Sunday, September 26, 2010

Dark Avenger Redux: Stuxnet and the next generation of virtual warfare UPDATE: Target acquired?

Have you ever heard of Stuxnet?  If not, you will soon.  It may be the most destructive piece of code to be released into the wild since the days of the Dark Avenger virus.

When I was running a FidoNet Bulletin Board System (BBS) in 1990, nothing struck dread in the heart of a BBS surfer more than seeing the following string of text, written randomly in sectors on his hard drive:

""Eddie lives... somewhere in time!"

Dark Avenger, nee Vesselin Bontchev (or, Todor Todorov?), is/was a computer programmer from Sofia, Bulgaria who authored the DOS program that bore his name.  The Dark Avenger virus was the seminal code that set off the whole war between virtual warhead and digital armor.  It’s infectiousness and its stealth mode of operation made it difficult to control, detect and destroy. During the debate surrounding researcher Sarah Gordon’s research on the Dark Avenger, there was considerable—and informed—speculation that the virus was developed by a team behind the Iron Curtain.

It’s 2010. Enter Stuxnet. 

Stuxnet is the world’s first virtual super weapon that was intentionally designed to take down a real-world target.  It could be a manufacturing facility, a chemical plant or… a nuclear power plant?


A gradual dawning of Stuxnet's purpose

Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.

But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings –and communicate that proprietary data over the Internet to cyber thieves?

By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.

But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."


SCADA systems automate the controls of everything from a neighborhood package water plant to a massive steel manufacturing facility; from a candy factory to some of the world’s most sophisticated energy facilities:  Nuclear reactors.

As mentioned above, there was a lot of speculation that Dark Avenger and the variants that followed it were coded by Iron Curtain development teams, with the intention of releasing them into the wild and eventually, getting them to find their way across the pond into the nascent virtual networks (like FidoNet) and government networks, like ARPANet (that would be the Internet that Al Gore invented).

So where did Stuxnet come from?  Good question.  The experts say that the elegance of the code, the depth of the encryption and the specific nature of the program’s intended target indicate that it is the product of a program that could only be funded at the state level. 

Just like the same experts were saying about the Dark Avenger.

The real $64 trillion question is: “What facility was Stuxnet designed to destroy?”

UPDATE: Maybe the guided missile has homed in on it’s target. Via Fox News, the W32.stuxnet code has apparently infected computers at Iran’s Bushehr nuclear facility:


A complex computer worm capable of seizing control of industrial plants has affected the personal computers of staff working at Iran's first nuclear power station weeks before the facility is to go online, the official news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.

It was the first sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has also affected equipment linked to the country's nuclear program, which is at the core of the dispute between Tehran and Western powers like the United States.

Experts in Germany discovered the worm in July, and it has since shown up in a number of attacks -- primarily in Iran, Indonesia, India and the U.S.

The malware is capable of taking over systems that control the inner workings of industrial plants.

In a sign of the high-level concern in Iran, experts from the country's nuclear agency met last week to discuss ways of fighting the worm.


Eddie lives, somewhere in time.  And maybe he’s figured out his purpose in “life.”

If Stuxnet’s target really is Bushehr, then all I can say is “happy hunting.”

0 comments :