Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I am your host, Jonathan Strickland. I'm an executive producer here at HowStuffWorks and I love all things tech. And if you listened to the previous episode, you heard part one of What Was Up with Stuxnet, the infamous computer virus that made headlines in ten and opened up a new era of cyber warfare. If you have not already listened to that episode, I recommend you go do it, because we're gonna pick up right where we left off now. In the previous episode, I set the ground by talking about how Iran had been pursuing a nuclear power strategy and potentially developing nuclear weapons as well, much to the consternation of other nations like the United States, and that at some point at a uranium enrichment facility in Iran, people began to notice that centrifuges were really acting up. They were breaking down way more frequently than they should have been considering their age and how much they were working. At the same time, there was this tiny little antivirus company that had found some sort of weird code on an Iranian machine that was having a problem. It was constantly crashing and rebooting, and that led to the discovery of some malware that Microsoft would later name Stuxnet. That malware would affect various machines running on different versions of Windows, and it seemed really, really virulent, like it would very quickly infect a machine, but no one was really sure what it was doing at this point. They had not really unraveled the payload of the malware. They more or less understood how it was spreading, how it was going from one computer to the next, but they weren't sure why. Like,
what was the purpose of it? What did it actually do? And that's kind of where we pick up now. The date we're talking about is July. This is less than a week after the news broke about Stuxnet actually being a thing, and there was a security analyst with Symantec named Liam O'Murchu who took a look at the main Stuxnet file, and he was gobsmacked. The file was way larger than your typical malware would tend to be. Malicious software is usually pretty simple. It's often inelegant, and it might only be fifteen kilobytes in size or less. It just needs to be big enough to do whatever it is the hacker intended for it to do, and smaller sizes are usually easier to slip in through something else than something that's larger. But Stuxnet was different. It was five kilobytes, much larger than your typical malware, and it didn't seem to contain any filler data in it. It wasn't like there was some sort of extra piece of data to make it look like it was something else, like a JPEG or a music file or something along those lines. O'Murchu saw that the file had been through a packer, sort of like a ZIP application, something that would compress the file. What's more, the people who had made it used an off-the-shelf compressor called Ultimate Packer for Executables, or UPX, so they didn't bother to make their own tool. They used an off-the-shelf tool that made it very easy to unpack, because all you had to do is have a copy of this tool. So O'Murchu was able to unpack this file without very much fuss. But here's the thing. Even though this wasn't a case where hackers had created a customized packer, which would make it more difficult to detect, the simple compression was a bit of a, I don't want to say a trap, but it was certainly misleading, because the rest of the file showed that they had gone to considerable lengths to hide what was happening and to create a very sophisticated type of malware. The unpacked file ballooned in size to 1.18 megabytes. Remember it had been five kilobytes, so this is more than twice the size of that packed file.
At this stage, O'Murchu saw what Baldwyn had noticed. Baldwyn, of course, was the analyst I talked about in the last episode who had discovered that there were references to two different pieces of software created by a German company called Siemens that made programs that were designed for other businesses. So this was the point where O'Murchu saw that same information. The payload of the virus took the form of a DLL file. DLL stands for Dynamic Link Library. It's a file extension found on Windows machines. The Stuxnet DLL contained smaller DLLs within it, and each of those layers was encrypted, so it was like unraveling it: you found another puzzle, and inside that was another puzzle, and the puzzles were all using different strategies to encrypt them, so it made it very tricky to find out what this thing was actually supposed to do. He also saw that Stuxnet was being incredibly sneaky. The malware was designed to live in a computer's memory, so instead of a computer referencing its hard drive space in order to pull up information from the malware, which would make it easier to actually track down if you were looking for it, it would just reference it in its actual memory. And it altered the application programming interface for Windows so that it could execute code without getting picked up by antivirus software. Essentially, when Windows would go to execute a process related to Stuxnet, the altered API would direct that inquiry to the file resting in the computer's memory beneath detectable levels, so the computer, from its perspective, would just look like everything was working perfectly, but in reality things were getting rerouted so that it was covering up the virus's tracks. Stuxnet would also hide its processes within other processes, so it was obfuscating what was going on, and it was really a confusing and effective way to hide what was actually happening. O'Murchu's conclusion was that the programmers who made this must have really known their stuff, and they must have worked really hard to make it difficult to detect Stuxnet even with a thorough investigation. O'Murchu also saw that the code had been encrypted and that it contained further encrypted files within it, and whoever had set it up had gone to great pains to make it very difficult to get at the raw code, and he noted that the malware had an expiration date on it as well. That date was June two thousand twelve, and that meant that the malware would actually consult a computer's onboard clock and look and see what day it is,
what time it is. If the date was after June two thousand twelve, the malware wouldn't install itself on the target computer. So it was like a checklist: check the date, is it before June two thousand twelve? It is? Gravy, let's go there. If it was after, like, too late now, and stop. So any computers previously infected with Stuxnet could continue and would continue to be compromised. They wouldn't magically become clear in June two thousand twelve, but no new computers would get infected by Stuxnet. O'Murchu and his team also found that the malware had a phone-home kind of feature. Every single time it infected a new computer, the malware would attempt to send a message back to headquarters. The headquarters was masked by using two domains that appeared, at least on casual inspection, to belong to soccer fans. One URL was todaysfutbol.com, football spelled f-u-t-b-o-l, and the other was mypremierfutbol.com, and again football f-u-t-b-o-l. The owner of the domains was unknown, but when they started to take a closer look at it, they realized that the registration had a fake name attached to it and that the credit cards associated with the account were fraudulent. The servers hosting the domains were in Malaysia and Denmark, but that didn't really necessarily mean anything. It was just confusing. The phone-home messages included a small amount of encrypted data. O'Murchu's team was able to break the encryption, however, and they saw that an infected machine would send a message. They gave the server the infected machine's internal IP address, which version of Windows the machine was using, and whether or not that machine also happened to have those two Siemens programs installed on it. Eventually, the researchers figured out that Stuxnet would shut itself down if it could not find evidence of those Siemens programs on the host machine.
The virus would continue to try and infect other machines from its infected host if it were on a network system, but otherwise it would not unleash its payload if the Siemens programs weren't present, which was also confusing, because here you had some malware that was so specific that it only leapt into action if those two programs were on the host computer. Otherwise it wouldn't do anything at all. So it clearly wasn't meant to wreak havoc across all machines. It was still problematic that it was infecting lots of different computers, because obviously you never want to have malware infect your computer. But if you didn't have those Siemens programs on your computer, it didn't do anything else apart from attempt to infect other computers networked to yours. It didn't mess with your files, it didn't encrypt anything without your permission, it didn't delete anything. Everything was fine. So a lot of the code and implementation suggested that Stuxnet was probably the product of years of work from at least one or two or maybe three teams of talented programmers. There were some gaps in the code and implementation, however, that led some security experts to call it perplexingly sloppy or careless. One of those was Nate Lawson, who's a cryptographer, who criticized the code and said that it smacked of amateurism in many ways. And here's a direct quote. He said, "I really hope it wasn't written by the USA, because I'd like to think our elite cyber weapon developers at least know what Bulgarian teenagers did back in the early nineties." Sick burn, Lawson. As part of their research, O'Murchu and his team over at Symantec had contacted the domain name system service providers that were responsible for those two URLs, and they decided to create a new destination for all those communications. It was kind of like just a redirect, so these messages that were supposed to go to these two URLs that were posing as soccer fan sites would instead end up going to Symantec. And they were hoping that by looking at the messages that these computers were sending back, they might be able to figure out what the heck this malware was trying to do. So they started looking for any patterns to get a better idea of what was going on, and one of the things they saw was that the majority of computers that were sending the messages were in Iran. Iran also had the most computers hosting the sought-after Siemens programs, so that made them suspect that perhaps the people who made this malware were targeting Iran specifically for some reason. And in the past, Iranian computers had never really been at the high end of infection rates whenever malware would break out, so that suggested to the team that they must have been the intended target; otherwise their percentage would not be so high. Someone had to be concentrating on them. Working with that information that Iran was in fact the intended target, and that the virus was specifically looking for machines that had a particular type of industrial control software on them, they started to form hypotheses as to what the purpose of the malware could have been. So one possible explanation is that it was part of an espionage project aimed at Iran's nuclear power program. Natanz had attracted worldwide attention, as it could have been a front operation that appeared to be making nuclear fuel for power purposes but in reality was secretly enriching uranium in order to make nuclear weapons.
So that was one of the possibilities. They also thought that maybe it was targeting perhaps gas pipelines or electric power grids. They weren't entirely sure. Also, the propagation methodology suggested that perhaps the programmers had wanted to infect machines belonging to engineers who were responsible for transferring commands to programmable logic controllers, or PLCs. Those are the type of controllers that the Siemens software would communicate with. Those commands would exist on air-gapped systems, and typically you would transfer the commands by downloading the commands, the proper set of instructions, onto a USB stick, and then you would transfer the commands to a computer responsible for controlling the PLCs via that USB stick. So you don't have the machine, the kind of overseer for all these PLCs, connected to the Internet; that would be a security vulnerability. Instead, you would create the program instructions on a different machine, put it on a USB stick, and then transfer it over to the overseer computer. And the problem was that Stuxnet would propagate itself and copy itself onto USB sticks that were inserted into computers that had been infected by Stuxnet. So you could have an engineer who's just innocently trying to transfer some commands to another computer actually infect that computer, so the engineers themselves became the carriers of the virus. If one worked from the hypothesis that the code was in fact meant to target computers at Iran's uranium enrichment facility, it narrowed down the list of potential attackers. For one thing, the sophistication of the code, the lengths the hackers went to in order to avoid detection, and the rapid response to the presence of the code being announced to the world in general suggested that there must have been a state-sponsored group, a government-funded attempt. So whoever was doing this had access to some pretty extensive resources. The candidates that people were identifying early on included Russia and China; both of them had been working on state-sponsored cyber warfare strategies for a few years. Israel was another possibility, and then there was, of course, the United States. There was also the chance that Iran had somehow developed this malware itself and then accidentally unleashed it on its own computers, but that was considered a lesser possibility. So whodunit?
I'll talk more about that in a second, but first let's take a quick break to thank our sponsor. So while they were looking through the code, the Symantec team noted that they saw something that looked like it was a date that was written out in Unix format. So when you unscramble that, the date would have been May nine, nineteen seventy nine, and this was a potential hint as to the origin of this malware. On May nine, the Iranian government executed a businessman named Habib Elghanian by firing squad. Elghanian had been accused of spying on Iran on behalf of Israel. He was a philanthropist and a member of the Jewish community in Iran, and he was then accused by the government, saying, you aren't actually, you're an Israeli spy. There was nothing in the code itself that would directly link to that event. There were no mentions of the name Elghanian in there, but there was that date, and that was something that kind of stood out to the team when they were thinking about it. They did a Google search on that date to see if anything notable had happened, and when they saw that, they thought, huh, because one of the entities we thought about as possibly being responsible for this was Israel, so maybe that's an implication there. So I thought maybe this is actually a long run at some form of retribution in response to that execution. There was another potential reference to Israel that was found in this code, although this one is definitely very tenuous, and that was in the form of one of the file directories and a file that was found within that Stuxnet code. The file directory contained the words Myrtus, m-y-r-t-u-s, and Guava. Myrtus is the genus that guava belongs to, and in Jewish history there is a prominent figure named Queen Esther, but before she became Queen, Esther's name was Hadassah, which is the Hebrew word for myrtle, or Myrtus. Now, again, this was like a long-shot connection if you're looking at this, but it was a possible clue that maybe someone from Israel was involved. However, other people pointed out that there was another potential explanation for the Myrtus name: that in fact it wasn't Myrtus but "my RTUs," because RTU could stand for remote terminal unit. So it wasn't, you know, a smoking
gun by any stretch of the imagination. The Symantec team also saw that the Stuxnet code contained a function that logged every machine the malware had infected along its way. So that instance of malware, once it passed from one machine to another, it would send a note back to HQ, and that note would include, hey, I jumped from machine A to machine B. So by looking at an instance of the malware, you could track all the machines it had infected. In fact, you could trace the infection from the last point all the way to the very first one. So if you intercepted the message, as Symantec had been doing, because they had contacted those domain name servers to send that traffic to them instead of to those bogus soccer sites, you could actually trace back every infected machine to that point of infection, and from there you could look at the computers that were initially targeted as the starting point. Using that method, they identified five companies in Iran that served as the insertion points for the malware, and according to Symantec, those five companies accounted for twelve thousand infected machines at those locations and were responsible for an additional one hundred thousand more machine infections in more than one hundred countries. Now, one of the reasons Stuxnet was uncovered so quickly, relatively speaking, was because the designers had made it so viral. Using USB as an injection method helped reduce the target zone for the virus, but still, the methods that Stuxnet depended upon to go from machine to machine pretty much guaranteed that it would eventually infect computers outside of its intended target zone. Most people agree that the Stuxnet designers wanted to really contain the infection. They just wanted to surgically target specific machines, but they also really, really wanted to get a hit. So it was kind of a balancing act. How do you make sure that your malware is virulent enough so that you are guaranteed to hit your target, but you don't want it spreading throughout the world? They thought they got a good balance, especially with a USB delivery methodology, but as it turns out, it definitely expanded beyond Iran's borders, and that in turn made it more likely that someone was going to figure out that it existed. And once you know it exists, you can start to make countermeasures and protect yourself against it and try to remove the virus from infected machines. So that computer that was caught in that crash-reboot
phase ended up being a red flag. But even if that computer had not failed at that time, some other machine would surely have done something similar and then Stuxnet would have been uncovered. So it probably would have just been another month, maybe two months. It's impossible to say because history has already unfolded. But it wouldn't have gone unknown forever, because again, it was just too virulent. It was moving beyond the intended audience or intended targets. Even at this stage, however, no one was totally sure what Stuxnet was actually doing. They knew how it was doing things, like how it was infecting machines, and they knew that it was looking for these Siemens software packages, but they didn't know why. What is its purpose? It was clearly searching for logic controllers, so stuff that was going to control industrial equipment. This was not something that was meant to infect the average person's PC. It was very much an industrial approach, and it was targeting Iranian companies; that seemed to be clear. And security researchers had figured out that Stuxnet would replace a legitimate DLL file for a Siemens software package with what appeared to be a duplicate, and in fact it could do all of the functionality of the original DLL file. It just had a few extra tricks up its sleeve, like it could overwrite instructions to logic controllers, which could be used to sabotage machinery. So, in other words, you send a command to a particular industrial device, and this malware could potentially change that command. Not only could it change it, it could send feedback that the intended command was the one that went through, so to you, when you review it, it looks like, oh no, everything did exactly what it was supposed to do. I mean, I told it to do X, and according to the computer log, that's what happened. It did X. But in reality it did Y. It's just that Stuxnet was such a clever, clever little piece of software. It could cover up its tracks and make you think that everything was working the way it was supposed to, and yet stuff was breaking. The malware would also sit dormant for about two weeks and just record all operations that would go on during those two weeks, but it wouldn't change anything. Then, when the malware would start messing with stuff, start changing those operations, start changing those commands internally, it would replay the recordings of those operations from the previous two weeks.
This is kind of like movies, you know, like in Speed, where Keanu Reeves's character is able to get the video footage of him on the bus repeated on a loop so that Dennis Hopper's character doesn't get wise that they're actually trying to get off the bus and instead they're just being really focused about going more than. There are a ton of movies that do this where someone has messed with a security camera, so it's just showing a repeated loop of video while they go and do something sneaky. That's exactly what this virus was doing, except instead of being video footage, it's a recording of the operations that it was going through. On August, a Symantec team went public with the assertion that Stuxnet was designed to cause physical damage to infrastructure controlled by logic controllers. They still weren't sure exactly what type of systems might be the targets. They suspected it was nuclear power plants or nuclear enrichment facilities, uranium enrichment facilities, but they weren't entirely certain. They said it could be gas lines, or it could be something else. But they figured the purpose was not to steal information, but rather actual sabotage to cause physical damage to targets, and that would be the first documented case of actual cyber warfare. Five days later, a little bit later in August, Iranian officials ordered the outbound connections to those two dummy URLs that had been gathering information from Stuxnet-infected machines to be severed within the country. So, in other words,
that information would not go outside of Iran anymore if it was being directed to those two domains. The machines were still infected; they just couldn't send back information to HQ. A security analyst named Ralph Langner, who specialized in PLCs, those logic controllers that were being affected, was looking into Stuxnet. Now, normally he and his analysts wouldn't bother with computer viruses because that wasn't their field. Their field was looking at logic controllers. But since Stuxnet targeted logic controllers through Windows-based machines, he felt it was necessary to understand that malware a little bit better, and he deduced that the real purpose of the malware was to disrupt Iran's nuclear program. He published a few blog posts about this in September. The first was titled Hack of the Century, and in those blog posts he laid out his hypothesis that Stuxnet was targeting centrifuges in Iran for the purposes of destroying them and disrupting Iran's plans at the very least. Now, mistakenly, he identified the nuclear power plant Bushehr as the target because he thought that the uranium enrichment facilities were co-located at the nuclear power plant. In reality, they were not. They were miles away in Natanz, but he thought Bushehr was probably the target at the time. It was later Frank Rieger, who worked for a German security firm called GSMK, who identified Natanz as the target for the malware rather than Bushehr. As for who was behind it, well, all signs pointed to a joint United States-Israeli operation. As early as two thousand five, advisors were asking President George Bush to do something about Natanz. Israeli officials were asking about an air strike, but Bush was not eager to go down that path. This is George W. Bush, by the way, the second George Bush. The United States was already at that time involved in armed conflicts in Iraq and Afghanistan. They were not going terribly well. It was very slow going and had a lot of negative publicity about it. So George W. Bush wasn't really eager
to also throw Iran into the mix. Cyber war experts suggested to the president that a digital strike was possible and laid out their idea for using code to disrupt critical operations in the uranium enrichment facility and actually damage and destroy centrifuges just by using code. Now, at the time, this was still considered a pretty radical idea. They decided that this was a decent line of attack. They got the go-ahead, got the code name Operation Olympic Games behind the scenes, and went ahead. And now, it's never been officially acknowledged, but the reports that have come out since the time of Stuxnet stated that President Bush had requested four hundred million dollars from Congress to fund covert operations with the purpose of interfering with Iran's nuclear program, and Congress said okey-doke. Now, not all of that money went to the development of Stuxnet; some of it went towards other efforts to stir up trouble in Iran. The plan was to slow down Iran's uranium enrichment operations. There were no illusions that their efforts would destroy the facility, but rather gum up the works enough to keep Iran from making a lot of progress while they figured out another way to confront the situation. Reportedly, General James Cartwright of the US Strategic Command and Keith Alexander, who was a former NSA director, were in charge of the high-level planning for Operation Olympic Games. The NSA and an Israeli team from Defense Forces Unit 8200, which is kind of their version of the NSA, were responsible for actually developing the code. By changing the rotational speed of the centrifuges repeatedly, they could cause the machines to tear themselves apart. Now, there was no danger of a nuclear explosion. It wasn't like they were going to trigger some sort of cataclysmic event. But the uranium was just in gas form, so if you made the centrifuges break, it would kind of disperse into the air. Now, it was dangerous for humans to be exposed to uranium gas, but it wasn't explosive or anything like that. It apparently took about eight months from the time the plan was approved to when it was ready to be implemented, which
was a really fast turnaround. The team presented pieces of a destroyed centrifuge to President Bush as proof that their idea of using computer code to tear physical machinery apart was legitimate. They had acquired some centrifuges, the exact same kind that Iran had been relying upon, and they had run several tests using code to change up the frequency at which the centrifuge would rotate, and they changed it repeatedly until it would literally spin itself into pieces. So they created an early build of what would become Stuxnet. Later on, people would refer to it as Stuxnet 0.5. This version of it somehow eventually found its way onto computers in Iran, though the version there didn't target the spinning motor of the centrifuges. Instead, it was targeting valves that controlled the flow of uranium gas into and out of the centrifuges, so they could mess with the gas pressure inside the centrifuge, but they could not change the rotation speed. When President Obama took office in two thousand eight, he was reportedly informed of the operation, and he decided to have it continue because a non-military intervention in Iran's nuclear plan was still preferred to the alternative. I've got a little bit more to talk about as far as Stuxnet is concerned, but before I get into this last section, let's take another quick break to thank our sponsor. All right. We've talked a lot about the payload. We talked a lot about the delivery system of Stuxnet. We talked about what it was meant to do. It was meant to disrupt Iran's nuclear program. So the question is, did it actually succeed in what it was supposed to do? Well, that
is actually debatable. If we assume, as has been reported, that the goal of the malware was to slow down Iran's nuclear plan, the answer is it kind of succeeded. Despite Stuxnet and other strategies that were employed at the same time, which were all designed to limit Iran's nuclear capabilities, the country was able to produce more enriched uranium in than it had in previous years. The country made less of it than what they had anticipated. They had projected that they would make much more than what they did, because of the setbacks they experienced from Stuxnet and other measures, but still, year over year, they produced more enriched uranium. So while Iran wasn't where the government officials wanted it to be in terms of its nuclear aspirations, it was still making progress, just more slowly than what they wanted. Stuxnet also ended up opening up the possibility of a new era of cyber warfare. There had already been plenty of incidents of state-sponsored hackers inserting malicious code into the infrastructure of other nations, so that was not new. But Stuxnet marked the first documented case of someone using computers to cause physical damage to a country's equipment. And once people saw what was possible, there would be future attempts that would be built on that same realization. So that's not great. One of Stuxnet's legacies was a warning that it's no longer just a world in which computers can be the targets. Programmable logic circuits are legit targets, and they're incorporated into all sorts of different critical infrastructure systems like power grids and gas pipelines, and unlike computers, there were no antivirus software packages that could protect PLCs. If you could protect the computers that interface with those PLCs, you'd be pretty safe. But Stuxnet had shown that it was possible to make this very hard to do, and it concerned a lot of folks in multiple industrial organizations as a result. Imagine that just a few lines of code could cause billions of dollars in damages by making critical pieces of infrastructure fall apart or overheat or otherwise fail. It's kind of scary. Another legacy was that hackers would use the Stuxnet vectors as an approach in future malware attacks. They would use that same strategy, sometimes using the same vulnerabilities, because even though an operating system might patch a vulnerability once it's discovered, you still have to have that patch roll out to everybody. People have to update their operating systems. By the way, this is a good time to remind you to make sure your software is up to date, because if there are vulnerabilities that exist, those are active on your software
if you haven't patched yet. So while everyone else would be immune to an attack that has been patched, because the vulnerability that the attack would rely upon has been patched out of existence, if you haven't uploaded, or updated rather, your software with that patch, you're still potentially a victim. So make sure your software is up to date. Another legacy, besides the fact that now we have the fear of Stuxnet, was that you could end up getting a similar approach that had a different payload entirely. One of those that seemed to fit this definition, at first anyway, was called Duqu, D-u-q-u. Unlike Stuxnet, it did not have a payload aimed at programmable logic controllers, or PLCs. Instead, its payload had a keylogger, and a keylogger is a program that just records every keystroke made on the infected computer's keyboard. So it's a way to steal stuff like usernames and passwords, as well as other information. But while this payload was different, the delivery mechanism that the malware relied upon was nearly identical to Stuxnet, and like Stuxnet, Duqu had a self-destruct code built into it. The malware was set to delete itself and all traces of itself from a machine after thirty-six days. As it turns out, it wasn't perfect at doing this. It actually would leave behind a few traces if you knew what to look for, but you had to find out about Duqu first, or else you wouldn't even know to look for the trace evidence it would leave behind. Now, this suggested to the Symantec team, the same team that had investigated the Stuxnet virus, that the code was intended as an advance scout to seek out target computers for the quote-unquote real attack that would be sure to follow. So, in other words, it wasn't necessarily meant as an attack all in and of itself. It was meant to identify potential target computers. Duqu, as it turned out, appeared to be designed to attack certificate authorities. Now, these are the companies that create those digital certificates I mentioned in the previous episode, and it does this on behalf of other organizations, and those digital certificates act as an authentication, a proof that a piece of software comes from a trusted source. So if you could compromise one of these organizations that creates these certificates, you could issue yourself seemingly legitimate certificates from all sorts of trusted sources and use that to deliver malware to many potential targets that would have next to no defense against it, because their machines are trusting the source. They've been told by the operating system, hey, you can let this guy in. I know him, he's cool. Later on, investigation into Duqu indicated that it actually preceded Stuxnet. It was an older virus. It just wasn't discovered till after Stuxnet had been discovered. It may have actually served as a guide for the team who designed Stuxnet. They may have relied upon Duqu's architecture to build Stuxnet. It did not use USB sticks to infect computers, however.
Instead the code was hidden inside a bogus word document, and the document contained the malware that would explore eight a vulnerability in the font parsing engine for Windows. Dooku was suspected of gathering some of the information that stucks net would later capitalize on, but researchers also felt that the two malware packages had been designed by different teams
who were working from essentially the same foundation. Another malware suite dubbed Flame by Kaspersky used a similar approach to stuck's net in some ways, but this malware was modular, meaning different payloads could be attached to the delivery mechanism, so the virus could do different things depending upon which modules you attached to it. It would determine what the code would actually do once the machine that you were targeting was infected. Uh some modules would end up activating
a microphone so that you could record nearby speech. Some would take screenshots of the target computer screens. Others would just be key loggers or programs that could copy documents that were store it on the computer and send it back to a different computer, spying stuff in other words. Now, Flame was enormous. It was twenty megabytes, so that's huge.
You know, stucks net when it was packed up was five kilobytes and it was considered big, But twenty megabytes was huge if you had all the different modules added in. And it was really interesting that someone had developed this very sophisticated approach to uh malware, something that could be adapted to specific uses, and you didn't have to include all the modules. You just include the ones that are important for whatever function you need. Um, it's pretty spooky
stuff really, and like dooku. Further investigations suggested that Flame actually came before stucks net. Again, it was discovered after stucks net, but the compiling code suggested that it actually was made first, and it led some to suspect that the stucks net developers had first started using Flame as their guide to create their malware, but then later on they switched gears and use Dooku to finish it out.
So that's the story about stocks Net. There's a lot we still don't know, and I would recommend that you know, if you're interested in learning more about this virus, check out that book I I talked about in the first episode. That book is count Down to Zero Day, stucks Net and the launch of the world's first digital weapon. The book goes into much more detail about the story of stucks Net and the people involved. It gives you background
on each of them. They're very interesting folks too. You also learn other weird stories, like how different security firms could have worked with each other and maybe unraveled stocks net a little more quickly, but due to some issues with communication and maybe some ego problems that didn't happen. So I always find those kind of stories to be really interesting too, just as interesting as the political nature
and the technological nature of this virus. It was kind of a perfect storm and really a fascinating and ultimately kind of scary topic. The idea of using code to make physical changes to our world in a destructive way is a little worrisome, maybe more than a little, especially when you consider the fact that investigators have found evidence of uh Chinese hacking code in power grid infrastructure in
the United States. Maybe that's just there to spy. Maybe it's also there is a potential way to shut down parts of the power grid should China and the United States ever enter into a more aggressively antagonistic relationship with each other. That's the world we live in now. It helps to educate yourself, but I admit it is kind of scary, but hey, not all topics that tech stuff need to be scary. Maybe next week I'll talk about Teddy Ruxman being told by Tari that Teddy Ruxman is terrifying.
But if you guys have any suggestions for future episodes of tech Stuff, get in touch with me. Let me know. Maybe there's a company you want me to talk about a specific technology. Maybe there's a guest I should have on the show, either as someone I should interview or someone who could be a guest co host for the day. Let me know your ideas. Send me the information on email. Here's the address text Stuff at how stuff works dot com, or you can drop me a line on Facebook or Twitter.
The handle of both of those is text Stuff h s W. Make sure you follow us on Instagram and if you want to watch me record these shows live. Go to twitch dot tv slash tech Stuff. There's a schedule there that tells you when I go online, and there's a chat room you can join in and chat away, and I'll be happy to chat with you, and I'll talk to you again really soon. For more on this and that of other topics, is it how stuff Works dot com m
