A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.
Q: Can it spread via other USB devices?
A: Sure, it can spread anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.
Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.
Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
Q: Which factory is it looking for?
A: We don't know.
Q: Has it found the factory it's looking for?
A: We don't know.
Q: What would it do if it finds it?
A: It makes complex modifications to the system. Results of those modifications can not be detected without seeing the actual environment. So we don't know.
Q: Ok, in theory: what could it do?
A: It could adjust motors, conveyor belts, pumps. It could stop a factory. With right modifications, it could cause things to explode.
Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.
Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.
Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.
Q: What's the relation between Realtek and Jmicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan. Which is weird.
Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:
LNK (MS10-046)
Print Spooler (MS10-061)
Server Service (MS08-067)
Privilege escalation via Keyboard layout file
Privilege escalation via Task Scheduler
Q: And these have been patched by Microsoft?
A: The two Privilege escalations have not yet been patched.
Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.
Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.
Q: When was it discovered?
A: A year later, in June 2010.
Q: How is that possible?
A: Good question.
Q: Was Stuxnet written by a government?
A: That's what it would look like, yes.
Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.
Q: Was it Israel?
A: We don't know.
Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.
Q: Was the target Iran?
A: We don't know.
Q: Is it true that there's are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.
Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh… we don't know, really.
Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.
Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.
Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.
Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.
Q: Oh.
A: Yeah.
Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. First variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.
Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.
Q: Disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use. The LNK vulnerability used by Stuxnet would infect you even if AutoRun and AutoPlay were disabled.
Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.
Q: How many computers did it infect?
A: Hundreds of thousands.
Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.
Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue spread elsewhere also. This is why Stuxnet has spread worldwide.
Q: Anything else it could do, in theory?
A: Siemens announced last year that Simatic can now also control alarm systems, access controls and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and Mission Impossible.
Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.
Q: Does F-Secure detect Stuxnet?
A: Yes.
Source: f-secure.com
The failure of Linux to catch on with mainstream PC users will come as no great surprise to most observers, but the reasons for its failure are often misunderstood or, at the very least, grossly misstated. Linux didn't fail on the desktop because it's "too geeky," "too hard to use," or "too obscure," as casual detractors so often claim in online forums. On the contrary, the best-known distribution--Ubuntu--has received high marks for usability from every major player in the technology press, and it features a menu layout nearly identical to that of Mac OS X.
Ultimately, Linux is doomed on the desktop because of a critical lack of content. And that lack of content owes its existence to two key factors: the fragmentation of the Linux platform, and the fierce ideology of the open-source community at large.
User expectations have shifted dramatically in the past few years, and it's no longer acceptable for any PC to fail at basic media viewing. DVD playback and video streaming from premium sites such as Netflix are now fundamental capabilities that any computer should have. But the politics of the open-source world make that a nearly hopeless dream for Linux.
"I share the hope with everyone that free and open-source software will rise to meet the requirements of content delivery," says longtime Linux developer Jeff Whatcott, senior vice president of marketing for Brightcove, a company that specializes in online video streaming. "But that's not happening."
"DRM is not popular with the open-source crowd," says Whatcott, lamenting that the open-source community at large remains so steadfastly opposed to digital rights management technologies. Without those systems, commercial content providers have no incentive to embrace Linux. And Whatcott points out that even if the open-source community were willing to go along, the DRM arena is dominated by "deep, deep patent pools," making a free, open-source alternative unlikely anyway.
Meanwhile, even common streaming technologies such as Flash--which Whatcott helped bring to Linux in his previous role as a Macromedia (and later Adobe) product manager--deliver poor results on Linux.
"It wasn't for lack of trying," Whatcott says. "At the time, Macromedia put extensive resources into figuring that out." But despite the hard work of a team of engineers "that loved Linux," the fragmentation of the Linux platform and the hurdles presented by what Whatcott describes as "alpha-quality" drivers for audio and video hardware made success elusive for the Flash development team.
More @
Related Posts:
Desktop Linux Is Dead
More @ linux.slashdot.org
More @ linux.slashdot.org
NYT Technology: How to Fight Health ‘Cures’ Online
NASA Image of the Day: Perseverance Rover Mated to...
NYT Technology: Massachusetts Sues Uber and Lyft O...
U.S. crude oil and natural gas production in April...
Air Force says service still needs to be bigger - ...
Facebook reportedly considers ban on political ads...
1 BTC equals 9310.0801 USD
NYT Technology: YouTube’s Factory Workers Are Angry
NASA Image of the Day: Hubble Sees a Star Called H...
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
February 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
April 2008
May 2008
July 2008
August 2008
September 2008
October 2008
November 2008
January 2009
May 2009
June 2009
July 2009
August 2009
September 2009
December 2009
March 2010
June 2010
July 2010
September 2010
October 2010
November 2010
January 2011
March 2011
February 2013
April 2013
September 2013
December 2013
August 2014
September 2014
October 2014
November 2014
January 2015
January 2016
September 2018
October 2018
November 2018
December 2018
January 2019
February 2019
March 2019
April 2019
May 2019
June 2019
July 2019
August 2019
September 2019
October 2019
November 2019
December 2019
January 2020
February 2020
March 2020
April 2020
May 2020
June 2020
July 2020