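The former Soviet Union bought oil pipeline control equipment from Canada. The United States regarded this as theft of American technology and planted a logic bomb in the control equipment the Soviets had ordered, which led to the great Siberian pipeline explosion of 1982, with a yield equivalent to one fifth of the Hiroshima atomic bomb.
In January 2010, the International Atomic Energy Agency observed that two thousand centrifuges at Iran's uranium enrichment plant had been scrapped within a few months, a quarter of the plant's centrifuges. Iran's nuclear development was interrupted as a result. The cause of the centrifuge failures was a precision-guided computer virus weapon.
The virus was first carried into Iran on infected USB flash drives. When a drive was plugged into a computer, Microsoft Windows automatically scanned it for multimedia files to play, and during that scan the virus entered the computer. It misappropriated the digital signatures of two companies located in one industrial park in Taiwan to slip past the protection of antivirus software. Once on a computer, the virus looked for a Siemens control software package and spread to other nodes on the local network through that software's database.
After finding the Siemens control software, the virus intercepted the instructions the software sent to the programmable logic controllers, that is, the instructions for the centrifuges, and issued false instructions in their place. It also intercepted the reports the controllers sent back and erased the traces of the false instructions from them.
The false instructions first had the controller raise the frequency converter from its normal 1064 Hz to 1410 Hz for fifteen minutes, then restored the normal frequency for 27 days, then lowered the frequency to 2 Hz for 50 minutes, and repeated the above instructions after another 27 days.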
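An added example (not from the original post or the Wired article): a monitor that compares the frequency the control software reports with an independent measurement and groups out-of-band readings into episodes, which is how the sequence described above would appear to a defender. The ±20 Hz tolerance, the independent sensor feed and all function names are assumptions; the sample telemetry is constructed, with the 27-day interval shortened to 60 minutes.

```python
from dataclasses import dataclass

NOMINAL_HZ = 1064.0   # normal converter frequency given in the text
TOLERANCE_HZ = 20.0   # assumed acceptable band; not from the page

@dataclass
class Episode:
    start_min: int
    end_min: int
    peak_hz: float    # measured value farthest from nominal
    masked: bool      # controller report stayed in band during the excursion

def find_excursions(samples, nominal=NOMINAL_HZ, tol=TOLERANCE_HZ):
    """samples: iterable of (minute, reported_hz, measured_hz), one per minute.
    reported_hz comes from the control software; measured_hz from an
    independent sensor the control path cannot rewrite (assumption)."""
    episodes, current = [], None
    for minute, reported, measured in samples:
        if abs(measured - nominal) > tol:
            report_ok = abs(reported - nominal) <= tol
            if current is None:
                current = Episode(minute, minute, measured, report_ok)
            else:
                current.end_min = minute
                if abs(measured - nominal) > abs(current.peak_hz - nominal):
                    current.peak_hz = measured
                current.masked = current.masked or report_ok
        elif current is not None:
            episodes.append(current)   # excursion ended on this in-band sample
            current = None
    if current is not None:
        episodes.append(current)       # excursion still open at end of data
    return episodes

def build_sample():
    """Constructed telemetry: schedule from the text, 27 days shortened to 60 min."""
    data, t = [], 0
    for hz, minutes in [(1064, 30), (1410, 15), (1064, 60), (2, 50), (1064, 30)]:
        for _ in range(minutes):
            data.append((t, 1064.0, float(hz)))   # report always claims nominal
            t += 1
    return data

if __name__ == "__main__":
    for ep in find_excursions(build_sample()):
        dur = ep.end_min - ep.start_min + 1
        print(f"{ep.start_min}-{ep.end_min} min ({dur} min) "
              f"peak {ep.peak_hz} Hz masked={ep.masked}")
```

An episode with `masked=True` is the case the text describes: the measured frequency left the band while the report still claimed the normal value.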
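This Siemens control software is used to control servo-system motors, electrical switches, and gas and liquid valves, and is widely used across all kinds of industries.
The virus sent the information and settings of infected computers to secret servers in Denmark and Malaysia, and those servers could activate different functions of the virus on an infected computer depending on the specific task.
The Iranian nuclear power plant that had been scheduled to go into operation in August 2010 was indefinitely delayed as a result.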
People who work in network security may want to read the article linked below, which contains many interesting details about how this virus was picked apart.
Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.
Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.
Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.
But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.
The question was, why?
Iran wasn’t required to disclose the reason for replacing the centrifuges and, officially, the inspectors had no right to ask. Their mandate was to monitor what happened to nuclear material at the plant, not keep track of equipment failures. But it was clear that something had damaged the centrifuges.
What the inspectors didn’t know was that the answer they were seeking was hidden all around them, buried in the disk space and memory of Natanz’s computers. Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim — to sabotage the country’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear weapon.
But it would be nearly a year before the inspectors would learn of this. The answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.
Ulasen heads an antivirus division of a small computer security firm in Minsk called VirusBlokAda. Once a specialized offshoot of computer science, computer security has grown into a multibillion-dollar industry over the last decade keeping pace with an explosion in sophisticated hack attacks and evolving viruses, Trojan horses and spyware programs.
The best security specialists, like Bruce Schneier, Dan Kaminsky and Charlie Miller are considered rock stars among their peers, and top companies like Symantec, McAfee and Kaspersky have become household names, protecting everything from grandmothers’ laptops to sensitive military networks.
VirusBlokAda, however, was no rock star nor a household name. It was an obscure company that even few in the security industry had heard of. But that would shortly change.
Ulasen’s research team got hold of the virus infecting their client’s computer and realized it was using a “zero-day” exploit to spread. Zero-days are the hacking world’s most potent weapons: They exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors. They’re also exceedingly rare; it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.
In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows. When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory.
It was an ingenious exploit that seemed obvious in retrospect, since it attacked such a ubiquitous function. It was also one, researchers would soon learn to their surprise, that had been used before.
VirusBlokAda contacted Microsoft to report the vulnerability, and on July 12, as the software giant was preparing a patch, VirusBlokAda went public with the discovery in a post to a security forum. Three days later, security blogger Brian Krebs picked up the story, and antivirus companies around the world scrambled to grab samples of the malware — dubbed Stuxnet by Microsoft from a combination of file names (.stub and MrxNet.sys) found in the code.
As the computer security industry rumbled into action, decrypting and deconstructing Stuxnet, more assessments filtered out.
It turned out the code had been launched into the wild as early as a year before, in June 2009, and its mysterious creator had updated and refined it over time, releasing three different versions. Notably, one of the virus’s driver files used a valid signed certificate stolen from RealTek Semiconductor, a hardware maker in Taiwan, in order to fool systems into thinking the malware was a trusted program from RealTek.
Internet authorities quickly revoked the certificate. But another Stuxnet driver was found using a second certificate, this one stolen from JMicron Technology, a circuit maker in Taiwan that was — coincidentally or not – headquartered in the same business park as RealTek. Had the attackers physically broken into the companies to steal the certificates? Or had they remotely hacked them to swipe the company’s digital certificate-signing keys? No one knew.
“We rarely see such professional operations,” wrote ESET, a security firm that found one of the certificates, on its blog. “This shows [the attackers] have significant resources.”
In other ways, though, Stuxnet seemed routine and unambitious in its aims. Experts determined that the virus was designed to target Simatic WinCC Step7 software, an industrial control system made by the German conglomerate Siemens that was used to program controllers that drive motors, valves and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants.
Although this was new in itself — control systems aren’t a traditional hacker target, because there’s no obvious financial gain in hacking them — what Stuxnet did to the Simatic systems wasn’t new. It appeared to be simply stealing configuration and design data from the systems, presumably to allow a competitor to duplicate a factory’s production layout. Stuxnet looked like just another case of industrial espionage.
Antivirus companies added signatures for various versions of the malware to their detection engines, and then for the most part moved on to other things.
The story of Stuxnet might have ended there. But a few researchers weren’t quite ready to let it go.