Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon

Cross-posted from WIRED.

[Image: Ahmadinejad at Natanz in 2008]

As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.

The new variant was designed for a different kind of attack against the centrifuges used in Iran’s uranium enrichment program than the later versions that were released, according to Symantec, the U.S.-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.

The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.

Like the three later versions of Stuxnet that were released in the wild in 2009 and 2010, this one was designed to attack the Siemens programmable logic controllers (PLCs) used in Iran’s uranium enrichment plant at Natanz.

But instead of changing the speed of the spinning centrifuges controlled by the PLCs, as those later versions did, this one focused on sabotaging the operation of the valves controlling the flow of uranium hexafluoride gas into the centrifuges and cascades — the structure that connects multiple centrifuges together so that the gas can pass between them during the enrichment process. The malware’s goal was to manipulate the movement of gas in such a way that pressure inside the centrifuges and cascade increased to five times the normal operating pressure.

“That would have very dire consequences in a facility,” says Liam O’Murchu, manager of security response operations for Symantec. “Because if pressure goes up, there’s a good chance the gas will turn into a solid state, and that will cause all sorts of damage and imbalances to the centrifuges.”

The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.

The 2009 and 2010 versions of Stuxnet contained two attack sequences that each targeted different models of PLCs made by Siemens being used in Iran’s uranium enrichment plant — the Siemens S7-315 and S7-417 models of PLC.

In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason?

The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon. And because the 2007 variant only contained the 417 attack code — with no code attacking the Siemens 315 PLC — it appears that the attackers disabled the 417 code in later versions because they wanted to change their tactics, dropping their focus on sabotaging the valves in order to focus instead on sabotaging the spinning centrifuges.

Symantec discovered the 2007 variant a few months ago during a routine search of its malware database while looking for files that matched patterns of known malware.

Though the variant was only recently found, it had been in the wild at least as early as Nov. 15, 2007, when someone uploaded it to VirusTotal for analysis. VirusTotal is a free online virus scanner that aggregates more than three dozen brands of antivirus scanners and is used by researchers and others to determine whether a file discovered on a system matches signatures of known malware. It’s not known who submitted the sample to VirusTotal or in what country they were based, but Symantec believes the 2007 version was very limited in its reach and likely only affected machines in Iran.

Until now, the first known variant of Stuxnet uncovered was released in June 2009, followed by a second variant in March 2010 and a third in April 2010. Researchers always suspected that other variants of Stuxnet existed, based on the version numbers the attackers gave their code, as well as other clues.

The June 2009 variant, for example, was labeled version 1.001. The March 2010 variant was 1.100, and the April 2010 variant was 1.101. The gaps in version numbers suggested that other versions of Stuxnet had been developed, even if they were not released into the wild. That theory was borne out when the researchers discovered the 2007 variant, which turned out to be version 0.5.

Though Stuxnet 0.5 was in the wild as early as 2007, it was still active when the June 2009 version was released. Stuxnet 0.5 had a stop date of July 4, 2009 coded into it, which meant that after this date it would no longer infect new computers, though it would still continue to sabotage machines it had already infected, unless it got replaced with a new version of Stuxnet. The 2007 version was also programmed to stop communicating with command-and-control servers on Jan. 11, 2009, five months before the next version of Stuxnet was released. It’s possible that when the June 2009 version was released, which had the ability to update older versions of Stuxnet via peer-to-peer communication, it replaced the older 2007 version on infected machines.

Stuxnet 0.5 was much less aggressive than later versions in that it used fewer spreading mechanisms. The researchers found no zero-day exploits in the malware to help it spread, which is probably one reason it never got caught.

By contrast, the 2010 variants of Stuxnet used four zero-day exploits as well as other methods that caused it to spread wildly out of control to more than 100,000 machines in and outside of Iran.

Stuxnet 0.5 was very surgical and spread only by infecting Siemens Step 7 project files — the files that are used to program Siemens’ S7 line of PLCs. The files are often shared among programmers, so this would have allowed Stuxnet to infect core machines used to program the 417 PLCs at Natanz.

If it found itself on a system that was connected to the internet, the malware communicated with four command-and-control servers hosted in the U.S., Canada, France and Thailand.

The domains for the servers were: smartclick.org, best-advertising.net, internetadvertising4u.com, and ad-marketing.net. All of the domains are now down or registered to new parties, but during the time the attackers used them, they had the same home page design, which made them appear to belong to an internet advertising firm called Media Suffix. A tag line on the homepage read, “Deliver What the Mind Can Dream.”

Like later versions of Stuxnet, this one had the ability to deliver updates of itself to machines that were not connected to the internet, using peer-to-peer communication. Though later versions used RPC for the peer-to-peer communication, this one used Windows mailslots. All the attackers had to do was use the command-and-control server to update the code on one infected machine that was connected to the internet, and others on the local internal network would receive the update from that machine.

[Image: home page of one of the Stuxnet 0.5 command-and-control domains]

Once Stuxnet 0.5 found itself on a 417 PLC and determined that it had found the right system, the attack proceeded in eight stages, sabotaging six out of 18 centrifuge cascades.

In the first part, Stuxnet simply sat on the PLC watching normal operations in the cascades for about 30 days and waiting for the systems to reach a certain state of operation before the attack progressed.

In the next part, Stuxnet recorded various data points while the cascades and centrifuges operated normally, in order to replay this data to operators once the sabotage began and prevent them from detecting changes in the valves or gas pressure.

Each cascade in Natanz is organized in 15 stages or rows, with a different number of centrifuges installed in each stage. Uranium hexafluoride is pumped into a cascade at stage 10, where the centrifuges spin it at high speed for months. The centrifugal force causes the slightly lighter U-235 isotopes in the gas (the desired isotope for enrichment) to separate from the heavier U-238 isotopes.

The gas with the higher concentration of U-235 is then siphoned out of the centrifuges and passed to stage 9 of the cascade to be further enriched, while the depleted gas, with its higher concentration of U-238, is diverted to stage 11. The process repeats over a number of stages, with the enriched uranium becoming more concentrated in U-235 at each stage until the desired level of enrichment is achieved.

There are three valves on a cascade that work in unison to control the flow of gas into and out of centrifuges, as well as auxiliary valves that control the flow of gas into and out of each stage in a cascade and into and out of the cascade itself.

When the sabotage kicked in, Stuxnet closed and opened various centrifuge and auxiliary valves to increase the gas pressure, thereby sabotaging the enrichment process. Stuxnet closed valves on six out of 18 cascades and modified other valves on randomly chosen individual centrifuges to prevent operators from detecting a pattern of problems. In the final step of the attack, the sequence was reset to begin the attack over again at the first stage.
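The observe, record, sabotage-while-replaying sequence described above, as an added example that is not part of the Symantec paper or the WIRED article. The Python below is a toy simulation of that state machine together with two checks an operator or analyst could run against it: an exact-repeat check on the displayed sensor series (live noise never repeats bit-for-bit, a replayed recording does) and a divergence check against an independent reading. The process model (pressure rising with each closed valve), the tick counts standing in for the 30-day wait and the recording window, the sensor noise and the thresholds are all constructed assumptions; the final reset step of the real sequence is omitted.

```python
"""Toy model of the Stuxnet 0.5 observe / record / replay sequence.

Added example, not code from Symantec or the article. The process model,
tick counts, noise and thresholds are constructed; the reset step is omitted.
"""
import random

NORMAL_PRESSURE = 100.0  # constructed baseline, arbitrary units
TARGET_FACTOR = 5        # the attack aimed at five times normal pressure
WAIT_TICKS = 30          # stands in for the ~30-day observation phase
RECORD_TICKS = 60        # length of the window that is later replayed


class Cascade:
    """Constructed process model: each closed valve raises pressure by one baseline unit."""

    def __init__(self):
        self.closed_valves = 0

    def pressure(self):
        return NORMAL_PRESSURE * (1 + self.closed_valves)


class Implant:
    """PLC-side logic: WAIT, then RECORD normal readings, then ATTACK while
    feeding the recording back to the operator display."""

    def __init__(self):
        self.state = "WAIT"
        self.ticks = 0
        self.recording = []
        self.replay_pos = 0

    def step(self, cascade, true_reading):
        """Advance one tick; return the value the operator gets to see."""
        self.ticks += 1
        if self.state == "WAIT":
            if self.ticks >= WAIT_TICKS:
                self.state = "RECORD"
            return true_reading
        if self.state == "RECORD":
            self.recording.append(true_reading)
            if len(self.recording) >= RECORD_TICKS:
                self.state = "ATTACK"
            return true_reading
        # ATTACK: close one more valve per tick until the target pressure is
        # reached, and show the operator stale recorded data instead of the sensor.
        if cascade.pressure() < TARGET_FACTOR * NORMAL_PRESSURE:
            cascade.closed_valves += 1
        shown = self.recording[self.replay_pos % len(self.recording)]
        self.replay_pos += 1
        return shown


def run(ticks, seed=1):
    """Simulate the cascade; return (operator_view, true_readings)."""
    rng = random.Random(seed)
    cascade, implant = Cascade(), Implant()
    operator_view, true_readings = [], []
    for _ in range(ticks):
        # constructed sensor: physical pressure plus a little noise
        reading = round(cascade.pressure() + rng.uniform(-0.5, 0.5), 3)
        true_readings.append(reading)
        operator_view.append(implant.step(cascade, reading))
    return operator_view, true_readings


def replay_windows(series, window=RECORD_TICKS):
    """Check 1: flag windows that repeat an earlier window exactly.
    Live sensor noise never repeats bit-for-bit; a replayed recording does.
    Returns (first_index, repeat_index) pairs."""
    seen, hits = {}, []
    for i in range(len(series) - window + 1):
        key = tuple(series[i:i + window])
        if key in seen:
            hits.append((seen[key], i))
        else:
            seen[key] = i
    return hits


def max_divergence(operator_view, independent_readings):
    """Check 2: largest gap between the displayed value and an independent
    sensor (for example a gauge not wired through the compromised PLC)."""
    return max(abs(a - b) for a, b in zip(operator_view, independent_readings))


if __name__ == "__main__":
    view, truth = run(200)
    print("operator sees", view[-1], "while true pressure is", truth[-1])
    print("first replayed window:", replay_windows(view)[:1])
    print("max divergence:", max_divergence(view, truth))
```

The first check works only because the replay is exact; a smarter implant that re-noised the recording would defeat it, which is why the second check, an out-of-band reading that does not pass through the PLC, is the one worth building into a plant.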

It’s long been suspected by some experts that Stuxnet was already sabotaging cascades at Natanz sometime between late 2008 and mid-2009. The new finding from Symantec supports that theory.

Stuxnet 0.5 was looking for a system in which cascade modules were labeled A21 through A28. Natanz has two cascade halls — Hall A and Hall B. Only Hall A was operating in 2008 and 2009 when Stuxnet would have been active on infected machines.

Hall A is divided into cascade rooms that are labeled Unit A21, Unit A22, etc., up to Unit A28. Iran began its installation of centrifuges in two rooms in Hall A in 2006 and 2007 — Unit A24 and Unit A26 — and later expanded to other rooms. In February 2007, Iran announced that it had begun to enrich uranium at Natanz.

According to reports released by the UN’s International Atomic Energy Agency, which monitors Iran’s nuclear program, by May 2007, Iran had installed 10 cascades, consisting of a total of 1,064 centrifuges, in Hall A. By May of 2008, Iran had 2,952 centrifuges installed, and Iranian President Mahmoud Ahmadinejad announced plans to increase the number of centrifuges to 6,000. The numbers did increase throughout 2008 and early 2009, with gas being fed into them shortly after they were installed. But the number of cascades that were being fed gas and the amount of gas being fed began to drop sometime between January and August 2009 when Iran appeared to be having problems with some of its cascades. In late 2009, IAEA inspectors noticed that technicians at Natanz were actually removing centrifuges from cascades and replacing them with new ones. All of this would seem to coincide with the timing of Stuxnet.

One final interesting detail of note about the new variant — during the installation process of Stuxnet 0.5, the malware created a driver file that caused a forced reboot of a machine 20 days after the malware infected it. It did this by generating a BSoD (Blue Screen of Death) — the infamous blue screen that appears on Windows machines when they crash.

Stuxnet was first discovered in June 2010 because some machines in Iran on which it was installed kept crashing and rebooting. Researchers were never able to determine why those machines crashed and rebooted, because other machines infected by Stuxnet did not respond in this way.

Though the version of Stuxnet found on those machines was not Stuxnet 0.5, it raises the possibility that multiple versions of Stuxnet might have infected those machines even though only one was recovered when they were examined. O’Murchu thinks it’s unlikely, however, that VirusBlokAda — the antivirus firm that first discovered Stuxnet — would have missed another variant on the machines.

Narilam Worm manipulates databases in Iran

h-Online: Security firm Symantec has discovered a specialised worm called W32.Narilam that can compromise SQL databases. Symantec reports that the malware “speaks” Persian and Arabic and appears to target mainly companies in Iran. Narilam is, therefore, reminiscent of Stuxnet and its variants.

Narilam spreads via USB flash drives and network shares. Once inside a system, the worm searches for SQL databases that are accessible via the Object Linking and Embedding Database (OLEDB) API. Rather than steal the data it finds for intelligence purposes, the worm proceeds to modify or delete it and can, says Symantec, cause considerable damage. Stuxnet similarly served no intelligence purpose and was designed to sabotage its target – a uranium enrichment facility in Natanz, Iran.

The purpose of Narilam, or that of the worm’s authors, remains unknown. However, Symantec says that its analysis suggests the saboteurs targeted corporate data records. Apparently, the worm’s translated instructions include object names such as “sale”, “financial bond” and “current account”. Because of the malware’s level of specialization, Symantec rates the infection risk as low. The security firm notes that current analysis results indicate “that the vast majority of users impacted by this threat are corporate users.”

Parts of the worm were written in the Delphi programming language. Symantec says that the worm takes its name from its own attributes, because it searches for SQL databases with three specific names: alim, shahd and maliran (the name “Narilam” is “maliran” spelled backwards).


Panetta Sounds Alarm on Cyber-War Threat

I just read this and I decided to share with you:


In the hour-long session with the magazine’s editors, he said:

– “We are facing the threat of a new arena in warfare that could be every bit as destructive as 9/11 — the American people need to know that. We can’t hide this from the American people any more than we should have hidden the terrorism-attack threat from the American people.”

– “The three potential adversaries out there that are developing the greatest capabilities are Russia, China, Iran.”

– “Out of a scale of 10, we’re probably 8 [in cyber-war skills. But potential foes] are moving up on the scale – probably the others are about a 3, somewhere in that vicinity, but they’re beginning to move up.”

He also said the U.S. military is stepping up its offensive cyber war capability:

– “I think we have to develop the ability to conduct counter-operations against a country we know, or anticipate, that they’re going to launch that kind of attack. So we have to have both defensive and offensive capabilities.”

Continue Reading full story here: http://nation.time.com/2012/10/12/panetta-sounds-alarm-on-cyber-war-threat/#ixzz29IDBhoJv

Grand Ayatollah Ali Khamenei Joins Instagram, Posts Pics


Mashable: Iran’s Grand Ayatollah Ali Khamenei joined Instagram last week and so far has posted four photos. Iran’s supreme leader since 1989 chose to share shots that likely show scenes of Ramadan.

It comes as a surprise to some that a person who has been slow to get on board with social media trends — not to mention Iran’s stance toward its citizens’ use of social media — has joined Instagram. His Twitter account has 4,337 followers so far, and links to his Instagram account. Also posted on his Twitter account are links to YouTube videos and stories about his visits with other world and religious leaders.

It’s no surprise that his Twitter account has received some flak from those who say it’s hypocritical for a public figure in a country that has imposed strict Internet controls on its citizens to be involved in social networking. This is the same regime that continues to block social networking sites and restrict Internet access for its citizens. Three years ago, before a mass protest, the Internet was down due to government actions.

It was reported in April that Iran had plans to shut down the Internet country-wide in August in favor of a “clean Internet,” that will filter news and information to its citizens. Agence France Presse reported shortly after that initial story ran that Iranian government officials said the clean Internet reports were “baseless.”

See Also: How Iran Silences Its Citizens on the Web

Madi Malware: Another Trojan Targets Organizations from the Middle East [Updated]

This article is copied from Softpedia:

Researchers from Symantec, Kaspersky and Seculert have all come across Madi (Madhi), a relatively new piece of malware that mainly targets organizations from the Middle East.

Before we take a look at Madi and compare it to other infamous Trojans such as Stuxnet, Duqu, or Flame, let’s take a quick look at its name.

According to Wikipedia, Mahdi is considered to be the redeemer of Islam who will rid the world of tyranny, injustice and wrongdoings.

So, will this malware be able to rule for seven, nine or nineteen years before the Day of Judgment as some prophecies say? Let’s see what the experts believe.

First observed in December 2011, Madi has mainly targeted computer systems from Iran, Israel, Saudi Arabia and Afghanistan, but also from other parts of the globe such as United States, New Zealand and Greece.

The organizations attacked with the aid of the Trojan include government agencies, financial houses, critical infrastructure engineering firms, oil companies, and think tanks.

After it’s installed on a device, Madi is able to take screenshots, record audio, retrieve disk structures, delete data, and update the backdoor. As expected, it also has keylogging functionality that allows it to collect all sorts of sensitive data.

While the locations of the targets indicate that this may be a state-sponsored campaign, other evidence found by Symantec leads researchers to believe that the attacks may actually be conducted by a “Farsi-speaking hacker with a broad agenda.”

However, there is something far more interesting about this virus. Unlike Flame, Duqu or Stuxnet – which leveraged zero-day exploits and other advanced techniques – Madi mainly relies on social engineering to infect machines.

The attacks start with enticing content such as news articles, religious images, controversial videos, and PowerPoint presentations that unleash the nasty Trojan.

So far, experts have identified some 800 victims, communicating with four command and control servers.

Update 1: Iran: If the Madi cyber-strike was us it would’ve been another Stuxnet

Iran replied: “If this was a product of Iran it would be professional and at least as advanced as Stuxnet and Flame,” an English language editorial carried by the semi-official FARS news agency said.

AVAST software blocked its services for embargoed countries

Petr Chocholous, responding to Iranian users who had contacted avast saying they were unable to open the website or update their antivirus, said:

AVAST Software a.s. is currently blocking access to port 80 (that effectively means websites and updates of avast! software) of its servers from the following countries: Iran, Sudan, Cuba, Syria, North Korea and Burma/Myanmar. AVAST Software a.s. [and its subsidiaries/sister companies] must not provide any services in these countries because of policies and regulations that are applicable to AVAST Software a.s.

Blog and forum are available, because we hope they are information source/personal communication service and because of this they have exclusion from these regulations.

We are sorry for any caused inconvenience.

http://forum.avast.com/index.php?topic=98853.msg789135#msg789135

Flame worm – Iran claims to discover new Stuxnet-like malware

Naked Security wrote:

The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack against the country, which has been dubbed Flame (also known as Flamer or Skywiper).

In a statement, researchers say that they believe the malware is “a close relation” to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organizations and companies at the beginning of May.

MAHER also says that it has produced a removal tool for the malware. Whether this is built into the recently announced “Iran’s self-built anti-virus” is unclear.

Continue Reading: http://nakedsecurity.sophos.com/2012/05/28/flamer-iran-malware/

Update:

Now there are more resources about this:

Update 2:

Read the newer posts in my blog about that:

Fake Google Iranian domain defaced by Algerian Script Kiddies

TheHackerNews: Google got pwned? No. A few Algerian script kiddies tried to spread fake rumors that they had hacked and defaced the giant search engine’s “Google Iranian” domain, http://www.google.co.ir/. As the screenshot shows, the page carried an Algerian flag and the title “H4Ck3D By vaga-hacker dz and DR.KIM”.

[Image: screenshot of the defaced google.co.ir page]

As stated by the hackers, the team includes members named “V4Ga-Dz, Dz0ne, DR-KIM King-Dz, BroX0 aghilass elite jrojan password kha&mix wasim -dz”. It is not confirmed whether any of them are members of Anonymous, but they used the Anonymous tag line “We Dont Forget, We Dont Forgive, Expect Us!” to get some publicity.

According to further investigation by “The Hacker News” technical team, “google.co.ir” possibly does not belong to Google at all: its site rank is “3141379”, which means the site should have fewer than roughly 100 visitors per day. The WHO.IS records for the domain show that the domain holder is “Ganjineh ofogh omid gostar laleh eshragh”, registered with a Gmail address, “[email protected]”, and the phone number 09377705008.

Some readers may be thinking that hacking a Google domain is not possible, so here is something from the past: last year the Google Bangladesh website (Google.com.bd) was also hacked, by [email protected], using DNS hijacking.

Iran makes its own anti-virus software – would you buy it?

SophosLabs: According to reports, Iran has started making its own anti-virus software.

It is said that experts from Shiraz Computer Emergency Response Team of APA (Academic Protection and Awareness) of Iran have been working on the project to help better protect the country’s digital defenses.

Of course, Iran is no stranger to malware. It found itself thrust into the spotlight in 2010 when the infamous Stuxnet worm was widely reported to have infected industrial plants (including nuclear plants) in the country with the seeming intention to target and sabotage SCADA systems.

This understandably led to some excitable – but not always accurate – headlines.


According to Mohammad Hossein Sheikhi, assistant professor of the Department of Electrical and Computer Engineering at the University of Shiraz, work on the anti-virus software began in 2010 after the Stuxnet crisis, and has since undergone testing.

According to reports, if the anti-virus software is confirmed to be a success it may be made commercially available at a later date.

It’s unclear how Iran will determine if their home-grown anti-virus has been a true success or not.

Will they submit it for independent testing by the likes of AV-Test.org? Will they send it to the folks at Virus Bulletin in the hope of winning a VB100 award for 100% detection of in-the-wild viruses with no false alarms? Will they test it on a wide variety of operating system versions and measure its impact on performance?

But the real question that springs to my mind is this – would you buy an anti-virus program officially written by your own country? How about a foreign country?

One thing’s for sure – be careful if you are tempted to buy an anti-virus written by the Greek authorities. They do have a history of trojan horses after all..

If Iran *did* make its anti-virus software available, wouldn’t other governments test it? After all, if you know that a country’s infrastructure is partly reliant on a particular anti-virus product wouldn’t any attacker automatically test if its malware and/or vulnerability exploit could bypass it?

Iran oil terminal suffers malware attack

The BBC is reporting that websites belonging to the Iranian oil ministry and national oil company are offline after suffering a malware infection this weekend.

Iran has disconnected all of its oil processing facilities as a precaution, including the facility at Kharg Island which processes more than 90% of Iran’s exports.

The semi-official news agency, Mehr, reported that information about users of the websites had been stolen, but no sensitive data had been accessed.

Iran’s Revolutionary Guard claims to have created a “hack-proof” network for all sensitive data. I have yet to see a hack-proof network and if they have convinced themselves it’s true, perhaps that is part of the problem.

Iran seems to be forthcoming about admitting hack attempts against the country as part of its ongoing propaganda campaign, yet nothing ever causes serious damage like Stuxnet.

One issue for the Iranians in effectively defending its networks may be the embargoes which prohibit most western companies from providing security solutions.

Many AVs proactively detected the Stuxnet worm, yet despite its protestations Iran appears to have been penetrated by the malware.

One thing is clear, whether you are an oppressive regime, or simply an average small business, anyone who depends upon the internet will face malware threats and hacking attempts.

Defense is the best offense. Even if you aren’t harboring a secret nuclear program, keeping your protection up to date and staying alert is a great start to staying safe.