Stux to be you
July 11, 2011 5:15 PM   Subscribe

In-depth pieces in Vanity Fair and Wired detail the structure and impact of the Stuxnet worm, and what it means for the future of cybersecurity. (Previously)
posted by Horace Rumpole (43 comments total) 21 users marked this as a favorite
Stuxnet: Anatomy of a Computer Virus — An infographic video dissecting the nature and ramifications of Stuxnet, the first weapon made entirely out of code.
posted by netbros at 5:22 PM on July 11, 2011 [1 favorite]


a rootkit dropper (which lets the virus do whatever it wants on the computer—as one hacker explains, “ ‘Root’ means you’re God”) and an injector for a payload of malicious code that was so heavily encrypted as to be, to Ulasen, inscrutable.

Jesus. Just... Jesus.
posted by stavrogin at 5:48 PM on July 11, 2011


Jesus. Just... Jesus.

For those of us for whom this is technobabble, can you clarify the reasons for your disbelief?
posted by His thoughts were red thoughts at 6:03 PM on July 11, 2011 [1 favorite]


Holy crap those articles were both turgid and terrible. Now I know more about Ralph Langner's preferences in shoes and socks, and Liam OMurchu's birthday party, than I do about Stuxnet. That Vanity Fair article was particularly bad. I am reminded of a review I read of some unrelated writings, accusing an author of "trying to be a stupid guy's idea of a smart guy."
posted by charlie don't surf at 6:28 PM on July 11, 2011 [3 favorites]


Oh, you smug nerds. You're so adorable.

I'll be over here, cherishing the modest perceived increase in my overall knowledge about Stuxnet, as I wait for you to actually tell me what was so bad and wrong about the articles.

In the meantime, some near-future reportage:

They set a Slamhound on Turner's trail in New Delhi, slotted it to his pheromones and the color of his hair. It caught up with him on a street called Chandni Chauk and came scrambling for his rented BMW through a forest of bare brown legs and pedicab tires. Its core was a kilogram of recrystallized hexogene and flaked TNT.
posted by Sebmojo at 6:33 PM on July 11, 2011 [7 favorites]


I'll be over here, cherishing the modest perceived increase in my overall knowledge about Stuxnet, as I wait for you to actually tell me what was so bad and wrong about the articles.

Me too. I'll buy the first round, Sebmojo. And I'll get a bowl of hexogene for your slamhound.
posted by His thoughts were red thoughts at 6:39 PM on July 11, 2011


According to Wired, "Liam O Murchu" went to the "College of Dublin". There's no such place, and his name is spelled Liam Ó Murchú. Wired has apparently limited fact checking and limited ability to reproduce acute accents. After failing to get a name and an alma mater correct, I honestly can't read any more because I can't trust that *any* of the information isn't hopelessly garbled.
posted by meehawl at 6:52 PM on July 11, 2011 [3 favorites]


Tortured metaphors may work in cyberpunk fiction, but in an article claiming to provide a technical analysis, it is fatal. Stuxnet is a virus, a worm, a zero day exploit, a ticking time bomb (a blockbuster), a warhead, a syringe, an eyedropper, a payload, a kid with a fake ID trying to get into a bar, a stealth drone, a cyber-weapon, an act of war, a false flag, an infection, a game, a blueprint, Hiroshima. And that is just the Vanity Fair article. Couldn't they pick just one metaphor and stick with it? The VF article is patronizing to its audience, as if they are too dumb to understand the technology, so they need glitzy metaphors and emphasis on irrelevancies like a virus researcher's mismatched socks. The Wired article is patronizing in a different way, it tries too hard to make the reader think he IS techy enough to understand it. So they larded up the article with meaningless but pseudo-technical statements like "The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows." And then they focused on the colorful irrelevancies, like the employment history and birthday party of some coder. Ooh isn't that cool. Aren't we all so cool, having read it?

No.
posted by charlie don't surf at 6:56 PM on July 11, 2011 [7 favorites]


Ok, here's a non-nerd translation:

So, like, these guys decided to break the stuff the bad guys were using to make bombs and stuff. They made a magic knife to make the stuff go "owie," but they were so good, the bad guys didn't know they were going "owie." The bad guys thought they were just good at breaking their own stuff. But then some smart guys started figuring out what was happening, and ruined the whole thing, because they're just so fucking smart. And now the bad guys are back to making bombs again. The end.
posted by crunchland at 6:57 PM on July 11, 2011 [7 favorites]


RISC architecture is gonna change everything.
posted by furiousxgeorge at 7:02 PM on July 11, 2011 [8 favorites]


Thanks, Crunchland :) I'm glad I didn't have to read all 100 pages to get that
posted by rebent at 7:05 PM on July 11, 2011


Vanity Fair comes with a self-descriptive warning in its title: it's about people's self-importance in relation to the news of the world, in a Pale Fire kind-of-way. It's really a hoot if you don't take it too seriously, especially if you don't subscribe to the every-other page suggestion to buy an expensive Swiss watch modeled by the Hollywood whore-of-the-moment. It's fun to read how important people think they are, and see how flattering of a picture poor Annie Leibovitz can take of them. But I wouldn't read it to figure out "how things really are in the world."
posted by eegphalanges at 7:14 PM on July 11, 2011 [1 favorite]


That isn't quite what those articles said, crunchland. The worst part of those articles, journalistically, is that there is no proof whatsoever that any of this is true. The VF article's sole proof of US involvement is a guilty look and eye contact between a technician and a publicist. There isn't even any proof of problems in Iran's nuclear program, just some speculation. The Wired article is even worse, I can't even read it. It's what Ted Nelson dubbed "Cybercrap." In other words, if you can't dazzle them with brilliance, baffle 'em with bullshit. They lost me when they put a big bold section of code with a few characters ominously highlighted: meaningless. Then they used a metaphor of trying to kill Osama Bin Laden by giving his wife a disease. What rubbish.

So here's my translation of those articles:

Windows is full of bugs, but it runs the world. So a bunch of geeks mucked around with Windows bugs and did some stuff, but nobody can prove anything. There is rampant speculation, so let's all go to the extreme, consider it the Worst Thing Ever, so the geeks look even more fucking amazing. You can never be as awesome as those geeks, but the authors who rubbed elbows with them were almost as awesome.
posted by charlie don't surf at 7:17 PM on July 11, 2011 [3 favorites]


And I'll get a bowl of hexogene for your slamhound.

Sweet Christ, what I wouldn't give to have my old pancreas back.
posted by moss at 7:32 PM on July 11, 2011 [2 favorites]


Here's the thing: Whoever designed the trojan had to know exactly HOW the Iranian centrifuges were configured at the PLC level. They had to know that it was 33 motors connected to 6 controllers, of a specific manufacture, etc. That knowledge is not exactly something your average script kiddie has access to.
posted by roboton666 at 7:39 PM on July 11, 2011 [3 favorites]


I've spent a year thinking about this. I am a network engineer by trade, security is a big focus of my job, and I do advocate reality-based thinking as opposed to fear- or awe-based thinking when it comes to security, but this is the real deal folks, it IS unprecedented.
posted by roboton666 at 7:54 PM on July 11, 2011 [1 favorite]


They lost me when they put a big bold section of code with a few characters ominously highlighted: meaningless

What? They clearly explain the meaning of the highlighted characters in the text. Step7, a hardcoded Siemens password and a reference to May 9, 1979.
posted by loquax at 8:02 PM on July 11, 2011


I think the problem with that quoted excerpt above is probably that by definition, any meaningful encryption is inscrutable. If it's scrutable, it's not encrypted, is it?
posted by feloniousmonk at 8:02 PM on July 11, 2011


Actually, as someone with a reasonably deep technical background who has only been following the Stuxnet story out of the corner of my eye, as it were, I thought the Wired article did a pretty good job summarizing the story, and building up a Cuckoo's Egg style narrative around it. The code is obviously not meant to be read and understood by the general audience the article is aimed at, it's just (admittedly, dubious) graphic design. I'm baffled by how people can object to it so strenuously, I feel like I could send it to non-technical friends and they'd have a pretty good grasp on the story.

(I haven't read the Vanity Fair article, being generally allergic to that magazine.)
posted by whir at 8:08 PM on July 11, 2011 [1 favorite]


Yeah, the Wired article didn't read so bad. It sounds plausible too in the way that the Symantec folks had no clue what they were dealing with in the payload. One wonders whether someone at Siemens was involved in the scheme. An incredible amount of insider knowledge - the controllers and the centrifuges - was needed to construct the worm. And they had to configure a lab with the requisite hardware to test it all out....
posted by storybored at 8:32 PM on July 11, 2011


Here's a decent infographic video about stuxnet. It's simplified and accessible, but it may offer some perspective on how much of a big deal stuxnet really is. (I can't find the original video, but I believe it's been licensed under creative commons, which is why there's so many copies on youtube.)

In all reality it's way beyond my tech skills, but everything I've seen and read about it is pretty damn scary. There are a lot of alarming things about it, and not just the part about it hitting industrial targets.

Basically it looks like not only did someone make what is arguably the world's first truly militarized computer virus, but it's not just for a single target. It's like a Swiss army knife or multitool, and has a variety of industrial and infrastructure targets. It's just that the variant that was released specifically targeted the Iranian centrifuges. As I understand it it has modules that can be turned on to attack lots of different infrastructure, and these switches could be remotely controlled and turned back on via the heavily encrypted command and control portion of the virus.

The number of "zero day" exploits that it uses really is entirely unheard of in a virus. The wikipedia article says four, but I've heard claims of as many as twenty zero day exploits were used. This is very uncommon.

Now, a "zero day" isn't anything special in itself. All "zero day" really means is "a new vulnerability that the system developer doesn't yet know about." But most zero day exploits worth knowing are ones that compromise remote administrative access to a computer, giving full access to installing or modifying all useful contents of the computer. And "zero day" doesn't mean anything about time. A zero day is a zero day from the moment of discovery by an attacker to the day it's initially known to the public or the person or company who developed the operating system - in this case Microsoft, obviously. But some may define it as when the exploit is revealed to the general public. It stops being a zero day at that point and the clock starts ticking as a fix is being created. Hopefully.

Anyway, most viruses don't even need a zero day. Most don't use even one. They just need a working exploit that hasn't been patched or secured yet, or an unsecured machine they can easily access. Most viruses replicate easily through unsecured machines or user error. Few really spend the time actually trying to attack a machine. With a billion computers or so on the planet it's just easier to try the next door down the street and see if it's unlocked.

So, zero days are very valuable. They're more valuable when kept secret, so a fix isn't developed, or so that even criminal hackers can't develop countermeasures to protect their own botnets or computers. The more secret and less obvious a strong zero day is, the more it's worth.

So "spending" somewhere between 4 and 20 zero day exploits on this one virus makes it one bad motherfucker quite capable of attaining either user or root status on most Windows machines. With that many zero day exploits, it would be reasonable to assume it can more or less waltz right through even properly secured and updated Windows machines.

It's so active and so capable of infecting even supposedly secure machines that it stands to reason that it could have been released in the wild nearly anywhere in the world on the internet and it would have naturally found its way to the targeted Iranian centrifuges just through dispersal and diffusion - but it also stands to reason if the attacker really wanted to get the job done they would have had someone intentionally bring it in on a USB drive, or even just infect the home computer of a worker or contractor.

It all adds up to a major industrial power funding the project. This isn't something some bright kid whipped up in mom's basement with his buddies over IRC. There's almost no way it couldn't have been created by a military or government program - and it probably wasn't Russia. Many analysts believe it was made right here in the USA.

Sketchy stuff.
posted by loquacious at 9:05 PM on July 11, 2011 [7 favorites]


What? They clearly explain the meaning of the highlighted characters in the text. Step7, a hardcoded Siemens password and a reference to May 9, 1979.

Fair enough. I had to use a search to find that reference, the article descends into meaningless technobabble before that point.
posted by charlie don't surf at 9:12 PM on July 11, 2011


I am not a coder, or anything other than a guy who can fuss with his own installation of Windows, but I understood the story from day one. These articles, while not particularly well written, do a decent job of making their audience understand. Think about who is typically reading Vanity Fair. It is someone who liked Dominick Dunne's crime reporting and stories about the Royals in the Kingdom or Hollywood types here in the colonies. Wired should be written to a slightly more computer literate crowd.

The evidence is classified and/or circumstantial on who did it, but who cares in this particular case? Ok, I do in that it signifies a new level of warfare being waged. But I never lived under the delusion that I am safe anyway. I know that I am not either in a physical sense (car bombs, 9/11 type attack, bio warfare) or in a privacy sense. I may be paranoid, but if they really want to get me they can and will. I rely on the fact that there is no reason to get me.

Finally, I am not sure how this story fits in, but every time I heard about Stuxnet it reminds me of a discussion I had in the early 80's about stealth technology and radar. At the time, it was first reported that our new stealth fighter jets had the radar foot print of a large bird. At first I thought, "Wow". Then my friends and I figured that if we were manning the guns and ever saw a bird flying at 500 mph, we may not know what it was, but we would certainly shoot at it.
posted by JohnnyGunn at 9:17 PM on July 11, 2011


I think you understand Stuxnet better than you understand stealth. :P
posted by furiousxgeorge at 9:30 PM on July 11, 2011


Symantec has a good set of technical documents and videos, mostly penned by the engineers who did the heavy lifting.

To summarize:
* targeted very, very specific industrial control systems, almost certainly (from evidence) at a specific Iranian nuclear enrichment facility.
* extremely sophisticated; used four "zero-day" exploits to silently infect computers which could be used to infect these industrial controllers, even though the computers in question were not connected to the Internet in any way. Stuxnet could travel via infected USB data sticks, or via network connections.
* changed the behavior of the industrial control systems in such a way as to damage expensive and difficult to replace centrifuges running very specific Siemens software
* the antivirus community had never seen anything this sophisticated before, and still hasn't figured out everything Stuxnet does after a couple of years of analysis.
* hid itself extremely successfully for a relatively long time.
posted by blob at 10:23 PM on July 11, 2011


Here's an interesting TEDTalk about Stuxnet from a security consultant involved in the analysis of the worm.

It left me with the impression that there is definitely state-sanctioned, Manhattan-Project level hacking going on.

At one point he says something about the worm's development requiring years of man hours by highly sophisticated engineers.
posted by diogenes at 6:29 AM on July 12, 2011


The years of development is bogus. That's like saying building a bridge is 2000 years of man hours because we count what the Romans learned about the arch.

All the parts that made stuxnet, SAVE the PLC exploit, are old hat and already out there in other malware. Hell, the wired article as much said every one of the zero day were previously published by someone.

The two interesting parts are the PLC code and the stolen certificates that were used to sign the driver. That's where real time and manpower were invested. Everything else was pretty much off-the-shelf stuff.
posted by k5.user at 8:20 AM on July 12, 2011


every one of the zero day were previously published by someone. --- "Zero day" by definition, is unknown to others, especially the developer.
posted by crunchland at 8:27 AM on July 12, 2011


Then quibble that the term zero day was used incorrectly. But, again, the wired article said the exploits were previously published somewhere.

- LNK was used before in a different virus.
- Print spooler published by Polish researchers.
- Hard coded password was published by a hacker.

So, quibble on the words, but I stand by the fact that those aspects were hardly "years of man hours".
posted by k5.user at 8:36 AM on July 12, 2011 [1 favorite]


Yeah, it seemed more like Stuxnet's authors spent time doing research into finding exploits that had been published in one way or another, but not yet patched, than that they'd spent time doing original security work (eg, finding new zero-day exploits). This also fits in to the semi-white hat, military nature of the worm, along with its very specifically targeted triggering factors and its built-in limitations on spreading too widely.

The Wired article mentions that Stuxnet would phone home to mypremierfutbol.com and todaysfutbol.com, which seem like they would be ripe targets for investigation - anyone know if any research has been done in that direction?
posted by whir at 11:21 AM on July 12, 2011


but this is the real deal folks, it IS unprecedented.

So far as we know, roboton666.
posted by IAmBroom at 2:06 PM on July 12, 2011


"The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows."

While in general I agree with your point, charlie don't surf, this statement is enough information to find CVE-2010-2568 if you're interested.
posted by atbash at 2:18 PM on July 12, 2011


Symantec has a good set of technical documents and videos, mostly penned by the engineers who did the heavy lifting.

To summarize:
* targeted very, very specific industrial control systems, almost certainly (from evidence) at a specific Iranian nuclear enrichment facility.
* extremely sophisticated; used four "zero-day" exploits to silently infect computers which could be used to infect these industrial controllers, even though the computers in question were not connected to the Internet in any way. Stuxnet could travel via infected USB data sticks, or via network connections.
* changed the behavior of the industrial control systems in such a way as to damage expensive and difficult to replace centrifuges running very specific Siemens software
* the antivirus community had never seen anything this sophisticated before, and still hasn't figured out everything Stuxnet does after a couple of years of analysis.
* hid itself extremely successfully for a relatively long time.


All of which I got from the Wired article. Suggesting that it did a reasonable job of summarising a complex story.

The line above about how failing to accurately reproduce two Gaelic accents on a name makes the entire article is exactly 1x10^-15 of what is terrible about the Internet.

I just checked.
posted by Sebmojo at 2:26 PM on July 12, 2011 [1 favorite]


**makes the entire article worthless**
posted by Sebmojo at 4:23 PM on July 12, 2011


Sebmojo: The line above about how failing to accurately reproduce two Gaelic accents on a name makes the entire article is exactly 1x10^-15 of what is terrible about the Internet.

Obviously, your life is only 1E-10 complete because you have yet to experience the majesty and splendour of the Gaeilge síneadh fada.

It's easy to get the name and college of a primary source correct. If you have any pretensions at journalism this is as basic as breathing. If you miss out on something so fundamental, how can I tell, honestly, if the rest of what you're writing is not also hopelessly garbled? Oh right, you might throw in several mutually incongruent, completely thematically unlinked analogies and metaphors per section. You may describe the cosmetic appearance of some of your technical sources. Or you might project onto them bizarre fantasies of alternative lives as DJs or hipsters in idealised international brand-name cities. Getting the name and college wrong was the least of the massive howlers with that Wired article.
posted by meehawl at 11:56 AM on July 13, 2011


In fairness, the guy spells his own name without the accents on his own blog, and coverage of him online seems to largely use this form of his name (with the exception of the AP, and unsurprisingly, the Irish press). I suspect the variations have more to do with the limitations of various CMS software than with sloppy journalism.
posted by whir at 11:55 AM on July 14, 2011


I read an interesting article, learn something, come here for the interesting follow up discussion to find it's focussed on getting the name of UCD wrong and the fact that the accents were missed from one of the subject's name. Oh Metafilter.
posted by chill at 2:31 AM on July 17, 2011


Oh right, you might throw in several mutually incongruent, completely thematically unlinked analogies and metaphors per section. You may describe the cosmetic appearance of some of your technical sources. Or you might project onto them bizarre fantasies of alternative lives as DJs or hipsters in idealised international brand-name cities.

All of which is completely orthogonal to the question of whether the article did its fucking job.

Which it did.

So yes, Chill, I'm with you.
posted by Sebmojo at 3:28 PM on July 18, 2011
