Archive for October 2, 2010

Iran spy chief: We are able to fight off Stuxnet computer worm

October 2, 2010

Iran spy chief: We are able to fight off Stuxnet computer worm – Haaretz Daily Newspaper | Israel News.

Heidar Moshlehi quoted by Iranian state TV as saying authorities have arrested several nuclear spies.

By The Associated Press

Iran’s intelligence minister said the country has learned how to fight off a complex computer worm that some foreign experts have speculated was designed to target Tehran’s nuclear program, state television reported Saturday.

Heidar Moslehi was also quoted as saying authorities have arrested several nuclear spies, but he gave no details and it wasn’t clear if the developments were related.

Over recent months, the malicious Stuxnet computer code has also affected industrial systems in India, Indonesia and the U.S. But it has spread the most in Iran, including to several personal computers of workers at Iran’s first nuclear power plant, which is to go online later this year.

The destructive Stuxnet worm has surprised experts because it is the first one specifically created to take over industrial control systems, like those at power plants, rather than just steal or manipulate data.

Moslehi did not reveal where or when the suspected spies were arrested, saying only that Iran has “always faced sabotage” by foreign intelligence services.

Iran periodically announces the arrest of nuclear spies without giving details.

The state TV report did not carry any remarks from Moslehi linking the arrests with the investigation into the computer worm.

“Iran’s intelligence department has found a solution for confronting (the worm) and it will be applied,” he was quoted as saying. “Our domination of virtual networks has thwarted the activities of enemies in this regard.”

A week ago, Iran said the Stuxnet code was found on several laptops belonging to staff at the Bushehr nuclear power plant but that the plant’s main systems were not affected.

The plant has stood outside the current controversy over Iran’s nuclear program since Russia will be providing the fuel for the plant and supervising its disposal.

The reactor building of the Bushehr nuclear power plant is seen, just outside the southern city of Bushehr, Iran, Saturday, Aug. 21, 2010. Photo by: AP

But other aspects of Iran’s nuclear work, especially its enrichment of uranium, are of concern to the United States and other world powers. Enrichment can be used to produce weapons as well as make fuel for power plants. Iran says it only has peaceful nuclear aims, such as generating electricity.

Who created the Stuxnet code and what its precise target is, if any, remains a mystery.

The web security firm Symantec Corp. says the computer worm was likely spawned by a government or a well-funded private group. It was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, Symantec says.

Robby is long gone and the mouse is roaring for real

October 2, 2010

Robby is long gone and the mouse is roaring for real.

Philippe Mora

October 3, 2010 – 12:18AM

IN MAY, I wrote about cyber terrorism and hacking. It turns out what I wrote was mild. We appear now to be in an accelerated international cyber war, undeclared and anonymous.

World leaders are grappling with this new kind of war. Unable to police the internet, governments may eventually close it down to save lives. Virulent “malware” is out of control, transferred by the internet or hard drives.

I first got a thrill from robots as a kid watching Robby the Robot in MGM’s Forbidden Planet. Robby was programmed so he would never kill a human. I then graduated to HAL, the first celebrity rogue computer, in Stanley Kubrick’s 2001: A Space Odyssey. Soft spoken, campy HAL turned psycho on his human crew, foreshadowing hostile cyber attacks. Then the mad heterosexual computer Proteus, in Demon Seed, opted to impregnate Julie Christie, the first digital rape on screen.


Today, the keyboard is snarling and the mouse is roaring for real. The terrifying, weirdly named Stuxnet is a digital attack entity that infiltrates computers and can disastrously interrupt and change instructions in industrial machines. MGM didn’t create this one. Stuxnet appeared worldwide, but mostly in Iran. The conspiracy theorists are salivating about the prospect of the US or Israel as the culprit. But no one knows where it came from or where it’s going. Stuxnet has no voice, silently recreates and multiplies itself ad infinitum.

Britain’s Financial Times and others made this “logic bomb” front page last week, revealing that the complexity of this fiendish creation and its grasp of Microsoft Windows and Siemens systems shouts of substantial resources behind it to hack these giants. Stuxnet infiltrates industrial computers, finds Siemens software and sends new instructions, reverses commands and disrupts operations. Experts posit the virus would take at least 10 programmers six months of full-time work to create.

Symantec claims nearly 60 per cent of computers in Iran are infected, implying a possible concerted attack on that country’s infrastructure. According to National Public Radio in the US, governments are pushing for a cyber-disarmament agreement to control the net. Even tweeting is regarded by some countries as ideological or other warfare.

Russia, for example, raised cyber warfare as a problem in 1998. Cyber security is a worldwide emergency.

Stuxnet’s news debut reflected intelligence alarms underlining the stark reality of active cyber war. Science fiction morphs to science fact and when some horrible geeks create silent, self-reproducing computers to kill humans, films like A Space Odyssey start looking like the History Channel.

The success of the internet is based on the fact that no one really owns it. Governments of any ideological bent, from democratic to autocratic, simply detest this aspect. By definition, governments want control in various degrees over their own population. Now, control of the internet is a national security issue for governments.

Freedom of information on the net could disappear fast once digital murders erupt. The cyber-killer viruses use computers and the internet to violate the society generously allowing them access.

The lone eccentric hacking into the Pentagon to find photos of aliens is history. Known nations – state hackers – are also with us. Earlier in the year China was accused of launching myriad cyber attacks on Western sites to spy and/or disrupt. But these digital attacks are technically without a home address.

So far, it appears that the cyber war has fewer casualties than a weekend in Afghanistan. But it’s only a matter of time until some militarised geeks actually kill people with rogue missions.

The Manhattan Project to create the atomic bomb in the 1940s was a well-kept secret, so one can assume any ultra cyber virus, or weaponised digital element, would be under wraps. We know these computer viruses act like search-and-destroy aliens, can hide out, camouflage themselves, and operate HAL-like independently of the computer user. Technology in warfare is nothing new, and computers themselves advanced in huge jumps in World War II. So you could argue the first essential computer victory was the Allied win in WWII.

Like all wars, this one may cost us some freedoms to win.

Iran ‘detains western spies’ after cyber attack on nuclear plant | World news | guardian.co.uk

October 2, 2010

Iran ‘detains western spies’ after cyber attack on nuclear plant | World news | guardian.co.uk.

Iranian government accuses the west of launching an ‘electronic war’ following sophisticated Stuxnet worm attack

Iran’s intelligence minister, Heydar Moslehi, has blamed western ‘spy services’ for the sophisticated cyber attack on the Bushehr nuclear reactor. Photograph: Atta Kenare/AFP/Getty Images

Iran has detained several “spies” it claims were behind cyber attacks on its nuclear programme.

The intelligence minister, Heydar Moslehi, said western “spy services” were behind the complex computer virus that recently infected more than 30,000 computers in industrial sites, including those in the Bushehr nuclear power plant, appearing to confirm the suspicion of computer security experts that a foreign state was responsible.

The announcement also suggests that the attack involving the Stuxnet worm virus, which computer experts believe may have been designed to spy on Iran’s nuclear facilities rather than destroy them, has caused more alarm in the regime than has so far been acknowledged.

In remarks carried on Iranian state television and the Mehr news service, Moslehi said Iran had discovered the “destructive activities of the arrogance [of the west] in cyberspace”, adding that “different ways to confront them have been designed and implemented”.

“I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country’s nuclear activities.

“Iran’s intelligence department has found a solution for confronting [the worm] and it will be applied. Our domination of virtual networks has thwarted the activities of enemies in this regard.”

Moslehi gave no details of when the arrests had taken place or whether those detained were Iranians or foreign citizens.

According to experts the Stuxnet worm, designed to be delivered through a removable drive like a USB stick, is one of the most complex pieces of malicious code ever deployed. It was written specifically to attack Siemens industrial control units of the kind used in the Iranian nuclear programme.

Suspicion for responsibility for the attack has inevitably focused on Israel and the US, although there is little evidence to support this.

The announcement of the arrests, intended to reassure Iranians, follows comments last week by another senior Iranian official, Mahmoud Liaii, who said: “An electronic war has been launched against Iran.”

Iran has denied that the worm damaged the main control systems at Bushehr, rather infecting the laptops of some workers at the plant. However, the disclosure of the attack coincided with an announcement that the plant’s inauguration has been delayed until at least next year because of continuing technical problems.

It was confirmed earlier this week that Iran will start fuelling the Bushehr nuclear reactor with enriched uranium fuel over the next few days, months later than had been originally announced.

The vice-president, Ali Akbar Salehi, maintained the delay had nothing to do with the computer worm and said the plant had not been affected in any way.

“We hope to load the fuel into the Bushehr reactor by early October and the necessary groundwork for this is coming together, God willing, so it [the fuel] will be completely put in place in the heart [of the reactor] by November,” he told the semi-official ISNA news agency.

In recent years Iran has announced the arrest of nuclear spies on a periodic basis. Three years ago it announced it had broken up a spy ring that had handed nuclear intelligence to the UK.

Little Israel… Defender of the Western World. Long Live Stuxnet!!!!

October 2, 2010

New Clues Point to Israel as Author of Blockbuster Worm, Or Not

October 2, 2010

New Clues Point to Israel as Author of Blockbuster Worm, Or Not | Threat Level | Wired.com.

New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that adds to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.

Symantec’s paper adds to that speculation. It also provides intriguing data about an update the authors made to it in March of this year that ultimately led to it being discovered. The update suggests the authors, despite launching their malware as early as June 2009, may not have reached their target by March 2010.

The code has so far infected about 100,000 machines in 155 countries, apparently beginning in Iran and recently hitting computers in China. Researchers still have no idea if the malware reached the targeted system it was designed to sabotage.

Liam O’Murchu, researcher at Symantec Security Response, said in a press call Friday that even though the malware’s command-and-control server has been disabled, the attackers can still communicate with infected machines via peer-to-peer networking. Symantec hopes that experts in industrial control systems who read their paper may help identify the specific environment Stuxnet was targeting.

“We hope someone will look at the values and say this is a configuration you’d only find in an oil refinery or power plant,” said O’Murchu. “It’s very important to find out what the target was. You can’t tell what [Stuxnet] does unless you know what it was connected to.”

The code targets industrial control software made by Siemens called WinCC/Step 7, but is designed to deliver its malicious payload to only a particular configuration of that system. About 68 percent of infected systems in Iran have the Siemens software installed, but researchers don’t know if any have the targeted configuration. By contrast, only 8 percent of infected hosts in South Korea are running Step 7 software, and only about 5 percent of infected hosts in the U.S. do. An apparent “kill” date in the code indicates that Stuxnet is designed to stop working June 24, 2012.

The first clue that may point to Israel’s involvement in the malware involves two file directory names – myrtus and guava – that appear in the code. When a programmer creates code, the file directory where his work-in-progress is stored on his computer can find its way into the finished program, sometimes offering clues to the programmer’s personality or interests.

In this case, Symantec suggests the name myrtus could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew, and guavas are in the myrtle, or myrtus family of fruit.

A clue to Stuxnet’s possible target lies in a “do not infect” marker in the malware. Stuxnet conducts a number of checks on infected systems to determine if it’s reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection. According to Symantec, one marker Stuxnet uses to determine if it should halt has the value 19790509. Researchers suggest this refers to a date — May 9, 1979 — that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country.

This would seem to support claims by others that Stuxnet was targeting a high-value system in Iran, possibly its nuclear enrichment plant at Natanz.

Or, again, both clues could simply be red herrings.

O’Murchu said the authors, who were highly skilled and well-funded, were meticulous about not leaving traces in the code that would track back to them. The existence of apparent clues, then, would belie this precision.

One mystery still surrounding the malware is its wide propagation, suggesting something went wrong and it spread farther than intended. Stuxnet, when installed on any machine via a USB drive, is supposed to spread to only three additional computers, and to do so within 21 days.

“It looks like the attacker really did not want Stuxnet to spread very far and arrive at a specific location and spread just to computers closest to the original infection,” O’Murchu said.

But Stuxnet is also designed to spread via other methods, not just via USB drive. It uses a zero-day vulnerability to spread to other machines on a network. It can also be spread through a database infected via a hardcoded Siemens password it uses to get into the database, expanding its reach.

Symantec estimates it took between 5 and 10 developers with different areas of expertise to produce the code, plus a quality assurance team to test it over many months to make certain it would go undetected and not destroy a target system before the attackers intended to do so.

The WinCC/Step 7 software that Stuxnet targets connects to a Programmable Logic Controller, which controls turbines, pressure valves and other industrial equipment. The Step 7 software allows administrators to monitor the controller and program it to control these functions.

When Stuxnet finds a Step7 computer with the configuration it seeks, it intercepts the communication between the Step 7 software and the controller and injects malicious code to presumably sabotage the system. Researchers don’t know exactly what Stuxnet does to the targeted system, but the code they examined provides a clue.

One value found in Stuxnet – 0xDEADF007 – is used by the code to specify when a process has reached its final state. Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure. This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown.

Two versions of Stuxnet have been found. The earliest points back to June 2009, and analysis shows it was under continued development as the attackers swapped out modules to replace ones no longer needed with new ones and add encryption and new exploits, apparently adapting to conditions they found on the way to their target. For example, digital certificates the attackers stole to sign their driver files appeared only in Stuxnet in January 2010.

One recent addition to the code is particularly interesting and raises questions about its sudden appearance.

A Microsoft .lnk vulnerability that Stuxnet used to propagate via USB drives appeared only in the code in March this year. It was the .lnk vulnerability that ultimately led researchers in Belarus to discover Stuxnet on systems in Iran in June.

O’Murchu said it’s possible the .lnk vulnerability was added late because the attackers hadn’t discovered it until then. Or it could be they had it in reserve, but refrained from using it until absolutely necessary. The .lnk vulnerability was a zero-day vulnerability — one unknown and unpatched by a vendor that takes a lot of skill and resources for attackers to find.

Stuxnet’s sophistication means that few attackers will be able to reproduce the threat, though Symantec says many will try now that Stuxnet has taken the possibility for spectacular attacks on critical infrastructures out of Hollywood movies and placed them in the real world.

“The real-world implications of Stuxnet are beyond any threat we have seen in the past,” Symantec writes in its report. “Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.”

Graphs courtesy of Symantec

Read more: http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/

Symantec Puts ‘Stuxnet’ Malware Under the Knife

October 2, 2010

Symantec Puts ‘Stuxnet’ Malware Under the Knife | News & Opinion | PCMag.com.

By: Larry Seltzer

It’s not often that malware like Stuxnet comes around. Stuxnet appears to be the new black at the Virus Bulletin 2010 conference, currently ongoing in Vancouver. Everyone’s talking about it. The mountain of research and just plain blabbing about Stuxnet there includes a paper from Symantec entitled Win32.Stuxnet Dossier. It summarizes what we know (or rather what Symantec knows) on the matter and adds some interesting new details dug out of the innards of the code. There’s also a great Stuxnet Questions and Answers from F-Secure.

Some summary characteristics of Stuxnet from the paper:

  • It self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732).
  • It spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
  • It spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
  • Copies and executes itself on remote computers through network shares.
  • Copies and executes itself on remote computers running a WinCC database server.
  • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
  • Updates itself through a peer-to-peer mechanism within a LAN.
  • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
  • Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
  • Contains a Windows rootkit that hides its binaries.
  • Attempts to bypass security products.
  • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
  • Hides modified code on PLCs, essentially a rootkit for PLC.

Stuxnet was discovered in July but seems to have existed for at least a year prior. Microsoft said at VB2010 that there’s evidence that Stuxnet code dates back to January 2009. This is both impressive in and of itself, and confirmation of the sophistication of the programming in Stuxnet.

But Stuxnet is not without technical criticism. Threatpost quotes Trend Micro virus researcher Ivan Macalintal expressing surprise that the worm’s authors allowed it to escape and attack elsewhere, even in the US. “It should have been more successful and stayed off the radar,” said Macalintal. In a press call Friday morning Liam O’Murchu, researcher at Symantec Security Response, joined Macalintal in this position.

O’Murchu added that there are many controls built into Stuxnet to prevent it from spreading haphazardly. The USB stick infector keeps a counter and only allows 3 infections per stick. Once running on a system it only attempts to spread for 21 days. These were clearly put in because the authors wanted Stuxnet not to spread beyond its target.

I feel a bit obtuse for saying so, but I don’t understand why it’s so hard to see it spreading. It seems clear to me that it didn’t spread widely until fairly late in life, and that’s why it was finally uncovered. And with 7 different infection mechanisms (including USB, weak network shares, Conficker/Downadup, the print spooler vulnerability), even with the infection throttling built in, it was only a matter of time before someone accidentally took it outside a secured network.

Who wrote it? There’s still no rock-solid evidence there, although the Symantec report includes two new points which, they say, vaguely implicate Israel. The first:


In the driver file, the project path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb was not removed.
Guavas are plants in the myrtle (myrtus) family genus. In addition, according to Wikipedia, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire…The Jews went on to kill only their would-be executioners.”

Right. Or maybe the author likes yummy guavas. Symantec agrees and adds: “Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.”

Even better, F-Secure’s Mikko Hypponen has asked: “Maybe the Stuxnet path name is NOT ‘Myrtus’ but ‘My RTUs’? Would make much more sense.”
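Both the Wired piece above (the myrtus and guava directory names) and the Symantec excerpt quoted here turn on one artifact: a build path left inside a driver’s debug record. The script below is an added example, not code from Symantec, Wired or PCMag, showing how an incident responder pulls such paths out of a binary for triage. It walks a byte buffer looking for CodeView RSDS records (the ASCII tag “RSDS”, a 16-byte GUID, a 4-byte age and a NUL-terminated .pdb path) and compares each path against a small watch list. The sample bytes are constructed inside the script and are not from a real Stuxnet file; the watch-list fragments come from the path quoted above.

```python
"""
Extract CodeView (RSDS) debug paths from a PE-style byte buffer and flag
known-suspicious build paths. Added illustration; not Symantec's tooling.
The sample "binary" below is constructed here, not taken from a real sample.
"""
import re
import struct
import uuid

# RSDS record layout (CodeView 7.0):
#   b"RSDS" | 16-byte GUID (little-endian fields) | 4-byte age (LE) | path\0
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Build-path fragments the articles above associate with the Stuxnet driver.
# Matched case-insensitively; Windows build paths use backslashes.
SUSPICIOUS_PATH_FRAGMENTS = ("\\myrtus\\", "guava.pdb")


def extract_rsds_paths(blob):
    """Return every RSDS record in blob as a dict: offset, guid, age, path."""
    records = []
    for m in re.finditer(re.escape(RSDS_MAGIC), blob):
        start = m.start()
        hdr_end = start + RSDS_HEADER_LEN
        if hdr_end > len(blob):
            continue  # truncated record, skip it
        guid_bytes = blob[start + 4:start + 20]
        (age,) = struct.unpack("<I", blob[start + 20:hdr_end])
        nul = blob.find(b"\x00", hdr_end)
        if nul == -1:
            continue  # no terminator, not a well-formed record
        # PDB paths in RSDS records are narrow (8-bit) strings.
        path = blob[hdr_end:nul].decode("latin-1")
        records.append({
            "offset": start,
            "guid": str(uuid.UUID(bytes_le=guid_bytes)),
            "age": age,
            "path": path,
        })
    return records


def flag_paths(records):
    """Return the paths that contain any watch-listed fragment."""
    hits = []
    for rec in records:
        low = rec["path"].lower()
        if any(frag.lower() in low for frag in SUSPICIOUS_PATH_FRAGMENTS):
            hits.append(rec["path"])
    return hits


def build_rsds(path, guid=None, age=1):
    """Construct an RSDS record (test data only, not from a real binary)."""
    guid = guid or uuid.UUID(int=0)
    return (RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age)
            + path.encode("latin-1") + b"\x00")


# Constructed stand-in for a driver file: filler bytes around two RSDS
# records, one carrying the path quoted in the Symantec dossier and one
# benign path that should not be flagged.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 64
    + build_rsds(r"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb", age=2)
    + b"\x00" * 32
    + build_rsds(r"c:\build\release\driver.pdb")
    + b"\xff" * 16
)


def triage(blob=SAMPLE_BLOB):
    """Summarise a buffer: all debug paths found, and the suspicious ones."""
    recs = extract_rsds_paths(blob)
    return {"paths": [r["path"] for r in recs], "suspicious": flag_paths(recs)}


if __name__ == "__main__":
    for rec in extract_rsds_paths(SAMPLE_BLOB):
        print("0x%08x age=%d guid=%s path=%s"
              % (rec["offset"], rec["age"], rec["guid"], rec["path"]))
    print("suspicious:", triage()["suspicious"])
```

In practice you would read each driver from disk into `blob` and pivot on all three fields: the path for the build-environment clue discussed above, and the GUID and age, which stay constant across builds from the same PDB and so tie otherwise different binaries to one source tree. As both Symantec and the author note, a path is a lead for hunting related samples, not evidence of who wrote them.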

The other concerns a registry value named “NTVDM TRACE” maintained by Stuxnet:

If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a “do not infect” marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”

Once again, they don’t want to make too much of it: “Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.”

Sophos’s Graham Cluley speculates that someone with “inside knowledge of how Siemens’ systems work” was responsible, at least for the PLC programming parts. This seems somewhat reasonable, as you can’t write such programs without at least the ability to test them on the hardware. But that doesn’t mean that the person with knowledge of how to program Siemens PLCs did or did not work for Siemens.

None of this really takes us all that much further. The “myrtle” reference seems like it could be a lot of things and the date could be someone’s birthday. I’m sure there are lots of dates one could point to as somehow connected to some party involved with this. And more to the point, at this quality level of espionage one shouldn’t be surprised to find misdirection. Why would so professionally-written a piece of software, one which goes to great lengths to hide its origins, have clues like this built into it? Surely the authors knew that if it was uncovered it would be disassembled and the details analyzed.

Fundamentally we still don’t know anything for sure about who wrote it. I can think of quite a few groups I would think capable of it, although getting it into the facilities to infect them is beyond the capacity of even the most talented programmer who lacks Iranian secrecy clearances. This is why it’s highly likely, if not certain, that some state actor with first-class espionage capabilities is responsible.

[Note: I have in the past, and continue to write for VeriSign, which is now a part of Symantec, including on matters related to Stuxnet.]

Worm that turned breaks new ground

October 2, 2010

Worm that turned breaks new ground – World – NZ Herald News.

Computers can go wrong and everyone is used to it. But that’s at home.

We assume that the machines controlling the infrastructure that makes everything tick – power stations, chemical works, water purification plants – have rock-solid defences in place to deal with unexplained crashes or virus attacks.

Now, though, a new kind of online sabotage has reached its zenith with a self-replicating “worm” that started on a single USB drive and has spread rapidly through industrial computer systems around the world.

So sophisticated that many analysts believe it can only be part of a state-sponsored attack, the Stuxnet worm – or “malware” – is the first such programming creation designed with the specific intention of causing real world damage.

And if the experts are right, it could herald a new chapter in the history of cyber warfare.

The worm, designed to spy on and subsequently reprogramme industrial systems running a specific piece of industrial control software produced by German company Siemens, has now been detected on computers in Indonesia, India and Pakistan, but more significantly Iran; 60 per cent of current infections have taken place within the country, with some 30,000 internet-connected computers affected so far, including machines at the nuclear power plant in Bushehr, due to open in the next few weeks.

Hamid Alipour, deputy head of Iran’s Information Technology Company, warned that nearly four months after it was identified, “new versions of the virus are spreading”.

And he claimed that the hackers responsible must have been the result of “huge investment” by a group of hostile nations.

Despite intense scrutiny of the code, malware experts have so far been unable to discover exactly what the intended target of Stuxnet may be, or has been. But Alan Bentley, international vice president at security firm Lumension, is in no doubt that it is “the most refined piece of malware ever discovered”.

The motive is certainly not, as is usual with such attacks, financial gain or simple tomfoolery; Stuxnet is intelligent enough to target specific kinds of industrial computer systems configured in a certain way and then, if it finds what it’s looking for, seek new orders to disrupt them.

Two potential targets of the worm may have been nuclear facilities within Iran at Bushehr and Natanz; indeed, a document on the website Wikileaks suggests that a nuclear accident may have occurred at Natanz during early July last year, followed shortly afterwards by the unexplained resignation of the head of Iran’s Atomic Energy Organisation.

But if that was Stuxnet’s intended target, it has continued to spread regardless, causing consternation at industrial facilities worldwide. Melissa Hathaway, a former United States national cybersecurity co-ordinator, has expressed particular concern at the availability of Stuxnet’s code and the techniques it employs to the wider internet community, saying: “We have about 90 days to fix this before some hacker begins using it.”

Security software firm Symantec has estimated that Stuxnet would have taken between five and 10 specialists about six months to compile – a resource not within the means of the average internet criminal.

One of the engineers working on unpicking the code expressed his surprise at the sophistication of the project, and said: “This is what nation states build if their only other option would be to go to war.”

Iran’s deeply controversial nuclear ambitions throw up any number of likely suspects but a number of fingers have pointed at Israel, and in particular its intelligence corps, Unit 8200.

Last year, Reuters reported on Israel’s burgeoning cyber-warfare project, with a recently retired Israeli security cabinet member stating that Iran’s computer networks were vulnerable.

Scott Borg, director of the US Cyber Consequences Unit, added that “a contaminated USB stick would be enough” to commandeer the controls of sensitive sites such as uranium enrichment plants – a rather prescient prediction.

The ramifications of this incident are considerable. Not only are there worries about the effects of Stuxnet upon computers that are critical to people’s everyday lives but there’s also great concern over the poor level of computer security being employed by those operating such machines.

Stuxnet made its way into computer systems via vulnerabilities in Microsoft’s Windows operating system, before taking control of the Siemens software via its default password.

That something as mundane as a password issue could have such a critical effect has also caused consternation amongst commentators and analysts – as has the unnerving announcement from Siemens to its customers not to change that password lest it “impact plant operations”.

Siemens has offered a free download on its website to remove Stuxnet; while this is a common procedure for many viruses, it is alarming that a nuclear facility would have to do such a thing to ensure its stability.

Stuxnet has kicked off an additional debate over exactly how prevalent this kind of cyber-attack may already be. Russian websites were attacked during the South Ossetia war in 2008. In 2007, the US suffered a vast data theft in what one senior official dubbed “an espionage Pearl Harbour”. And when Israel attacked a suspected Syrian reactor in the same year, it may have used an “off switch” buried in the Syrian radar system to allow its aircraft to travel undetected.

And yet not every aspect of these attacks goes smoothly. For all the sophistication of the Stuxnet worm, one school of thought suggests that something actually went wrong; after setting itself a particular task, it has spread accidentally to thousands of machines it never intended to attack, thus bringing it to wider attention and opening eyes to the possibility that this kind of activity may have been going on undetected for some time.

Iran’s official IRNA news agency reports that only personal machines have been affected at the Bushehr plant, with the main operating system unaffected. It is nonetheless safe to say that the new potential for industrial sabotage could soon make an old-fashioned error message seem like small fry indeed.

– INDEPENDENT

Hunting an ‘Industrial-Strength’ Computer Virus Around the Globe | PBS NewsHour | Oct. 1, 2010 | PBS

October 2, 2010

PBS reports on the Stuxnet.
