<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Stuxnet on Omid Farhang</title><link>https://omid.dev/tags/stuxnet/</link><description>Recent content in Stuxnet on Omid Farhang</description><generator>Hugo -- 0.152.2</generator><language>en-US</language><copyright>2025 Omid Farhang | All rights reserved.</copyright><lastBuildDate>Wed, 27 Feb 2013 16:12:00 +0000</lastBuildDate><atom:link href="https://omid.dev/tags/stuxnet/index.xml" rel="self" type="application/rss+xml"/><item><title>Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon</title><link>https://omid.dev/2013/02/27/stuxnet-missing-link-found-resolves-some-mysteries-around-the-cyberweapon/</link><pubDate>Wed, 27 Feb 2013 16:12:00 +0000</pubDate><guid>https://omid.dev/2013/02/27/stuxnet-missing-link-found-resolves-some-mysteries-around-the-cyberweapon/</guid><description>&lt;p&gt;&lt;em&gt;Cross-posted from&lt;/em&gt; &lt;a href="http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/all/"&gt;&lt;em&gt;WIRED&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://lh6.ggpht.com/-Ddf4V0bOokQ/US4pBrXxyuI/AAAAAAAAH3Y/0ibgWKrHlgY/s1600-h/Ahmadinejad-at-Natanz-in-2008%25255B5%25255D.jpg"&gt;&lt;img loading="lazy" src="http://lh4.ggpht.com/-MjRcWkbyBz4/US4pE-oaobI/AAAAAAAAH3g/hyVPMApvy1Q/Ahmadinejad-at-Natanz-in-2008_thumb%25255B2%25255D.jpg?imgmax=800" alt="Ahmadinejad-at-Natanz-in-2008" title="Ahmadinejad-at-Natanz-in-2008" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.&lt;/p&gt;
&lt;p&gt;The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S.-based computer security firm that &lt;a href="http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/"&gt;reverse-engineered Stuxnet in 2010&lt;/a&gt; and also found the latest variant.&lt;/p&gt;</description></item><item><title>Narilam Worm manipulates databases in Iran</title><link>https://omid.dev/2012/11/24/narilam-worm-manipulates-databases-in-iran/</link><pubDate>Sat, 24 Nov 2012 12:37:00 +0000</pubDate><guid>https://omid.dev/2012/11/24/narilam-worm-manipulates-databases-in-iran/</guid><description>&lt;p&gt;&lt;a href="http://lh3.ggpht.com/-PWZn6EPgNBA/ULC4ZTERsPI/AAAAAAAAHmw/7b0Vu2LvK1s/s1600-h/narilam-iran%25255B5%25255D.png" target="_blank"&gt;&lt;img title="narilam-iran" border="0" alt="narilam-iran" align="right" src="http://lh4.ggpht.com/-Yh9UYyqtVKA/ULC4bob5OCI/AAAAAAAAHm4/240JKydkDLU/narilam-iran_thumb%25255B3%25255D.png?imgmax=800" width="244" height="153" /&gt;&lt;/a&gt;h-Online: Security firm Symantec has discovered a specialised worm called W32.Narilam that can compromise SQL databases. Symantec &lt;a href="http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage"&gt;reports&lt;/a&gt; that the malware “speaks” Persian and Arabic and appears to target mainly companies in Iran. Narilam is, therefore, reminiscent of &lt;a href="http://www.h-online.com/news/item/Stuxnet-worm-can-control-industrial-systems-1080751.html"&gt;Stuxnet&lt;/a&gt; and its &lt;a href="http://www.h-online.com/news/item/Kaspersky-says-Stuxnet-and-Flame-are-related-after-all-1615750.html"&gt;variants&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Narilam spreads via &lt;a href="http://www.h-online.com/news/item/Stuxnet-worm-was-planted-by-inside-man-1525260.html"&gt;USB flash drives&lt;/a&gt; and network shares. Once inside the system, the worm searches for SQL databases that are accessible via the &lt;a href="http://en.wikipedia.org/wiki/OLE_DB"&gt;Object Linking and Embedding Database&lt;/a&gt; (OLEDB) API. Rather than steal found target data for intelligence purposes, the worm proceeds to modify or delete the data and can, says Symantec, cause considerable damage. Stuxnet similarly served no intelligence purpose and was designed to sabotage its target – a uranium enrichment facility in Natanz, Iran.&lt;/p&gt;</description></item><item><title>On Stuxnet, Duqu and Flame</title><link>https://omid.dev/2012/06/03/on-stuxnet-duqu-and-flame/</link><pubDate>Sun, 03 Jun 2012 09:26:00 +0000</pubDate><guid>https://omid.dev/2012/06/03/on-stuxnet-duqu-and-flame/</guid><description>&lt;p&gt;F-Secure wrote:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>FAQ: Flame, the &amp;quot;super spy&amp;quot;</title><link>https://omid.dev/2012/05/31/faq-flame-the-super-spy/</link><pubDate>Thu, 31 May 2012 12:51:00 +0000</pubDate><guid>https://omid.dev/2012/05/31/faq-flame-the-super-spy/</guid><description>&lt;p&gt;Copied from H-Online: &lt;a href="http://www.h-online.com/security/features/FAQ-Flame-the-super-spy-1587063.html" target="_blank"&gt;Source&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="http://lh3.ggpht.com/-QpyIQWVm1c0/T8diAgxhefI/AAAAAAAAGKM/9IpyOe4KSgU/s1600-h/FAQ_flame_kicker%25255B2%25255D.png"&gt;&lt;img title="FAQ_flame_kicker" border="0" alt="FAQ_flame_kicker" align="right" src="http://lh6.ggpht.com/-iSvtBbZ6D7E/T8diC1WvPAI/AAAAAAAAGKU/ztNk_M_At_I/FAQ_flame_kicker_thumb.png?imgmax=800" width="220" height="80" /&gt;&lt;/a&gt;The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn&amp;rsquo;t actually have that many new features compared to, say, the widespread online-banking trojan Zeus.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What is Flame?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Flame is the code name for a spyware program that is built to be very modular and which is also known as Flamer and sKyWIper. Flame was just recently discovered, and it will be some time before all of its components are analyzed. Anti-virus software companies estimate that Flame has infected about 1,000 computers, mostly in the Middle East.&lt;/p&gt;</description></item><item><title>Flame worm – Iran claims to discover new Stuxnet-like malware</title><link>https://omid.dev/2012/05/28/flame-worm-iran-claims-to-discover-new-stuxnet-like-malware/</link><pubDate>Mon, 28 May 2012 14:57:00 +0000</pubDate><guid>https://omid.dev/2012/05/28/flame-worm-iran-claims-to-discover-new-stuxnet-like-malware/</guid><description>&lt;p&gt;Naked Security wrote:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://lh4.ggpht.com/-QohaM1XK7OA/T8OLUDmIspI/AAAAAAAAGHc/ZGu8EXRoFUQ/s1600-h/iran-flames-170%25255B2%25255D.jpg"&gt;&lt;img title="iran-flames-170" border="0" alt="iran-flames-170" align="right" src="http://lh3.ggpht.com/-H7i2lfAgAmg/T8OLWPeXIYI/AAAAAAAAGHk/Js_udYnFn9k/iran-flames-170_thumb.jpg?imgmax=800" width="170" height="128" /&gt;&lt;/a&gt;&lt;em&gt;The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack attacking the country, which has been dubbed Flame (also known as Flamer or Skywiper).&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;In a&lt;/em&gt; &lt;a href="http://www.certcc.ir/index.php?name=news&amp;amp;file=article&amp;amp;sid=1894"&gt;&lt;em&gt;statement&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, researchers say that they believe the malware is “a close relation” to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organizations and companies at the beginning of May.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Duqu, Son of Stuxnet?</title><link>https://omid.dev/2011/10/20/duqu-son-of-stuxnet/</link><pubDate>Thu, 20 Oct 2011 22:23:00 +0000</pubDate><guid>https://omid.dev/2011/10/20/duqu-son-of-stuxnet/</guid><description>&lt;p&gt;&lt;a href="http://4.bp.blogspot.com/-W9csiY4HWJ8/TqCV1Mg85CI/AAAAAAAAEKE/E8-Ka-qvNoE/s1600/Screen-Shot-2011-10-18-at-12.26.12-PM.png"&gt;&lt;img loading="lazy" src="http://4.bp.blogspot.com/-W9csiY4HWJ8/TqCV1Mg85CI/AAAAAAAAEKE/E8-Ka-qvNoE/s400/Screen-Shot-2011-10-18-at-12.26.12-PM.png" alt="" /&gt;
&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Schneier on Security:&lt;/strong&gt; A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original. &lt;a href="http://www.schneier.com/blog/archives/2011/10/new_malware_duq.html"&gt;Link to Source&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Symantec: W32.Duqu: The Precursor to the Next Stuxnet&lt;/strong&gt;&lt;br&gt;
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu&amp;rsquo;s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. &lt;a href="http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet"&gt;Read Full Article&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Stuxnet and WikiLeaks – What do they have in common?</title><link>https://omid.dev/2010/12/04/stuxnet-and-wikileaks-what-do-they-have-in-common/</link><pubDate>Sat, 04 Dec 2010 21:41:00 +0000</pubDate><guid>https://omid.dev/2010/12/04/stuxnet-and-wikileaks-what-do-they-have-in-common/</guid><description>&lt;p&gt;At first glance, two recent security stories, the Stuxnet attack on Iran&amp;rsquo;s nuclear industry and the WikiLeaks breach of US State Department communications, don&amp;rsquo;t seem to have much in common, but they do. They are united by a vector, a method of transmission and that vector is removable media.&lt;/p&gt;
&lt;p&gt;I am sure that the Iranians felt pretty secure with air-gapped systems, but like a spark from the burning house next door that finds its way into your shingles, the right USB found its way into the right PC and then suddenly all those uranium enrichment centrifuges running at 807-1210 Hz started to act funny and fail in unexpected and reportedly fairly energetic ways (you can see some pics of failed centrifuges here &lt;a href="http://web.mit.edu/charliew/www/centrifuge.html"&gt;http://web.mit.edu/charliew/www/centrifuge.html&lt;/a&gt; and here &lt;a href="http://www.chem.purdue.edu/chemsafety/NewsAndStories/CentrifugeDamages.htm"&gt;http://www.chem.purdue.edu/chemsafety/NewsAndStories/CentrifugeDamages.htm&lt;/a&gt;).&lt;/p&gt;</description></item><item><title>Fake Stuxnet cleaner literally cleans up your computer</title><link>https://omid.dev/2010/10/15/fake-stuxnet-cleaner-literally-cleans-up-your-computer/</link><pubDate>Fri, 15 Oct 2010 15:12:00 +0000</pubDate><guid>https://omid.dev/2010/10/15/fake-stuxnet-cleaner-literally-cleans-up-your-computer/</guid><description>&lt;p&gt;W32.Stuxnet has been a subject of much discussion amongst security researchers and media, and we posted a series of blogs on the subject. As you may already be aware, Stuxnet is a hot topic as the threat targets industrial control systems in order to take control of industrial facilities and systems, such as manufacturing assembly lines and even power plants.&lt;/p&gt;
&lt;p&gt;Because Stuxnet is such major news, the miscreants who like to spread malware are not wasting much time taking advantage of this for their malicious activities. In our investigations we have discovered that various forums are discussing a free Stuxnet removal tool but unfortunately the tool is actually a piece of malware. We successfully obtained a sample of this tool and our analysis supported our sense of danger: Bottom line is, &lt;strong&gt;do NOT run the tool&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>Stuxnet Questions and Answers</title><link>https://omid.dev/2010/10/06/stuxnet-questions-and-answers/</link><pubDate>Wed, 06 Oct 2010 22:32:00 +0000</pubDate><guid>https://omid.dev/2010/10/06/stuxnet-questions-and-answers/</guid><description>&lt;p&gt;&lt;strong&gt;Stuxnet&lt;/strong&gt; continues to be a hot topic. Here are answers to some of the questions we&amp;rsquo;ve received.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Q:&lt;/strong&gt; What is Stuxnet?&lt;br&gt;
&lt;strong&gt;A:&lt;/strong&gt; It&amp;rsquo;s a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Q:&lt;/strong&gt; Can it spread via other USB devices?&lt;br&gt;
&lt;strong&gt;A:&lt;/strong&gt; Sure, it can spread via anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.&lt;/p&gt;</description></item><item><title>Stuxnet in the news</title><link>https://omid.dev/2010/09/30/stuxnet-in-the-news/</link><pubDate>Thu, 30 Sep 2010 22:34:00 +0000</pubDate><guid>https://omid.dev/2010/09/30/stuxnet-in-the-news/</guid><description>&lt;p&gt;The Stuxnet Trojan is very well covered in the media as more and more details about its sophisticated code become public. It abuses four previously unknown security vulnerabilities in Windows to enter the system and specializes in attacking Siemens processing systems. An interesting piece of information that hasn’t received much attention yet comes from &lt;a href="http://www.h-online.com/security/news/item/Stuxnet-brings-more-new-tricks-to-cyberwar-1098810.html"&gt;heise Security&lt;/a&gt;: The nuclear plant in Bushehr isn’t really the target of the worm as rumours say, as the attacked systems aren’t approved for usage in nuclear plants.&lt;/p&gt;</description></item></channel></rss>