insight

工程技术,地产投资,信仰家园,时尚生活
个人资料
正文

计算机病毒武器实例

(2013-06-14 03:51:51) 下一个

来源:  

  

前苏联从加拿大购买石油管道控制设备,美国认为这是盗窃美国技术,在苏联订购的控制设备中装上了逻辑炸弹,结果导致1982年西伯利亚油管大爆炸,其当量相当于广岛原子弹的五分之一。

2010年1月,国际核能组织观察到伊朗浓缩铀工厂在几个月内就有两千个离心机报废。占伊朗浓缩铀工厂离心机的四分之一。伊朗核发展因此被阻断。而致使离心机报废的原因,是一种精密制导的计算机病毒武器。

这 种病毒首先由被感染的优盘带入伊朗,当优盘插入计算机的时候,微软视窗自动扫描多媒体文件播放,这个扫描过程中病毒就进入了计算机。它盗用了台湾一个工业 园中两家公司产品的电子签名逃过计算机病毒软件的安全保护。这个病毒在计算机中寻找西门子的一个控制软件,并经过该控制软件的数据库传染到局域网内其它节 点。

该病毒找到西门子控制软件以后,截获控制软件给可编程逻辑控制设备的指令,那就是给离心机的指令,然后发出虚假指令;并截获控制设备发回来的报告,把报告中虚假指令的痕迹抹掉。

虚假指令先让控制设备把换频器的正常的1064赫兹提高到1410赫兹十五分钟,然后恢复正常频率27天,再把频率降至2赫兹50分钟,过27天后重复以上指令。

西门子这个控制软件是用来控制伺服系统的马达、电路开关和气体液体阀门,广泛应用于各行各业。

该病毒把被感染计算机的信息设置送到丹麦和马来西亚的秘密服务器,而秘密服务器可以根据具体任务启动被感染计算机中病毒的不同功能。

预定于2010年8月投入运行的伊朗核电站因此被无限期延迟。

搞网络安全的人可以看看下边链接这篇文章,其中有很多破解这个病毒的有趣的细节

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

  • By Kim Zetter, Wired

Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction. The image shows two cascade halls, in the upper right corner, as they were being built deep underground. The hall on the left, Hall A, is the only one currently operational and is the building where centrifuges believed to have been damaged by Stuxnet in 2009 were installed. (Photo: DigitalGlobe and Institute for Science and International Security)

Also on Wired.com
Stuxnet Timeline Shows Correlation Among Events

 
It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium.

Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.

Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.

“We were not immune to the fact that there was a bigger geopolitical picture going on. We were definitely thinking … do I really want my name to be put on this?” – Eric Chien

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

The question was, why?

Iran wasn’t required to disclose the reason for replacing the centrifuges and, officially, the inspectors had no right to ask. Their mandate was to monitor what happened to nuclear material at the plant, not keep track of equipment failures. But it was clear that something had damaged the centrifuges.

What the inspectors didn’t know was that the answer they were seeking was hidden all around them, buried in the disk space and memory of Natanz’s computers. Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim — to sabotage the country’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear weapon.

But it would be nearly a year before the inspectors would learn of this. The answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.

 

Iranian President Mahmoud Ahmadinejad observes computer monitors at the Natanz uranium enrichment plant in central Iran, where Stuxnet was believed to have infected PCs and damaged centrifuges. (Photo: Office of the Presidency of the Islamic Republic of Iran)

 aS7tgtopx_exe:
                 unicode 0, ,0
                 align 4
 aSystemrootInf_:
                 unicode 0, <%SystemRoot%inf*.pnf>,0
                 align 4
 aSystemrootInfM:
                 unicode 0, <%SystemRoot%infmdmeric3.PNF>,0
 aSystemrootIn_0:
                 unicode 0, <%SystemRoot%infmdmcpq3.PNF>,0
                 align 10h
 aSystemrootSyst:
                 unicode 0, <%SystemRoot%system32Driversmrxcls.sys>,0
                 align 8
 aSystemrootSy_0:
                 unicode 0, <%SystemRoot%system32Driversmrxsmb.sys;%SystemRoot%sys>
                 unicode 0, ,0
                 align 8
 aSystemrootSy_1:
                 unicode 0, <%SystemRoot%system32Driversmrxnet.sys>,0
                 align 4
 aMrxcls:
                 unicode 0, ,0
                 align 10h
 aSystemCurrentc:
                 unicode 0, ,0
                 align 4
                 unicode 0, <>,0
 aImagepath:
                 unicode 0, ,0
 a_sys:
                 unicode 0, <.sys>,0
                 align 4
 a??:
                 unicode 0, ,0
                 align 4
 aGlobalWkssvcsh:
                 unicode 0, ,0
                 align 10h
 aGlobalSpooler_:
                 unicode 0, ,0
                 align 8
 aSpooler_perf_l:
                 unicode 0, ,0
                 align 10h
 aGlobal5ec171bb:
                 unicode 0, ,0
                 align 10h
 aGlobalCaa6bd26:
                 unicode 0, ,0
                 align 10h
 aGlobal4a9a9fa4:
                 unicode 0, ,0
                 align 10h
 aGlobalE41362c3:
                 unicode 0, ,0
                 align 10h
 aGlobal85522152:
                 unicode 0, ,0
                 align 10h
 aGlobalB2fac8dc:
                 unicode 0, ,0
                 align 10h
                 dd 1, 3, 2 dup(0)
                 dd 1, 0
                 dd 2, 2 dup(0)
                 dd 3, 2, 4F0053h, 540046h, 410057h, 450052h, 53005Ch, 450049h
                 dd 45004Dh, 53004Eh, 57005Ch, 6E0069h, 430043h, 53005Ch
                 dd 740065h, 700075h, 0
 aStep7_version:
                 unicode 0, ,0
 aSoftwareSiemen:
                 unicode 0, ,0
                 align 8
 aSoftwareMicr_4:
                 unicode 0, 
                 unicode 0, ,0
                 align 10h
 aNtvdmTrace:
                 unicode 0, ,0
                 dd offset dword_100335D8+0CA4h
                 dd offset dword_10001000+9Fh
                 dd offset dword_10008B7C+11DDh
                 dd offset dword_10008B7C+11E1h
                 dd offset dword_10008B7C+11E5h
                 dd 7574732Eh, 62h, 3Ah, 4D002Eh, 500043h, 0
                 dd 5037532Eh, 0
 aStgopenstorage db 'StgOpenStorage',0
                 align 4
 aOle32_dll      db 'ole32.dll',0
                 align 4
 aCcprojectmgr_e db 'CCProjectMgr.exe',0
                 align 4
 aMsvcrt_dll     db 'msvcrt.dll',0
                 align 4
 aMfc42_dll      db 'mfc42.dll',0
                 align 4
 aCreatefilea    db 'CreateFileA',0
 aKernel32_dll   db 'kernel32.dll',0
                 align 10h
 aS7apromx_dll   db 's7apromx.dll',0
                 align 10h
 
On June 17, 2010, Sergey Ulasen was in his office in Belarus sifting through e-mail when a report caught his eye. A computer belonging to a customer in Iran was caught in a reboot loop — shutting down and restarting repeatedly despite efforts by operators to take control of it. It appeared the machine was infected with a virus.

Ulasen heads an antivirus division of a small computer security firm in Minsk called VirusBlokAda. Once a specialized offshoot of computer science, computer security has grown into a multibillion-dollar industry over the last decade keeping pace with an explosion in sophisticated hack attacks and evolving viruses, Trojan horses and spyware programs.

The best security specialists, like Bruce Schneier, Dan Kaminsky and Charlie Miller are considered rock stars among their peers, and top companies like Symantec, McAfee and Kaspersky have become household names, protecting everything from grandmothers’ laptops to sensitive military networks.

VirusBlokAda, however, was no rock star nor a household name. It was an obscure company that even few in the security industry had heard of. But that would shortly change.

“If I turn up dead and I committed suicide on Monday, I just want to tell you guys, I’m not suicidal.” – Liam O Murchu

Ulasen’s research team got hold of the virus infecting their client’s computer and realized it was using a “zero-day” exploit to spread. Zero-days are the hacking world’s most potent weapons: They exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors. They’re also exceedingly rare; it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.

In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows. When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory.

It was an ingenious exploit that seemed obvious in retrospect, since it attacked such a ubiquitous function. It was also one, researchers would soon learn to their surprise, that had been used before.

VirusBlokAda contacted Microsoft to report the vulnerability, and on July 12, as the software giant was preparing a patch, VirusBlokAda went public with the discovery in a post to a security forum. Three days later, security blogger Brian Krebs picked up the story, and antivirus companies around the world scrambled to grab samples of the malware — dubbed Stuxnet by Microsoft from a combination of file names (.stub and MrxNet.sys) found in the code.

As the computer security industry rumbled into action, decrypting and deconstructing Stuxnet, more assessments filtered out.

It turned out the code had been launched into the wild as early as a year before, in June 2009, and its mysterious creator had updated and refined it over time, releasing three different versions. Notably, one of the virus’s driver files used a valid signed certificate stolen from RealTek Semiconductor, a hardware maker in Taiwan, in order to fool systems into thinking the malware was a trusted program from RealTek.

Internet authorities quickly revoked the certificate. But another Stuxnet driver was found using a second certificate, this one stolen from JMicron Technology, a circuit maker in Taiwan that was — coincidentally or not – headquartered in the same business park as RealTek. Had the attackers physically broken into the companies to steal the certificates? Or had they remotely hacked them to swipe the company’s digital certificate-signing keys? No one knew.

“We rarely see such professional operations,” wrote ESET, a security firm that found one of the certificates, on its blog. “This shows [the attackers] have significant resources.”

In other ways, though, Stuxnet seemed routine and unambitious in its aims. Experts determined that the virus was designed to target Simatic WinCC Step7 software, an industrial control system made by the German conglomerate Siemens that was used to program controllers that drive motors, valves and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants.

Although this was new in itself — control systems aren’t a traditional hacker target, because there’s no obvious financial gain in hacking them — what Stuxnet did to the Simatic systems wasn’t new. It appeared to be simply stealing configuration and design data from the systems, presumably to allow a competitor to duplicate a factory’s production layout. Stuxnet looked like just another case of industrial espionage.

Antivirus companies added signatures for various versions of the malware to their detection engines, and then for the most part moved on to other things.

The story of Stuxnet might have ended there. But a few researchers weren’t quite ready to let it go.

[ 打印 ]
阅读 ()评论 (0)
评论
目前还没有任何评论
登录后才可评论.