Tag Archives: Microbiology

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software that ran a Siberian pipeline so it exploded in 1982 and, so the story goes, helped bring down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer worm. It runs on Windows. It can get onto a computer from an infected USB flash drive, or across a network if it finds a shared folder it can write to or a password it already knows.

But it does a lot more than that. It’s on the look-out for machinery to infect, specifically a plant whose programmable logic controllers (PLCs) are programmed with Siemens’ Simatic Step 7 software. Step 7 runs on Windows, and is where the code the PLCs will execute is written and compiled; once compiled, that code is sent down to the PLCs, which are the boxes that actually drive the machinery. Stuxnet, from what people can figure out, sits inside the Step 7 computer between the engineer and the PLC: it adds its own code to what goes down to the PLC, and strips it back out of what the engineer reads back, so the PLC runs something the engineer never sees.
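To make that last point concrete, here is an added simulation (written for this page; it is not Stuxnet’s code and the class names Plc, Step7Driver and HookedStep7Driver are made up) of a compromised engineering library that injects a block into what is downloaded to a PLC and hides it again on upload. The PLC “code” is a list of mnemonic strings rather than real Siemens STL. The point it shows is the check a practitioner wants: reading the controller back through the same library proves nothing, so the comparison has to come from a path the library cannot touch.

```python
"""Added illustration, not Stuxnet's code: a hooked engineering library
hides an injected PLC block from the engineer who reads the PLC back.
Names (Plc, Step7Driver, HookedStep7Driver) and the mnemonic 'code' are
constructed for this simulation."""
import hashlib

# Constructed sample of what an engineer might write for a drive controller.
ENGINEER_BLOCK = ["L  setpoint", "T  frequency_out", "BE"]
# Constructed stand-in for the attacker's hidden logic.
ATTACKER_BLOCK = ["CALL FC_hidden", "BE"]


class Plc:
    """The controller itself: stores whatever is downloaded to it."""
    def __init__(self):
        self.blocks = {}


class Step7Driver:
    """Honest library between the engineering station and the PLC."""
    def __init__(self, plc):
        self.plc = plc

    def download(self, name, code):
        self.plc.blocks[name] = list(code)

    def upload(self, name):
        return list(self.plc.blocks[name])


class HookedStep7Driver(Step7Driver):
    """Same API as the honest driver, but it injects on the way down
    and strips the injection on the way up."""
    MARKER = "// injected"

    def download(self, name, code):
        super().download(name, self._inject(code))

    def upload(self, name):
        return self._strip(super().upload(name))

    def _inject(self, code):
        # Keep the engineer's logic, then run the hidden call before BE.
        body = [line for line in code if line != "BE"]
        return body + [self.MARKER] + ATTACKER_BLOCK

    def _strip(self, code):
        if self.MARKER in code:
            return code[:code.index(self.MARKER)] + ["BE"]
        return code


def block_digest(code):
    return hashlib.sha256("\n".join(code).encode()).hexdigest()


def engineer_session(driver):
    """Download a block and read it back, the way an engineer checks work."""
    driver.download("OB1", ENGINEER_BLOCK)
    return driver.upload("OB1")


def verify_out_of_band(plc, expected):
    """Compare the PLC's real contents against a golden digest via a path
    that does not go through the (possibly hooked) driver."""
    return block_digest(plc.blocks["OB1"]) == block_digest(expected)


if __name__ == "__main__":
    plc = Plc()
    seen = engineer_session(HookedStep7Driver(plc))
    print("engineer sees original:", seen == ENGINEER_BLOCK)
    print("PLC really matches:", verify_out_of_band(plc, ENGINEER_BLOCK))
    print("PLC actually holds:", plc.blocks["OB1"])
```

Run against the hooked driver, the engineer’s read-back matches exactly what was written, while the out-of-band digest check fails and the controller is found to hold the extra call. In a real plant the equivalent of verify_out_of_band is a second, independent tool or the controller’s own block checksums compared against a known-good record.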

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that a virus on a ground maintenance computer may have played a part in the 2008 crash of a Spanish passenger jet that killed 154 people.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and makes complex modifications to the code that runs it. It uses at least four previously unknown weaknesses in Windows to burrow its way inside, and installs its own kernel drivers, something that shouldn’t be possible because Windows will only load drivers carrying a valid digital signature; Stuxnet’s drivers were signed with certificates stolen from legitimate hardware makers.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the worm used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

A Bad Day for Social Media

You may be forgiven for thinking I’m a fan of social media, and, in particular, Twitter.

Headlines like “Twitter: the future of news” and “Twitter, the best thing since the invention of the thong” may have given the misleading impression I thought Twitter was a good thing.

In which case I apologize. The truth is I think Twitter is bumping up against its limits. It’s possibly just a speed bump, but it’s a bump nonetheless.

The problem as I see it is that we thought that social media would scale. In other words, we thought that the more people got involved, the more the crowd would impose its wisdom.

We saw it happen sometimes: Wikipedia, for example, is a benign presence because it (usually, and eventually) forces out the rubbish and allows good sense and quality to take control.

But it doesn’t always work.

Take, for example, Twitter.

Twitter works great for geeky stuff. Fast moving news like an iPhone launch.

And, in some cases, news. Take earthquakes. Twitterers–and their local equivalents–beat traditional news to the Szechuan (and the less famous Grimsby) earthquakes last year.

But these may be exceptions.

When stories get more complex, social media doesn’t always work. The current swine ‘flu scare, for example, is highlighting how rumor and, frankly, stupidity can drown out wisdom and good sense. As well as traditional reporting media.

Twitter, you see, allows you to monitor not just the output of those people you “follow”—i.e., whose updates you receive—but also to track any update that includes a keyword.

Follow “swineflu” and you get a glimpse into an abyss of ignorance and lame humor.

At the time of writing, tweets on swine ‘flu–updates from someone, somewhere on Twitter containing those words–are appearing at the rate of more than one a second.


Screenshot from Twist, Monday April 27 GMT 02:00

Most of these updates are, to put it charitably, less than helpful:

31 minutes past my appointment time, still sitting in doc’s waiting room, probably inhaling pure swine flu.

The humor is poor:

If swine flu is only passed on by dirty animals I’ll be ok but I feel sorry for my ex-wife!

Viral marketing campaign: Swine Flu…it’s the next SARS!

Amid the noise is the occasional plea for usable information:

Can someone tell me how to avoid swine flu? I really don’t want to get it.

Some of it is weird:

Your ad on my swine flu mask. Live/work on Chicago’s northside. Will wear mask at all times when outdoors. No joke. [Message] me if interested.

I suppose we shouldn’t be too surprised about this.

Twitter is a wonderful way to share information. It is immediate and undiscriminating. Anyone can contribute, and a BBC tweet looks exactly the same as a tweet from that guy who lives next door who always has a toothpick in his mouth. It’s a great leveler.

So we believed—and still believe—that it’s a sort of global brain: a way to distribute news and information without censorship and without regard to the importance of the twitterer.

Which is fine if it’s an eyewitness account of a terrorist attack or an earthquake.

But with a potential pandemic it’s just an epidemic of noise.

Some argue it’s fostering panic. Evgeny Morozov of the Open Society Institute writes on the Foreign Policy website that

The “swine flu” meme has so far  that misinformed and panicking people armed with a platform to broadcast their fears are likely to produce only more fear, misinformation and panic.

I’m not sure that panic is the right word for what is going on. After all, nearly every mainstream media has put swine flu atop its bulletin for the past few days, so it’s actually not surprising.

Panic’s not the word. I’d say it’s more like a babble of noise—most of it poor attempts at humor–which drowns out the useful stuff.

One of the tenets of social media is that the more people involved, the smarter everyone gets. But Twitter doesn’t always work that way.

Twitter is a stream. A waterfall of words. Great if you’re just gazing, but not if you’re looking for information.

The sad thing is that amidst that tweet-a-second cascade are all the links necessary to understand what is going on.

They’re just not being heard.

Sometimes the system works. A good example is what happened in Austin, Texas, when word spread on Twitter earlier this month of a gunman atop a bar. Within half an hour the local newspaper, the Austin American-Statesman was updating its twitter feed with the news. An hour or so later the paper was not only carrying what the police were saying; it was actively countering twitter reports of hostages being taken, and of someone getting shot, by saying what the police were not saying.

The reporter involved, Robert Quigley, wrote on a blog that

once we confirmed what was actually happening, the rumors stopped flying (or at least slowed down). This is not meant to embarrass anyone – tweets from the public are what often alert us to news events, and they many times have been accurate and excellent reports. But in a case like this one, having a journalist who has access to the police and the habit of verifying information is valuable. It did turn out that the guy did not have a gun, and police now say he was never in danger of harming himself or others.

This worked, because it was a responsible journalist who understood the medium. More important, the volume was not so great that his voice prevailed.

This isn’t, so far, happening with swine flu. There are news sites posting links to informed stories. And there’s the Centers for Disease Control, with its own twitter feed. (http://twitter.com/cdcemergency, if you’re interested.)

The problem: they’re only updating the feed every hour, meaning that for every tweet they’re sending out, there are about 4,000 other tweets out there.

In other words, it’s a problem of scale. Twitter works well when there are clearly authoritative voices which prevail. Perhaps when the weekend hubbub dies down, this will be the case with swine flu. Arguably, Twitter has done its job, because a lot of folk probably heard about the story not through traditional media but through their friends making lame jokes about it.

But I think, for now, this can’t be considered a victory for social media.

Podcast: Bacteria at Your Fingertips

Here’s another podcast from the BBC’s World Business Report: this one is on how to prevent the gunk in keyboards from killing you, and it derives from a Loose Wire piece I did for WSJ.com and The WSJ Asia on September 30. (Subscription only, I’m afraid.) Here’s a snippet:

The gunk in your keyboard could kill you. Really.

An exhaustive poll of my friends reveals that all sorts of stuff is being spilled over the average keyboard: biscuit crumbs, mango, fizzy beverage, the odd stray cornflake, nail varnish, rice, soy sauce, coffee, wine (red and white), hand cream. Under your keys lie a faithful record of every snack, lunch and beverage break you’ve had at your desk since you joined the company. It’s like typing on a pile of week-old dirty dishes.

This isn’t only somewhat gross (and likely to lead to the keyboard’s demise at some point) but it also makes your main data input device a Petri dish of bacteria and other microorganisms that could kill you before the job does. A study conducted by Charles Gerba, a professor of environmental microbiology at the University of Arizona, concluded that the computer keyboard was the fifth most germ-contaminated spot in an office. (Topped only by your phone, your desktop — home to an impressive 10 million bacteria — and the handles on the office water fountain and microwave door.) Out of 12 surfaces studied the toilet seat came in cleanest, in case you’re wondering where to have your next lunch break.

Download keyboards.mp3

This week’s column – Beat the bugs

This week’s Loose Wire column is about cleaning viruses:

IF YOUR COMPUTER is infected by a virus, Trojan, worm or some other nasty slice of code, never fear: Worst comes to worst, you can call on a 60-year-old retired Australian lab technician who goes by the on-line nickname of Pancake.

Though he wouldn’t put it this way himself, Ed Figg (his real name) is living proof of the failure of anti-virus companies, firewall manufacturers and Microsoft to keep us safe from viruses. Given that we each spend about $100 a year for software to protect our computers, you’d think that would leave us safe. But no. Ed the Pancake, and dozens like him, spend up to eight hours a day on-line as unpaid experts helping other users with problems–most of them viruses that have slipped past their computer’s defences. So what should you do if you think it’s happened to you?

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription also required). Old columns at feer.com here.

A Directory of Virus Removal Tools

Some sites offering free tools for removing viruses, trojans and worms. Any additions/changes welcome.

McAfee’s Virus Report Card – Grim

It’s been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What’s perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: McAfee counted 11 exploits targeting four Microsoft vulnerabilities in the first half of 2004, against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: more people trying to make the most out of fewer holes.

Do Anti-Virus Companies Love Viruses?

Are anti-virus companies behind the viruses?

Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”

This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagle and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:

  • viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
  • 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
  • by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.

It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):

  • industry passes the blame for infection and propagation of email viruses onto the users;
  • Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
  • avecho.com stopped sobig A technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
  • On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.

But they do have a point. Somehow we’ve got to find a better way to stop viruses than using updating libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?
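As a partial answer to that question, here is an added example (written for this page; it is not avecho’s product or code) of the three-rule premise above applied on an end-user’s machine, to raw messages, with Python’s standard email library. The allow-list of senders from whom executables are expected and the four sample messages are constructed here. The one thing the three rules leave unsaid, and that the worms of the day exploited, is how you decide something is “executable code”: a file called photo.jpg.pif or an .exe inside a .zip is still executable, so the check looks at content (the MZ header) and archive contents, not just the file name.

```python
"""Added example, not avecho's code: 'accept executable attachments only
from known, expected senders', applied to raw messages on the client.
EXPECTED_EXEC_SENDERS and the SAMPLES dict are constructed test data."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".cpl")
MZ_MAGIC = b"MZ"

# Constructed: the only address from which we expect to receive programs.
EXPECTED_EXEC_SENDERS = {"build@example.org"}


def looks_executable(filename, data):
    """Judge by content first, then by name. Name-only checks are fooled by
    double extensions and zip wrappers, which Bagle and Netsky both used."""
    if data[:2] == MZ_MAGIC:
        return True
    if (filename or "").lower().endswith(EXEC_EXTENSIONS):
        return True
    if data[:4] == b"PK\x03\x04":  # zip archive: inspect its contents
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(looks_executable(i.filename, zf.read(i))
                           for i in zf.infolist())
        except zipfile.BadZipFile:
            return True  # unreadable archive: treat as hostile
    return False


def classify(raw_bytes):
    """Return ('deliver', None) or ('quarantine', reason) for one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data) and sender not in EXPECTED_EXEC_SENDERS:
            return "quarantine", f"executable attachment {name!r} from {sender}"
    return "deliver", None


def _build(sender, filename, data):
    """Constructed message with one attachment, for the samples below."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "me@example.net"
    m["Subject"] = "see attached"
    m.set_content("attached as requested")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def _zip_with_exe():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.exe", b"MZ\x90\x00fake")
    return buf.getvalue()


SAMPLES = {
    "double_extension": _build("someone@example.com", "photo.jpg.pif", b"MZ\x90\x00fake"),
    "renamed_binary": _build("someone@example.com", "report.doc", b"MZ\x90\x00fake"),
    "plain_document": _build("someone@example.com", "report.pdf", b"%PDF-1.4 text"),
    "expected_program": _build("build@example.org", "tool.exe", b"MZ\x90\x00fake"),
    "zipped_worm": _build("someone@example.com", "files.zip", _zip_with_exe()),
}


def run_samples():
    return {name: classify(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

Everything here runs on the recipient’s machine, which is the half of the page’s question this answers; the half it does not is that a client-side filter only sees mail after the server has already accepted and stored it, so the bandwidth and storage cost of the worm is paid either way.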

Homeland Virus Alerts – What Happened?

The big anti-virus vendors often stand accused (rightly) of exaggerating the danger and impact of viruses; Not surprising they do that, they make money out of protecting people from viruses. But why would the U.S. government do it?

Here’s a great piece by Mary Landesman of about.com complaining about US CERT, a newly formed partnership between the U.S. Department of Homeland Security’s National Cyber Security Division and the CERT Coordination Center (CERT/CC) run by Carnegie Mellon University. After quoting their blurb — “We have taken great care to be accurate, fair, and honest about the security risks you face, and we feel a tremendous professional obligation to bring you the best, most trustworthy advice we can to help you protect your systems” — she then quotes their first alert (TA04-028A), which was sent out twice: “MyDoom.B Rapidly Spreading”.

Er, no. MyDoom.A — the original version — was big. MyDoom.B, in her words, is “barely a blip on the radar”. Here’s the data so far:

  • Sophos: er, one copy.
  • Messagelabs: er, 7 copies.
  • Trend Micro: er, 1 copy.

You get the idea. MyDoom.A was big. MyDoom.B is not. So what went wrong? Well, it’s early days, so perhaps we can put it down to teething troubles. But it’s not that simple. What I find a bit disturbing is that US-CERT, it appears, has not so much corrected its error as pretended it never happened. The original, incorrect, alerts can only be found on other sites (Google search); only an ‘updated’ version (without the ‘rapidly spreading’ bit) can be found on US-CERT. Good that they’ve realised their error, but they don’t seem to be acknowledging it: the revision history for this report refers only to a version on Feb 2 that “Updated hosts file and www.microsoft.com information, changed heading formats”. Nothing about “removing misleading and horribly incorrect information about spread of virus”. From where I’m sitting (and I may be wrong here), this looks like someone has tried to forget the original reports ever existed.

There are, quite obviously, a few problems with this. What happens to all those folk who have acted on the original reports? I can see it posted at more than 300 sites, where presumably people are cowering under their desks, switching off computers, and wearing gas-masks. How are these people going to know the original report was wrong if you pretend it never existed?

It’s all about credibility. Commercial anti-virus firms do a good job of analysing viruses and a slightly less good job of quickly updating your software so you don’t get infected. They also try to give an accurate idea of how far and how fast the virus is spreading. But do we believe them when they put out press releases saying how much damage viruses cost? Not usually, because we know these folk make money based on how big the problem is. The whole point of something like US-CERT is to bring some impartiality to the scene. But that’s not going to work if a) the original reports are horribly wrong and b) the error is compounded by not ‘fessing up to it and letting people know what you’ve corrected.

I’ve sought clarification from US-CERT.

What Is This Virus REALLY All About?

Further to my outburst about how network administrators and anti-virus companies may be making the whole MyDoom thing worse, here’s a similar take, albeit more detailed and informed than mine, from Attrition.org. The message: Treat all emails ‘notifying’ you that you have a virus as spam and inform the administrator/company/ISP accordingly. Thanks to the excellent TechDirt for pointing this one out. CNET have a similar report as does The Register.

My tuppennies’ worth? Sue anybody who accuses you of harbouring a virus. It’s defamation pure and simple.
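The reason those “you sent us a virus” notices land on innocent people is that MyDoom forges the sender address, so anything that replies to the envelope sender replies to the wrong person. There is a mechanical way to tell a genuine bounce for mail you really sent from this kind of backscatter, and here it is as an added example (my code for this page, not anything the page’s sources shipped): a BATV-style tagged return path. Every outgoing message gets a Return-Path carrying a day stamp and a short HMAC; a bounce or notification, which by convention arrives with an empty envelope sender, is accepted only if it is addressed to a tag we generated and that has not expired. The secret key, domain and sample addresses are constructed.

```python
"""Added example: BATV-style tagged return paths to reject backscatter
(bounces and AV notifications for mail a worm sent in our name).
SECRET and OUR_DOMAIN are constructed placeholders."""
import hashlib
import hmac
import re
import time

SECRET = b"constructed-secret-rotate-me"   # assumption: one key per domain
OUR_DOMAIN = "example.net"
TAG_RE = re.compile(r"prvs=(\d{3})([0-9a-f]{6})=([^@]+)@(.+)")


def _day(now=None):
    """Day counter modulo 1000, as the prvs scheme uses."""
    return (int(time.time() if now is None else now) // 86400) % 1000


def _mac(day, local, domain, secret):
    msg = f"{day:03d}{local}@{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def tag_return_path(local, domain=OUR_DOMAIN, day=None, secret=SECRET):
    """Envelope sender to use on outgoing mail, e.g. prvs=1003f9a1c=alice@example.net."""
    day = _day() if day is None else day
    return f"prvs={day:03d}{_mac(day, local, domain, secret)}={local}@{domain}"


def verify_return_path(addr, today=None, secret=SECRET, window=7):
    """True only for a tag we generated that is at most `window` days old."""
    m = TAG_RE.fullmatch(addr)
    if not m:
        return False
    day, mac, local, domain = m.groups()
    day = int(day)
    today = _day() if today is None else today
    if (today - day) % 1000 > window:
        return False
    return hmac.compare_digest(mac, _mac(day, local, domain, secret))


def is_backscatter(rcpt_to, mail_from, today=None):
    """At SMTP time: an empty MAIL FROM marks a bounce or notification;
    one addressed to anything but a valid tag is backscatter and is rejected.
    Ordinary mail (non-empty MAIL FROM) is never judged here."""
    if mail_from != "":
        return False
    return not verify_return_path(rcpt_to, today)


if __name__ == "__main__":
    tag = tag_return_path("alice", day=100)
    print("our tag:", tag)
    # Constructed inbound envelopes: (RCPT TO, MAIL FROM)
    cases = [
        (tag, ""),                                    # real bounce for our mail
        ("alice@example.net", ""),                    # AV notice for forged mail
        ("prvs=100abcdef=alice@example.net", ""),     # forged tag
        ("alice@example.net", "bob@example.org"),     # normal mail, not a bounce
    ]
    for rcpt, sender in cases:
        print(f"{rcpt:40s} backscatter={is_backscatter(rcpt, sender, today=103)}")
```

The caveat a practitioner should know: this only catches notifications that honour the convention of an empty envelope sender. Plenty of gateway “virus alert” mails go out from a real postmaster address, and those have to be caught the slower way, by checking whether the original message they quote carries a Message-ID your own server ever issued.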

Some other tidbits about the virus: It seemed to have originated in Russia, and may not actually contain an attack on SCO.com, so there’s a strong school of thought growing that all that SCO/Linux stuff is a ruse, and that the real purpose is a good old fashioned Mafia-originating password-stealing scam. If so, it’s reassuring to know that a) the open source crowd haven’t gone bad and b) it’s still just about da money. Slashdotters discuss the matter here.

That said, there’s a lot about MyDoom we don’t know about it, and writing it off as a variation of earlier worms I think misses the point. Viruses may often be built on old ones, but it doesn’t mean they do the same thing. Microsoft Monitor calls it “one of the more sophisticated viruses in recent memory” and says antivirus companies are only starting to learn about what it may do.

Happy Birthday, SoBig

A press release from email security folks MessageLabs points out that tomorrow is the first anniversary of the SoBig.A worm’s debut. SoBig.A (the A means it was the first of a family of worms based on the same SoBig code) wasn’t just any kind of worm, MessageLabs point out. SoBig.A was unique in being the first virus to use convergence techniques to create maximum havoc.

Basically this means SoBig.A didn’t just do one thing. It incorporated both spamming and virus writing techniques — infecting hundreds of thousands of computers worldwide, installing open proxies on compromised machines, which were then used to disseminate spam — unknown to the users. To date, MessageLabs has intercepted 727,102 copies of the worm in 183 countries, and it continues to spread.

SoBig was so successful it’s now into version F, the most prolific virus to date. The SoBig family, MessageLabs say, has also served as the model for other viruses using convergence techniques, such as the Fizzer worm. MessageLabs predicts that this style of virus writing will be extensive during 2004.

Needless to say, this all helps blur the boundary between spammers, scammers, virus writers (and, probably, the Mob). Says David Banes, MessageLabs’ Technical Director Asia Pacific: “The success of SoBig has served as an inspiration to cyber criminals, and demonstrates what can be achieved when they work together.”