Archive for November, 2010

Stuxnet: and The Truth Shall Set You Free

November 13, 2010 Leave a comment

A recent post on Symantec’s security Blog revealed a very crucial piece of information about Stuxnet, The information should definitely stop who ever is denying the fact that Stuxnet is a state sponsored “sabotage-ware” targeting a very special someone.

Symantec with the help of a Dutch Profibus expert can now prove that Stuxnet is looking for two specific Frequency converter drives one made by (Fararo Paya) of Iran and the other is (Vacon) of Finland.



Quote from Symantec’s blog: “Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.”

“However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.”

and then they add: “Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz, before Stuxnet modifies their behavior. Relative to the typical uses of frequency converter drives, these frequencies are considered very high-speed and now limit the potential speculated targets of Stuxnet. We are not experts in industrial control systems and do not know all the possible applications at these speeds, but for example, a conveyor belt in a retail packaging facility is unlikely to be the target. Also, efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment. We would be interested in hearing what other applications use frequency converter drives at these frequencies.”

So FACTs so far are the following:

– We are now able to describe the purpose of all of Stuxnet’s code.

– Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries. ( In other words countries under international sanctions ).

– Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. (According to the US nuclear Commission – more than 600 Hz can be used in Uranium enrichment)

-While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications. (Nuclear Applications is one of them).

-Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process. (Sabotage is the purpose)

– Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities. (The Special Someone Speaks Iranian)

The original Symantec Blog post HERE

Siemens Official Communication Slides on Stuxnet – Pulled Offline

November 7, 2010 1 comment

CERT Finland took offline the original set of slides , But here is a copy

The_Stuxnet_Malware – Siemens Slides

© Siemens AG 2010. All Rights Reserved.

Siemens Official Slides on Stuxnet

November 4, 2010 1 comment

A couple of days ago Siemens Internal CERT released some slides about Stuxnet as a form of “Official Communication” within their constituents.

Siemens Stuxnet Slides

Siemens Stuxnet Slides

In the official slides (Here) , Siemens confirmed that its a targeted attack by using terms like “targeting a very specific configuration, certain PLC blocks and specific processes or (project)“. These bold statements simply means that Stuxnet makers had (one target) in mind, and this should eliminate any theory out there denying that its a state sponsored malware.

The slides confirmed that the malware is capable of transferring data outside of the infected system back to the command and control servers, yet nothing has been proven specially that the two C&C servers ( • www[.]mypremierfutbol[.]com • www[.]todaysfutbol[.]com ) were brought down by Symantec.

Then the slides claim that all known infections are now clean and zero plant damages reported. yet they didn’t specify their definition of “damage”, is it seeing the plant up in flames or few bytes of data going out ?

The slides go on listing the great deeds of siemens since the discovery of the malware : “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. isn’t this what they are paid to do ?

What really got on my nerves was their genius conclusion that future infections are “Unlikely” , and that is because the malware pattern is now detected by up to date Anti Virus programs. Eureka !!

Yes, future “Stuxnet” infections might be unlikely, but this is certainly not the end of this type of attacks as long as top vendors like Siemens still use “Hard coded & publicly available” passwords on critical systems in the year 2010 and dont even admit that this is the REAL problem.

Another statement that also reflects severe undermining of the terms “due diligence, and responsibility ” is a question they highlighted in yellow : “Has the customer done all he can ? “.

Imagine a car manufacturing company that sold you a very expensive car, supposedly equipped with a seatbelt, then you run into an invisible wall that someone deliberately put in front of you and built it in a very special way, using specific materials that takes advantage of known and published weaknesses in your seatbelt buckle lock design. Imagine yourself sitting in the hospital wondering how on earth you gonna fix this messed-up face of yours, then the car makers dudes comes up and tell you that its partially your fault for not trying to do all you can, perhaps you could have tried holding the buckle with your teeth !

Interesting Post about Stuxnet

November 1, 2010 1 comment

An Interesting post, found on a Stuxnet discussion thread – Tweeted by mikkohypponen

Stuxnet Post

Stuxnet Post