September 29, 2010

What if Stuxnet is Just the Start?

I read a fascinating article early this morning about the Stuxnet worm, which most computer security experts seem to believe is the first targeted, militarized computer weapon. While capable of invading other systems, it seems purpose-designed to exploit the specific weaknesses of Iran's industrial and military computer infrastructure. Even more amazing? Like organic organisms, it apparently turns violent when attacked.

The impression debkafile sources gained Wednesday, Sept. 29 from talking to European computer experts approached for aid was that the Iranians are getting desperate. Not only have their own attempts to defeat the invading worm failed, but they made matters worse: The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.

One expert said: "The Iranians have been forced to realize that they would be better off not 'irritating' the invader because it hits back with a bigger punch."

As Stuxnet continues to sink its hooks into Iran's infrastructure, it is apparently sending data back to its creators...whoever that may be. That brings about what I feel is the next logical question: What if Stuxnet isn't itself the weapon, but the scout?

The oldest and best military advice is to scout your enemy extensively, learn the disposition of their forces, and then hit them with overwhelming force where least expected.

What if Stuxnet is just the scout, designed to probe Iran's network, raise their alarms, and provide feedback on their response so that a real and even more powerful weaponized virus can knock Iran catastrophically with the press of a button?

That, my friends, is the ultimate power and leverage. If Stuxnet is merely the messenger—what comes next is nothing less than the binary version of Death itself.

Posted by Confederate Yankee at September 29, 2010 07:31 AM

Hard to believe it takes a state of the art technology attack to knock a country firmly entrenched in the stone age.

Posted by: TexasRainmaker at September 29, 2010 10:42 AM

Impressive work.

Posted by: Chris Short at September 29, 2010 10:46 AM

Hmm? Who would have figured? Chilling analysis.
Their reactor is loaded and ready for ops, but if they try and start it, it will just go China syndrome. Guess it will be a while before they get it up and running. Good thing.

Posted by: ron at September 29, 2010 10:59 AM

So... you're saying this is sort of like the "Exciter" missions the Air Force flew (flies?) where the purpose was to make the potential enemy forces light up their air defenses.... so that the Rivet Joint circling off the coast could record everything?

Interesting theory.

Posted by: Foamer at September 29, 2010 12:28 PM

Actually, a lot of people believe that the first known attack was on the Iraqi air defenses in 1991; that worm was apparently hard-wired into an HP printer residing on the PCs that interfaced with the air defense network.

Posted by: Phelps at September 29, 2010 06:43 PM

I wouldn't believe anything posted at DEBKA. That site has a very low reliability rating.

Even if the linked article is correct, this whole matter of the Stuxnet worm is making less and less sense as it goes along. The way to remove a virus, any virus, is simple:

1) isolate the infected machine

2) boot from a clean system CD

3) run a remover/protector program like Malwarebytes.

I have trouble believing that the Iranians have been so lax about cybersecurity that they can't do this. Or that the Stuxnet worm is so smart there's no way to remove it. Or that they can't restore from clean system backups or system images. I think there's a lot more going on here than anyone has yet said.

Posted by: wolfwalker at September 29, 2010 07:37 PM
It's a bit more complex than that when you're dealing with a massive - and massively infected network, especially if you're not sure when the infection occurred.

What if the infection occurred prior to the oldest backup in the sequence? No one keeps backups for more than a month or three - or even if they did, that's a MASSIVE loss of time and effort; all the work of MONTHS is G O N E.

The amount of time and effort involved to wipe and restore each individual machine is also going to be huge. Especially if you're going to try to save some or all of the data on each machine - and ensure that your backups don't become infected.

If they haven't been able to block the worm from infecting computers on the 'Net (or even if there's a risk - say it's polymorphic), you have to keep it off the 'Net until ALL the 'net is clean - or rebuild your network one machine at a time, again a massive effort and loss of time.

Either way, it looks like they're pretty well screwed. Especially if say, part of the worm's payload was simply to push various industrial components (e.g. valves, pipes, other control systems) past tolerance, requiring inspection or replacement. That's an awful lot of piping and other components buried in an awful lot of concrete.

And an awful lot of infected components outside of just the computers that are carriers of the virus. Assuming there's only one.

I have a feeling this thing shouldn't have been named Stuxnet but Ebolanet.
Posted by: Orion at September 29, 2010 09:35 PM

I wonder if this virus speaks Hebrew.

Posted by: Stan at September 29, 2010 10:52 PM

And what if the stuxnet virus was aided by a sleeper IT agent, or three, buried deep within Iranian network services? Iran is a Persian country; the Mullahs are not universally loved.

The thought of someone letting all the minks "go free" in and among several key networks makes me shudder (with delight, since I love the target!)

Posted by: Earl T at September 29, 2010 11:12 PM

"I have trouble believing that the Iranians have been so lax about cybersecurity that they can't do this. Or that the Stuxnet worm is so smart there's no way to remove it. Or that they can't restore from clean system backups or system images. I think there's a lot more going on here than anyone has yet said."

All I can say is when Saudi Bdes visit, we upload nothing, attach no stick, and receive no CDs. Their machines are infected with any and all malware known to mankind.

Just remember, to a 3rd world country, this is still 'magic'.

Posted by: Mike at September 30, 2010 12:49 AM

And remember this thing apparently has infected not just PCs but through those has taken root in the PLCs that control things like centrifuges in Iran's enrichment plants.
Can't simply reboot those things.

It wouldn't in fact surprise me at all if those were the origin of the attack, and were delivered from the factory with the trojan already installed in both themselves and their control software, in which case reinstalling from the original installation package would have no effect whatsoever.

Another theory I've been playing with is that this is an Iranian worm aimed at the USA or other western countries that somehow got out of control during testing (or was deliberately launched into their own systems in order to be able to blame Israel or the US, because everyone knows Iran is too backwards to make something like that, right?).

Posted by: JTW at September 30, 2010 04:34 AM

PLCs use Windows? Last I heard, even the Stuxnet worm/virus was a Windows program that couldn't run on anything else.

[brief interlude to look at Wikipedia's article on Stuxnet]

[blink] Wow. Okay, if the Wikipedia article is right, this thing is a damn sight smarter than I thought. Infecting Windows machines and then rewriting EEPROM in attached PLCs? That would require proprietary system information, the kind that only the company should have.

This passage also leaped out at me:
'Once inside the system it uses the default passwords to command the software.[3] Siemens however advises against changing the default passwords because it "could impact plant operations".'

As security holes go, that one's big enough to drive a starship through. Something really stinks now -- that bit makes it look more and more like a coordinated plan among multiple entities. What self-respecting programmer would write a security system that contains such an obvious hole?

Posted by: wolfwalker at September 30, 2010 07:40 AM

wolfwalker, if you've worked in IT very long, odds are you've known plenty of people who write software with holes like that.

Posted by: Dr. Horrible at October 2, 2010 03:21 PM

Uh, you'd definitely want to think that the people writing software for nuclear power plants would be able to get their act together to code a functioning password system. That bit of "advice" from Siemens is bizarre to say the least. What happens if you change the password? Nuclear meltdown? What idiot designed that?

Posted by: JS at October 2, 2010 04:56 PM

What self-respecting programmer would write a security system that contains such an obvious hole?

One looking to sell it to imbeciles.

Posted by: Purple Avenger at October 2, 2010 09:18 PM