I've just come from a presentation about the Stuxnet virus presented at the Virus Bulletin 2010 conference. I'm not in the best of moods. The presentation was little more than Security Theatre by a vendor who really ought to know better.
Let me admit that the analysts in the security team of the vendor concerned have done a sterling job in making sense of the arcane PLC code inside Stuxnet. PLC stands for Programmable Logic Controller, a specialised sort of industrial control computer widely used in environments such as industrial plants and factories to regulate and operate machinery.
The PLCs targeted by Stuxnet are programmed using Windows-based development software called Step 7. You write your PLC code in the Step 7 application, compile it, and download it to the PLC device. You can later suck code and data back from the PLC, using the same connector cable and software.
Stuxnet reconfigures your Step 7 setup so that downloads to, and uploads from, the PLC pass through a malicious DLL, installed by the virus. This DLL acts as a sort of rootkit: it quietly injects malicious PLC code into downloaded data blocks, and removes that same malicious code from data blocks which are read back in.
The VB2010 Stuxnet Security Theatre presentation used this rootkittery in a proof-of-concept "demo" of PLC malware. Clever demo: the downloaded code inflated a balloon for three seconds. Then the rootkit was activated and the same PLC code re-downloaded. But the rootkit silently tweaked the PLC code so that the 3-second limit was not imposed. This time...
...the balloon inflated for five or six seconds. And then (can you tell what happens next?) the BALLOON ACTUALLY BURST!
We were then invited to imagine this same sort of misbehaviour translated to an oil pipeline. Nice segue.
Then, to conclude, we were shown a graph of known active infections. The vast majority were from Iranian IP numbers. And we were told that the string 19790509 appears in the malware, and that this represents a date. Finally, we were told that on this date, according to a well-known search engine, Jewish businessman Habib Elghanian was executed in Iran.
Go figure.
But this same security vendor has also published information telling a very different story, with India and Indonesia accounting for 72% of systems on which Stuxnet was blocked. (Iran came in third here, at 20%)
Perhaps, then, Stuxnet targets countries with names beginning with "I". Residents of the Isle of Man, watch out!
Perhaps, even more reasonably, these figures tell us nothing more than that Iranians aren't very proactive with anti-virus precautions.
Given that this presentation was conducted in front of the cameras of the BBC, I would greatly have preferred the presenter to remind us of this potential conclusion, which teaches us that what we do (or don't do) in respect of security on our own computers ends up affecting all of us.
A cybercriminal injury to one is an injury to all!
2010-10-01
Stuxnet Security Theatre blows up balloon | Paul Ducklin's blog
via sophos.com