Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from HowStuffWorks.com.

Hello again, everyone, and welcome to TechStuff. My name is Chris Pollette, and I am an editor at HowStuffWorks.com. Sitting across from me, as always, is senior writer Jonathan Strickland. George, you've heard about this virus? Shall I cough on you? George? That was a good one. Yeah, that's from a classic film, definitely. I actually know where that comes from. Oh yeah? Wow, I can't believe you've seen that one. I haven't. I just know where it comes from.

All right, well, we're going to launch directly into a little listener mail. This listener mail comes from Patrick, who says, "Dear TechStuff, I really think an appropriate topic for discussion would be the infamous Stuxnet that has been all over the news these past few months. Thank you, and I hope to hear more from you guys." Well, Patrick, we thought we'd tackle Stuxnet too. We've talked about it a couple of times in other podcasts, just kind of mentioning it offhand, and of course we've done podcasts about viruses and worms before. But Stuxnet is a particularly interesting form of malware. Yes, yes, it is. In fact, it's a worm, and one of the reasons it's so interesting is because it is extremely complex.

It seems to be targeted at a specific purpose, and if not a specific purpose, then a specific location. And no one officially knows where it came from. Somebody knows, but it does also seem to be a state-sponsored virus, or at least some department in some country appears to be responsible for it, based upon the various investigations that have gone on since the discovery of Stuxnet. Yeah. Now, it's important to note that we have to be careful when we talk about that, because we don't know for sure. And as we have mentioned many times before, probably most notably in our discussions of the hacking of Google and China, it is possible to make an attack look like it came from someone it didn't, and that will come up later in our discussion too. But, you know, it appears that way, but there's really no way to tell for sure. And we've had some very dedicated computer security experts looking into this. So some seriously talented people have been evaluating the Stuxnet worm and have been unable to determine that for sure. So, should we start? This really all started back in 2009, as far as we know. Yes, yes. So let's give a brief overview of what Stuxnet
is and what it's meant to do. So Stuxnet is a worm, a Windows-based worm. This is not one that targets Linux, it doesn't target Mac OS; it targets machines running various forms of the Windows operating system. And as far as we are able to determine by the time of this recording, it originally spread through USB sticks or USB drives. Yes, it is not propagated primarily over the Internet, right, and the reason for that is that the intended target of Stuxnet tends to be disconnected from the Internet, so you can't target it from the Internet. That specific target is, well, Stuxnet is able to attack factory systems. Yes, it actually targets a series of vulnerabilities in the Windows operating system, which I understand have been patched at this time. At the time the Stuxnet virus was written, or the original one was written, it was aimed at several vulnerabilities and used those vulnerabilities to get at industrial control systems for gas pipelines and power plants, right, and aimed at very specific hardware connected to Windows networks.

And in fact the ultimate target for this turned out to be some centrifuges in Iranian nuclear facilities. So these were centrifuges that were designed to process uranium, and the idea here apparently was to infect systems so that an outside controller could gain access to the systems and overload them in such a way as to cause possibly irreparable damage to the facilities. Now, as it turns out, that does not seem to have happened. It doesn't look like the damage was as devastating as it could have been, and there are some interesting explanations for why that is, one of which is that some security experts have said Stuxnet is kind of like a double-layer worm, the core of which is incredibly complex, one of the most sophisticated worms possible, but the outer layer of which is less complex. And because of the reduced complexity, this is the layer that's specifically designed to help hide Stuxnet from prying eyes and discovery. Because it was less sophisticated, it was not as difficult to discover, although it took an entire year before anyone saw it. It's not so hard to discover that it is impossible to weed it out. So if the outer layer had been as sophisticated as the inner layer, it may even be that we still would not know what Stuxnet is.

So, infecting: the idea here is that you send in some sort of infected USB media, whether that's a USB stick or an external drive or some other device that could contain the Stuxnet code, connected to a computer that's within this network that's not necessarily connected to the Internet, or maybe there are a couple of machines on the periphery that are connected to the Internet, but the main machines aren't. You infect the machine within that network, then the worm spreads inside that network until it hits those critical systems that are connected to the factory environment. Right. Now, I read an interview with security expert Ralf Langner, who spoke with Elinor Mills of CNET, and Langner said a good way to get this virus in place would be to infect one of the contractors who worked with these power systems. So a contractor, in this case a trusted business partner: "Hey, can you come in and fix this machine?" So if you can infect somebody else, their machines or a USB drive, and have them take the virus in on foot with a USB stick and put it on a computer inside the power plant, then this person who already had clearance, you know, you don't have to worry about getting it into the impregnable. You don't have to do the hard, impossible type thing to get in there and plant this stuff.
You can use a lower point of security for that. And the reason he thinks that, sorry to interrupt, the reason he thinks that, based on my readings of his theory, is that there were other countries that were infected too, including Indonesia, India, and Pakistan, who all used this one same contractor, a Russian contractor who worked on the Bushehr nuclear power plant in Iran. So the same contractor worked at all those places, and Stuxnet surfaced in all those locations. So I think, based on that, you've got, yeah, I mean, that's a logical idea. Yeah. So I think, based on that information, he said, well, you know what, I bet that's how they did it.

And the goal here is that at least one of those machines within that network has to have some sort of connection to the Internet. If it doesn't, then you cannot control it from outside the network. You cannot control what's going on inside the factory. But in general, the factory systems themselves are not connected to the Internet. There's a gap there; it's air-gapped, that's what it's often called. But as long as you can get control of the network that is, in turn, connected to the factory systems, you have the opportunity to infect them. And what's interesting is that the original version of Stuxnet required the use of AutoRun to initiate itself, but you can turn AutoRun off on your machine. So if you, let's say, work for a facility where security is a major concern, you may have a policy that AutoRun must be disabled, so that no malware that uses AutoRun would automatically upload itself to your system. Well, the next generation of Stuxnet, which, by the way, the first two generations of Stuxnet were deployed before we ever knew that they existed. Well, anyone not connected to the scheme had no idea they existed.
We didn't know they existed until it first showed up in July. But they think it could have been out in the wild and looking for targets as, or I shouldn't say that, because we were just saying that it doesn't spread over the Internet. It was available and ready to go possibly even a year earlier, but they don't know for sure. Well, essentially a full year had passed between when it had been first deployed and when it was first discovered. That's true. Yeah, they first spotted it in the summer of 2009. Well, the later generations used a vulnerability in LNK which allows the exploit to essentially install itself. Basically, what happens is you plug your USB stick that happens to be infected with the Stuxnet virus into your computer, and then you decide to use Explorer to look at what is on that memory stick. Just by using Explorer to open up the memory stick, that's all it takes for Stuxnet to then infect that computer.

Now, your basic computer, like you guys out there who are using your computers, Stuxnet would not do anything to your machine. You're not being spied on, your computer is not gonna start acting weird. The whole purpose of Stuxnet is to affect these factory systems, not individual users' computers. Yes, and in fact it's looking specifically for Siemens SIMATIC WinCC Step 7 software. And most of us don't have that. No, I don't have it on my Windows installations. No, it's not even in Minecraft. So yeah, if you don't have that, then it's not going to target you. But if you are running a very large system like a water facility, power facility, nuclear power facility, which of course was the main target, then you'd have to be concerned about this.

And the other part of this that was really interesting is that, like Chris said, it targeted several vulnerabilities, not just one. Right. Your typical virus or worm, especially if it's developed by someone who just, you know, knows enough to get into trouble but not enough to make a really sophisticated tool, those tend to target a single vulnerability, but Stuxnet was much more sophisticated, and it used a series of vulnerabilities to spread itself. One of the other reasons why it was able to install itself without checking for a certificate is because it stole certificates. Yes. And that's another interesting point too, because originally it had used an official certificate, yes, that had been stolen, and they revoked that certificate, and it surfaced very shortly thereafter with another. Yes, exactly, so it appears to be completely legit. And the two certificates came from two companies that exist within a few miles of each other in Taiwan. Interesting. Yeah, interesting, huh. So that suggests that someone, maybe another contractor, was specifically stealing electronic certificates from companies in order to mask this stuff. And that's the thing: if you've told your computer, or if your network administrator has told all the computers, to trust software that comes from a particular source and it bears that certificate, then there's no reason for the computer to say, "Hey, I see you're trying to upload Stuxnet. Are you sure you want to continue?" Thanks, Clippy. "I see you're trying to bring down the system from within. Do you need help with that?" And when I'm trying to think of something to say, don't, sorry.

Now, it's funny that you mentioned the Taiwanese connection, because when Stuxnet is in operation, it actually tries to make contact with two control servers, in Malaysia and in Denmark, and it does use a peer-to-peer scheme to compare versions of itself and update to the most recent version. So it is checking. It may not necessarily have an Internet connection, but if it can find other versions of itself on the intranet where it is located, it will try. The different versions will try to update themselves to the most current version to take advantage of any vulnerabilities that might be available to it. And this is, I mean, it's really fascinating stuff. I also read another article with security expert Bruce Schneier, who some of you might have heard of. Actually, he's a pretty outspoken guy. You know, information suggests that it may have infected as many as a hundred thousand or even more computers worldwide, but about six that was in Iran, which suggests that Iran was in fact the target, and specifically, Ralf Langner and his partners at his firm had found data structures in the Natanz facility in Iran that specifically matched the Stuxnet code. So it is possible that it was aimed at that particular facility, and, you know, in particular, that was totally redundant and repetitive. But let me reiterate, there were several articles. The Telegraph and the New York Times have published articles that suggest that that facility in particular was the target.

And the idea here is that it was an effort to disrupt Iran's nuclear program, and, like I said, the idea was that you would make the centrifuges that are processing the uranium in these facilities spin too fast and essentially break them. And what's really fascinating to me is that Stuxnet wasn't just designed to go there and immediately ramp everything up. It actually would analyze the operations of the facility for several days, for two reasons. One, to determine what would be the most disruptive course of action. So, in other words, if the centrifuges are turning at a certain number of revolutions per second, how many more does it need for it to be the perfect amount to be disastrous without immediately setting off all the alarms. The second reason it was observing for several days was to create a kind of partitioned system, so that when people are looking at their monitors and are trying to upload code to fix the problem, it's all segregated from those factory systems. So if you're an engineer looking at your screen trying to fix the problem, what you see looks like the problem's fixed, that the code you've uploaded has gone in and been incorporated and that's taken care of the problem. But in reality, those centrifuges are still spinning like crazy. And that was the really clever thing. It's the idea that you pull this mask down, you shield what's really happening, and all the monitoring systems don't show that anything's going wrong at all.
That's pretty devious, and that was another reason why security experts call this a very sophisticated attack, because it wasn't just that it was able to infect systems efficiently; it was able to mask that infection somewhat. And it also involved a rootkit, so if you've listened to our rootkit podcast, there was a rootkit element to this as well. And yeah, I thought that was a pretty neat idea.

And a lot of the attribution for this, as we said, we still don't know for sure who did it, no, right, but if you do research on it and you start looking around at articles that were published this year, you'll see that there are some common elements popping up: that at least one Western power was involved in this, and that Israel was involved in it. Yes, a lot of fingers initially pointed to the United States government, which is still a possibility, as is the British government. Bruce Schneier said that he thinks that around eight to ten people spent about six months, maybe a little longer, on creating this, and, you know, they think that Israel, as mentioned, I read one article from Schneier that suggested it had a number of references in it. There are bits of code that have dates in them that appeared to be, yes, important dates in the Iranian-Israeli relationship, and in an incredibly negative way. We're talking like dates of assassinations and things like that. Some people have said that they just happened to be the code that you needed to get that done, the particular function in the software done, and it just so happened to end up like that, which is possible, which is completely possible. If you've ever seen any of those theories, any numerology theory where they say this number is significant because blah blah blah, a lot of that ends up being confirmation bias, which is a logical fallacy. That's when you look at something and you count all the hits and you ignore all the misses. So it's possible that this is another case of that. So we have to keep that in mind too. Yeah, I don't suggest ignoring the Misses, because she's going to get really angry with you. Well, she's gonna be gone for a week, so I can't really pay attention to her anyway.

Joking aside, though, I have a quote from Schneier, who said, quote, "Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done," end quote. So it's a professional job. It's not something that script kiddies, which are, you know, hackers who do this for the fun of hacking and not for a monetary purpose or for bringing down governments, or, you know, the high-level hacking people are doing it for fun. You know, this is not a casual hacking project. This is something serious. The amount of code was something like 1.5 megabytes, which is actually huge for a worm. Yeah, because worms and viruses tend to be very tiny bits of code, just like you can imagine a virus, you know, a virus that can affect an organism, is very tiny. Well, typically your viruses that affect computers tend to be tiny too. They might be a tiny part of a larger program, but the larger program is just an infection method. It's not actually part of the virus or worm necessarily.

Another article I saw that may point to Israel as being a potential source for this attack, and again we don't know for sure, was in the New York Times. It published on January 15th, and it's called "Israeli Test on Worm Called Crucial in Iran Nuclear Delay." And in this article, the writers state that Israel has this nuclear facility in Dimona, and that one of those facilities is designed to be essentially a copy of the main target in Iran. Right, I remember that article. And the idea here is that just because you create something that can infect a factory system doesn't mean that you can really wreak havoc, because you need to know how the machines within that facility work.
So in this case, we're talking about the centrifuges. So they had a facility using the same centrifuge technology that the Iranian facility was using, so that, in theory, they could test the Stuxnet worm out to make sure that it would be effective and that they could indeed control these centrifuges from a remote location. Now granted, these are all allegations and theories. Well, I think, if I'm not mistaken, that's the article by William J. Broad, John Markoff, and David E. Sanger. And yeah, they added that Siemens, remember I said that it was a specific Siemens controller and software that it targets, Siemens had cooperated with the United States government on some research on that kind of equipment, on the equipment used in the Iranian nuclear program. So that just adds fuel to the fire. Now, I mean, again, this could all be coincidence. These things happen. Siemens makes a lot of different kinds of industrial equipment that's used all over the world. So, you know, I don't think that's anything that is a definitive finger pointing at the United States government being involved in that.

And personally, if it were me and I were trying to do something like this, I wouldn't want anything that even revealed this. In fact, I would want to obfuscate. I would try to cover up or maybe point the finger at someone else, which is why I agree with the people who say that those little hints that might be in the code that seemed to point to Israel, if I were trying to blame somebody, I would try to blame somebody that would be an obvious target for that kind of attention, and Israel would be obviously interested in discontinuing Iran's nuclear program. So if I were, you know, Antarctica, I picked that because it's not a government that's likely to do that, and it's run by penguins. But penguins are very much anti-nuke. They are, so yeah. I mean, if another country wanted to disable that, and I were running that country, I would say, let's point the finger at someone else, throw some red herrings in the code to make it look like it's these guys over here and not me. So I wouldn't be a bit surprised. I can't imagine that you would want, in something this sophisticated, why would you want anything that would attract attention to yourself as the creator of this worm? Why would you create a system that could, in theory, reset itself at the year two thousand? Well, I'm just saying sometimes people aren't as smart as we give them credit for. So, yeah, I totally agree that your argument is valid. I mean, we cannot leap to the conclusion that this is necessarily the source of the attack. Yeah. And I don't mean to sound like I've reached conclusions. It just seems illogical to me to point the finger at yourself. I think that, if anything, that's probably code that needed to be there in order to make the software work, rather than hints to that. So I actually think it's all due to aliens and Roswell. That's who did it, and they got so ticked off. What happened was they finally got Independence Day and they said, what, taking us down with a virus written on an Apple computer? No less, we'll show you, an Apple computer from the dark ages of Apple computers too.

So maybe we should talk about the fact that you may have heard on the news about hackers releasing a decrypted version of Stuxnet code. Okay, that happened. Okay, I hadn't realized that. The only other thing I was going to add was that Stuxnet is designed to become inactive on June. Yes, it actually does have an expiration date, which is kind of funny. So if you try the Stuxnet after that point, it may make you a little sick to your stomach. Right. So, as you may have heard, again, like I said, hackers have released this decrypted code, which, on its surface, if that's all you hear, you think, wow, that's scary, because now this incredibly sophisticated weapon that was designed by people who apparently really knew what they were doing has just been distributed around the world for free, and now we're gonna see chaos reign. Well, there are a couple of things you need to keep in mind. One is that a lot of the vulnerabilities that Stuxnet initially targeted have been patched since then. I read that all of them have been. Have they? Okay. So yeah, the latest information I had was a couple of months old, and at the time when it was written, there was still one remaining to be patched. But I would imagine by this time that has happened. Well, frankly,
another indication that this is written by somebody very sophisticated is, as one of the security researchers points out, vulnerabilities are something that true hackers prize. Once you have a hole in the code that you know about and that hasn't been patched yet, that's your ticket to generating a successful attack. And the fact that they had multiple vulnerabilities targeted sort of suggests that these people were not fooling around. So yeah, I mean, we're talking several opportunities to make a dent in the nuclear program of Iran.

So, well, getting back to the hackers just really briefly, first of all, can you take a wild guess at the name of the group of hackers that stole this information? Does it start with an A? It does. Does it end with... Anonymous? Yes, it does. So it's the group Anonymous, the group that, you know, has some connections to other Internet websites, things like 4chan. But Anonymous has sort of become like Internet vigilantes, and they banded together and they enact what they see as virtual justice on targets that they perceive as being antithetical to the values they hold. So, for example, when WikiLeaks was under fire and was starting to get support yanked out from under it, financial support from various companies, then Anonymous began to target those companies and really hit them hard. Well, in this case, they targeted a security company called HBGary, and they stole a decrypted version of the Stuxnet virus. Now, this means that you could actually study the Stuxnet virus. It's not the kind of version of the virus where you would be able to actually infect a computer. It's more so that you can study it and see how it took advantage of these vulnerabilities, and it was really meant for academic purposes, and HBGary actually points out, the company points out, that if you want a truly dangerous version of Stuxnet, it's already out there. You don't have to steal it from a security company. You just have to find a computer infected with it, and then you reverse-engineer it. You get the binary code, you get the raw code for Stuxnet; you don't get a translated version. So you may have heard about this Anonymous attack. It's definitely an embarrassing story for HBGary, because it's a computer security firm and they had their system compromised. So that's part of it. That's the real big part of the story, the fact that something that was on their systems, Anonymous was able to get access to it and spread it around the world. But the actual version of Stuxnet that Anonymous distributed was not the kind that's going to plunge the world into some sort of virtual warfare. Now, we're probably seeing the end of Stuxnet's true effectiveness in the field,
as long as companies realize the dangers of Stuxnet and they update their systems, you know, they make sure they have the latest security patches that plug those holes that Stuxnet took advantage of. So, I mean, there are definitely some measures these companies and governments have to take in order to remain safe. It's not like you automatically become safe just because this hole was patched. You have to install the patch, right. But Stuxnet is probably starting to wind down for the most part, just because everyone's aware of it. However, it probably also marks the beginning of some serious cyber warfare stuff that goes beyond the level of a small group of hackers who share a particular philosophy and all aim their efforts at a single target. This may be the mark of some pretty serious warfare tactics, not out-and-out warfare either, but, you know, subversion tactics to really take advantage of and cripple companies' or countries' infrastructures.

Well, it is interesting too that something that appears to have been so targeted for a specific purpose did leak over and damage other systems too. I mean, there is the possibility, I read, that India's INSAT-4B, which failed in July, may have been due to a Stuxnet infection, and, you know, it did spread around the world, so it is possible that it caused a lot of collateral damage in the process of taking out its original target. And their estimates do suggest that Iran's nuclear program has been set back for years as a result of the Stuxnet infection. It's interesting, assuming that it was the intended target, which it seems to have been. Right, it all depends on the source you look at, because I looked at several, and there were some sources that said, yeah, this problem has really set the Iranian program back by a few years, but that all seemed to be statements from other governments' representatives, whereas I also saw claims that said that Iran managed to produce the same amount of uranium, essentially weapons-grade uranium, by the end of the year as it had the year previous. And so it didn't ramp up production. Production had not increased year over year, but it hadn't set it back to the point where it was making less than it had before. So that suggests that, you know, any setbacks that Iran encountered were temporary in nature. So it all depends on who you ask and, you know, who you believe. And it may be difficult to know, because Iran is not known for being completely transparent with its nuclear program, and other governments aren't known for, you know, shooting straight when talking about that. It may pay politically to underplay something. So what's the truth? Difficult to know, but it is.

It is a fascinating subject. Yes, I mean, just because we've talked about viruses and worms and all kinds of other malware, and this is a different kind of malware. Yeah, and we may see more attempts at that, hackers trying to take advantage of multiple vulnerabilities within the same operating system environment, just because it's been proven to be really effective. You know, using that multi-pronged attack means that your attack is gonna be much more efficient and it's gonna be harder to prevent just through a single patch. So yeah, that's kind of scary. Fortunately, like I said, the Stuxnet virus itself is not going to directly impact you unless the worst should happen.
Let's hope that doesn't come to pass. And again, this is a reminder always to patch your computer with the latest security updates, no matter what operating system you're running, and back up your hard drive, because eventually something will come after you. Right. Yeah, like my wife. See, that's what happens. Yeah, she'll come back. I would ignore the Misses... a woman scorned. All right, so we're gonna wrap this up, guys. If you have any other questions about Stuxnet, or you have any topic suggestions you would like to shoot us, let us know on Twitter and Facebook; the handle is TechStuffHSW, or you can email us, and that email address is techstuff@howstuffworks.com, and Chris and I will talk to you again really soon.

For more on this and thousands of other topics, visit howstuffworks.com. To learn more about the podcast, click on the podcast icon in the upper right corner of our homepage. The HowStuffWorks iPhone app has arrived. Download it today on iTunes.