source of the worm.
Later says it wouldn’t have been appropriate for researchers to ask CIA/NSA if the worm was the US’s work (though they were certainly curious and speculating).
But later McGurk says, “Never did I get the impression that, you know, they already knew this … and they were just hoping that I would go away.” So either they didn’t know or the IC leadership were really good poker players.
“Never did I get the impression that, you know, they already knew this … and they were just hoping that I would go away.”
Israel wasn’t the only one urging an attack. Behind closed doors, its Arab neighbors were just as adamant about halting Iran’s nuclear program, according to secret government cables released by WikiLeaks. “We are all terrified,” Egyptian President Hosni Mubarak told US diplomats at one point.
As early as 2003, Israel and others were pushing for air attacks to take out the Natanz enrichment facility.
Saudi Arabia’s King Abdullah privately urged the United States to do them all a favor where Iran and Ahmadinejad were concerned and “cut off the head of the snake.”2 A nuclear-armed Iran threatened the peace of the entire region, not just Israel, Mohammad bin Zayed, crown prince of Abu Dhabi said. If Iran got the bomb, “all hell will break loose,” he said, warning that Egypt, Saudi Arabia, Syria, and Turkey would all seek nuclear weapons to maintain parity.
means. It could also take out centrifuges not just in known facilities but in unknown ones. You couldn’t bomb a plant you didn’t know about, but you could possibly cyberbomb it.
Consideration around 2006-7 of a US-led digital attack on Natanz and other nuclear facilities (some of which were potentially being built inside a mountain and less accessible to conventional weapons, even the new bunker busters supplied by the US to Israel).
The daring and sophisticated scheme, which combined both covert and clandestine activities, was reportedly conceived by US Strategic Command—the Defense Department division that operates and oversees the country’s nuclear weapons—with Gen. James Cartwright as one of its architects.
The military already had its first taste of their capabilities in the 1980s, when a German named Markus Hess, who was reportedly recruited by the KGB, hacked into hundreds of military systems and research facilities, such as Lawrence Berkeley National Laboratory, in search of intelligence about satellites and the Star Wars defense system.