Tag Archives: Virus

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. planted doctored software in the control system of a Siberian gas pipeline so that it exploded in 1982, a blow that (so the story goes) helped bring down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. A computer can be infected from one of those USB flash drive thingies, or across a network, where the worm lets itself in through flaws in Windows and a weak password.

But it does a lot more than that. It’s on the lookout for machinery to infect—specifically, factories running Siemens Simatic Step 7, the software engineers use to write the programs that run programmable logic controllers (PLCs). Step 7 runs on Windows; the PLC programs are written and compiled on that Windows machine and then sent down to the PLC, which is what actually controls the machinery. Stuxnet, from what people can figure out, sits between Step 7 and the PLC, altering the control code on its way down to the PLC and disguising the change when the code is read back, so that what the engineer sees on screen still looks like the original.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and makes complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen, because Windows will only load drivers that carry a valid digital signature. Stuxnet’s did: they were signed with certificates stolen from legitimate hardware makers.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the worm used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle (the string “myrtus”, left in a file path), for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami businessman is suing Bank of America, according to AccountingWEB.com and other sources:

 Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez’s computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez’s lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it opened let criminals extract banking passwords and account details as they were entered on Lopez’s PC. This remains unproven.

This makes the case a bit more complicated than if Lopez had been hoodwinked by a phishing email designed to look like something from Bank of America. Still, the AccountingWeb piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. “Banks can’t reasonably expect consumers to protect themselves from cybercriminals,” said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, “50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware.”

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’s are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

This week’s column – Beat the bugs

This week’s Loose Wire column is about cleaning viruses:

IF YOUR COMPUTER is infected by a virus, Trojan, worm or some other nasty slice of code, never fear: Worst comes to worst, you can call on a 60-year-old retired Australian lab technician who goes by the on-line nickname of Pancake.

Though he wouldn’t put it this way himself, Ed Figg (his real name) is living proof of the failure of anti-virus companies, firewall manufacturers and Microsoft to keep us safe from viruses. Given that we each spend about $100 a year for software to protect our computers, you’d think that would leave us safe. But no. Ed the Pancake, and dozens like him, spend up to eight hours a day on-line as unpaid experts helping other users with problems–most of them viruses that have slipped past their computer’s defences. So what should you do if you think it’s happened to you?

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription also required). Old columns at feer.com here.

A Directory of Virus Removal Tools

Some sites offering free tools for removing viruses, trojans and worms. Any additions/changes welcome.

McAfee’s Virus Report Card – Grim

It’s been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What’s perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: McAfee noted 11 exploits targeting four Microsoft vulnerabilities in the first half of 2004, against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: more folk trying to make the most out of fewer holes.

The Virus Turf War

More on who’s behind the latest wave of virus attacks.

Mary Landesman of About.com looks at text strings contained in the viruses of Bagle (sometimes Bagel) and MyDoom to show how ”a battle is waging between three groups of virus writers, each attempting to prove superiority over the other.” It’s a very good piece.

But it’s not quite that simple, I suspect. She quotes a virus analyst at Norman Data Defense Systems, the excellently named Snorre Fagerland, as saying, “We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms points in this direction. It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible.”

I believe it’s more complex than that. A message in Bagle.J goes: “Hey,NetSky, [expletive] off you [expletive], don’t ruine our bussiness, wanna start a war?” This, Landesman points out, is apparently in response to a string contained in Netsky.C that reads, “]MyDoom.F is a thief of our idea! – -“

My belief is this: A lot of viruses nowadays are business ventures, cobbled together by an informal cabal of computer nerds and folk who want to make money (spammers, scammers). Of course some viruses are just kids in dorms and bedsits messing about for fun. But when the guy(s) behind Bagle.J say ‘don’t ruin our business’ they’re not speaking metaphorically. The Internet is like any other turf, and there’s only so much to go round. What we’re seeing here, I believe, is a turf war among criminals, or possibly between criminals and script kiddies (amateur, and amateurish, virus writers who do it for fun.)

Do Anti-Virus Companies Love Viruses?

Are anti-virus companies behind the viruses?

Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”

This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagel and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:

  • viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
  • 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
  • by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.

It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):

  • industry passes the blame for infection and propagation of email viruses onto the users;
  • Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
  • avecho.com stopped sobig: A technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
  • On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.

But they do have a point. Somehow we’ve got to find a better way to stop viruses than endlessly updating signature libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?

Is Zip The Way To Thwart Viruses?

I like this idea from a Slashdot poster: Eliminate most viruses by zipping everything.

It works (I think) like this: Most viruses arrive as an attachment to an email. These are executables: files that run as a program when you click on them (as opposed to a data file such as a Word document or a web page, which merely opens, although it too may contain some malicious script). Some email programs, like Microsoft Outlook, block these executables by default, but many other programs don’t, or else users change the default setting because they find they cannot get at one or two attachments which are kosher. Result: virus mayhem like MyDoom.

The poster suggests that all attachments be zipped. Zip files by definition have to be unzipped before they can be launched, opened or whatever. Most unzipping programs extract those files to a specific folder, at which point a virus scanner gets a chance to check them. More importantly, this process gives the user a chance to view the contents of the file before clicking on it, and may perhaps give them pause for thought.

Of course a lot of people do this already, but they tend to be people who aren’t going to be sending viruses around, and they’re also not the kind of people to open dodgy attachments. In short, the people who zip aren’t the people we’re worried about. Somehow, we’ve got to convince ordinary folk to zip up, preferably by making it an automatic part of the email program. Attach a file to an email? The thing is automatically zipped.

The poster then suggests that email systems be set to delete or quarantine any executable that’s not zipped. That should remove most virus threats (of course some viruses arrive as zipped files, and rely on some social engineering to persuade the unwitting user to open and execute them, but there’s not much you can do if someone is suicidal enough to do all that.) The last point he makes: Encourage zip program vendors to work more closely with anti-virus companies “to provide better protection from viruses in zip archives”.

I can’t see much wrong with this. I think zip programs could be easier to use (ironically, Microsoft’s inbuilt zip viewer in Windows XP seems to work best), but if they can be persuaded to integrate seamlessly with email clients, we may go some way to stemming the virus flood.
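Both the avecho rule above (“I will only accept executable code from people I know – and that I am expecting”) and the Slashdot proposal (zip everything, quarantine bare executables) come down to the same piece of gateway logic: decide whether an attachment is executable, look inside archives to decide it, and then apply the known-and-expected-sender rule. Here is that filter as an added example in Python; it is not avecho’s ThreatCENSOR, nor anything from the Slashdot thread. The sender allowlist (`EXPECTED`), the file names and the file contents are constructed for the example, and the function names are mine.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ZIP_MAGIC = b"PK\x03\x04"
# Signatures of content that runs as a program. Checking the leading bytes rather
# than the file name catches a "photo.jpg" attachment that is really an .exe.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")   # PE/DOS executable, ELF, shebang script
# Names Windows runs on double-click even when the bytes are plain text.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta")
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # never inflate more than this (zip bombs)
MAX_NESTING = 3                        # zip-inside-zip levels we are willing to open


def looks_executable(name, data):
    """True if this attachment would run as a program when opened."""
    return data.startswith(EXECUTABLE_MAGIC) or (name or "").lower().endswith(EXECUTABLE_SUFFIXES)


def inspect_zip(data, depth=0):
    """Reasons an archive must be treated as executable content: executable
    members, plus members that cannot be inspected at all."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive is corrupt or truncated; cannot inspect"]
    reasons = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # general-purpose bit 0: member is encrypted
                reasons.append(f"{info.filename}: encrypted member; cannot inspect")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{info.filename}: too large to inspect")
                continue
            member = archive.read(info)
            if not member.startswith(ZIP_MAGIC):
                if looks_executable(info.filename, member):
                    reasons.append(f"{info.filename}: executable inside archive")
            elif depth + 1 >= MAX_NESTING:
                reasons.append(f"{info.filename}: nested too deeply; cannot inspect")
            else:
                reasons.extend(f"{info.filename}/{r}" for r in inspect_zip(member, depth + 1))
    return reasons


def classify_message(raw, expected_senders):
    """Return ('accept' or 'quarantine', reasons) for one raw RFC 5322 message.
    expected_senders: lower-case addresses the recipient expects executable
    content from (a hypothetical policy input for this example)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):
            reasons.extend(f"{name}/{r}" for r in inspect_zip(data))
        elif looks_executable(name, data):
            reasons.append(f"{name}: executable content")
    if not reasons:
        return "accept", []
    # Known and expected sender: deliver, but keep the reasons for the audit log.
    return ("accept" if sender in expected_senders else "quarantine"), reasons


# ---- constructed sample traffic (not real captures) ----
def build_message(sender, attachments):
    """Raw message carrying [(filename, bytes)] as attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "recipient@example.net", "see attached"
    msg.set_content("Please look at the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def zipped(members):
    """Bytes of a zip archive holding [(name, bytes)]."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"    # stands in for a real .exe
FAKE_PDF = b"%PDF-1.4\n% constructed sample document\n"
EXPECTED = {"builds@example.com"}                 # hypothetical allowlist

if __name__ == "__main__":
    print(classify_message(build_message("anyone@example.org", [("report.pdf", FAKE_PDF)]), EXPECTED))
    print(classify_message(build_message("anyone@example.org", [("report.zip", zipped([("report.exe", FAKE_PE)]))]), EXPECTED))
    print(classify_message(build_message("builds@example.com", [("nightly.zip", zipped([("tool.exe", FAKE_PE)]))]), EXPECTED))
```

Three things the prose glosses over show up as soon as you write it down. First, the decision has to be made on the bytes, not the file name, or the renamed-.scr trick walks straight past it; and it has to be made inside the archive too, otherwise zipping changes nothing except which scanner sees the file. Second, an archive the gateway cannot open (encrypted, corrupt, nested too deep, or too big to inflate safely) has to be treated as executable content rather than waved through, because “could not inspect” is exactly what an attacker will aim for. Third, “people I know” is only as strong as the From header, and worms of this era forge it freely, so in practice an expected sender needs to mean one whose mail is authenticated, not merely one whose address appears in the header.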

Homeland Virus Alerts – What Happened?

The big anti-virus vendors often stand accused (rightly) of exaggerating the danger and impact of viruses; Not surprising they do that, they make money out of protecting people from viruses. But why would the U.S. government do it?

Here’s a great piece by Mary Landesman of about.com complaining about US-CERT, a newly formed partnership between the U.S. Department of Homeland Security’s National Cyber Security Division and the CERT Coordination Center (CERT/CC) run by Carnegie Mellon University. After quoting their blurb — “We have taken great care to be accurate, fair, and honest about the security risks you face, and we feel a tremendous professional obligation to bring you the best, most trustworthy advice we can to help you protect your systems” — she then quotes their first alert (TA04-028A), which was sent out twice: “MyDoom.B Rapidly Spreading”.

Er, no. MyDoom.A — the original version — was big. MyDoom.B, in her words, is “barely a blip on the radar”. Here’s the data so far:

  • Sophos: er, one copy.
  • Messagelabs: er, 7 copies.
  • Trend Micro: er, 1 copy.

You get the idea. MyDoom.A was big. MyDoom.B is not. So what went wrong? Well, it’s early days, so perhaps we can put it down to teething troubles. But it’s not that simple. What I find a bit disturbing is that US-CERT, it appears, have not so much corrected their error as pretended it never happened. The original, incorrect, alerts can only be found on other sites (Google search); only an ‘updated’ version (without the ‘rapidly spreading’ bit) can be found on US-CERT. Good that they’ve realised their error, but they don’t seem to be acknowledging it: The revision history for this report refers only to a version on Feb 2 that “Updated hosts file and www.microsoft.com information, changed heading formats”. Nothing about “removing misleading and horribly incorrect information about spread of virus”. From where I’m sitting (and I may be wrong here), this looks like someone has tried to forget the original reports ever existed.

There are, quite obviously, a few problems with this. What happens to all those folk who have acted on the original reports? I can see it posted at more than 300 sites, where presumably people are cowering under their desks, switching off computers, and wearing gas-masks. How are these people going to know the original report was wrong if you pretend it never existed?

It’s all about credibility. Commercial anti-virus firms do a good job of analysing viruses and a slightly less good job of quickly updating your software so you don’t get infected. They also try to give an accurate idea of how far and how fast the virus is spreading. But do we believe them when they put out press releases saying how much damage viruses cost? Not usually, because we know these folk make money based on how big the problem is. The whole point of something like US-CERT is to bring some impartiality to the scene. But that’s not going to work if a) the original reports are horribly wrong and b) the error is compounded by not ‘fessing up to it and letting people know what you’ve corrected.

I’ve sought clarification from US-CERT.

What Is This Virus REALLY All About?

Further to my outburst about how network administrators and anti-virus companies may be making the whole MyDoom thing worse, here’s a similar take, albeit more detailed and informed than mine, from Attrition.org. The message: Treat all emails ‘notifying’ you that you have a virus as spam and inform the administrator/company/ISP accordingly. Thanks to the excellent TechDirt for pointing this one out. CNET have a similar report as does The Register.

My tuppennies’ worth? Sue anybody who accuses you of harbouring a virus. It’s defamation pure and simple.

Some other tidbits about the virus: It seemed to have originated in Russia, and may not actually contain an attack on SCO.com, so there’s a strong school of thought growing that all that SCO/Linux stuff is a ruse, and that the real purpose is a good old fashioned Mafia-originating password-stealing scam. If so, it’s reassuring to know that a) the open source crowd haven’t gone bad and b) it’s still just about da money. Slashdotters discuss the matter here.

That said, there’s a lot about MyDoom we don’t know, and writing it off as a variation of earlier worms I think misses the point. Viruses may often be built on old ones, but it doesn’t mean they do the same thing. Microsoft Monitor calls it “one of the more sophisticated viruses in recent memory” and says antivirus companies are only starting to learn about what it may do.