February 14, 2015

Countdown to zero day by Kim Zetter

Stuxnet and the launch of the world’s first digital weapon

In January 2010, inspectors with the International Atomic Energy Agency noticed that centrifuges at an Iranian uranium enrichment plant were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the technicians replacing the centrifuges as to the inspectors observing them.

A small anti-virus firm in Belarus, VirusBlokAda, got a call from its reseller in Iran reporting a persistent problem with a customer's machine there. The infected computer was caught in a reboot loop, crashing and restarting repeatedly and defying the technicians' efforts to bring it under control.

The VirusBlokAda team identified malware that spread via USB flash drives. The team had seen USB-borne infections before, but this one was peculiar: when it infected a Windows 7 machine, its malicious driver module installed without any warning. Windows 7 is supposed to warn users when an unsigned driver, or one signed with an untrusted certificate, tries to install itself. No warning appeared because, as the team discovered, the driver was signed with a legitimate code-signing certificate belonging to Realtek Semiconductor, a hardware maker in Taiwan.

The VirusBlokAda team published their findings, and almost immediately an antivirus firm in Slovakia named ESET spotted another malicious driver that appeared to be related to Stuxnet (the name was pieced together from file names found in the code). This second driver was signed with a certificate belonging to JMicron Technology, another Taiwanese maker of electronic circuits.

The attackers had obtained both companies' code-signing private keys and certificates, which is what let the drivers pass Windows' signature check. When researchers examined the code in depth, it appeared to be searching for computers running one of two Siemens proprietary programs, SIMATIC WinCC and Step 7. These programs are part of an industrial control system (ICS) and are used to program and monitor Siemens programmable logic controllers (PLCs).

Each time Stuxnet infected a system, it 'phoned home' to one of two internet domains masquerading as soccer fan sites, mypremierfutbol.com and todaysfutbol.com. The domains, registered under fake names with fraudulent credit cards, pointed to servers in Denmark and Malaysia that served as command-and-control stations for the attack.

Of all the information Stuxnet reported to its masters, the Siemens data was the most important because, as the researchers would soon learn, if Stuxnet found itself on a system without the Siemens software installed, it simply shut itself down.

Symantec's team, which had joined the effort to track the malware, contacted the DNS provider for the two domains and had all traffic to them redirected to Symantec-controlled servers (a sinkhole). Analyzing the beacons arriving at those servers, they counted 38,000 infected machines initially, more than 22,000 of them in Iran.

Once the malware was in place, whenever an engineer sent commands to the PLC, Stuxnet made sure its own malicious code was sent and executed instead. The second part of the attack was even more ingenious. Before its malicious commands went into action, the malware sat patiently on the PLC for about two weeks, sometimes longer, recording legitimate operations as the controller sent status reports back to the monitoring stations. When the sabotage began, it replayed the recorded data to the operators, blinding them to anything amiss on the machines. While Stuxnet sabotaged the PLC it also disabled the automated digital alarms, so the safety systems that would otherwise halt the process when equipment entered a danger zone never kicked in. Because Stuxnet modified the very data the safety system relied on, the system was blind to dangerous conditions and never had a chance to act.
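To make the replay trick and its consequences concrete, here is an added simulation (not code from the book, and not Stuxnet's code) of a PLC monitoring loop. It uses a constructed process model with assumed numbers: an alarm threshold of 1100 Hz, a 50-sample recording window, a sabotage ramp towards 1410 Hz, and a linear relation between rotor speed and motor current. It shows that a threshold alarm fed only the replayed stream never fires, and demonstrates two checks a defender would want: spotting a window of measurements that repeats bit-for-bit, and cross-checking the reported value against an independent sensor path the attacker does not control.

```python
"""Record-and-replay against a PLC monitoring loop, and two checks that catch it.
Added example with a constructed process model; it is not code from the book or
from Stuxnet. Thresholds, speeds, sample counts and the speed/current ratio are
assumed values chosen for illustration."""
import random
from typing import List, Optional

SAFE_MAX_HZ = 1100.0   # assumed alarm threshold on reported rotor frequency
RECORD_LEN = 50        # samples the attacker records before replaying them
HZ_PER_AMP = 100.0     # assumed linear relation between rotor speed and motor current


def genuine_readings(n: int, seed: int = 7) -> List[float]:
    """Rotor frequency as the PLC really sees it: ~1064 Hz while the attacker is
    recording, then ramped by the sabotage payload 10 Hz per sample up to 1410 Hz."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        base = 1064.0 if i < RECORD_LEN else min(1410.0, 1064.0 + 10.0 * (i - RECORD_LEN))
        out.append(round(base + rng.gauss(0.0, 0.5), 3))
    return out


def replayed_readings(truth: List[float]) -> List[float]:
    """What the operator screen and the safety logic are fed: genuine data during
    the recording phase, then the recorded window looped over and over."""
    recorded = truth[:RECORD_LEN]
    return [truth[i] if i < RECORD_LEN else recorded[i % RECORD_LEN]
            for i in range(len(truth))]


def independent_current(truth: List[float], seed: int = 11) -> List[float]:
    """Motor current (amps) from a sensor on a separate path the attacker does not touch."""
    rng = random.Random(seed)
    return [round(v / HZ_PER_AMP + rng.gauss(0.0, 0.01), 4) for v in truth]


def naive_alarm(reported: List[float]) -> Optional[int]:
    """Threshold check on the reported stream alone; this is the logic Stuxnet blinded."""
    for i, v in enumerate(reported):
        if v > SAFE_MAX_HZ:
            return i
    return None


def detect_exact_replay(reported: List[float], window: int = 10) -> Optional[int]:
    """Noisy physical measurements never repeat a whole window bit-for-bit; a replayed
    recording does. Returns the index at which a previously seen window recurs."""
    seen = {}
    for i in range(len(reported) - window + 1):
        key = tuple(reported[i:i + window])
        if key in seen:
            return i
        seen[key] = i
    return None


def detect_divergence(reported: List[float], current: List[float],
                      tolerance_hz: float = 25.0) -> Optional[int]:
    """Cross-check the reported speed against the speed implied by the independent
    current channel; returns the first sample where they disagree by > tolerance."""
    for i, (hz, amps) in enumerate(zip(reported, current)):
        if abs(hz - amps * HZ_PER_AMP) > tolerance_hz:
            return i
    return None


if __name__ == "__main__":
    truth = genuine_readings(120)
    shown = replayed_readings(truth)
    amps = independent_current(truth)
    print("real peak Hz:", max(truth), " reported peak Hz:", max(shown))
    print("naive alarm on real data at sample:", naive_alarm(truth),
          " on replayed data:", naive_alarm(shown))
    print("exact replay detected at sample:", detect_exact_replay(shown))
    print("divergence from independent sensor at sample:", detect_divergence(shown, amps))
```

The exact-repeat check is cheap but only catches a naive replay; the cross-check is the structural fix, since a safety function that consumes the same data path the attacker rewrites cannot be trusted to act.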

While reverse engineering the payload, the researchers reached a startling conclusion. Stuxnet wasn't just attacking two specific models of Siemens PLC (the S7-315 and S7-417); it was attacking a specific facility where those PLCs were used, one in which the controllers had to be configured in a very precise way. Right before unleashing its destructive payload on a 315 PLC, Stuxnet searched the controller's configuration for three 'magic' values, and only when it found all three did it conclude it had reached its target.

Three months after Stuxnet's discovery the rest of the world knew about the mysterious code that had evidently targeted Iran, yet speculation that it had specifically targeted the uranium enrichment program at Natanz remained just that: speculation.

As the news spread, Iranian officials acknowledged for the first time that computers at Bushehr, the nuclear power plant in Iran, had indeed been hit by Stuxnet.

Symantec had resolved the mystery of the devices the digital weapon attacked, David Albright had made the final connections between Stuxnet and the centrifuges at Natanz, and although the US government still hadn't formally admitted responsibility for the attack, the New York Times had confirmed what everyone suspected: that the United States and Israel were behind it.

The next revelations began in April 2012, when a virus ran wild on computers at the Iranian Oil Ministry and the National Iranian Oil Company, wiping the hard drive of every system it touched. The damage was systematic and complete, destroying gigabytes of data at a time: first the malware eliminated documents and data files, then it went after system files, zapping core parts of the hard drive so the machines would crash and not come back. While hunting for that wiper, researchers instead found something much larger: a sprawling espionage toolkit that came to be known as Flame.

Stuxnet had tipped the scales at 500 kilobytes when compressed, but Flame weighed in at at least 20 megabytes with all of its components combined and consisted of more than 650,000 lines of code.

Flame appeared to be a multipurpose espionage tool built to meet whatever a given mission required. A 6 MB starter kit was loaded onto infected machines first; it included a back door through which the attackers could install further spy modules from their command server at will.

The infrastructure set up to support Flame was also massive, and like nothing the researchers had seen before. They found at least eight domains operating as command servers, in Germany, the Netherlands, Switzerland and elsewhere, through which the attackers controlled infected machines and collected the documents siphoned from them.

When Microsoft's security team inspected Flame in detail, they realized they were looking at something much worse than a zero day: Flame was mounting a sophisticated attack against part of the Windows Update mechanism to spread itself between machines on a local network.

Like Windows itself, the update tool gets periodically updated by Microsoft. Each time the tool launches on a customer's machine, it sends a kind of beacon to Microsoft's servers to see if a new version of itself is available. Microsoft distributes these updates as .CAB files signed with a Microsoft certificate to verify their legitimacy.

The attackers subverted this process by first infecting one machine on a victim's network with Flame. When the update client on any other machine on that network sent its beacon to Microsoft's servers, the infected machine intercepted it and answered with a malicious Flame file masquerading as a legitimate Microsoft .CAB file, infecting the new machine with the spy tool. Even that wasn't the most sophisticated part of the attack. To pull off the hijack, the attackers had signed their malicious .CAB file with a certificate that chained up to Microsoft's own root, except that this certificate named its owner as 'MS' rather than 'Microsoft Corporation' as it should have.

It turned out the attackers had pulled this off with an MD5 hash collision. Part of Microsoft's certificate infrastructure, the Terminal Server Licensing Service, still issued certificates signed with MD5, a hash whose collision resistance had been broken years earlier. The attackers crafted a rogue certificate whose MD5 digest matched that of a legitimately issued one, so the genuine Microsoft signature validated their forgery and Windows accepted the fake update as if it had come from Microsoft.
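An added example (not from the book, and not Flame's code) of what an MD5 collision actually looks like. It uses the published pair of 128-byte blocks from the MD5 literature that differ in only six bytes yet hash identically, and shows the Merkle-Damgard property that lets a colliding pair be extended with any common suffix while remaining a collision. That property is what turns one engineered collision into two different certificate bodies that validate under the same signature; Flame needed the harder chosen-prefix variant, but the extension behaviour is the same. The suffix used here is a made-up placeholder, not a real certificate encoding.

```python
"""Two distinct 128-byte messages with the same MD5 digest, and why that breaks
signatures over MD5. Added example, not from the book; the colliding blocks are
the published pair reproduced in the MD5 literature (they differ in six bytes)."""
import hashlib
from typing import List, Tuple

BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_positions(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> Tuple[bytes, bytes]:
    """MD5 is a Merkle-Damgard construction: once two prefixes collide, the
    internal state after processing them is identical, so any common suffix
    yields two longer messages that still collide. A CA signature is computed
    over the hash, so a signature issued for one extended message is valid for
    the other as well."""
    return BLOCK_A + suffix, BLOCK_B + suffix


def same_md5(a: bytes, b: bytes) -> bool:
    return md5_hex(a) == md5_hex(b)


if __name__ == "__main__":
    print("bytes differing:", differing_positions(BLOCK_A, BLOCK_B))
    print("md5(A) == md5(B):", same_md5(BLOCK_A, BLOCK_B))
    # Constructed placeholder standing in for the rest of a to-be-signed structure.
    good, rogue = extend_collision(b"-- placeholder tail, e.g. subject and public key --")
    print("still colliding after a common suffix:", same_md5(good, rogue))
    print("sha256 distinguishes them:", sha256_hex(good) != sha256_hex(rogue))
```

The practical lesson for anyone still accepting MD5-signed chains: the signature proves only that the hash was signed, and when two inputs share a hash the signer cannot know which one it endorsed. Retire MD5 (and, for the same reason, SHA-1) for anything that is signed.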

Operation Olympic Games was a covert and still unacknowledged campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and likely Israel. As reported, it is one of the first known uses of offensive cyber weapons. Started under the George W. Bush administration in 2006, Olympic Games was accelerated under President Obama, who heeded Bush's advice to continue the cyber attacks on the Iranian nuclear facility at Natanz. Bush believed the strategy was the only way to prevent an Israeli conventional strike on Iranian nuclear facilities. [Wikipedia]