Son of Stuxnet virus a SERIOUS threat (Updated)

[kdfwr911]

A powerful new computer virus that some are calling the "Son of Stuxnet" has been discovered, and researchers are concerned about its potential for attacking critical infrastructure computers around the world.

The mysterious Stuxnet worm -- perhaps the most powerful ever created -- managed to infiltrate computer systems in Iran and do damage to that nation's nuclear research program. The new worm, dubbed Duqu, has no such targeted purpose. But it shares so much code with the original Stuxnet that researchers at Symantec Corp. say it must either have been created by the same group that authored Stuxnet, or by a group that somehow managed to obtain Stuxnet's source code. Either way, Duqu's authors are brilliant, and mean business, said Symantec's Vikrum Thakur.

"There is a common trait among the (computers) being attacked," he said. "They involve industrial command and control systems."

Symantec speculates that Duqu is merely gathering intelligence as a precursor to a future industrial-strength attack on infrastructure computers.

“Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” Symantec said in an announcement. “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

At the moment, Duqu only creates a back door into infected systems, connecting them to a command computer somewhere in India. No marching orders have yet been given, Thakur said. But those who control the machines could do virtually anything they wanted, Thakur said.

"The kinds of consequences we could see ... if the computer is told download this file, it will download the file. If the file says shut off this service, and that had an effect on a power plant or a conveyor belt, it would do that," he said.

Duku is so similar to Stuxnet that F-Secure's antivirus program initially identified it as Stuxnet, said F-Secure's Chief Research Officer Mikko Hypponen.

"Duqu's kernel driver is so similar to Stuxnet's driver that our back-end systems actually thought it was Stuxnet," he said in a Tweet.

The mysterious Duku is designed to leave the back door open for precisely 36 days, and then self-destruct.

Symantec was first alerted to the existence of Duqu on Friday, when an unnamed security firm that had already worked with a Europe-based victim shared his research with the firm. Symantec researchers worked through the weekend trying to understand the virus, which they have since learned has infected industrial computers "around the globe," Thakur said. He wouldn't identify the initial victim or say how many known victims there are.

Symantec’s analysis shows the Duqu may have been used to surveil computers around the world as far back as December 2010.

McAfee researchers Guilherme Venere and Peter Szor said in a blog post that they are pretty sure Duqu was written by Stuxnet's authors, in part because both programs utilize fraudulent "stolen" digital certificates which had been issued to companies in Taiwan. The use of what appear to be real digital certificate keys make both programs particularly deceptive. It also proves the programmers are clever enough to fool Certificate Authorities who issued the certificates.

"It is highly likely that this key, just like the previous two, known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," the blog entry said.

Duqu’s attack pattern differs dramatically from Stuxnet, which was designed to attack a very specific computer system -- one that was involved in critical nuclear research inside Iran. The virus’ target led many to speculate that the virus was invented by Israeli programmers, or a cooperative effort of government-backed Israeli and American computer hackers.

This "Son of Stuxnet," with its much wider focus, might call into question the origin of the virus, but Thakur wouldn't speculate on that.

"It's my personal belief that the guys who wrote Stuxnet knew exactly what they were doing, and if you thought they were good guys then, you probably don't have anything more to worry about now," he said. "But if you didn't, you probably have a lot to worry about."

Symantec isn't finished analyzing Duqu; it has several other samples of the virus from other victims which it is analyzing now.

"We wanted to put out the word so people know about the threat, and know what to watch out for, such as traffic to unknown servers or what files to look for so they can try to block them," he said. "In the coming days, we will look into information from other sources we have and see if we can get more information on what these guys are actually going for. The key thing missing here, unlike Stuxnet, is we don't know what they are looking for."

http://redtape.msnbc.msn.com/_news/2011 ... -worldwide

[kdfwr911]

I remember when Stuxnet hit the nuclear facilities in Iran and caused their centrifuges to go wildly out of control and destroy themselves. At the time I figured either us or Israel (or both) was behind it. Hope it isn't payback time.

[E_]

The data gathering is odd and could be really bad. What I also wonder is could it have been packaged with other code that created any accounts or other applications that thought that first program self destructed those others are there undetected to be used to gain future access for those system the data gathering found "interesting".

[katie]

I personally will be grateful if y'all just keep us informed, lol.... I have no freaking clue what you guys just said!
Kinda reminds me of....

wargames.jpg (4.01 KiB) Viewed 1591 times

[kdfwr911]

I'm not real geeky either Katie, just remember when Stuxnet hit the Iranian nuclear research facilites a year or so ago and did a lot of damage to their centrifuge machines by causing them to go wildly out of control. At the time it was speculated that due to the sophistication of the attacks they had to be state sponsored. In other words, the very first ever act of state sponsored cyber warfare (or cyber terrorisim if you want to call it that) against another nation. Since the attack was clearly targeted at damaging Iran's ability to develope nuclear weapons (and by all reports was pretty successful at it) it was widely speculated that Israel and/or the U.S. were behind it. I just hope this "Son of Stuxnet" virus isn't payback from the Iranians that targets and attacks our critical infrastructure like nuclear power plants.

[E_]

I'm At the time it was speculated that due to the sophistication of the attacks they had to be state sponsored.

LOL, Naaa most of the really sophisticated ones are still out there and have not been caught then most times forced (Kevin Mitnick comes to mind) to work for the government.

In other words, the very first ever act of state sponsored cyber warfare (or cyber terrorisim if you want to call it that) against another nation.

You don't believe that do ya? The Chinese have a entire division for this. The US has had some sort of Cyber team for quite a while as well.


I don't worry too much about Iran doing Cyber attacks back on us since most that are educated enough there to do such coding would be educated enough to no like their leadership anyway.

I hope at least.

[kdfwr911]

It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium.

Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.

Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

The question was, why?

Iran wasn’t required to disclose the reason for replacing the centrifuges and, officially, the inspectors had no right to ask. Their mandate was to monitor what happened to nuclear material at the plant, not keep track of equipment failures. But it was clear that something had damaged the centrifuges.

What the inspectors didn’t know was that the answer they were seeking was hidden all around them, buried in the disk space and memory of Natanz’s computers. Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim — to sabotage the country’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear weapon.

But it would be nearly a year before the inspectors would learn of this. The answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon

http://www.wired.com/threatlevel/2011/0 ... xnet/all/1

[kdfwr911]

You don't believe that do ya? The Chinese have a entire division for this. The US has had some sort of Cyber team for quite a while as well.

Yeah I'd say we and many other countries have a host of geeks for this purpose. But I think Stuxnet was the first time one country actually ever committed what amounts to an act of cyber war against another country like that.

[kdfwr911]

SAN JOSE, Calif. — When a computer attack hobbled Iran's unfinished nuclear power plant last year, it was assumed to be a military-grade strike, the handiwork of elite hacking professionals with nation-state backing.

Yet for all its science-fiction sophistication, key elements have now been replicated in laboratory settings by security experts with little time, money or specialized skill. It is an alarming development that shows how technical advances are eroding the barrier that has long prevented computer assaults from leaping from the digital to the physical world.

The techniques demonstrated in recent months highlight the danger to operators of power plants, water systems and other critical infrastructure around the world.

"Things that sounded extremely unlikely a few years ago are now coming along," said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that helps the U.S. government prepare for future attacks.

While the experiments have been performed in laboratory settings, and the findings presented at security conferences or in technical papers, the danger of another real-world attack such as the one on Iran is profound.

The team behind the so-called Stuxnet worm that was used to attack the Iranian nuclear facility may still be active. New malicious software with some of Stuxnet's original code and behavior has surfaced, suggesting ongoing reconnaissance against industrial control systems.

And attacks on critical infrastructure are increasing. The Idaho National Laboratory, home to secretive defense labs intended to protect the nation's power grids, water systems and other critical infrastructure, has responded to triple the number of computer attacks from clients this year over last, the U.S. Department of Homeland Security has revealed.

For years, ill-intentioned hackers have dreamed of plaguing the world's infrastructure with a brand of sabotage reserved for Hollywood. They've mused about wreaking havoc in industrial settings by burning out power plants, bursting oil and gas pipelines, or stalling manufacturing plants.

But a key roadblock has prevented them from causing widespread destruction: they've lacked a way to take remote control of the electronic "controller" boxes that serve as the nerve centers for heavy machinery.

The attack on Iran changed all that. Now, security experts — and presumably, malicious hackers — are racing to find weaknesses. They've found a slew of vulnerabilities.

Think of the new findings as the hacking equivalent of Moore's Law, the famous rule about computing power that it roughly doubles every couple of years. Just as better computer chips have accelerated the spread of PCs and consumer electronics over the past 40 years, new hacking techniques are making all kinds of critical infrastructure — even prisons — more vulnerable to attacks.

One thing all of the findings have in common is that mitigating the threat requires organizations to bridge a cultural divide that exists in many facilities. Among other things, separate teams responsible for computer and physical security need to start talking to each other and coordinate efforts.

Many of the threats at these facilities involve electronic equipment known as controllers. These devices take computer commands and send instructions to physical machinery, such as regulating how fast a conveyor belt moves.

They function as bridges between the computer and physical worlds. Computer hackers can exploit them to take over physical infrastructure. Stuxnet, for example, was designed to damage centrifuges in the nuclear plant being built in Iran by affecting how fast the controllers instructed the centrifuges to spin. Iran has blamed the U.S. and Israel for trying to sabotage what it says is a peaceful program.

Security researcher Dillon Beresford said it took him just two months and $20,000 in equipment to find more than a dozen vulnerabilities in the same type of electronic controllers used in Iran. The vulnerabilities, which included weak password protections, allowed him to take remote control of the devices and reprogram them.

"What all this is saying is you don't have to be a nation-state to do this stuff. That's very scary," said Joe Weiss, an industrial control system expert. "There's a perception barrier, and I think Dillon crashed that barrier."

One of the biggest makers of industrial controllers is Siemens AG, which made the controllers in question. The company said it has alerted customers, fixed some of the problems and is working closely with CERT, the cybersecurity arm of the U.S. Department of Homeland Security.

Siemens said the issue largely affects older models of controllers. Even with those, the company said, a hacker would have to bypass passwords and other security measures that operators should have in place. Siemens said it knows of no actual break-ins using the techniques identified by Beresford, who works in Austin, Texas, for NSS Labs Inc.,

Yet because the devices are designed to last for decades, replacing or updating them isn't always easy. And the more research that comes out, the more likely attacks become.

One of the foremost Stuxnet experts, Ralph Langner, a security consultant in Hamburg, Germany, has come up with what he calls a "time bomb" of just four lines of programming code. He called it the most basic copycat attack that a Stuxnet-inspired prankster, criminal or terrorist could come up with.

"As low-level as these results may be, they will spread through the hacker community and will attract others who continue digging," Langner said in an email.

The threat isn't limited to power plants. Even prisons and jails are vulnerable.

Another research team, based in Virginia, was allowed to inspect a correctional facility — it won't say which one — and found vulnerabilities that would allow it to open and close the facility's doors, suppress alarms and tamper with video surveillance feeds.

During a tour of the facility, the researchers noticed controllers like the ones in Iran. They used knowledge of the facility's network and that controller to demonstrate weaknesses.

They said it was crucial to isolate critical control systems from the Internet to prevent such attacks.

"People need to deem what's critical infrastructure in their facilities and who might come in contact with those," Teague Newman, one of the three behind the research.

Another example involves a Southern California power company that wanted to test the controllers used throughout its substations. It hired Mocana Corp., a San Francisco-based security firm, to do the evaluation.

Kurt Stammberger, a vice president at Mocana, told The Associated Press that his firm found multiple vulnerabilities that would allow a hacker to control any piece of equipment connected to the controllers.

"We've never looked at a device like this before, and we were able to find this in the first day," Stammberger said. "These were big, major problems, and problems frankly that have been known about for at least a year and a half, but the utility had no clue."

He wouldn't name the utility or the device maker. But he said it wasn't a Siemens device, which points to an industrywide problem, not one limited to a single manufacturer.

Mocana is working with the device maker on a fix, Stammberger said. His firm presented its findings at the ICS Cyber Security Conference in September.

Even if a manufacturer fixes the problem in new devices, there's no easy way to fix it in older units, short of installing new equipment. Industrial facilities are loath to do that because of the costs of even temporarily shutting its operations.

"The situation is not at all as bad as it was five to six years ago, but there's much that remains to be done," said Ulf Lindqvist, an expert on industrial control systems with SRI International. "We need to be as innovative and organized on the good-guy side as the bad guys can be."

http://www.msnbc.msn.com/id/45007841/ns ... -security/