insight

An Example of a Computer-Virus Weapon

(2013-06-14 03:51:51)

The former Soviet Union bought oil-pipeline control equipment from Canada. The United States regarded this as theft of American technology and planted a logic bomb in the control equipment the Soviets had ordered, which led to the 1982 explosion of the Siberian pipeline, with a yield equivalent to one fifth of the Hiroshima atomic bomb.

In January 2010, the International Atomic Energy Agency observed that Iran's uranium enrichment plant had scrapped two thousand centrifuges within a few months, a quarter of the plant's centrifuges. Iran's nuclear development was thereby set back. The cause of the centrifuge failures was a precision-guided computer-virus weapon.

The virus was first carried into Iran on infected USB flash drives. When such a drive is plugged into a computer, Microsoft Windows automatically scans it for media files to play, and during that scan the virus enters the computer. It used stolen digital signatures belonging to the products of two companies in an industrial park in Taiwan to slip past the protection of antivirus software. Once on a computer, the virus looks for a particular Siemens control software package and spreads through that software's database to other nodes on the local network.

After finding the Siemens control software, the virus intercepts the commands that the control software sends to the programmable logic controllers, that is, the commands to the centrifuges, and issues false commands in their place; it also intercepts the reports the controllers send back and erases from them any trace of the false commands.

The false commands first have the controller raise the frequency converter from its normal 1064 Hz to 1410 Hz for fifteen minutes, then restore the normal frequency for 27 days, then lower the frequency to 2 Hz for 50 minutes, and after another 27 days repeat the sequence.
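To make the sequence concrete from a monitoring standpoint, here is an added Python model (not code from the original post) of the cycle above, together with an out-of-band monitor that compares what the controller reports with an independent sensor reading; the sampling interval, tolerance and safe band are assumptions.

```python
from dataclasses import dataclass

# Constants taken from the sequence described in the text.
NORMAL_HZ = 1064.0
HIGH_HZ, HIGH_MIN = 1410.0, 15          # 1410 Hz for 15 minutes
LOW_HZ, LOW_MIN = 2.0, 50               # 2 Hz for 50 minutes
REST_MIN = 27 * 24 * 60                 # 27 days of normal running between steps
PERIOD_MIN = HIGH_MIN + REST_MIN + LOW_MIN + REST_MIN

def actual_drive_hz(t_min: int) -> float:
    """Frequency really applied to the converter at minute t_min."""
    t = t_min % PERIOD_MIN
    if t < HIGH_MIN:
        return HIGH_HZ
    t -= HIGH_MIN
    if t < REST_MIN:
        return NORMAL_HZ
    t -= REST_MIN
    return LOW_HZ if t < LOW_MIN else NORMAL_HZ

def reported_drive_hz(t_min: int) -> float:
    """What the control software is shown: the worm scrubs its traces from
    the controller's reports, so the operator screen always reads normal."""
    return NORMAL_HZ

@dataclass
class Alert:
    minute: int
    reported: float
    measured: float
    reason: str

def monitor(samples, tolerance_hz=5.0, band=(NORMAL_HZ - 50, NORMAL_HZ + 50)):
    """Assumed monitor design: compare the PLC-reported frequency with a
    reading from an independent sensor the PLC cannot rewrite.
    samples: iterable of (minute, reported_hz, measured_hz)."""
    alerts = []
    for minute, reported, measured in samples:
        if not band[0] <= measured <= band[1]:
            alerts.append(Alert(minute, reported, measured, "out of band"))
        elif abs(reported - measured) > tolerance_hz:
            alerts.append(Alert(minute, reported, measured, "report mismatch"))
    return alerts

def simulate(days=60, sample_every_min=5):
    """Constructed run: 60 days of 5-minute samples against the cycle above."""
    samples = [(t, reported_drive_hz(t), actual_drive_hz(t))
               for t in range(0, days * 24 * 60, sample_every_min)]
    return monitor(samples)

if __name__ == "__main__":
    for a in simulate():
        print(a)
```

Because the reported value never deviates, only the independent measurement exposes the excursions; the run above flags each sampled minute of the high and low phases.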

This Siemens control software is used to control servo-system motors, circuit switches and gas and liquid valves, and is widely used across many industries.

The virus sends the infected computer's information and settings to covert servers in Denmark and Malaysia, and those servers can activate different functions of the virus on the infected computer depending on the specific task.

Iran's nuclear power plant, scheduled to go into operation in August 2010, was consequently delayed indefinitely.

Those who work in network security may want to read the article linked below, which has many interesting details about how this virus was cracked.

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

By Kim Zetter, Wired

Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction. The image shows two cascade halls, in the upper right corner, as they were being built deep underground. The hall on the left, Hall A, is the only one currently operational and is the building where centrifuges believed to have been damaged by Stuxnet in 2009 were installed. (Photo: DigitalGlobe and Institute for Science and International Security)

It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium.

Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.

Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.

“We were not immune to the fact that there was a bigger geopolitical picture going on. We were definitely thinking … do I really want my name to be put on this?” – Eric Chien

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

The question was, why?

Iran wasn’t required to disclose the reason for replacing the centrifuges and, officially, the inspectors had no right to ask. Their mandate was to monitor what happened to nuclear material at the plant, not keep track of equipment failures. But it was clear that something had damaged the centrifuges.

What the inspectors didn’t know was that the answer they were seeking was hidden all around them, buried in the disk space and memory of Natanz’s computers. Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim — to sabotage the country’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear weapon.

But it would be nearly a year before the inspectors would learn of this. The answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.


Iranian President Mahmoud Ahmadinejad observes computer monitors at the Natanz uranium enrichment plant in central Iran, where Stuxnet was believed to have infected PCs and damaged centrifuges. (Photo: Office of the Presidency of the Islamic Republic of Iran)

On June 17, 2010, Sergey Ulasen was in his office in Belarus sifting through e-mail when a report caught his eye. A computer belonging to a customer in Iran was caught in a reboot loop — shutting down and restarting repeatedly despite efforts by operators to take control of it. It appeared the machine was infected with a virus.

Ulasen heads an antivirus division of a small computer security firm in Minsk called VirusBlokAda. Once a specialized offshoot of computer science, computer security has grown into a multibillion-dollar industry over the last decade keeping pace with an explosion in sophisticated hack attacks and evolving viruses, Trojan horses and spyware programs.

The best security specialists, like Bruce Schneier, Dan Kaminsky and Charlie Miller are considered rock stars among their peers, and top companies like Symantec, McAfee and Kaspersky have become household names, protecting everything from grandmothers’ laptops to sensitive military networks.

VirusBlokAda, however, was no rock star nor a household name. It was an obscure company that even few in the security industry had heard of. But that would shortly change.

“If I turn up dead and I committed suicide on Monday, I just want to tell you guys, I’m not suicidal.” – Liam O Murchu

Ulasen’s research team got hold of the virus infecting their client’s computer and realized it was using a “zero-day” exploit to spread. Zero-days are the hacking world’s most potent weapons: They exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors. They’re also exceedingly rare; it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.

In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows. When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory.

It was an ingenious exploit that seemed obvious in retrospect, since it attacked such a ubiquitous function. It was also one, researchers would soon learn to their surprise, that had been used before.

VirusBlokAda contacted Microsoft to report the vulnerability, and on July 12, as the software giant was preparing a patch, VirusBlokAda went public with the discovery in a post to a security forum. Three days later, security blogger Brian Krebs picked up the story, and antivirus companies around the world scrambled to grab samples of the malware — dubbed Stuxnet by Microsoft from a combination of file names (.stub and MrxNet.sys) found in the code.

As the computer security industry rumbled into action, decrypting and deconstructing Stuxnet, more assessments filtered out.

It turned out the code had been launched into the wild as early as a year before, in June 2009, and its mysterious creator had updated and refined it over time, releasing three different versions. Notably, one of the virus’s driver files used a valid signed certificate stolen from RealTek Semiconductor, a hardware maker in Taiwan, in order to fool systems into thinking the malware was a trusted program from RealTek.

Internet authorities quickly revoked the certificate. But another Stuxnet driver was found using a second certificate, this one stolen from JMicron Technology, a circuit maker in Taiwan that was — coincidentally or not – headquartered in the same business park as RealTek. Had the attackers physically broken into the companies to steal the certificates? Or had they remotely hacked them to swipe the company’s digital certificate-signing keys? No one knew.

“We rarely see such professional operations,” wrote ESET, a security firm that found one of the certificates, on its blog. “This shows [the attackers] have significant resources.”

In other ways, though, Stuxnet seemed routine and unambitious in its aims. Experts determined that the virus was designed to target Simatic WinCC Step7 software, an industrial control system made by the German conglomerate Siemens that was used to program controllers that drive motors, valves and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants.

Although this was new in itself — control systems aren’t a traditional hacker target, because there’s no obvious financial gain in hacking them — what Stuxnet did to the Simatic systems wasn’t new. It appeared to be simply stealing configuration and design data from the systems, presumably to allow a competitor to duplicate a factory’s production layout. Stuxnet looked like just another case of industrial espionage.

Antivirus companies added signatures for various versions of the malware to their detection engines, and then for the most part moved on to other things.

The story of Stuxnet might have ended there. But a few researchers weren’t quite ready to let it go.
