October 8, 2010
Halpern: Virtual warfare is real. The first victim? Iran
by Micah Halpern
Issue of October 8, 2010 / 30 Tishrei 5771
The future is online and it is virtual.
Virtual news, virtual shopping, virtual education — even virtual, online, war.
Want proof? Look no further than Stuxnet, the computer virus that is burning through headlines and news stories as fast as it is infecting the computer programs of Iran.
The first real virtual cyberspace battle has been in play since June, when the Stuxnet virus was released. The past few weeks have signaled to the world at large that this new form of warfare has the potential to be an enormously effective tool, especially against certain types of enemies and certain types of offensive weapons — weapons like nuclear technology.
Make no mistake about it. Stuxnet and the imitators it will spawn are not mere war games; Stuxnet is warfare. The cyber wars made famous through the Star Wars franchise have come alive. What we once thought farfetched and fantastical has become real. And the truth, even the virtual truth, is much scarier than the celluloid version.
World War I was fought differently than was World War II. Korea was different from Vietnam. As with other, more conventional wars, new rules must be instituted to fight the virtual, cyber war. Rules already in place in the Geneva Convention, rules that emphasize engaging in war while minimizing civilian casualties are a good and important start.
To the best of our knowledge, right now, Iran is the sole target of the Stuxnet virus.
More specifically, the target of this online virus is the SPADA (Supervisory Program and Data Acquisition), the elements of the Iranian nuclear technology infrastructure. The virus is so specific that it only attacks Siemens technology, and technology exclusively connected to nuclear-based equipment.
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
Excerpt:
As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.
Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.
Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.
By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.
Finally, we’ve reserved the in-depth technical details on how Stuxnet achieves this rootkit functionality for a future technical whitepaper, which will delve into other features of Stuxnet as well that we haven’t had a chance to blog about. For example, a couple of other interesting things include the fact that it uses an infection counter before deleting itself (it is set to ‘3’) and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.
So, please stay tuned.
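The Symantec excerpt above makes two points a defender has to connect: the engineering station's enumeration, read and write routines are hooked, so the station's own view of the PLC cannot be trusted, and administrators are told to audit PLCs for unexpected code. The following is an added illustration, not code from Symantec or from this page, of what such an audit has to compare: an approved baseline of block hashes, a block inventory obtained through a channel that does not pass through the suspect station, and the list of blocks the station claims to see. Every block name and block content below is constructed sample data.

```python
"""PLC code-block audit against an approved baseline (added example).

The engineering station's view is treated as untrusted input, because the rootkit
described above filters it. The independent inventory is the source of truth and
the approved baseline says what should be there. Names and contents are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of a block's compiled contents; the baseline identifies blocks by this."""
    return hashlib.sha256(data).hexdigest()


# Approved project baseline: block name -> hash of the approved contents.
# Constructed sample; in practice it comes from the version-controlled project archive.
APPROVED_BLOCKS = {
    "OB1": sha256_hex(b"approved main cycle program"),
    "FC10": sha256_hex(b"approved timer compare routine"),
    "FC20": sha256_hex(b"approved alarm handler"),
}

# Inventory read from the PLC through a channel that bypasses the suspect
# engineering station (constructed): FC10 has been replaced, DB200 was added,
# and FC20 is gone.
INDEPENDENT_INVENTORY = {
    "OB1": b"approved main cycle program",
    "FC10": b"replacement timer compare routine",
    "DB200": b"injected data block",
}

# What the hooked engineering station enumerates (constructed): the injected
# block is filtered out, so the station alone would report nothing unusual.
STATION_VIEW = {"OB1", "FC10"}


def audit_plc_blocks(baseline, inventory, station_view):
    """Return findings as a dict of sorted block-name lists.

    unexpected: blocks on the PLC that the baseline does not know about
    modified:   blocks whose contents differ from the approved hash
    hidden:     blocks on the PLC that the engineering station does not enumerate
    missing:    approved blocks no longer present on the PLC
    """
    inventory_hashes = {name: sha256_hex(data) for name, data in inventory.items()}
    unexpected = sorted(set(inventory_hashes) - set(baseline))
    modified = sorted(
        name for name, digest in inventory_hashes.items()
        if name in baseline and baseline[name] != digest
    )
    hidden = sorted(set(inventory_hashes) - set(station_view))
    missing = sorted(set(baseline) - set(inventory_hashes))
    return {"unexpected": unexpected, "modified": modified,
            "hidden": hidden, "missing": missing}


def is_clean(findings) -> bool:
    """True only when every finding category is empty."""
    return not any(findings.values())


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_plc_blocks(APPROVED_BLOCKS, INDEPENDENT_INVENTORY, STATION_VIEW)


if __name__ == "__main__":
    findings = run_sample_audit()
    for category, names in findings.items():
        print(f"{category:10s}: {', '.join(names) or '-'}")
    print("clean" if is_clean(findings) else "PLC contents deviate from baseline")
```

On the sample data the station view is consistent with the baseline, which is exactly what the hook is for; only the independent inventory exposes the replaced routine, the extra block and the block the station does not list. The design point is that the comparison never uses the infected station's read path for anything but the "hidden" check.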
http://www.symantec.com/connect/symantec-blogs/security-response/11761/all/all/all/all
Excerpt:
Targeted attacks
It was exactly one year ago that Hydraq (also known as Aurora) was first discovered, used as part of a targeted attack whose apparent aim was to gain access to corporate networks and steal confidential information. Hydraq gets onto a computer through an e-mail attachment or is downloaded by another threat, such as a malicious website. Once Hydraq runs, the Trojan installs a backdoor that lets the attacker control the computer and carry out a range of actions: tampering with, executing and deleting files, running malicious files and, most seriously, accessing the compromised corporate network to mount further attacks against the target.
Stuxnet, which drew attention in July of last year, ...
http://www.infowars.com/stuxnet-false-flag-launched-for-web-takeover/
Excerpt:
Stuxnet False Flag Launched For Web Takeover
Paul Joseph Watson
Infowars.com
September 27, 2010
Israel and the United States have emerged as the prime suspects behind the Stuxnet worm attack, which has infected the Iranian nuclear plant at Bushehr, following the discovery that a “wealthy group or nation” must have been responsible for the malware assault.