Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Kindle Notes & Highlights
1%
Not only was it using a skillful rootkit to cloak itself and make it invisible to antivirus engines, it was using a shrewd zero-day exploit to propagate from machine to machine—an exploit that attacked a function so fundamental to the Windows operating system, it put millions of computers at risk of infection.
1%
Exploits are attack code that hackers use to install viruses and other malicious tools onto machines.
1%
Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors—which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.
1%
Although more than 12 million viruses and other malicious files are captured each year, only about a dozen or so zero-days are found among them.
2%
Rootkits come in several varieties, but the most difficult to detect are kernel-level rootkits, which burrow deep into the core of a machine to set up shop at the same privileged level where antivirus scanners work.
2%
Kernel-level rootkits aren’t uncommon, but it takes sophisticated knowledge and a deft touch to build one that works well.
2%
Digital certificates are trusted security documents, like digital passports, that software makers use to sign their programs to authenticate them as legitimate products of their company.
3%
Responsible disclosure dictated that researchers who find vulnerabilities in software notify the relevant vendors before going public with the news to give the vendors time to patch the holes, so Ulasen dashed off e-mails to both RealTek and Microsoft, notifying them of what his team had found.
5%
Of the more than 1 million malicious files Symantec and other security firms find each month, most are copycats of known tools that hackers simply tweak to alter their fingerprints and try to outrun antivirus scanners.
5%
Malware containing, or suspected of containing, a zero-day exploit always gets examined by hand,
6%
Packers are digital tools that compress and mangle code to make it slightly harder for antivirus engines to spot the signatures inside and for forensic examiners to quickly determine what a code is doing.
6%
Antivirus engines can tell when a malicious file has been run through a known packer and can then unpack it on the fly to hunt for the signatures beneath. To thwart this, smart attackers design custom packers that aren’t easily recognized or removed.
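An added example (not from the book) of the two detection approaches this passage contrasts: a lookup of section names that stock packers leave behind, and a byte-entropy heuristic that still fires on a custom packer whose section names look ordinary. The sample sections are constructed; UPX0/UPX1, .aspack and MPRESS1 are real packer section names but only an illustrative subset, and the 7.0 bits-per-byte threshold is an assumption a real scanner would tune.

```python
import math
import random
from collections import Counter

# Shannon entropy in bits per byte: ordinary text and machine code sit well
# below 6, while compressed or encrypted regions approach the maximum of 8.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Section names that well-known packers leave behind (illustrative subset).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", "MPRESS1"}

# Assumption: above this many bits per byte a section is treated as packed
# or encrypted, whatever its name says.
HIGH_ENTROPY_THRESHOLD = 7.0

def classify_section(name: str, data: bytes) -> str:
    """Label one section as 'known-packer', 'high-entropy' or 'normal'."""
    if name in KNOWN_PACKER_SECTIONS:
        return "known-packer"
    if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "high-entropy"
    return "normal"

def scan_sections(sections):
    """Map each (name, bytes) pair to its label."""
    return {name: classify_section(name, data) for name, data in sections}

# Constructed sample sections (not taken from any real binary).
PLAIN_CODE = b"mov eax, [ebp+8]; push eax; call printf; ret; " * 100
_rng = random.Random(1)
OPAQUE_BLOB = bytes(_rng.randrange(256) for _ in range(4096))

SAMPLE_SECTIONS = [
    (".text", PLAIN_CODE),   # unpacked code: low entropy, ordinary name
    ("UPX1", PLAIN_CODE),    # a stock packer announces itself by name
    (".data", OPAQUE_BLOB),  # custom packer: innocuous name, but the bytes give it away
]

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS:
        label = classify_section(name, data)
        print(f"{name:8} {shannon_entropy(data):5.2f} bits/byte -> {label}")
```

The name check is cheap and exact but only catches packers that are already catalogued; the entropy check is what keeps working when an attacker writes their own packer, at the cost of false positives on legitimately compressed resources, so real engines combine both with unpacking and behavioural analysis rather than relying on either alone.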
6%
Each time Stuxnet infected a system, it “phoned home” to one of two internet domains masquerading as soccer fan sites—mypremierfutbol.com and todaysfutbol.com.
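An added example (not from the book) of how a defender would turn the two callback domains named in this passage into a detection over DNS logs. The log format (timestamp, client, query type, query name) and every log line are constructed; the two indicator domains are the ones the passage names. The matcher normalizes case and trailing dots, accepts subdomains of an indicator, and deliberately rejects look-alike names that merely contain the indicator as a prefix.

```python
from typing import Iterable, List, Optional, Tuple

# Indicator domains quoted in the passage above.
C2_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}

# Constructed resolver log in an assumed "timestamp client qtype qname" format.
SAMPLE_DNS_LOG = """\
2010-06-17T09:12:03Z 10.0.5.21 A www.example.com
2010-06-17T09:12:05Z 10.0.5.44 A mypremierfutbol.com
2010-06-17T09:12:09Z 10.0.5.44 A cdn.mypremierfutbol.com.
2010-06-17T09:13:11Z 10.0.7.8 A todaysfutbol.com.lookalike.example
2010-06-17T09:14:20Z 10.0.5.21 A TodaysFutbol.COM
malformed line that should be skipped
"""

def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return qname.rstrip(".").lower()

def match_indicator(qname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Suffix matching on a dot boundary is what prevents
    'todaysfutbol.com.lookalike.example' from matching.
    """
    name = normalize(qname)
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None

def find_beacons(log_text: str, indicators: Iterable[str] = C2_DOMAINS) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, normalized qname, indicator) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip lines that do not fit the assumed format
            continue
        _ts, client, _qtype, qname = fields
        ind = match_indicator(qname, indicators)
        if ind is not None:
            hits.append((client, normalize(qname), ind))
    return hits

def infected_hosts(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Distinct clients that looked up an indicator, sorted for reporting."""
    return sorted({client for client, _, _ in hits})

if __name__ == "__main__":
    beacons = find_beacons(SAMPLE_DNS_LOG)
    for client, qname, ind in beacons:
        print(f"{client} queried {qname} (matches {ind})")
    print("hosts to triage:", infected_hosts(beacons))
```

A resolver log is a good place for this check because the lookup happens whether or not the callback succeeds, so the query is evidence of infection even after the domains stop resolving.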
10%
ALTHOUGH THE NATANZ facility was new, Iran’s nuclear activities actually went back more than forty years. They had their roots in the regime of the former shah, Mohammad Reza Pahlavi, during a time when the United States and other Western nations fully supported Iran’s nuclear aspirations.
10%
Under the treaty, which divided the world into nuclear haves and have-nots, the nonweapons nations would be given aid to develop civilian nuclear programs as long as they agreed to foreswear building nuclear weapons and similarly agreed to regular inspections by the IAEA to ensure that materials and equipment intended for the civilian programs were not diverted for nuclear weapons development.
10%
many of the components and facilities for civilian nuclear programs were dual-use and could also be used for a nuclear weapons program,
10%
The subsequent Iran–Iraq war wasn’t kind to the abandoned reactors. Throughout the eight-year war, which ran from 1980 to 1988, Iraq bombed the two towers more than half a dozen times, leaving them in ruins.[21] During the war, the commander of Iran’s Revolutionary Guard urged the Ayatollah Khomeini to launch a nuclear weapons program to fend off Iraq and its Western allies. But Khomeini refused, believing that nuclear weapons were anathema to Islam and a violation of its basic moral principles. He apparently changed his mind, however, after Saddam Hussein unleashed chemical weapons on Iranian ...more
10%
Iran turned to a Pakistani metallurgist named Abdul Qadeer Khan for help. Khan had been instrumental in helping Pakistan build its nuclear weapons program in the mid-1970s, using centrifuge technology he had stolen from Europe. Khan had worked for a Dutch company that conducted centrifuge research and development for Urenco, a consortium formed by Germany, Great Britain, and the Netherlands to develop centrifuges for nuclear power plants in Europe. As part of his job, Khan had access to sensitive centrifuge designs that he copied and took back to Pakistan. He also absconded with lists of ...more
11%
Europe began tightening export controls on dual-use equipment and components. The controls didn’t deter Iran, however; they just forced its covert program further underground. To protect research and production facilities from being discovered, officials began spreading the work out among various sites around the country, some of them on protected military grounds, others hidden in plain sight in unassuming offices and warehouses.
12%
Like conventional weapons, most digital weapons have two parts—the missile, or delivery system, responsible for spreading the malicious payload and installing it onto machines, and the payload itself, which performs the actual attack, such as stealing data or doing other things to infected machines. In this case, the payload was the malicious code that targeted the Siemens software and PLCs.
14%
Stuxnet wasn’t just hunting for systems with Siemens Step 7 or WinCC software installed; they also had to be using a specific line of Siemens PLCs—the company’s S7-315 and S7-417 programmable logic controllers.
15%
ATTRIBUTION IS AN enduring problem when it comes to forensic investigations of hack attacks. Computer attacks can be launched from anywhere in the world and routed through multiple hijacked machines or proxy servers to hide evidence of their source. Unless a hacker is sloppy about hiding his tracks, it’s often not possible to unmask the perpetrator through digital evidence alone. But sometimes malware writers drop little clues in their code, intentional or not, that can tell a story about who they are and where they come from, if not identify them outright. Quirky anomalies or footprints left ...more
15%
Was the May date in Stuxnet a “Remember the Alamo” message to Iran from Israel—something like the missives US soldiers sometimes scribbled onto bombs dropped on enemy territory? Or was it an effort by non-Israeli actors to implicate the Jewish state in the attack in order to throw investigators off their trail? Or was it simply a case of Chien having an active imagination and seeing symbols where none existed?
17%
The IAEA had come a long way since its inauguration in 1957, when it was created to promote the peaceful development of nuclear technology. Its other role as nuclear watchdog—to ensure that countries didn’t secretly apply that technology to weapons development—was supposed to be secondary. But in the five decades since the agency’s inception, the latter task had gradually become its most critical, as one nuclear crisis arose after another. Unfortunately, the agency’s ability to fulfill this role was often thwarted by its limited authority to investigate or punish countries that violated their ...more
18%
the CIA had infiltrated the nuclear supply network of A. Q. Khan by securing the allegiances of a few of his key European suppliers and turning them into moles. From them, the CIA learned that Khan had sold the designs for Pakistan’s P-1 centrifuge—the design stolen from Urenco—to Iran and had also sold prototypes for its more advanced P-2 centrifuge to Libya. If Khan sold the P-2 design to Libya, Heinonen reasoned, he must have given it to Iran as well. Iran hadn’t mentioned the advanced centrifuge in its detailed history, but if it did possess the centrifuges, then it was possible that ...more
18%
Dolphin’s cache laid out in a very concise manner a series of projects that purportedly composed Iran’s secret nuclear weapons program. They included the country’s ambitious plans to make its own nuclear fuel by mining uranium ore from a mine in southern Iran, then processing it to produce uranium concentrate (or “yellowcake”), and finally converting the yellowcake into uranium tetrafluoride and uranium hexafluoride gas. Uranium tetrafluoride can be used to make uranium metal, which can be used for nonweapons applications but also for bombs.
19%
Ehud Olmert warned in a public address that if Iran’s program wasn’t halted, Israel would act on its own. “Anyone who threatens us, who threatens our existence, must know that we have the determination and capability of defending ourselves,” he said. “We have the right to full freedom of action to act in defense of our vital interests. We will not hesitate to use it.”
22%
Zero-day exploits weren’t the sort of thing you found just by opening a malicious file and peering at the code. You had to track each reference the code made to the operating system or to other software applications on the machine to spot any suspicious ways it interacted with them.
24%
Stuxnet’s zero-day exploits raised a lot of troubling questions about the burgeoning role of governments in the secret sale and use of such exploits—questions that have yet to be considered by Congress or resolved in public debate, despite evidence that the practice is creating dangerous vulnerabilities for corporations, critical infrastructure, and individual computer users alike.
24%
The thriving underground black market that caters to crooks and corporate spies sells not just zero-day vulnerabilities and exploits but also the payloads to weaponize the exploits—Trojan horses, spy kits, and other malicious tools designed to steal online banking credentials and company secrets or amass armies of zombie computers for a botnet.
24%
But the underground criminal sales—troubling as they are—are rapidly being eclipsed by the newest market for zero-day vulnerabilities and exploits, one that critics predict will soon have a more serious effect on security than the criminal market. This is the flourishing gray market of digital arms dealers—defense contractors and private marketeers—whose government customers have driven up the price of zero days and enticed sellers away from the vendor bounty programs where the holes will be fixed and into the arms of people who only want to exploit them.
24%
one person’s national security tool can be another’s tool of oppression, and there’s no guarantee that a government that buys zero days won’t misuse them to spy on political opponents and activists or pass them to another government that will.
25%
A zero-day exploit for Adobe Reader can go for $5,000 or $30,000, while an exploit for the Mac OS can cost $50,000. But an exploit for Flash or Windows can jump to $100,000 or more because of the programs’ ubiquity in the marketplace.
25%
It was also a time when vendors were less likely to thank researchers for disclosing a hole than threaten them with a lawsuit or criminal prosecution for probing their system or software to discover it.
25%
he still sees nothing wrong with selling zero days to the government and gets annoyed when people talk about the ethics of it. “No one gets mad that, you know, companies sell the government guns and tanks,” he says, noting that while US researchers are selling zero days to their government, Chinese and Russian hackers are doing the same for their governments. It’s better for the United States to pay top dollar for exploits, he says, than allow them to get into the hands of enemies.
25%
security firms and defense contractors who have made the development and sale of exploits for government part of the new military industrial complex.
26%
Publicly, Endgame was offering services to protect customers against viruses and botnets, while privately selling vulnerability and exploit packages containing information that could “lead to actionable intelligence for CNA efforts.” CNA, or computer network attacks, is military-speak for hacking that manipulates or destroys data or systems or retards or halts the performance of systems.
26%
The stolen e-mails described three different packages Endgame offered, called Maui, Cayman, and Corsica. For $2.5 million a year, the Maui package provided buyers with a bundle of twenty-five zero-day exploits. The Cayman package, which cost $1.5 million, provided intelligence about millions of vulnerable machines worldwide already infected with botnet worms like Conficker and other malware.
26%
VUPEN’s researchers devote all their time to finding zero-day vulnerabilities and developing exploits—both for already-known vulnerabilities as well as for zero days. Bekrar won’t say how many exploits they’ve sold since they began this part of their business, but says they discover hundreds of zero days a year. “We have zero days for everything,” he says. “We have almost everything for every operating system, for every browser, for every application if you want.”
26%
In 2012, several months after his team won the Pwn2Own contest, the NSA purchased a one-year subscription for VUPEN’s “Binary Analysis and Exploits (BAE)” service. The contract, released under a public records request, was heavily redacted and didn’t reveal the price paid for the subscription. But a business-consulting firm, which named VUPEN entrepreneurial company of the year in 2011, indicated the subscription runs about $100,000 a year. According to VUPEN’s website, the BAE service provides “highly technical reports for the most critical and significant vulnerabilities to understand their ...more
27%
“You have to use exploits in respect of ethics, in respect of international regulations and national laws and you cannot use exploits in massive operations.” But ethics, of course, are in the mind of the beholder, and Bekrar acknowledges that he has no way to control how customers interpret ethical injunctions.
27%
we only sell to democratic countries.”
27%
Christopher Soghoian of the American Civil Liberties Union is one of VUPEN’s biggest critics. He calls exploit sellers like VUPEN “modern-day merchants of death” and “cowboys,” who chase government dollars to supply the tools and bullets that make oppressive surveill...
27%
In 2013, initial steps were taken to try to regulate the sale of zero days and other cyberweapons. The Wassenaar Arrangement—an arms-control organization composed of forty-one countries, including the United States, the UK, Russia, and Germany—announced that it was for the first time classifying software and hardware products that can be used for hacking and surveillance and that “may be detrimental to international and regional security and stability” as dual-use products.
28%
“crackme” files—code games that programmers wrote for one another to test their reverse-engineering skills. Coders would write small programs coated in an encrypted shell, and reverse-engineers would have to crack it open and bypass other protections to unearth the secret message hidden inside, then send it back to the author to prove that they had solved it. Viruses and worms were just another type of crackme file in one sense, though some were more sophisticated than others.
29%
disassembler, a tool designed for translating binary code into assembly language, which was one step back from binary.
29%
As researchers typically did when examining complex malware like this, Falliere combined static analysis (viewing the code on-screen in a disassembler/debugger) with dynamic analysis (observing it in action on a test system, using the debugger to stop and start the action so he could match specific parts of the code with the effect it was having on the test machine). The process could be excruciatingly slow under the best of circumstances, since it required jumping back and forth between the two machines, but it was all the more difficult with Stuxnet due to its size and complexity.
29%
Whenever an engineer tried to send commands to a PLC, Stuxnet made sure its own malicious command code got sent and executed instead. But it didn’t just overwrite the original commands in a simple swap. Stuxnet increased the size of the code block and slipped its malicious code in at the front end. Then to make sure its malicious commands got activated instead of the legitimate ones, Stuxnet also hooked a core block of code on the PLC that was responsible for reading and executing commands.
29%
Before Stuxnet’s malicious commands went into action, the malware sat patiently on the PLC for about two weeks, sometimes longer, recording legitimate operations as the controller sent status reports back to monitoring stations. Then when Stuxnet’s malicious commands leapt into action, the malware replayed the recorded data back to operators to blind them to anything amiss on the machines—like a Hollywood heist film where the thieves insert a looped video clip into surveillance camera feeds. While Stuxnet sabotaged the PLC, it also disabled automated digital alarms to prevent safety systems ...more
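An added example (not from the book) of a check a monitoring station could run on the telemetry it is being shown, aimed at the "looped video clip" behaviour the passage describes. Genuine sensor readings carry measurement noise, so a block of values that repeats verbatim several times is a strong sign the feed is being replayed. The telemetry is constructed: a noisy frequency-like value stands in for controller status reports, and a replayed feed is built by looping a recorded stretch of it, as the passage says the malware did. The detector only catches verbatim loops; a replay that re-injects fresh noise would need statistical tests or an independent, out-of-band measurement.

```python
import random
from typing import List, Optional

def find_loop_period(readings: List[float], min_repeats: int = 3) -> Optional[int]:
    """Return p if the last min_repeats*p readings are one p-sample block
    repeated verbatim min_repeats times; otherwise return None.

    Periods are tried smallest first, so a 20-sample loop reports 20 rather
    than 40. min_repeats must be at least 2 so that a single block never
    counts as its own repetition.
    """
    if min_repeats < 2:
        raise ValueError("min_repeats must be at least 2")
    n = len(readings)
    for p in range(1, n // min_repeats + 1):
        tail = readings[n - p:]
        if all(readings[n - (k + 1) * p : n - k * p] == tail
               for k in range(1, min_repeats)):
            return p
    return None

def replay_alert(readings: List[float], min_repeats: int = 3) -> Optional[str]:
    """Human-readable alert text for a detected loop, or None when the feed looks live."""
    p = find_loop_period(readings, min_repeats)
    if p is None:
        return None
    return f"last {p * min_repeats} readings are a {p}-sample block repeated {min_repeats} times"

# Constructed telemetry (not real plant data): a value around 1000 with
# Gaussian measurement noise, as an honest controller would report it.
_rng = random.Random(7)
LIVE_FEED = [round(1000.0 + _rng.gauss(0, 0.5), 3) for _ in range(120)]

# The behaviour the passage describes, reproduced on the constructed data:
# a quiet stretch is recorded, then looped back to the operators.
RECORDED = LIVE_FEED[:20]
REPLAYED_FEED = LIVE_FEED + RECORDED * 3

if __name__ == "__main__":
    print("live feed   :", replay_alert(LIVE_FEED))
    print("replayed    :", replay_alert(REPLAYED_FEED))
```

The check is cheap enough to run continuously over a sliding window of each reported channel; the value of a second, independent sensor path is that it would also catch the subtler case where a replay is re-noised to defeat exact-match detection.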
29%
The fact that it was injecting commands into the PLC and trying to hide that it was doing so while at the same time disabling alarms was evidence that it was designed not for espionage but for sabotage.