G
Guest
Guest
Bloomberg
A computer worm that has infected industrial computers around the world may be part of a campaign targeting nuclear installations in Iran, computer-security researchers said.
The highest concentration of affected systems -- almost 60 percent -- is in Iran, according to data from Symantec Corp., the maker of computer-security software based in Mountain View, California. The Stuxnet worm’s origins and purpose aren’t fully known, according to both Symantec and Frank Rieger, chief technology officer at GSMK, a maker of encrypted mobile phones.
The level of sophistication in the worm’s programming and its ability to hide itself suggest it may have been built by a government-sponsored organization in a country such as the U.S. or Israel, Rieger said.
He estimates that building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.
“All the details so far to me scream that this was created by a nation-state,” Rieger said in a telephone interview. Iran’s nuclear facilities may have been targets, said Rieger and Richard Falkenrath, principal at the Chertoff Group, a Washington-based security advisory firm.
Iran, which has the world’s second-largest oil reserves, is under United Nations sanctions because it refuses to curtail uranium enrichment and the development of ballistic missiles that might carry a weapon. The country started a 1,000-megawatt nuclear-power reactor near the southern city of Bushehr in August.
‘Hides in Windows’
“It is theoretically possible that the U.S. government did this,” Falkenrath said during an interview today with Bloomberg Television. “But in my judgment, that’s a very remote possibility. It’s more likely that Israel did it.”
A message left at the Israeli embassy’s press office wasn’t immediately returned.
The worm initially infects computers running several editions of Microsoft Corp.’s Windows, including older versions such as Windows 2000, and recent ones such as Windows 7, using one of four vulnerabilities known only to the worm’s creators, said Liam O Murchu, manager of North American security-response operations for Symantec.
“It hides in Windows and then tries to spread itself to other computers running Windows,” O Murchu said. An infected computer shows no ill side effects and the worm ensures that no software running on the computer crashes, which is unusual, he said.
Specific System
As it spreads, the worm searches for connections to a device known as a programmable logic controller, which helps link Windows computers and computerized industrial control systems, converting commands sent from the Windows machine into a format the industrial machines can understand. The worm targets industrial software made by Munich-based Siemens AG, researchers said.
Once an industrial machine is infected, the worm lies dormant until certain conditions in the machine are met, O Murchu said. For example, when the temperature of a certain component gets hot, the worm might prevent a cooling system from functioning. What conditions the worm waits for are unclear, he said.
‘It was designed to go after a specific system set up in a very specific way,” O Murchu said. “What we don’t yet know is where such a system exists in the real world.”
Siemens’ Software Fix
Symantec estimated in July that 14,000 individual computers connected to the Internet worldwide had shown signs of Stuxnet infections. The highest concentration -- 59 percent -- were in Iran; 18 percent were in Indonesia; 8 percent in India and less than 2 percent in the U.S.
Siemens learned of the worm the same month and within a week, issued software to detect and remove it, said Alexander Machowetz, a company spokesman in Erlangen, Germany. The fix was downloaded 12,000 times, and 15 customers said they were affected.
No new cases of Stuxnet infections have been reported since the end of August, and Siemens was not able to determine the worm’s country of origin, Machowetz said.
Microsoft teamed up with researchers at Symantec and at Kasperksy Lab, a Moscow-based antivirus software firm, to create a removal tool for Stuxnet, Jerry Bryant, group manager for the Redmond, Washington-based company’s response communications, said in a company blog post dated Sept. 13. Since then “the threat has gone way down from the spike we saw in early August,” Bryant wrote.
Government Cyber Attacks
Symantec plans to publish more details from its analysis of the worm on Sept. 29.
There is historical precedent for cyber attacks by nation- states, according to a 2004 book by a former U.S. Air Force secretary.
Spies working for the U.S. Central Intelligence Agency inserted malicious software into computer-control systems for a Soviet natural-gas pipeline in Siberia, Thomas C. Reed wrote in “At The Abyss: An Insider’s History Of The Cold War.”
Ultimately the effort caused a massive explosion, said Reed, who was Air Force Secretary in the 1970s and later advised President Ronald Reagan on national security policy.
http://www.bloomberg.com/news/2010-09-24...rcher-says.html
A computer worm that has infected industrial computers around the world may be part of a campaign targeting nuclear installations in Iran, computer-security researchers said.
The highest concentration of affected systems -- almost 60 percent -- is in Iran, according to data from Symantec Corp., the maker of computer-security software based in Mountain View, California. The Stuxnet worm’s origins and purpose aren’t fully known, according to both Symantec and Frank Rieger, chief technology officer at GSMK, a maker of encrypted mobile phones.
The level of sophistication in the worm’s programming and its ability to hide itself suggest it may have been built by a government-sponsored organization in a country such as the U.S. or Israel, Rieger said.
He estimates that building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.
“All the details so far to me scream that this was created by a nation-state,” Rieger said in a telephone interview. Iran’s nuclear facilities may have been targets, said Rieger and Richard Falkenrath, principal at the Chertoff Group, a Washington-based security advisory firm.
Iran, which has the world’s second-largest oil reserves, is under United Nations sanctions because it refuses to curtail uranium enrichment and the development of ballistic missiles that might carry a weapon. The country started a 1,000-megawatt nuclear-power reactor near the southern city of Bushehr in August.
‘Hides in Windows’
“It is theoretically possible that the U.S. government did this,” Falkenrath said during an interview today with Bloomberg Television. “But in my judgment, that’s a very remote possibility. It’s more likely that Israel did it.”
A message left at the Israeli embassy’s press office wasn’t immediately returned.
The worm initially infects computers running several editions of Microsoft Corp.’s Windows, including older versions such as Windows 2000, and recent ones such as Windows 7, using one of four vulnerabilities known only to the worm’s creators, said Liam O Murchu, manager of North American security-response operations for Symantec.
“It hides in Windows and then tries to spread itself to other computers running Windows,” O Murchu said. An infected computer shows no ill side effects and the worm ensures that no software running on the computer crashes, which is unusual, he said.
Specific System
As it spreads, the worm searches for connections to a device known as a programmable logic controller, which helps link Windows computers and computerized industrial control systems, converting commands sent from the Windows machine into a format the industrial machines can understand. The worm targets industrial software made by Munich-based Siemens AG, researchers said.
Once an industrial machine is infected, the worm lies dormant until certain conditions in the machine are met, O Murchu said. For example, when the temperature of a certain component gets hot, the worm might prevent a cooling system from functioning. What conditions the worm waits for are unclear, he said.
‘It was designed to go after a specific system set up in a very specific way,” O Murchu said. “What we don’t yet know is where such a system exists in the real world.”
Siemens’ Software Fix
Symantec estimated in July that 14,000 individual computers connected to the Internet worldwide had shown signs of Stuxnet infections. The highest concentration -- 59 percent -- were in Iran; 18 percent were in Indonesia; 8 percent in India and less than 2 percent in the U.S.
Siemens learned of the worm the same month and within a week, issued software to detect and remove it, said Alexander Machowetz, a company spokesman in Erlangen, Germany. The fix was downloaded 12,000 times, and 15 customers said they were affected.
No new cases of Stuxnet infections have been reported since the end of August, and Siemens was not able to determine the worm’s country of origin, Machowetz said.
Microsoft teamed up with researchers at Symantec and at Kasperksy Lab, a Moscow-based antivirus software firm, to create a removal tool for Stuxnet, Jerry Bryant, group manager for the Redmond, Washington-based company’s response communications, said in a company blog post dated Sept. 13. Since then “the threat has gone way down from the spike we saw in early August,” Bryant wrote.
Government Cyber Attacks
Symantec plans to publish more details from its analysis of the worm on Sept. 29.
There is historical precedent for cyber attacks by nation- states, according to a 2004 book by a former U.S. Air Force secretary.
Spies working for the U.S. Central Intelligence Agency inserted malicious software into computer-control systems for a Soviet natural-gas pipeline in Siberia, Thomas C. Reed wrote in “At The Abyss: An Insider’s History Of The Cold War.”
Ultimately the effort caused a massive explosion, said Reed, who was Air Force Secretary in the 1970s and later advised President Ronald Reagan on national security policy.
http://www.bloomberg.com/news/2010-09-24...rcher-says.html
