Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer here at HowStuffWorks. And yeah, I still kind of have a cold. You can kind of hear it. It's not as bad as it was last week when I was recording those earlier episodes, though, so that's something. Uh, since I have a cold, you know, my brain got on this little topic. It's sort of this free-association thing: technology, colds, viruses. How about I talk about a famous virus? So we're going to really dive into the story behind Stuxnet, a famous piece of malware that made headlines, and I've talked about it before on this show. In fact, Chris Pollette and I did an episode about Stuxnet several years ago, but at the time not as much information was available about what was going on.

TechStuff technically launched two years before Stuxnet made headlines, so this is actually an opportunity for me to look back at something that developed over the course of the history of this show and learn more about where it came from, what its purpose was, and how that whole story unfolded. Before I really dive into the story, I want to mention one of the
sources I used when I was researching these two episodes. Uh, this would be a book titled Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. The book goes into great detail regarding the story of Stuxnet. It also gives wonderful background information on the key figures: the cryptography researchers, the cybersecurity researchers, all these people who were very much instrumental in discovering and uncovering Stuxnet and figuring out what it did and who was probably behind it, since that was never something that was officially acknowledged, but come on, we know who it actually was. I'll talk about that in these episodes.

That's a great book. If you want more information about Stuxnet after this episode, go check that out: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. It goes into way more detail than I'm going to cover in these episodes. Now, these episodes are also going to contain a lot of history and politics in them, because Stuxnet, unlike many other examples of malware, was not intended to be a type of, uh, computer virus to create monetary gain for the people who designed it, or even just to make people irritated.

It wasn't that kind of malware. You may have encountered malware that was meant to try and extort money from someone, where it locks down a computer and the only way to get access, at least according to the message you receive, is to pay a ransom to the hackers. We call that ransomware. Stuxnet was not that type of malware. Nor was it just some sort of capricious code that someone created in order to turn computer hard drives into giant concrete blocks. It was neither of those things.
It had a very specific intent, and it was very much, at least all signs pointed to it being, a state-sponsored piece of software, meaning that some government agency or agencies was behind the development of this. So that sets it apart from a lot of other versions of malware. And in order to understand it, I think it's good to begin with a quick history lesson on Iran's nuclear program, because that was the ultimate target of Stuxnet.

Back in the 1950s, Iran, under the leadership of Shah Mohammad Reza Pahlavi, had received the nod from the world community to pursue a nuclear power program. At that same time, nuclear powers like the United States were trying to discourage other nations from developing nuclear weapons. So they were essentially saying, hey, nuclear power, totes cool; nuclear weapons, let's not make this worse, because nuclear proliferation was becoming a big fear among various powers in the world and of course populations in the world. So it was sort of an Atoms for Peace kind of initiative, saying, let's go and develop nuclear power for countries; that's great. That way you can generate electricity, but let's stay away from building the bombs. Iran's program was launched with the understanding that the country was only going to build these power plants, not weaponry, although all indications showed that the long-term plan for Iran was in fact to develop nuclear weapons at some point. As part of this early agreement, the United States would sell to Iran the enriched uranium its power plants would need as fuel, so Iran wouldn't need to create its own uranium enrichment facilities. It would just purchase enriched uranium ready to go from the United States. And in fact, the US, Germany, and France were all totally supportive of Iran's efforts, perhaps because those countries also stood to benefit from it. They were all going to make a boatload of cash by selling equipment and fuel to Iran, so there was a financial incentive to support Iran's efforts to create nuclear power plants.
All of this was despite the fact that the tools used to create nuclear power plants could conceivably be put to use to build nuclear weapons. So you could have someone say, hey, I just need this technology because I want to make a power plant, but in reality they might be using that technology to make boom-booms. So the thing that the United States said that kind of justified their choice to support this program was, hey, the Shah, he's awesome. We get along so well, we're like besties. And so there's no way that Iran, even if they did develop nuclear weapons, would be a threat to us or our allies. So let's go ahead and go all in. Let's go ahead and make some money. Come on, capitalism, woo. It's not like Iran will ever have a problem with the United States. And then 1979 happened. In 1979, the Ayatollah Ruhollah Khomeini overthrew the Shah. Now, Khomeini did not share the Shah's opinion of the United States, and suddenly the US was tugging at its collar and saying yikes. So Germany and the US withdrew their support for Iran's nuclear program, and the Ayatollah Khomeini was not terribly interested in pursuing a nuclear power program either, so the power plants were pretty much abandoned for a few years. They were also the frequent target of bombing raids during various conflicts that Iran got into over the course of the eighties.

Now, that Ayatollah would eventually renew the nuclear program. In the 1980s, after rumors spread that Iraq was developing nuclear weapons, and Saddam Hussein, the leader of Iraq at the time, had already used chemical weapons against Iran during the Iran-Iraq War, the Ayatollah hired on an engineer from Pakistan to help Iran, using plans for centrifuges that the engineer had stolen from European companies. So this engineer had worked on behalf of these European companies and then essentially did a little industrial theft, stealing the plans for centrifuges so that they could create a similar program in nations like Pakistan. This was all happening in secret, obviously, but Iran had gotten word of it, and so they contacted this Pakistani engineer, who agreed to help out Iran. In 1995, Iran entered into a contract with Russia to complete a nuclear power reactor at Bushehr. This site in Iran had been one of the original planned power plants way back in 1957, but the various conflicts between '57 and '95 had delayed and even destroyed the work that had been done on the location.

Iran and Russia were also going to build a uranium enrichment plant kind of co-located with this nuclear power plant, but the United States stepped in and said to Russia, hey, we think that's like a bad idea, man, and Russia eventually said "dah" and backed off. And that was supposedly that, except it totally wasn't just that. In 2000, Iran started building a new facility at Natanz, another site in Iran.
Iranian officials claimed that this facility was a desert eradication location, but satellite imagery eventually showed that something else was up at that site. The design of the facility suggested it was going to house something super secret that was to be protected from missile strikes and air strikes. And the reason they were drawing this conclusion was that Iran was clearly excavating a lot of land, building a large underground facility, something that needed to be, uh, insulated from potential air attack, and the entrance hallway into the facility had a big U-turn in it. It wasn't a straight shot down into the heart of the facility. That U-turn was an indication that perhaps this was a way to avoid a smart missile flying down the entryway and hitting a target. If it had to turn ninety degrees or a hundred and eighty degrees, then chances are no missile would actually be able to do that, and it was thus a tactic to avoid damage in the case of an air strike. But why would you need that for some innocent desert eradication facility? Why would it need to be underground and have these kinds of measures in place? In 2002, some whistleblowers alerted the UN that this facility would actually be a uranium enrichment plant. Now, Iranian officials eventually said, okay, yeah, but we were gonna tell you about it. We just hadn't done that yet because there wasn't really any need to. We're still months away from going online, so it's not like there's any chance that this thing is already producing enriched uranium. We just want to have a facility to create nuclear fuel that we're going to use for our power plants. We want to be self-sufficient, is all. We don't want to have to buy our fuel from other nations.

The UN stepped up inspections of the facility, or at least attempted to, although it initially encountered a lot of resistance from Iran. The UN would say, all right, well, we're ready to come in and investigate this facility, and then the people in Iran would say, sorry, it's not ready yet. Come back next month. And then they would come back next month and say, all right, we're ready to look at the facility, and Iran would say, you know what, we lost the keys, don't know where the keys are. Could you come back maybe another day? And it became increasingly clear, at least to the investigators, that something was up, and that there was a lot of activity going on, perhaps to cover tracks, perhaps to get rid of evidence, although it's impossible to say, because unless you actually are there to witness what is happening, you don't really know, but it seemed to imply that there was something hinky going on. Eventually they were able to set up a regular inspection schedule for this facility, and they were there to make sure that the uranium that was being produced was meant for nuclear power and not nuclear weapons.

And meanwhile, countries like the United States were getting awfully antsy about Iran. On July 6, 2009, WikiLeaks hosted a note written by founder Julian Assange that referenced some sort of serious nuclear accident that had happened at the uranium enrichment facility. Now, this would have been shortly after the Stuxnet virus was initially released, but at this time, no one outside of the people involved in Stuxnet could possibly have known about the virus; it had not become public knowledge yet. In January, a United Nations agency called the International Atomic Energy Agency, or IAEA, began to notice that something unusual was happening to the centrifuges at Iran's Natanz uranium enrichment plant. They saw that there was a failure rate that was unusually high. The agents would inspect the facilities at least once a month, and then occasionally with some surprise inspections, and the whole point was just to make sure that nothing illegal was happening, that Iran was in fact not trying to stockpile enriched uranium in the effort to build bombs. This was an important, uh, thing that the UN was doing, but it also was not the most efficient way of doing it if you wanted to recognize trends, because they would swap out who went to investigate the facility each time. That kind of makes sense. You don't want one group to get compromised in any way or fooled in some way. Sending new people sends new sets of eyes. But it also meant that until you were looking at aggregated data, you could not necessarily see that something unusual was happening. And something unusual was happening, specifically to the centrifuges. Now, to understand that, it also helps to understand what the heck the centrifuges were being used for in the first place, like what is
their purpose in the process of refining uranium. Well, first, nuclear fuel needs to be made up of between three and a half to five percent uranium-235 isotope. So isotopes are two or more forms of the same element, in which the atoms of the different isotopes have a different number of neutrons. Chemically, the two atoms behave the same way, but they'll have different atomic masses because of the difference in neutrons, uh, and they'll have different decay rates and things of that nature as well. So there are three major isotopes of uranium that occur naturally, uh, within the Earth's crust. So if you mine uranium, you're gonna come up with a mixture of different isotopes at different concentrations. Most of it, in fact more than nine… percent of the stuff that occurs naturally, is uranium-238; less than one percent of it is uranium-235; and then you get a teeny tiny bit that's uranium-234. If you want to make nuclear fuel, you need a much higher percentage of uranium-235 than what you find in nature. In nature it's less than a percent, and for fuel you need it to be at least three and a half to five percent.

By the time you're getting into the enrichment process, you need the uranium to be in gas form, so you would get uranium ore, you would refine that down to uranium oxide, and then you would take that to a conversion plant that would take the uranium oxide and turn it into a gas called uranium hexafluoride. This gas has various isotopes of uranium in it. You have both uranium-238 and uranium-235, and you have them in the concentrations you would expect, because it's from the stuff you mined from the ground. You then feed that gas into tubes inside a centrifuge. Centrifuges spin, and they can spin at really high velocities. We're talking tens of thousands of revolutions per minute. Now, when they spin, it separates out the materials of different weight within those tubes. The heavy stuff moves towards the edges of the tubes, the sides of the tubes, and the lighter stuff will move towards the center. So if you spin the centrifuges at the right speed and you then effectively scoop out the middle of the tube, you can separate the uranium-235 from the uranium-238. Now, you actually have to do this in a lot of different stages. You put them through one centrifuge, you do the scooping process, you do it in another centrifuge. You have to do this multiple times in order to really get the right concentrations. Eventually you can do this enough to manufacture the uranium pellets that you would use for nuclear fuel. If you wanted to make a nuclear weapon, you'd follow the same process, but you need way more uranium-235. Nuclear weapons typically have a proportion of … or more uranium-235 in them. Sometimes it's … or greater, so you need a lot more uranium, and then you have to refine a lot of it and enrich a lot of it in order to get to that level of uranium-235. But it is exactly the same process; it's just a matter of more stuff.

Centrifuges, as it turns out, are delicate. The ones that Iran was using were supposed to have a ten-year lifespan, but these are moving pieces of machinery. They have mechanical parts, and they work at high speeds, so eventually they'll fail. They may fail because of mechanical error, human error, all sorts of different stuff could cause them to break down. And because of that, typically in a year you might have to replace about ten percent of the centrifuges you have, even if they're brand new.
But the thing that the IAEA discovered eventually, after they looked at aggregated data, was that the number of centrifuges that they were replacing at this uranium enrichment facility was much higher than that. They had … centrifuges at this point, so you would expect about eight hundred and seventy of them to need to be replaced every year, but apparently the number was actually much higher than that, perhaps as high as two thousand or more, although the actual figures were never published. But the IAEA was keeping track of this stuff. They just didn't notice the trend until they were looking at, again, a sequence of these visits, and then realized, hey, that seems like a pretty high number, to replace that many centrifuges. Wonder what's happening with this? Well, while this was going on, uh, there were other things happening that were indicating that something unusual had been unleashed in the world of computers.

The folks at the IAEA at this point did not suspect any kind of computer virus. They weren't sure what was causing the centrifuges to fail. It could have just been that they were really bad centrifuges, that Iran had purchased them from a bad source, although Iran was stating that they had actually made the whole thing themselves, that the centrifuges were based off their own design, although again the United Nations officials, the investigators, were not buying it. They said, wow, these things look an awful lot like the ones that were being used in Europe a few years ago. In fact, if I didn't know any better, I would say that these were direct copies of that and that they were based off stolen information. But Iran's messaging was that no, these were of our design and we built them. At any rate, the IAEA wasn't sure why these centrifuges were starting to fail.

At that same time, or actually a little bit later, in June, there was a cybersecurity professional named Sergey Ulasen in Belarus who was investigating some really weird computer behavior that had been reported on an Iranian computer. The computer in question was caught in an endless crash-and-reboot cycle, and they weren't really sure what was causing it. The culprit looked like it might have been the antivirus software that was on the computer, that something was not compatible, and the antivirus software came from the company that, uh, Sergey Ulasen was working for. He was working for this company called VirusBlokAda. The Iranian computer had that antivirus program on it. It was purchased originally from a reseller, so it wasn't purchased directly from the Belarus company, but rather from an Iranian company that had the right to resell this antivirus software, and originally the person who owned the computer, or the agency that owned the computer, contacted the reseller and said, I'm getting this error. The computer just keeps crashing and trying to reboot. What's going on? The reseller eventually fielded that question up to Ulasen. Ulasen got permission to log into this problematic computer using a remote login, and he began to look around to see what the heck was going on, and he eventually suspected the machine had been infected by some malware and that this malware included a rootkit.

Quick refresher: a rootkit is software that gives an unauthorized party access to control of a computer system. Hackers use this to get backdoor access and get information on computers, or they do it to create botnets. Moreover, a rootkit masks this activity. It acts like a shield to hide it from the host computer in an effort to escape detection. So a good rootkit is doing all this, allowing someone to remotely access your computer, but you can't tell, because it's hiding all that activity from you. Well, like all malware, rootkits are only useful if the targeted machine doesn't have suitable antivirus protection on it. It could be out of date, or it might not have antivirus software on it at all, or the rootkit might be so new that antivirus software doesn't yet have a profile on that type of rootkit, which means that it will escape the antivirus software's detection because it doesn't know to look for it. Once antivirus software companies learn of a piece of malware, they can then adjust their software to identify and block those programs. But if there is a gap there, the malware can go for a while without detection, and it means that all machines can be vulnerable to those attacks until someone catches on. And that seems to be what was going on in this case. Now, I have a lot more to say about the early detection of Stuxnet, but before I get into that,
let's take a quick break to thank our sponsor.

All right. So Ulasen realized that whoever was responsible for creating this malware that was causing this computer to crash repeatedly had done so by finding what is called a zero-day exploit. A zero-day exploit is a vulnerability within a piece of software code that has not yet been identified by anybody else, including the people who made the software code in the first place. The software coders are likely completely unaware of it. In fact, that's really what makes it zero-day: the fact that, you know, you come out with, like, a new version of an operating system, for example, and you are not aware that part of that operating system has this glaring flaw in it that, uh, could be exploited. That's a zero-day exploit, and that ignorance is an incredibly powerful weapon for hackers. They will end up writing code that can exploit this vulnerability, and they know that there's no protection against it, because the responsible parties for the software have not even realized that there's a potential for exploitation.

Ulasen figured out that the malware had to have been distributed by a USB thumb drive initially. Later on, researchers would figure out that the code would allow up to three machines to be infected by the same USB flash drive before the malware would prompt a computer to delete the contents of the flash drive, so it's kind of like a self-destruct button. After three infections, the drive would be wiped. Further propagation could happen across a compromised network through computer-to-computer connections, and later on they discovered even other different ways that the virus could move from computer to computer. It did not, however, move across the Internet. This was a piece of malware that was designed to infect computers that were on local networks but perhaps not connected to the Internet at large. So that was why they were using USB drives in the first place.

Now, that did come with a disadvantage. It means that you have to get physical access to a machine to get the malware from the USB drive onto the computer, and that drastically reduces the number of computers you could potentially infect. So why would you do this? Well, one reason to go with the USB delivery mechanism is to target computers that have an air gap. And that air gap is what I was talking about a second ago. That's a computer, or even a network of computers, that has no direct connection to the wider Internet at large. There's an air gap between the Internet and the computer or system of computers; it's kind of like a self-contained island. It's cut off from the rest of the world, and it keeps the system safe from most forms of hacker intrusions. If there are no pathways that lead to the system, there's not a whole lot a hacker can do. A true air-gapped system would have no connectivity to the Internet at all. Now, some systems have what we call an air gap, but they really have limited and controlled access to the Internet, typically through a computer or router that acts as a gatekeeper or portal. But if you put your malware on a USB stick and then you convince someone with physical access to the machine to insert the USB drive, an air gap isn't really a problem. It might, however, mean that you, as a hacker, will remain unaware of your success. If the target machine has no way to phone home, if there's no way for the target machine to indicate, hey, success, then you may just be hoping that whatever you planned on doing was working.

So, like I said, all the vectors of attack for Stuxnet were based off of either USB or local network connections, but not over the Internet. And also, the USB stick attack did not use AutoRun, at least not after the first initial wave of attacks. There were three separate waves of attacks, and the second and third ones did not use the AutoRun feature. A lot of malware does depend on AutoRun, and that's a feature that will automatically launch a program from something like a USB drive or an optical drive once you insert the media.
You're probably familiar with this. Let's say that you've got a DVD, an actual movie on a DVD, and you put it into your computer, and the computer automatically launches the DVD player software so that you can watch it as soon as the DVD has gone into the optical drive. Well, that speeds things up for the user, makes it more convenient; you don't have to hunt for the right program. But it does present a security risk, because if the software on the media is malicious, the computer has just automatically launched bad software. But here's the thing. You can turn off the AutoRun feature, and a lot of systems will do that because it is a way to limit the risk and the vulnerability of those systems. You just turn off AutoRun, and then your planned form of attack is not going to work. Someone puts that media into a computer where AutoRun has been switched off, and they'll get prompted, or they'll have the chance to run that stuff themselves. But chances are, if you don't recognize a program, you're not just gonna launch it. You might do some snooping first and find out if this is in fact something you want to run. So to remove that possibility, you might want to not use the AutoRun feature to launch your malware. So that's what the hackers responsible for Stuxnet did. They decided that they would use a different approach. They targeted what are called LNK files. So an LNK file carries the information to display icons next to file types and applications in Windows Explorer. So if you've opened up a file directory type of program and you've seen those little icons next to file names, that's due to an LNK file. This was a pretty sophisticated form of attack, and as far as Ulasen could figure out, it was the first of its type. Now, it turned out that it was not the very first of its type, but the previous implementations of this attack had not really received widespread coverage, so it was still really new. Adding to this sophistication was the fact that there were four different versions of the LNK files on those USB sticks, and that meant that they could affect up to seven different versions of Windows. That increased the number of potential targets for the malware, so if a computer was running one version of Windows, or maybe the next one or the next one, it still might be vulnerable. The only real thing that limited it was it needed to be a thirty-two-bit installation of Windows. If it were a sixty-four-bit installation, the virus was not going to work on it. Later on, researchers at the security firm Kaspersky, uh, discovered other zero-day exploits that the virus took advantage of. So there wasn't just one zero-day vulnerability that Stuxnet could glom onto. There were three more that Kaspersky found at that point.
One exploited a print spooler vulnerability, and it would propagate the virus across networks that had a shared network printer, and a lot of networks do. The other two vectors used something called privilege escalation, which is where a program is able to leverage exploits to eventually gain system-level control over computers, even if those computers have been locked down. The combination of all the exploits suggested that the people responsible for the virus were serious heavy hitters who really desperately wanted to target specific computers. And it raised some really big questions. Why would you use four zero-day exploits, when common logic said you should just stick to one at a time? Once a zero-day exploit is discovered, the clock is ticking before someone patches the respective software to plug up that vulnerability so that the exploit won't work anymore. So the zero-day exploit is only really valuable until people discover it. If you have more than one zero-day exploit involved in your malware, then you run the risk of someone discovering all of those exploits if the malware itself becomes evident, and if they find all of those exploits, then all of those can be patched, which means you lose all of those vectors of attack in a single fell swoop. So this was kind of considered a big gamble. Why would you throw all of your eggs into this basket, having all of four zero-day exploits? By the way, there was a fifth one, actually, that they had not yet discovered, though that one ended up getting patched after the first wave of attacks, uh, not because of Stuxnet. The fifth vulnerability had been independently discovered through other means and had been patched. But ultimately that did mean five different zero-day vulnerabilities were used when designing Stuxnet, over the course of the life of Stuxnet.

On top of those zero-day exploits, the virus used four other means to copy and send itself along to other machines. So in total it had nine different methods to spread the virus. One of them leveraged a vulnerability in special Siemens software to gain system-level privileges. Siemens is a company, it's in Germany, that creates all sorts of different kinds of software. The software in particular that Stuxnet was concerned with was for something called PLCs, programmable logic circuits, or controllers rather, programmable logic controllers. So these are little implementations that allow computers to communicate with various devices, typically ones that are used in industrial applications, so it might be like a conveyor belt or valve system, that kind of thing, which is a pretty odd thing for viruses to target, typically.

There was another clever way that the malware could spread. It would create a file-sharing server folder on every computer it infected, if that computer were connected to other infected machines. So it's a computer on a network, and other computers on the network also got infected by Stuxnet. They would chat with each other and they would compare notes. They would say, hey, which version of Stuxnet are you running? I've got one point two, and they might say, well, I've got one point two one. Hey, your version is more current than my version is; give me some of that sweet Stuxnet. And sure enough, the system would propagate the latest version of Stuxnet across its network. So it was kind of a peer-to-peer approach to spreading the latest and greatest version of Stuxnet. And if someone came in and infected a new computer with an even more recent version of Stuxnet, then shortly that version of Stuxnet would propagate across the other infected computers on the network. It was a way of making sure everyone was on the same page, even without them being
aware of it. The malware would install two driver modules on the infected computer, and uh these driver modules were they were posing as as software drivers. Software drivers are lee aisons between a computer and some other piece of hardware. So, for example, if you have a separate computer mouse, or a microphone that you plug into your computer, or a webcam that you plug into your computer, the driver is what allows for meaningful communication between that device and your computer.
You may have occasionally had an issue where one of your peripherals no longer seems to work on your computer, and it's because the driver is out of date. It may be that there was an update to the operating system and that update has broken that communication channel between your peripheral and your computer, and it requires that you update your software drivers so that now the two machines can talk to each other again. That's what the malware would install: these apparently innocent, at least on casual glance, driver modules onto the infected computer.

Now normally, later versions of Windows would send an alert to a user whenever a piece of software was to be installed. If you've used Windows 7 or later, then you know about this. You get that little window that pops up and says, hey, I see that you're trying to install this thing. Is that really your intention? Because it gives you the chance to say, heck no, I didn't know that was happening, stop it. And then you could investigate, and if it were malware, you would know something was up and you could maybe do something about it. So the goal of the hackers is not to have this window pop up. So this malware, Stuxnet, was a lot more insidious than just a fake driver. It contained a digital certificate from a legitimate Taiwanese hardware company called Realtek Semiconductor.

Digital certificates are like authorized signatures. These are a way for companies to authenticate that the software they distribute in fact actually comes from them, and big players that are trusted can use those certificates to authenticate drivers and other software on machines without the need for that pop-up notification. You're not gonna get it every time, because essentially what's happening is Microsoft says, hey, there's this software that wants to execute on this machine. Oh wait, this software is from such and such company, and I know they're cool. And it's a digital certificate that tells me that it's absolutely from that company, because they protect their certification process, so I know it's not from anyone else, so I don't need to worry the user. I'm not gonna send that pop-up, because everything's totally on the up and up. So as long as the software is authenticated as being from a trusted source, there's no extra step in there.
But that created a pathway for potential attacks, though at the time not very many people were considering that. One person who was was a security expert with the Finnish company F-Secure. That is a company from Finland, not a company that finishes things. And in July he pointed out that if a hacker were to get access to digital certificates, they could potentially sneak malware onto computers using that, which was exactly what was going on with Stuxnet. Now, this researcher wasn't aware of Stuxnet at the time. He was just saying, hey, this is a potential problem. And as it turns out, it wasn't just a potential problem; it was a real problem that was going on at that very moment.

Moreover, digital certificates have an expiration date, and this is to help make sure that they remain secure. You have to renew your certificate so that it doesn't stick around long enough for bad actors to get hold of it and then leverage it the way the malware authors had done in the case of Stuxnet. So you end up creating a certificate that has an expiration date on it. After the expiration date, you then administer a new certificate that has new code on it, but it still has that authentication. And that way, if anyone tries to use the old certificate, then an operating system like Windows can say, wait a minute, that certificate is out of date. I'm going to alert the user, because that could be an indication that someone had gotten hold of an old authentication certificate and they're trying to pass it off as legitimate. So anytime a certificate expires, it's no longer really useful for malware distributors.

Some companies will hire out their certificates. Like, they'll create certificates, and then other parties will come to them and say, hey, we have created this software, we would like to say that we created it in partnership with you, and in return you can put your authentication certificate on this software, which will help us out a lot. So some companies will actually do that. Others are way more protective of their digital certificates. No one was sure at this point if Realtek had had their certificate stolen somehow, if the hackers had managed to illegally get hold of this digital certificate, or if there had been some other form of transaction involved, if Realtek had perhaps licensed out, essentially, their certificate.

Circumstantial evidence suggested that it was a stolen certificate. Looking at the malware code, it appeared that one of the driver modules had been signed just six minutes after the original code had been compiled. This was found out by converting the code into binary and then being very meticulous about looking through the data for any sort of timestamp information. Now, it is possible to fudge things like the date and time of compiling, but that's not necessarily easy to do, so you could say that the compile date's not really a smoking gun, but it does suggest that the certificate had been sitting around in the pocket of whoever had been designing Stuxnet and was then immediately slapped onto Stuxnet once the code was compiled and ready to go.

Now, I've got a lot more to say in this first episode about Stuxnet, but before I continue, let's take another quick break to thank our sponsor.

Ulasen would reach out to both Realtek and Microsoft to alert both companies of this vulnerability, because it had that digital certificate from Realtek and it was affecting Microsoft-based machines. He had not figured out what the malware was actually for yet; that would be the payload. He was understanding a little bit of how the malware would infect machines, but he didn't know what it was supposed to do. He didn't know it could potentially infect millions of computers around the world, because that digital certificate gave it kind of a VIP pass onto machines, and if it was meant to steal information or cause mischief, he wanted to nip that in the bud.

One interesting tidbit is that whoever designed the malware had been really careful to do it in such a way that the major antivirus packages out there wouldn't suspect a thing. It was compatible with all the major antivirus packages, so most people wouldn't have any way of telling that something hinky was going on. Clearly, the hackers who designed this had worked with computers that had these antivirus software packages installed on them to make sure that it would slip under the radar. But VirusBlokAda was a small operation, and it may have had this incompatibility problem, where it was causing the computer to crash and reboot over and over again, simply because the people who were designing the Stuxnet virus had never really encountered this particular antivirus platform before, and they weren't able to make sure that Stuxnet would not be picked up by it. And so it was a real enigma. Ulasen couldn't even get the virus to regularly replicate the problems he was seeing, so he wasn't really certain what was happening. It was largely a matter of luck that this happened at all and brought people's attention to it.

After two weeks without hearing anything back from Microsoft or Realtek, Ulasen posted information about what he had found both to his company's website and on an English-speaking cybersecurity forum. He did that on July 12, 2010. That was the same day in July that the Finnish security firm was talking about how digital certificates from trusted sources could become a vector for malware. Just a few days later, security researcher and tech journalist Brian Krebs posted about the malware, and it quickly became the talk of the cybersecurity sphere at that point.

Microsoft is the company that actually gave the malware its name, and the company named it that by combining some elements of code that were found in the virus itself, including the file name for one of the driver modules, which was mrxnet.sys. At this time, VirusBlokAda had updated its antivirus software to sniff out Stuxnet. It was looking for any sort of markers that would identify Stuxnet, and the company discovered that the malicious code had infected many computers across the Middle East.

In particular, in July, a Slovakian security firm called ESET discovered a new driver module that seemed to be very similar to the Stuxnet one that was previously identified. This one had a digital certificate from a different company called JMicron Technology, which was also from Taiwan and in fact was located just a couple of blocks away from Realtek. The malware appeared otherwise to be pretty much the same as its predecessor. So why did it have a different digital certificate? Well, part of the reason was that the Realtek certificate had expired in June 2010, so you couldn't infect new computers using it. Windows would not allow a driver with an expired digital certificate to install itself on a computer without notifying the user. The new legitimate digital certificate from JMicron Technology could sidestep that problem.

The new attack may have launched on July 14, just two days after Ulasen had made his findings public, and it's possible that the malware was released hurriedly in reaction to the announcement, in what might have been an attempt to infect as many computers as possible before Microsoft could patch the vulnerability. There's some evidence to support this hypothesis, as the code in this release was a little less buttoned down than the original attack had been back in 2009. And by some evidence, I mean there were some sloppy mistakes. The digital certificate contained a block of information about the company that issued the certificate, kind of like a little bit of information about JMicron, and that bit of information included a URL to a JMicron website, except there was a typo in the URL, and so any attempt to visit that particular address would return a "Server not Found" error. If anyone had tried it, they might have said, well, this is kind of strange that a company would issue a digital certificate and yet have the wrong URL in there. You would think that for something that important they would make absolutely certain they had correct information included. So that was one red flag. There were also fields within the certificate that had the value "change me" written in them instead of whatever information should have been there. Now clearly that was a note written by a hacker to his or her team as a placeholder, you know, don't let this go out before you change it, but it was never actually replaced or changed. Those elements suggest the malware was rushed out the door ahead of plan.

Researchers later determined that the original attacks happened in three waves. June 2009 was the first one and used an autorun attack. March and April were the second two attacks, and then after that you end up with these approaches that were using a different digital certificate. It didn't appear to have anything to do with identity theft, didn't have anything to do with creating a botnet. So why would you design code that can infect millions of machines but doesn't actually cause harm to the host computers or do anything else of any real consequence?

Frank Boldewin, a cybersecurity expert in Germany, discovered the first clues as to Stuxnet's purpose. Boldewin had analyzed the code and noticed that it appeared to have been designed to target computers that had a particular type of software on them. That software came from the German company Siemens that I mentioned earlier. Now, they make lots of different stuff, including software for other businesses, and in particular the software, or to be more specific, the two programs, that this virus was searching for. Whenever it would infect a computer, it would look to see if one or both of these programs was also installed on that computer. They were for industrial control systems. It's the sort of thing you would find in a manufacturing facility, so again, like the controllers for things like valves or conveyor belts or other simple interconnected systems. Now, Boldewin's hypothesis was that the malware was a type of industrial espionage. He thought perhaps a company had created this malware in an attempt to spy on competitors and learn how they operate in an effort to gain a market advantage over them.
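A worked example added by the editor, not something from the episode or from Countdown to Zero Day: the three clues described above (a driver signed only minutes after it was compiled, a certificate used outside its validity window, and certificate fields holding "change me" or a URL that points at the wrong place) turned into checks a responder can run on a signed Windows driver. The PE header bytes, the dates and the certificate fields are constructed for the example, the ten-minute window is an assumed threshold, and the function names are my own.

```python
"""Added example (mine, not code from the podcast or from Countdown to Zero Day).

Three checks on a signed Windows driver, following the clues in the episode:
the compile-to-signature gap, the certificate validity window, and placeholder
or wrong-domain fields in the certificate. All sample inputs are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse


def utc(year, month, day, hour=0, minute=0):
    """Helper so callers can build aware UTC datetimes without extra imports."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def build_sample_pe(compile_ts):
    """Construct a minimal PE image for the demo: a 64-byte MZ header whose
    e_lfanew (offset 0x3C) points at the PE signature plus a 20-byte COFF
    header. Only the fields the parser reads carry meaning; the rest is zero."""
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, compile_ts, 0, 0, 0xE0, 0x0102)
    return mz + b"PE\x00\x00" + coff


def pe_compile_time(data):
    """Return the linker's TimeDateStamp from the COFF header as a UTC datetime.
    This is the timestamp inside the binary that researchers compared against
    the signing time of the Stuxnet driver."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def signing_gap_minutes(compile_time, signed_time):
    """Minutes between compilation and signing. A negative value (signed
    'before' it was built) means one of the two timestamps was fudged."""
    return (signed_time - compile_time).total_seconds() / 60


def signed_immediately(compile_time, signed_time, window_minutes=10):
    """True when the binary was signed within window_minutes of being built.
    A vendor's release process usually leaves a much larger gap; the six-minute
    gap in the episode would trip this (window_minutes is an assumed threshold)."""
    gap = signing_gap_minutes(compile_time, signed_time)
    return 0 <= gap <= window_minutes


def cert_usable_at(not_before, not_after, when):
    """Would the certificate's validity window accept a signature made at `when`?
    Outside that window Windows prompts the user instead of trusting the driver."""
    return not_before <= when <= not_after


PLACEHOLDERS = {"change me", "changeme", "todo", "fixme", "tbd"}


def suspicious_fields(fields, expected_domain):
    """Flag certificate attributes that hold placeholder text, or a URL whose
    host is not under the domain the named signer is supposed to own."""
    findings = []
    for name, value in fields.items():
        text = value.strip()
        if text.lower() in PLACEHOLDERS:
            findings.append(f"{name}: placeholder value {value!r}")
        if text.lower().startswith(("http://", "https://")):
            host = (urlparse(text).hostname or "").lower()
            if not (host == expected_domain or host.endswith("." + expected_domain)):
                findings.append(f"{name}: URL host {host!r} is not under {expected_domain}")
    return findings


if __name__ == "__main__":
    built = utc(2010, 1, 25, 14, 0)                    # constructed build time
    image = build_sample_pe(int(built.timestamp()))
    compiled = pe_compile_time(image)
    signed = compiled + timedelta(minutes=6)           # assumed countersignature time
    print("compile->sign gap:", signing_gap_minutes(compiled, signed), "min,",
          "suspicious" if signed_immediately(compiled, signed) else "ok")
    # constructed validity window: signing in January falls inside it
    print("cert valid at signing:", cert_usable_at(utc(2009, 1, 1), utc(2010, 6, 12), signed))
    sample_fields = {"O": "JMicron Technology Corp.", "OU": "change me",
                     "URL": "http://www.jmicorn.com"}  # constructed, with a deliberate typo
    for finding in suspicious_fields(sample_fields, "jmicron.com"):
        print("finding:", finding)
```

None of these checks is a smoking gun on its own, as the episode says of the compile date; together they are the kind of cheap triage that separates a vendor's normal release from a certificate that was sitting in someone's pocket waiting for the build to finish.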
That wasn't exactly the right track, but it at least showed that this malware was meant for a very specific reason. What that reason was, I've kind of alluded to already, but we're going to dive into more of that in our next episode to really look at how Stuxnet unraveled, and what were the motivations behind it, who was responsible, and what was the fallout from this. There's no pun in that; there was no nuclear fallout. I want to be clear about that, because otherwise this would be a very dark series of episodes. As it stands, it's still pretty scary, because we're talking about cyber warfare at this point, using computers to create real-world physical effects, which is pretty phenomenal. Up to this point, most people thought of that as being just theoretical, that computers could do a lot of damage to data and could create a nuisance, but couldn't necessarily cause physical damage to the real world around us. Stuxnet proved we shouldn't be so sure about that. Again, I'll talk about that more in our next episode.

If you guys have suggestions for tech topics I should cover in the future, maybe it's a company, maybe it's a specific technology, maybe it's a person in tech who you think I should profile, let me know. Or if there's someone you think I should interview or have on as a guest co-host, let me know that as well. You can get in touch with me through email. The address for the show is techstuff@howstuffworks.com, or drop me a line on Facebook or Twitter. The handle for both of those is TechStuffHSW. Follow us on Instagram, and of course you can watch me record this show live at twitch.tv/techstuff. I typically record on Wednesdays and Fridays. There's a chat room there. You can join in on the merry band and have fun, high-spirited conversation about that weird thing I just said and had to go back and fix so that the podcast listeners will never know, but you'll know, because you're pretty darn cool. Well, that's it for me for now. I'll talk to you again really soon.

For more on this and thousands of other topics, visit howstuffworks.com.
