Buggy Win 95 Code Almost Wrecked Stuxnet Campaign
mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.
funny... (Score:3)
Because it is buggy code, written with poor security, that allows things like this to spread in the first place.
Re: funny... (Score:1)
I'm shocked that your obviously high level of intellect and professionalism did not allow them to overlook your refusal to commit a felony on their behalf by lying to the FBI. Those bastards at MS are just so set in their evil ways.
Re: (Score:2)
He did say, "my old roommate", which could be taken to mean he doesn't have one any longer. And one might have a roommate for any number of reasons. Not that any of this makes me any more inclined to believe him, just that you seem to pick an odd point to dwell upon.
Windows !!! (Score:3, Interesting)
WTF, an anti-American country using an OS developed in the US?
Why didn't they use Linux, BSD, or even the Russian or RedFlag version?
Re: Windows !!! (Score:1)
They're on Windows because the customer knows best and the customers for SCADA systems demand Windows. The vast majority of players in that business are primarily targeting Windows.
Re: (Score:2)
On Linux the attack would have faced a lot more challenges though.
No autoplay (which was the core attack vector), and you'd hope the SCADA software would run as its own user under Linux, which isn't possible with Windows.
Re: (Score:2)
The one where you Right click the application and it's like the 3rd option in the context menu?
Re: (Score:2)
Sorry it's shift right-click in Windows 7.
Re: (Score:2)
C'Mon people, Microsoft does enough shit wrong, we don't need to make crap up.
Ever enabling autorun was something they did wrong. And disabling it should have been a simple checkbox in the drive properties where it would make sense.
Re: (Score:2)
Right click->Run as different user. Yeah, real difficult.
Re: (Score:2)
To be perfectly honest, I spent most of the 90's installing software in Unix as root because, well, it eliminated any issues with permissions.
It wasn't until the late nineties that I had an employer who demanded that we build out implementation plans for each install that followed their tight security guidelines.
I would bet that more than a few *nix admins just do everything as root to avoid any hassle during install.
Re: (Score:2)
In the 90s, when you actually had to switch users to root to do any GUI root actions, I can see that happening. But these days few distros even allow a GUI login as root and sudo is the norm.
Re: (Score:2)
Which is not how system services are designed to be invoked at all.
Re:Windows !!! (Score:5, Insightful)
Stuxnet used multiple zero-day flaws across several different kinds of hardware (not all of which were even PCs). Once you get into that advanced an attack, the underlying OS becomes much less important: all software has flaws in it, and if you know where the flaws are, you can exploit them. And those flaws are there (remember Shellshock [wikipedia.org], anyone?), except in the most basic purpose-specific programming (and even then, there are often flaws). Using Windows opens you up to more generic attacks, especially if you deliberately lower (or don't use) Windows' defenses for ease of use (much as using root for everything in Linux does), but against targeted well-funded attacks you should assume they're more or less equally vulnerable.
Re: (Score:3)
This^ ++isTrue
Re: (Score:2)
It's impossible? So when I right click and choose "Run as different user" do I have some magical version of Windows?
Re: (Score:2)
You are clearly clueless about how Linux does it, and yes, Windows cannot do it.
On my servers, the DNS server runs under its own user. It can't touch anything it isn't supposed to. The mail server runs under its own. The web server runs under its own. Hell, even the server monitoring software runs under its own user.
This is by default with nothing further to do. No service can muck with stuff it isn't allowed to, and even if there was autoplay on USB sticks, nothing on that USB stick could touch any of
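To see how a given Windows host actually fares on this point, here is an added PowerShell snippet (editor's example, not from any commenter). It groups every installed service by the account it runs under, so you can see at a glance which ones are isolated in a dedicated or virtual account and which run as LocalSystem, and it flags LocalSystem services whose binary is not Microsoft-signed, which is where a dropped driver or service would sit. The "Microsoft" signer test is a loose heuristic, not an authoritative allowlist.

```powershell
# Added example: audit which account each Windows service runs under.

function Get-ServiceAccountSummary {
    Get-CimInstance -ClassName Win32_Service |
        Group-Object StartName |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Services = $_.Count
                Examples = ($_.Group.Name | Select-Object -First 5) -join ', '
            }
        }
}

# LocalSystem services whose executable is not signed by Microsoft deserve a second look.
function Get-SystemServicesWithNonMicrosoftBinary {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; extract just the executable path.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($_.PathName -match '^(.+?\.exe)') { $Matches[1] }
                   else { $_.PathName }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                if ($signer -notmatch 'Microsoft') {
                    [pscustomobject]@{ Service = $_.Name; Exe = $exe; Signer = $signer; Status = $sig.Status }
                }
            }
        }
}

Get-ServiceAccountSummary | Format-Table -AutoSize
Get-SystemServicesWithNonMicrosoftBinary | Format-Table -AutoSize
```

On a typical box most entries fall under LocalSystem, NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService, or per-service NT SERVICE\ virtual accounts; anything third-party sitting in the LocalSystem bucket is a candidate for moving to a less privileged account.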
Re: (Score:2)
If we are talking found and reported vulnerabilities, then yes, Linux has more. Although notably, even grouping together all Linux kernel vulnerabilities regardless of version the number of HIGH vulnerabilities is not higher than the number of HIGH vulnerabilities in Windows 8.1.
But then, it's a lot easier to get fewer vulnerabilities when dropping support for one of the most used OSes on the planet. Although XP is only on about 14% of all PCs now [malwarebytes.org], it appears. And now support for Windows 8.1 is dropped as [theconversation.com]
Re: (Score:2)
How many vulnerabilities are there in Ubuntu 6?
39 total vulnerabilities, 7 high severity, 27 medium severity, 5 low severity.
http://www.gfi.com/blog/most-v... [gfi.com]
Debian Sid?
Couldn't find that. It's in NVD though, if you're really interested.
https://nvd.nist.gov/ [nist.gov]
Windows XP is FIFTEEN YEARS OLD
No it's not. It's still under development, and there is almost nothing left of the codebase from the original XP when you have patched up an XP install.
Otherwise Linux is TWENTYFOUR YEARS OLD, but you know, writing that in all caps as if it means something just seems silly. Because it is.
And hardly any of the
Re: (Score:1)
I don't like the United States of America, yet I still use Windows.
Re:Windows !!! (Score:5, Insightful)
Cost is a huge driver for these things, and is a large part of why Siemens and other SCADA/ICS manufacturers moved from entirely proprietary systems of the past, to using commercial off the shelf hardware for the Human-Machine Interface (HMI) and such.
And what's the most common OS in business, the one that corporate is most familiar with, and the most likely for them to choose to put into pretty much anything? Why, Microsoft Windows.
Re: (Score:2)
I'd deem it unlikely that they're too stupid. But nobody pays a few millions for your team to spend 2 years to build a SCADA system which is then not even on par with one that they could simply buy.
If you look for the reason for this failure, don't look at the engineers. They're not the one making economy decisions.
Re: (Score:3)
But ... but ... IT'S CHEAP!
Hard economy trumps sentimentalist patriotism any time. Or when did you see the last US-Flag-flying, "U - S - A" chanting redneck reach for something "made in the U.S.A" when there's a Chinese knockoff available that's 10 cents cheaper?
Re: (Score:2)
Why they didn't use Linux, BSD, even the Russia or RedFlag version ?
For the same reason nobody wants to use Linux or OSX. Software.
Re: (Score:2)
Heh. You supported my point but phrased it as a rebuttal. Nice.
Re: (Score:2)
Why they didn't use Linux, BSD, even the Russia or RedFlag version ?
Because their UI is shit? I mean it's 2015, and Linux still hasn't made any headway onto the desktop...
Re: (Score:2)
Do you consider the Windows interface, with its two-desktop paradigm, better than MATE or Cinnamon, which have roughly the same interface as XP? Or do you consider OS X, with a dock copied from the early Sun/CDE desktop, better? That design was retaken by Gnome or Unity, but with better use of the wide screen.
Re: (Score:2)
As compared to the UI regressions on the Windows and Mac side over the past few years? Granted, some of the popular Linux desktops also have similar problems, but at least in the Linux world you have a choice as to what desktop you want to use.
Re: (Score:2)
It makes sense if you read it as a German. "Code" is a homonym for the German "Kot [leo.org]". And that makes a LOT of sense.
Bug in their bug (Score:4, Insightful)
We've noticed that the slide showing the Stuxnet disassembly doesn't support Werner and Leder's comments regarding the worm and Windows 9x
It appears they misunderstood the code they were looking at. But another quote earlier in the story is more relevant anyway:
either the worm couldn't find any old Windows boxes, or perhaps the Iranian boffins were used to Windows 95 and 98 falling over anyway
Really, who would be surprised by a blue screen from a Windows 95 box?
Re: (Score:2)
Really, who would be surprised by a blue screen from a Windows 95 box?
The giveaway was probably when the blue screen was replaced with CIA's logo and the text "All your base are belong to us."
Ah yes, the precursor to "I'm all about that bass." Damn you - now I can't get that techno out of my head!
Re: (Score:1)
You could lower the crashiness in Win95 by removing everything, hardware and software, marked with "Creative Labs". My last sound card made by Creative was Soundblaster 16.
Re: (Score:2)
Yeah, I remember. At one point, it got so bad I counted the BSODs. The record was 15, in an 8 hour day.
Canary in a coal mine (Score:5, Insightful)
That hadn't occurred to me before -- keep a Windows 95 box on the network as a canary, expecting it to crash if there is an intruder on the network.
Only problem might be too many false positives.
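If you did want a crash canary, a modern Windows host is easier to watch than a Windows 95 box, because it keeps an event log you can query remotely. The added PowerShell below (editor's example, not from any commenter) pulls the two System-log events that record a crash: ID 1001 from the BugCheck source, written after a blue screen, and ID 6008, written when the previous shutdown was unexpected. The computer name and the seven-day window are placeholders.

```powershell
# Added example: list blue screens and unexpected shutdowns on a canary host.
function Get-CrashEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: name your canary here
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    # 1001 (source BugCheck): a bugcheck/blue screen was recorded on the last boot
    # 6008 (source EventLog): the previous system shutdown was unexpected
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'System'; Id = @(1001, 6008); StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Anything returned here is a crash to explain; an empty result means a quiet week.
Get-CrashEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

The false-positive problem the comment raises is real: a crash tells you the box fell over, not why, so the value of a canary comes from pairing the event with the bugcheck's minidump and from keeping the canary otherwise boringly stable.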
Re: (Score:2, Informative)
Get Windows 3.11 then. It's still on MSDN! [microsoft.com]
Don't forget DOS 6.22 [microsoft.com] to go with it.
Relive the wonders of AUTOEXEC.BAT and CONFIG.SYS hell.
Opera 3 [oldapps.com] works as a browser.
bottle deposit machines (Score:2)
This hadn't occurred to me before. I wonder if viruses are the reason those stupid bottle deposit machines are always out of order. I swear to Fudd, I've seen them reboot, usually just as I'm dumping in the last bag of soft drink cans, and they display the Windows 98 splash screen.
They have this backwards (Score:2)
If a Win 95 box failed to produce at least a few BSODs a week, especially when something really important was being done with it...now that would have been suspicious.
Funny word for a "cyberattack" (Score:2)
It's the term the people who did this would use if it happened to them.... funny calling it a campaign when, by their own definitions, it was an attack. Shit, if they did similar, it might even be trumped up as an act of war.
Hmmm (Score:2)
If it's the choice between a blue screen and a brown mushroom...