Spy Shortcut: The Story of the Stuxnet Trojan. Federal Danger Service


“I don’t know what weapons will be used to fight in the third world war, but in the fourth they will use stones and clubs.”
Albert Einstein
At the end of September it became known that the Stuxnet virus had caused serious damage to the Iranian nuclear program. Exploiting operating system vulnerabilities and the notorious “human factor”, Stuxnet put 1,368 of the 5,000 centrifuges at the Natanz uranium enrichment plant out of action and disrupted the launch of the Bushehr nuclear power plant. The customer is unknown. The immediate culprit was a careless Siemens employee who plugged an infected flash drive into a workstation. The damage done to Iran's nuclear facilities is comparable to that of an Israeli Air Force strike.
The world is talking about wars of a new generation. Cyber attacks could become the ideal weapon of the wars to come: swift, devastating in effect and, as a rule, anonymous. Today states are hurriedly agreeing on a joint strategy for countering cyber threats. What will happen tomorrow? Unfortunately, the most realistic answer to that question is still Einstein's sad aphorism.
Iran is helpless against the techno-threat
The opinion pages of the world press are full of gloomy prophecies about the coming era of technological wars. Experts from every field, from IT security to linguistics and anthropology, are struggling to decipher Stuxnet, the virus that hit Iran's nuclear facilities. Antivirus laboratories discovered Stuxnet quite some time ago, but the world learned the true scale of the infection only at the end of September, when the delay in launching Iran's first nuclear power plant, at Bushehr, became known. Although Ali Akbar Salehi, head of the Atomic Energy Organization of Iran, said that the delay had nothing to do with the virus, Mark Fitzpatrick of the International Institute for Strategic Studies remarked that this sounded “not very serious” and that Iran tends to hush up real problems at the plant. Some time later Mahmoud Jafari, manager of the Bushehr plant's project department, “let it slip”: according to him, Stuxnet “infected several computers, but did not cause any damage to the station's main operating system.” Sapienti sat. Iran's nuclear facilities at Natanz were also badly hit: 1,368 of the 5,000 centrifuges were disabled by Stuxnet. When Mahmoud Ahmadinejad was asked point-blank after the UN General Assembly session about the technological problems with the nuclear program, he just shrugged and said nothing. Note that, according to the New York Times, the damage done by the virus in Iran is comparable to that of an Israeli Air Force strike.
Author! Author!
For obvious reasons Stuxnet's developers prefer to keep a low profile, but the complexity of the virus is plainly unprecedented. A project of this kind requires enormous intellectual and financial investment, which means that only state-scale organizations can afford it. All the experts agree that the virus is not the work of a “group of enthusiasts”. Laurent Eslau, head of security systems at Symantec, estimates that at least six to ten people worked on Stuxnet for six to nine months. Frank Rieger, technical director of GSMK, backs his colleague: in his view the virus was written by a team of ten experienced programmers and took about six months. Rieger also puts a price on Stuxnet: at least $3 million. Eugene Kaspersky, CEO of Kaspersky Lab, speaks of the virus's military purpose: “Stuxnet does not steal money, does not send spam and does not steal confidential information. This malware was created to control production processes, literally to take charge of huge production capacities. In the recent past we fought cyber criminals and online hooligans; now, I fear, the time of cyber terrorism, cyber weapons and cyber wars is coming.” Tillmann Werner of the Honeynet Project, a community of Internet security experts, is sure that lone hackers are not capable of this. “Stuxnet is so advanced technically that we must assume government experts were involved in developing the malware, or at least gave some assistance in its creation,” Werner said.

While analyzing Stuxnet, some media outlets concluded that Israel was behind the virus. The first to speak of Israel's involvement in the attack on Iran was John Markoff of the New York Times, who reported that analysts had noted the name of one code fragment, “myrtus” (myrtle). In Hebrew “myrtle” is “hadas”, which echoes “Hadassah”, the Hebrew name of Esther, the heroine of Jewish history who saved her people from destruction in the Persian Empire. Drawing the analogy with ancient Persia, on whose territory modern Iran lies, some analysts believe Israel left a “calling card” in the virus's code. According to a number of other experts, however, this version does not stand up to scrutiny and reads like the plot of a cheap detective novel: too primitive a “signature” for a project of this scale.

At the same time it should be stressed that last summer (recall that Stuxnet began spreading in 2009) WikiLeaks reported a serious nuclear accident at Natanz. Soon afterwards it emerged that the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, had resigned without explanation. Around the same time Israeli politicians and military officers were quoted in the media on a possible confrontation with Iran on the technological front. Israel also revised its estimate of when Iran would obtain an atomic bomb, pushing it back to 2014, and the term of Mossad chief Meir Dagan was extended for his part in unnamed “important projects”.

Human factor
The story of the initial infection that set the virus spreading is instructive. Obviously, automated control systems at this level are not connected to the Internet. Kenneth Geers of the NATO Cooperative Cyber Defence Centre in Estonia suggested at a security conference that the success of the Stuxnet attack depended solely on contacts with the right people and... ordinary USB drives. “You can pay someone to introduce a Trojan into a closed system, or swap a flash drive that was intended for internal use only,” Geers reflects. “It is enough to insert an infected flash drive into a standard USB port on the computer, and Stuxnet will immediately and automatically jump into the operating system, and no antivirus programs or other protective measures will get in its way.” And indeed the “weak link” turned out to be the human factor: Stuxnet entered the system via an ordinary USB drive that a careless employee plugged into a workstation. Stuxnet did not even need AutoRun: merely displaying the drive's contents in Explorer was enough to trigger its shortcut (.LNK) exploit. Notably, after Iranian Intelligence Minister Heydar Moslehi announced the detention of “nuclear spies” (who turned out to be entirely uninvolved Russian technicians), Siemens management admitted that the virus had been introduced by company employees, stressing that the infection was unintentional. It should be noted that Stuxnet affects only one specific family of Siemens controllers, the SIMATIC S7, which, according to the IAEA, Iran uses.
Cyberwar. The battlefield is Earth?
At the Virus Bulletin 2010 conference in Vancouver, Canada, a short presentation by Liam O Murchu, one of Symantec's leading security experts, caught the public's attention. The analyst staged an experiment that explained the danger of cyber threats better than hundreds of formal reports. O Murchu set up an air pump on stage driven by a Siemens programmable logic controller, infected the workstation controlling the pump with Stuxnet and started the process. The pump quickly inflated a balloon, but the process did not stop: the balloon kept inflating until it burst. “Imagine that this is not a balloon but an Iranian nuclear power plant,” the expert said, putting an end to the question of how “serious” cyber wars are.

O Murchu's colleagues fully share his concern. Trend Micro researcher Paul Ferguson said that with Stuxnet a fully fledged cyber weapon has appeared in the world, one that goes beyond the traditional criminal schemes (theft of credit card numbers and so on) and can cause serious accidents at highly dangerous industrial facilities. Ferguson stresses that analysts will now “literally frighten governments into taking serious security measures.”

Indeed, General Keith Alexander, head of the newly created US Cyber Command at the Pentagon, told Congress publicly that the threat of cyber warfare has grown rapidly in the past few years. Alexander recalled two cyber attacks on entire states: on Estonia (in 2007, after the removal of the Bronze Soldier) and on Georgia (in 2008, during the war with Russia).

Estonian President Toomas Hendrik Ilves, in an interview with the Berliner Zeitung, raises the issue of cyber threats to a genuinely high level. The Estonian president stresses that NATO's decision to locate its Cyber Defence Centre in Tallinn (recall that it opened in May 2008) is due to the fact that Estonia is one of the most computerized countries in Europe, as well as the first state to suffer a full-scale cyber attack, in 2007. After the attack paralyzed the country's entire infrastructure, Estonian Defense Minister Jaak Aaviksoo even demanded that NATO treat such cyber attacks as military actions. The president makes similar points today: “The Stuxnet virus showed how seriously we must take cybersecurity, because vital infrastructure can be destroyed with products of this kind. In Iran's case the virus was evidently aimed at its nuclear program, but similar viruses could destroy our computer-driven economy. This should be discussed in NATO: if a missile destroys a power plant, Article 5 comes into force. But what do we do in the event of an attack by a computer virus?” asks Toomas Hendrik Ilves. The president's proposal is in line with current trends: “Both the EU and NATO must develop a common policy, including legal norms, that will become the basis for collective defense against threats in cyberspace,” the head of state believes.

Deputy Secretary of Defense William J. Lynn fully agrees with Toomas Hendrik Ilves. In an interview with Radio Liberty, Lynn tried to answer the question Ilves raised: “If an attack hit significant elements of our economy, we should probably consider it an attack. But if a hack resulted in data theft, it may not be an attack. Between these two extremes there are many other possibilities. To formulate a clear policy line we must decide where the line lies between hacking and attack, or between espionage and data theft. I believe this is being discussed both inside and outside government, and I do not think that discussion has been exhausted yet.”

In addition, the key point of William Lynn's speech was the public announcement of the five principles on which the new United States cybersecurity strategy rests. We quote the Deputy Secretary of Defense without cuts:
“The first of these principles is that we must recognize cyberspace for what it has already become - a new war zone. Just like land, sea, air and space, we must view cyberspace as a domain of our operations that we will protect and extend our military doctrine to. That's what drove us to create a unified Cyber ​​Command within Strategic Command.

The second principle, which I have already mentioned, is that defense must be active. It should include two generally accepted lines of passive defense. The first is, in effect, ordinary hygiene: install patches on time, update your antivirus programs, improve your protection tools. We also need a second line of defense, the one used by private companies: intrusion detection systems, security monitoring programs. All these tools will probably help you repel about 80 percent of attacks. The remaining 20 percent, a very rough estimate, are sophisticated attacks that cannot be prevented or stopped by patching holes. A much more active arsenal is needed. We need tools that can detect and block malicious code. We need programs that will identify and hunt down the malicious elements that have invaded your own network. Once you have found them, you should be able to block them from communicating with the outside network. In other words, it is more like a war of maneuver than a Maginot Line.

The third principle of a cybersecurity strategy is the protection of civilian infrastructure.

Fourth, the United States and its allies must take collective defense measures. Important decisions in this regard will be made at the upcoming NATO summit in Lisbon.

Finally, the fifth principle is that the United States must remain at the forefront of software development.”

The reaction of Dmitry Rogozin, Russia's permanent representative to NATO, to the processes under way in the Alliance is very telling. Russia is evidently extremely concerned about the upcoming NATO summit in Lisbon on November 20, because it is planned to settle the dilemma of whether an attack on the military and government computer networks of a NATO member counts as grounds for invoking Article 5 of the Washington Treaty and responding with a collective military strike. Rogozin, in his characteristic style, writes: “We will finally find out whether NATO considers it permissible to drop a nuclear bomb on hackers' apartments, or whether it is assumed that cyber war will not go beyond the boundaries of cyberspace. I have great reason to doubt the latter. Literally before our eyes a huge scandal is unfolding in the Western press over the spread of a computer worm called Stuxnet. I am used to reading and sending text messages in Latin letters, so I immediately read the name of the virus as a Russian verb in the future tense: “stukhnet” (it will go bad). Rest assured, something will definitely go bad or fall off for someone, especially those who started this virus. As we know, whoever sows the wind will reap the whirlwind.” Without venturing to comment on Mr. Rogozin's literary and creative research, we note that in the two largest hacker attacks on entire states (Estonia and Georgia) the blame was laid on Russia; perhaps that is what caused such a violent reaction from the impressionable plenipotentiary.

Thus, against the backdrop of the hysteria provoked by Stuxnet, a number of states have announced the need to formulate a joint policy for preventing cyber attacks. Will this lead to the desired result, even if we assume that some document regulating the use of destructive technologies will be drafted (and signed)? To IT Business Week this seems extremely doubtful: the temptations offered by high technology are too great: anonymity, safety (for the attacker), an unprecedented cost-effectiveness ratio. This means that Stuxnet was only the first swallow of an era of techno-social revolution that has begun not at all as dreamed.


I am a professional programmer and a physicist by training, so nothing stated in this article is speculation; I can do all of it myself, with my own hands. And I have far more information on the topic than I can present on this platform, which is not a core one for me.
So if you object on the forum, think about who you are objecting to.
This is not “from the pass”, where I look like an amateur; on this topic I am a professional, so listen with respect.


Let's start a hundred years ago

In 1905, when a military column was crossing the “Egyptian” bridge in St. Petersburg, it collapsed because of a strong “swing”, as it was called then. Now we would say because of resonance.

The main version is that the bridge structure could not withstand the overly rhythmic vibrations from the soldiers' coordinated step, which set up a resonance in it. This version made it into the school physics curriculum as a textbook example of resonance.

In addition, a new military command, “break step”, was introduced; it is given to a marching column before it enters any bridge.

The story is also instructive in that, faced with an unknown phenomenon, the military quickly worked it out and took adequate measures to prevent it in future.

We need such thoughtfulness and efficiency now.

Accident at the Sayano-Shushenskaya hydroelectric power station

In modern Russia, a hundred years later, a similar catastrophe occurred. As a result of the accident at power unit No. 2 of the Sayano-Shushenskaya hydroelectric power station on August 17, 2009, the turbine hall was destroyed and the station's operation stopped completely; the accident claimed 75 lives (not a single person died on the bridge).

Officially, the cause of the accident is formulated in the report of the commission investigating its circumstances as follows:

Owing to the repeated occurrence of additional variable loads on the hydraulic unit, associated with passing through the non-recommended zone, fatigue damage formed and developed at the unit's attachment points, including the turbine cover. The failure of the studs under dynamic loads led to the tearing off of the turbine cover and depressurization of the unit's water supply path.

Translated into plain language, the power unit (a hydraulic turbine coupled to an electric generator) collapsed because of prolonged operation in load ranges where the electromechanical system has resonances.

A hundred years ago the experts worked out the situation and drew conclusions that everyone still follows; nobody will ever cancel the command “break step”.

But at the present time, the reasons have not been figured out and no conclusions have been drawn.

In the document the resonance region is vaguely called the “non-recommended zone”. The officials did not even have the courage to call things by their proper names, let alone draw conclusions. Meanwhile, events developed further.

Stuxnet virus

Stuxnet was the first computer virus to damage physical objects. Because of it many centrifuges at Iranian nuclear facilities failed in 2010. A cyber attack on Iran's uranium enrichment plant at Natanz set Iran's nuclear program back by several years.

Military analysts acknowledge that Stuxnet has become a new milestone in the development of cyber weapons. It has crossed from virtual space into reality, since an attack by such a virus affects not information but physical, real-world objects.

The Stuxnet virus destroyed the centrifuges by the resonance method, acting on the electromechanical structure of the centrifuge. In simple terms: a gas centrifuge has a rapidly rotating shaft (20-50 thousand revolutions per minute) driven by an electric motor. The motor is controlled by a controller; if that controller is reprogrammed so that it periodically changes the rotation speed of the centrifuge shaft (professionals call this a “frequency beat”), then at certain “beat” frequencies the system goes into resonance, and both the shaft bearings and the centrifuge housing itself break up.

Moreover, this will look like an ordinary breakdown unrelated to the operation of the motor controller's electronics and programs. First the vibration grows, then the nuts holding the housing parts begin to work loose, then the bearings fail and the system finally seizes and loses its seal.

When it got into the facility, the Stuxnet virus did exactly that: it reprogrammed the Simatic S7 motor controller so that it outputs voltage with a beat frequency that is a multiple of the resonant frequencies of the rotating centrifuge shaft.

The process of building up the resonance amplitude can last for hours, if not days, so to the maintenance staff it looked like a design defect in the centrifuge itself.

The Iranians never realized that their centrifuges were being destroyed by a virus until programmers from Belarus discovered the virus itself and worked out its payload. Only after that did Stuxnet gain worldwide fame, and Iran admitted that its nuclear facility had been deliberately attacked by this cyber weapon for at least a year.

What happened at the Sayano-Shushenskaya hydroelectric power station

The accident at the second hydraulic unit of the Sayano-Shushenskaya hydroelectric power station was caused by resonance, just as happened at the beginning of the twentieth century in St. Petersburg and as happened a year later in Iran. Moreover, it can be argued that the equipment was deliberately driven into resonance, using the methods implemented in the Stuxnet virus.

The fact is that at the time of the accident the unit was under automatic control. Manual control for constant power output was disabled, and the unit was operating in load-ripple compensation mode for the power systems of Western Siberia.

When equipment is commissioned, its resonant frequencies are measured and the acceptance certificates specify the modes in which operating the equipment is prohibited.

In March 2009, Ukrainian specialists took these most important parameters from the second unit (during scheduled repairs). Where and into whose hands this data went is unknown, but one can guess.

With this data it is not at all difficult to pump up the unit through the GRARM control microcontroller so that, gradually, over a few hours, it drives the turbine and the generator on the same shaft into the resonance zone.

After that the studs on the housing holding the turbine cover began to loosen from the vibration, which was the immediate cause of the disaster.

The operation of the turbine and generator is controlled automatically by a special system called the system for group regulation of active and reactive power (GRARM).

The electronic part of the GRARM control cabinet is built around a PC-compatible microcomputer from Fastwell.

This system was in operation on the second unit at the time of the accident. It had been installed and commissioned in early 2009, shortly before the accident. The system was designed and installed by PromAvtomatika on the basis of imported equipment.

Naturally, nobody thought about information security at the time; the system had direct access to the Internet, and the unit's resonant frequencies were known.

I think there is no need to explain further, what happened happened...

Colleagues from Israel and the United States have successfully tested cyber weapons for destroying infrastructure facilities in practice, after which, naturally, a special branch of the armed forces must be created to use them, which the United States did in that same 2009 by setting up Cyber Command with a staff of 10,000 (fighters).

Cyber ​​weapons

In the third millennium computer viruses have also become weapons, called “cyber weapons”; moreover, in many countries these weapons have been split off into a separate branch of the armed forces, for which, thanks to the Americans' light touch, the general name “Cyber Command” has stuck.

The commander of these forces received a completely fantastic title; believe it or not, in the USA he is called the “Cyber Tsar”, and it is the Russian word that is used in the official title of the American commander.

This weapon has already been used in the undeclared war of the United States and Israel against Iran. Most likely it was also used in Russia, at the Sayano-Shushenskaya hydroelectric power station, and there is a trace of it in the accident in the Indian project for leasing nuclear submarines.

The same St. Petersburg company appeared there again; it was the developer of the fire-extinguishing equipment whose spontaneous activation led to the deaths of people during sea trials... but that is a separate topic.
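The mechanism the post describes, a controller that keeps modulating the drive speed while the operators see only a slowly growing vibration, is invisible in the controller's own logs but shows up when the commanded setpoint and the measured vibration are recorded side by side and checked independently of the controller. The following is an added example, not code from the post or from any real plant: a Python check over constructed telemetry (the log format, the certified 900-1100 Hz band and every value in the sample logs are assumptions made for this illustration) that flags setpoints outside the band certified at commissioning, a regular up-and-down modulation of the setpoint, and vibration that keeps growing over the log.

```python
"""Detect manipulated drive setpoints in process telemetry: commands outside the
certified band, regular setpoint modulation (a 'frequency beat') and vibration
that keeps growing while the command stream looks ordinary.

Added example: the log format, the certified band and the sample values are
assumptions made up for this illustration, not data from the page."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+setpoint_hz=(?P<hz>[0-9.]+)\s+vib_mm_s=(?P<vib>[0-9.]+)$"
)


@dataclass
class Sample:
    ts: str
    hz: float      # commanded drive frequency
    vib: float     # measured housing vibration


def parse_log(text):
    """Parse 'timestamp setpoint_hz=... vib_mm_s=...' lines; reject anything else."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable telemetry line: {line!r}")
        samples.append(Sample(m["ts"], float(m["hz"]), float(m["vib"])))
    return samples


def out_of_band(samples, lo, hi):
    """Setpoints outside the band certified at commissioning."""
    return [s for s in samples if not lo <= s.hz <= hi]


def modulation_period(samples, min_reversals=4, tolerance=0.25):
    """Period (in samples) of a regular up/down setpoint modulation, or None.

    A reversal is a change of direction of the setpoint. Ordinary load
    following reverses too, but irregularly; a deliberate beat reverses at a
    steady interval, so the spread of the gaps between reversals is small."""
    deltas = [b.hz - a.hz for a, b in zip(samples, samples[1:])]
    reversals, last_sign = [], 0
    for i, d in enumerate(deltas):
        sign = (d > 0) - (d < 0)
        if sign == 0:
            continue
        if last_sign and sign != last_sign:
            reversals.append(i)
        last_sign = sign
    if len(reversals) < min_reversals:
        return None
    gaps = [b - a for a, b in zip(reversals, reversals[1:])]
    avg = mean(gaps)
    if pstdev(gaps) / avg > tolerance:
        return None                     # reversals, but not at a steady interval
    return 2 * avg                      # two reversals per full cycle


def vibration_growth(samples, window=6, factor=3.0):
    """Ratio of late to early mean vibration if it grew at least `factor`-fold."""
    if len(samples) < 2 * window:
        return None
    head = mean(s.vib for s in samples[:window])
    tail = mean(s.vib for s in samples[-window:])
    if head > 0 and tail / head >= factor:
        return tail / head
    return None


def analyse(text, band=(900.0, 1100.0)):
    """Run all three checks over a telemetry log and return readable findings."""
    samples = parse_log(text)
    findings = []
    oob = out_of_band(samples, *band)
    if oob:
        findings.append(f"{len(oob)} setpoints outside certified band {band}")
    period = modulation_period(samples)
    if period is not None:
        findings.append(f"regular setpoint modulation, period ~{period:.1f} samples")
    growth = vibration_growth(samples)
    if growth is not None:
        findings.append(f"vibration grew {growth:.1f}x over the log")
    return findings


# Constructed telemetry: a quiet shift with ordinary load following, and one
# where the controller nudges the drive up and down by 40 Hz every two samples
# while vibration climbs steadily. No setpoint ever leaves the certified band.
QUIET_LOG = """\
2009-08-01T10:00:00 setpoint_hz=1000 vib_mm_s=1.0
2009-08-01T10:00:30 setpoint_hz=1005 vib_mm_s=1.1
2009-08-01T10:01:00 setpoint_hz=1012 vib_mm_s=1.0
2009-08-01T10:01:30 setpoint_hz=1020 vib_mm_s=1.2
2009-08-01T10:02:00 setpoint_hz=1015 vib_mm_s=1.1
2009-08-01T10:02:30 setpoint_hz=1010 vib_mm_s=1.0
2009-08-01T10:03:00 setpoint_hz=1008 vib_mm_s=1.1
2009-08-01T10:03:30 setpoint_hz=1012 vib_mm_s=1.2
2009-08-01T10:04:00 setpoint_hz=1018 vib_mm_s=1.0
2009-08-01T10:04:30 setpoint_hz=1025 vib_mm_s=1.1
2009-08-01T10:05:00 setpoint_hz=1030 vib_mm_s=1.0
2009-08-01T10:05:30 setpoint_hz=1022 vib_mm_s=1.2
2009-08-01T10:06:00 setpoint_hz=1019 vib_mm_s=1.1
"""
BEAT_LOG = """\
2010-03-01T02:00:00 setpoint_hz=1000 vib_mm_s=1.0
2010-03-01T02:00:30 setpoint_hz=1040 vib_mm_s=1.0
2010-03-01T02:01:00 setpoint_hz=1000 vib_mm_s=1.1
2010-03-01T02:01:30 setpoint_hz=960 vib_mm_s=1.1
2010-03-01T02:02:00 setpoint_hz=1000 vib_mm_s=1.2
2010-03-01T02:02:30 setpoint_hz=1040 vib_mm_s=1.2
2010-03-01T02:03:00 setpoint_hz=1000 vib_mm_s=1.5
2010-03-01T02:03:30 setpoint_hz=960 vib_mm_s=1.8
2010-03-01T02:04:00 setpoint_hz=1000 vib_mm_s=2.2
2010-03-01T02:04:30 setpoint_hz=1040 vib_mm_s=2.8
2010-03-01T02:05:00 setpoint_hz=1000 vib_mm_s=3.6
2010-03-01T02:05:30 setpoint_hz=960 vib_mm_s=3.9
2010-03-01T02:06:00 setpoint_hz=1000 vib_mm_s=4.2
2010-03-01T02:06:30 setpoint_hz=1040 vib_mm_s=4.6
2010-03-01T02:07:00 setpoint_hz=1000 vib_mm_s=5.0
2010-03-01T02:07:30 setpoint_hz=960 vib_mm_s=5.5
"""

if __name__ == "__main__":
    for name, log in (("quiet", QUIET_LOG), ("beat", BEAT_LOG)):
        print(name, analyse(log) or ["nothing unusual"])
```

Run as a script it scores both logs; the thresholds (four reversals, 25% spread, threefold growth) are starting points to tune on real data, and the modulation check only works if telemetry is sampled faster than the modulation itself. The point of the exercise is that the beat log never leaves the certified band, so a band check alone, the only check the acceptance certificates suggest, would have passed it.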

a class of vulnerabilities called 0day. A 0day (zero-day) is a vulnerability (sometimes the malicious program exploiting it is also called that) against which the defensive mechanisms of antivirus and other protection software are powerless. The term arose because attackers who discover a flaw in a program or operating system attack at once, on or before the first (“zeroth”) day on which the developer learns of the error. Naturally, this means the developer has no time to fix the vulnerability, which allows complex epidemics of malware that cannot be cured in time. At present many attackers concentrate on finding such vulnerabilities, above all in software that has become widespread: by infecting that software with malicious code the attacker is guaranteed the maximum return from his efforts, and antivirus programs are powerless because they cannot identify malicious code sitting inside a popular program. One example was the case mentioned above in which a virus infected Delphi service files and thereby injected its code into every program compiled with that compiler; since such programs were widely used, a large number of users were infected. All this showed attackers that such attacks are quite effective and can be used in future. Finding a 0day vulnerability, however, is laborious: attackers resort to stress-testing (fuzzing) the software, taking its code apart, and searching the developer's source code for errors. But if these efforts succeed and a vulnerability is found, it can be assumed that attackers will certainly exploit it. Today the best-known malware exploiting 0day vulnerabilities is the Stuxnet worm, discovered in the summer of 2010.

Stuxnet exploited a previously unknown vulnerability in the Windows family of operating systems in the handling of shortcut (.LNK) files: it was enough to display a folder containing a crafted shortcut, for example on an infected USB drive, for Windows to load a DLL chosen by the attacker (CVE-2010-2568). Note that in addition to this 0day Stuxnet used three further previously unknown Windows vulnerabilities (one in the print spooler, two for privilege escalation) as well as the older, already patched MS08-067 RPC vulnerability for spreading over the network. Zero-day vulnerabilities also let attackers build malware that bypasses antivirus protection, which is dangerous for the ordinary user too. Besides 0day vulnerabilities there are quite ordinary ones that attackers exploit constantly. Another dangerous class are vulnerabilities that give code access to Ring 0 of the operating system. Ring 0 (kernel mode) is where system drivers run; it is the privilege level from which one has full control of the operating system. An attacker here is in the position of a programmer writing a driver for the operating system, because writing a malicious program for this level and writing a driver are the same task. Using system functions and calls, the attacker tries to get his malicious program into Ring 0. Stuxnet itself did exactly this: it installed kernel-mode drivers, signed with digital certificates stolen from Realtek and JMicron, to hide its files and inject its code into other processes.
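The shortcut flaw is easiest to understand by looking at what the shortcut parser actually trusts. Below is an added example, not part of the original text or of any published Stuxnet analysis: a Python parser for the public ShellLink (.lnk) file format that walks the LinkTargetIDList and flags items naming a loadable DLL or CPL, which is the shape the exploit took. The build_lnk helper and the two sample shortcuts are constructed for this example, and the suffix list is an assumption; genuine Control Panel shortcuts can also name a .cpl, so treat a hit as a lead to investigate, not a verdict.

```python
"""Heuristic scan of Windows shortcut (.lnk) files for the shape of the
Stuxnet LNK trick: a LinkTargetIDList item that names a loadable DLL/CPL.

Added example; the ShellLink layout follows the public MS-SHLLINK format,
while the suspicious-suffix heuristic, the build_lnk helper and the sample
shortcuts are assumptions made for this illustration."""
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID encoding
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Assumption: a target ID list naming one of these deserves a closer look.
SUSPICIOUS_SUFFIXES = (".dll", ".cpl", ".tmp")


def parse_lnk(data: bytes):
    """Validate the ShellLinkHeader and return (link_flags, [ItemID payloads])."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
        pos = LNK_HEADER_SIZE + 2
        end = pos + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:                  # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])   # payload after its size
            pos += item_size
    return flags, items


def _printable_runs(text, min_len=4):
    """Yield runs of printable characters of at least min_len characters."""
    run = []
    for ch in text + "\0":
        if ch.isprintable():
            run.append(ch)
            continue
        if len(run) >= min_len:
            yield "".join(run)
        run = []


def item_strings(item: bytes):
    """Strings embedded in an ItemID, tried both as 8-bit and as UTF-16LE text."""
    yield from _printable_runs(item.decode("latin-1"))
    even = item if len(item) % 2 == 0 else item[:-1]
    yield from _printable_runs(even.decode("utf-16-le", errors="replace"))


def scan_lnk(data: bytes):
    """Return the suspicious strings found in the shortcut's target ID list."""
    _flags, items = parse_lnk(data)
    return [s for item in items for s in item_strings(item)
            if s.lower().endswith(SUSPICIOUS_SUFFIXES)]


def build_lnk(item_payloads):
    """Constructed helper: a minimal .lnk whose IDList holds the given payloads.
    Not a faithful real-world shortcut, just enough structure for the scanner."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\0" * (LNK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    body += b"\0\0"                                      # TerminalID
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a shortcut to a folder, and one whose ID list names a
# DLL on a removable drive, the pattern the exploit relied on.
BENIGN_LNK = build_lnk([b"\x31\x00" + "Documents".encode("utf-16-le") + b"\0\0"])
SUSPICIOUS_LNK = build_lnk([
    b"\x00\x00" + r"E:\payload.dll".encode("utf-16-le") + b"\0\0",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, scan_lnk(blob))
```

The parser deliberately refuses anything whose header, IDListSize or ItemIDSize fields do not add up, which is also the right posture for any code that has to read shortcuts from untrusted media: the vulnerable Windows code path was one that resolved the item list, loading code along the way, before anyone had asked to open the shortcut.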

The danger of identity theft from mobile phones

If something like this had been said literally 7 years ago, it most likely would not have been believed. Now the danger of theft of mobile phone users' personal data is extremely high. There are many malicious programs that specifically steal personal data from users' mobile phones, and until quite recently nobody could have imagined that mobile platforms would interest attackers. The history of mobile viruses begins in 2004, the year regarded as the starting point of mobile malware. The virus created that year targeted the Symbian system and was a demonstration of the very possibility of viruses existing on the Symbian operating system. The authors of such developments, driven by curiosity and a desire to help strengthen the security of the system they attacked, are usually not interested in spreading or misusing them. Indeed, the original copy of Worm.SymbOS.Cabir was sent to the antivirus companies on behalf of its author himself, but later the worm's source code appeared on the Internet, which led to a large number of new modifications of the malware. After the source code was published, Cabir effectively began to “roam” mobile phones around the world on its own. This caused trouble for ordinary smartphone users, but no real epidemic occurred, since the antivirus companies also had the virus's source code, and it was then that the first antivirus releases for mobile platforms appeared. Various builds of the virus subsequently spread, though without causing great harm. Next came the first backdoor (a malicious program that allows access to the system from outside). Its functionality allows files to be transferred in both directions and text messages to be displayed on the screen. When an infected device connects to the Internet, the backdoor e-mails its IP address to its owner.
Later another malicious program appeared for mobile platforms. It is a SIS file, an installer package for the Symbian platform. Launching and installing it replaces the icons (AIF files) of the operating system's standard applications with an icon depicting a skull. At the same time new applications are installed over the original ones, and the overwritten applications stop working. All this was picked up by assorted amateur malware writers, who began churning out modifications of old viruses and also tried to create their own. At that time, however, all malware for mobile platforms was quite primitive and could not compare with its counterparts on the PC. A program called Trojan.SymbOS.Locknut caused quite a stir. This Trojan exploits the system's “gullibility” (the absence of file integrity checks). After launch it creates a folder in the system directory /system/apps/ with the name gavno (an obscenity in Russian), inside which it places gavno.app and its companions gavno.rsc and gavno_caption.rsc. All the files contain plain text instead of the service information and code their formats call for. The operating system, going only by the extension of gavno.app, takes it for an executable and hangs trying to launch the “application” after a reboot. Turning the smartphone on becomes impossible. After these viruses came mostly viruses of the same kind, able to transmit themselves via various technologies.

The vulnerability of mobile platforms themselves is quite high, since there are no tools that reliably protect them. It must also be borne in mind that modern mobile platforms are already close to conventional operating systems, which means the ways of attacking them are similar. In addition, mobile platforms have two rather specific data transfer methods that computers lack: Bluetooth and MMS. Bluetooth is a wireless data transmission technology developed in 1998. Today it is widely used for exchanging data between various devices: telephones and their headsets, pocket and desktop computers and other equipment. A Bluetooth link usually works over a distance of up to 10-20 m, is not blocked by physical obstacles (walls) and offers a theoretical data rate of up to 721 Kbps. MMS is a relatively old technology designed to extend SMS with the ability to send pictures, melodies and video. Unlike the service

Threat name: Stuxnet Virus

Executable file name: (random).exe

Threat type:

Affected OS: Win32 (Windows XP, Windows Vista, Windows 7, Windows 8)



Stuxnet Virus infection method

Stuxnet Virus copies its file(s) to your hard disk under a typical file name of (random).exe. It then creates a startup key in the registry named Stuxnet Virus with the value (random).exe. You can also find it in the process list under the name (random).exe or Stuxnet Virus.

If you have additional questions regarding Stuxnet Virus, please fill out the form and we will contact you shortly.


Download the removal utility

Download this program and remove Stuxnet Virus and (random).exe (download will start automatically):

* SpyHunter was developed by the American company EnigmaSoftware and is capable of removing Stuxnet Virus automatically. The program was tested on Windows XP, Windows Vista, Windows 7 and Windows 8.

Functions

The program is able to protect files and settings from malicious code.

The program can fix browser problems and protects browser settings.

Removal is guaranteed - if SpyHunter fails, free support is provided.

24/7 anti-virus support is included in the package.


Download the Stuxnet Virus removal utility from the Russian company Security Stronghold

If you are not sure which files to delete, use our Stuxnet Virus removal utility. The Stuxnet Virus removal tool will find and completely remove Stuxnet Virus and all problems associated with it. This fast, easy-to-use removal tool will protect your computer from the Stuxnet Virus threat that harms your computer and violates your privacy. It scans your hard disks and registry and removes any manifestation of Stuxnet Virus. Regular antivirus software is powerless against malicious programs such as Stuxnet Virus. Download this simplified removal tool, specially designed to solve problems with Stuxnet Virus and (random).exe (download will start automatically):

Functions

Removes all files created by Stuxnet Virus.

Removes all registry entries created by Stuxnet Virus.

The program can fix browser problems.

Immunizes the system.

Removal is guaranteed - if the Utility fails, free support is provided.

24/7 antivirus support via GoToAssist is included in the package.

Our support team is ready to solve your problem with Stuxnet Virus and remove Stuxnet Virus right now!

Leave a detailed description of your problem with Stuxnet Virus in the section. Our support team will contact you and provide you with a step-by-step solution to your Stuxnet Virus problem. Please describe your problem as accurately as possible. This will help us provide you with the most effective Stuxnet Virus removal method.

How to remove Stuxnet Virus manually

This problem can be resolved manually by removing the registry keys and files associated with Stuxnet Virus, removing it from the startup list and de-registering all associated DLL files. In addition, missing DLL files must be restored from the OS distribution if they were damaged by Stuxnet Virus.

In order to get rid of Stuxnet Virus, you need to:

1. Terminate the following processes and delete the corresponding files:

Warning: delete only files whose checksums are in the list of malicious ones. There may be files with the same names on your system. We recommend using the removal utility above to solve the problem safely.

2. Delete the following folders:

3. Delete the following registry keys and/or values:

Warning: if registry key values are specified, delete only the specified values and leave the keys themselves intact. We recommend using the removal utility above to solve the problem safely.

4. Reset browser settings

Stuxnet Virus can sometimes affect your browser settings, for example by changing your search and home page. We recommend that you use the free "Reset Browsers" feature under "Tools" in the program to reset all browsers at once. Please note that before doing this you need to delete all files, folders and registry keys belonging to Stuxnet Virus. To reset browser settings manually, use these instructions:

For Internet Explorer

    If you are using Windows XP, click Start, then Run. Enter the following in the Open field without quotes and press Enter: "inetcpl.cpl".

    If you are using Windows 7 or Windows Vista, click Start. Enter the following in the Search field without quotes and press Enter: "inetcpl.cpl".

    Select the Advanced tab.

    Under Reset Internet Explorer settings, click Reset, then click Reset again in the window that opens.

    Select the Remove personal settings checkbox to delete history and restore the search and home page.

    After Internet Explorer has completed the reset, click Close in the dialog box.

Warning: we recommend using the free option Reset browser settings in Tools in the Stronghold AntiMalware program.

For Google Chrome

    Locate your Google Chrome installation folder at: C:\Users\"username"\AppData\Local\Google\Chrome\Application\User Data.

    In the User Data folder, find the entry named Default and rename it to DefaultBackup.

    Launch Google Chrome, and a new Default will be created.

    Google Chrome's settings are now reset.

Warning: in case this doesn't work, use the free option Reset browser settings in Tools in the Stronghold AntiMalware program.

For Mozilla Firefox

    Open Firefox

    From the menu, select Help > Troubleshooting Information.

    Click the button Reset Firefox.

    After Firefox finishes, it will show a window and create a folder on your desktop. Click Complete.

Warning: this way you will lose your passwords! We recommend using the free option Reset browser settings in Tools in the Stronghold AntiMalware program.

How Kaspersky Lab decrypted a malicious program that blocked the software of Iran's nuclear fuel enrichment control system.

Computer cables snake across the floor. Mysterious flowcharts are drawn on the boards hanging on the walls. In the hall stands a life-size replica of Batman. This office may seem no different from any other geeky workplace, but in fact it is the front line of a battle, or rather a cyberwar, in which most battles are played out not in remote jungles or deserts but in suburban office parks like this one.

As a senior researcher at Kaspersky Lab, a leading computer security software company based in Moscow, Roel Schouwenberg spends his days (and many nights) here at the Lab's US headquarters in Woburn, Massachusetts, battling the most insidious digital weapons, which can disrupt water supplies and cripple power plants, banks and the very infrastructure that once seemed invulnerable to attack.

The rapid recognition of such threats began in June 2010 with the discovery of Stuxnet, a 500-kilobyte computer worm that infected software at at least 14 industrial sites in Iran, including a uranium enrichment plant. Whereas a computer virus depends on an unwitting victim to install it, a worm spreads on its own, often through a computer network.

This worm was an unprecedented piece of malicious code that attacked in three stages. It first targeted Microsoft Windows machines and networks, repeatedly replicating itself. It then looked for Siemens Step7 software, which also runs on Windows and is used to program the industrial control systems that operate equipment such as centrifuges. Finally, it compromised the programmable logic controllers. The authors of the worm could thus spy on industrial systems and even cause centrifuges to spin at an accelerated rate in order to destroy them, all without the plant's human operators noticing. (Iran has not yet confirmed reports that Stuxnet destroyed some of its centrifuges.)

How Stuxnet works:


  1. infecting the system via a USB flash drive,

  2. search for target software and hardware from Siemens,

  3. virus update via the Internet; however, if the system is not the target, the virus does nothing,

  4. compromise,

  5. control capture,

  6. misinformation and equipment failure.

Stuxnet can spread covertly between Windows computers, even those not connected to the Internet. If a worker inserts a USB flash drive into an infected machine, Stuxnet is automatically copied to it and then to any other machine that later reads the flash drive. From there, any employee can unknowingly infect a machine in a way that lets the worm spread throughout the local network. Experts fear that this malware may be running wild around the world.

In October 2012, US Secretary of Defense Leon Panetta warned that the US was vulnerable to a “cyber Pearl Harbor”, with possible train derailments, water contamination and power grid failures. The following month, Chevron confirmed this assumption, becoming the first American corporation to admit that Stuxnet had penetrated all of its computers.

Although the authors of Stuxnet were never officially identified, the size and complexity of the worm led experts to believe that it could only have been created with government sponsorship. And despite the secrecy, leaks to the press from officials in the US and Israel strongly suggest that the two countries are involved. Since the discovery of Stuxnet, Schouwenberg and other computer security experts have been battling a number of other weaponized viruses, such as Duqu, Flame and Gauss. The malware onslaught shows no signs of abating.

This marks a turning point in geopolitical conflicts, where apocalyptic scenarios once depicted only in films such as Die Hard 4.0 (Live Free or Die Hard) eventually become plausible. "Suddenly fiction became reality," says Schouwenberg. But the hero of the fight against evil is not Bruce Willis; he is a 27-year-old with a shabby ponytail. As Schouwenberg tells me: "We are here to save the world! The only question is: does Kaspersky Lab have everything it needs?"

The photo, taken by David Yellen and titled "Cybersleuth," shows Kaspersky Lab's Roel Schouwenberg, who helped decipher Stuxnet and similar Internet worms, the most sophisticated ever discovered.

Viruses weren't always evil. In the 1990s, when Schouwenberg was just a geeky teen living in the Netherlands, malware was usually created by pranksters and hackers, people who just wanted to disrupt a computer or doodle graffiti on your AOL home page.

After discovering viruses on his own computer, 14-year-old Schouwenberg contacted Kaspersky Lab, one of the leading antivirus companies. Such companies are judged in part by how many viruses they discover first, and Kaspersky is considered one of the best, although its success is debated. Some accuse it of having ties to the Russian government, but the company denies these accusations.

A few years after his first brush with viruses, Schouwenberg emailed company founder Eugene Kaspersky to ask whether he should study math in college if he wanted to become a computer security specialist. Kaspersky responded by offering the 17-year-old a job, which he took. After spending four years with the company in the Netherlands, he went to Boston. There, Schouwenberg learned that an engineer needs specific skills to combat malware, because analyzing, and essentially reverse engineering, most viruses written for Windows requires knowledge of the assembly language of Intel x86 processors.

Over the next decade, Schouwenberg witnessed some of the most significant changes ever seen in the industry. Manual virus detection has given way to automated methods that can detect as many as 250,000 new malicious files every day. Above all, banks faced the most serious threats, and the specter of state-against-state cyberwars still seemed distant. "This wasn't just talk," said Liam O'Murchu, an analyst at computer security company Symantec Corp. in Mountain View, California.

That all changed in June 2010, when a Belarusian malware detection firm received a request from a client to determine why its computers were randomly rebooting. The malware was signed with a digital certificate that made it appear to come from a trusted company. This feature caught the attention of the antivirus community, whose automated detection programs were unable to cope with such a threat. This was the first time Stuxnet was identified in the wild.

The danger posed by forged electronic signatures was so dire that computer security experts began quietly sharing their findings both via email and in private online forums. This state of affairs is not unusual. "Information sharing in the computer security industry can be classified as an emergency," adds Mikko H. Hypponen, chief research officer at security firm F-Secure in Helsinki, Finland. "I can't think of any other IT sector where there is such widespread collaboration between competitors." However, companies do compete, for example, to be the first to identify the key features of a cyberweapon, and then capitalize on the resulting public appreciation.

Before everyone knew what Stuxnet was targeting, researchers at Kaspersky Lab and other security companies had reverse-engineered the code, uncovering clues about the origins and direction of the virus, including the total number of infections and the share of them in Iran, and its links to Siemens industrial software used at energy facilities.

Schouwenberg was most impressed by the fact that Stuxnet performed not one but four zero-day feats, i.e. hacks that exploit vulnerabilities previously unknown to the white-hat community. "Not only is it innovative, it all complements each other beautifully," he says. "The LNK (Windows shortcut file) vulnerability is used for distribution via USB sticks. The shared print spooler vulnerability is exploited to spread across networks with shared printers, which are common in networks using Internet Connection Sharing. The other two vulnerabilities involve operations designed to gain system-level privileges even when the computers are completely isolated. It was done simply brilliantly."

Schouwenberg and his colleagues at Kaspersky Lab soon concluded that the code was too complex to have been developed by a group of black-hat hackers. Schouwenberg believes that it would take a team of 10 people at least two to three years to create it. The question was: who would take responsibility for all this?

It soon became clear from the code itself, as well as from operational reports, that Stuxnet was specifically designed to destroy the Siemens systems running Iranian centrifuges for the nuclear uranium enrichment program. Kaspersky Lab analysts later realized that financial gain was not the goal. This was a politically motivated attack. "There was no doubt then that the development of the virus was government-sponsored," says Schouwenberg. This phenomenon took computer security experts by surprise. "We're all engineers here, we look at code," says Symantec's O'Murchu. "But this was the first real threat we faced that had real political consequences. It was something on which we had to reach some kind of agreement and common opinion."

A Brief History of Malware

1971. The experimental self-replicating virus program Creeper was written by Bob Thomas of Bolt, Beranek and Newman. The virus infected DEC PDP-10 computers running the Tenex operating system. Creeper accessed the ARPANET, the precursor to the Internet, and copied itself to a remote system, displaying the message "I'm a creeper, catch me if you can!" Later, the Reaper program was created to remove Creeper.

1981. The Elk Cloner virus, written for Apple II systems by Richard Skrenta, led to the first large-scale computer virus epidemic in history.

1986. The Brain boot-sector virus (aka Pakistani flu), the first virus for IBM PC-compatible computers, was released and caused an epidemic. It was created in Lahore, Pakistan, by 19-year-old Basit Farooq Alvi and his brother Amjad Farooq Alvi.

1988. The Morris worm, created by Robert Tappan Morris, infected DEC VAX and Sun machines running BSD Unix connected to the Internet. It became the first worm to spread widely "in the wild."

1992. The Michelangelo virus, whose danger was exaggerated by computer security specialist John McAfee, who predicted that it would destroy information on millions of computers on March 6; the actual damage was minimal.

2003. The SQL Slammer worm, also called the Sapphire worm, attacked vulnerabilities in Microsoft SQL Server and Microsoft SQL Server Data Engine and became the fastest-spreading worm of all time, crippling the Internet within 15 minutes of release.

2010. The Stuxnet worm is discovered. This is the first known worm to attack SCADA systems, i.e. automated process control systems (APCS).

2011. The Duqu worm is discovered. Unlike its sibling Stuxnet, it was intended only to collect information and not to interfere with production processes.

2012. Flame, used for cyber espionage in Iran and other Middle Eastern countries, is discovered.

In May 2012, Kaspersky Lab received a request from the International Telecommunication Union, the UN agency that governs information and communication technologies, to investigate a piece of malware that was suspected of destroying oil company files on computers in Iran. At that time, Schouwenberg and his colleagues were already looking for variations of the Stuxnet virus. They knew that in September 2011, Hungarian experts discovered the Duqu virus, which was designed to steal information from industrial control systems.

Fulfilling a request from the UN, Kaspersky's automated system identified another variant of Stuxnet. Schouwenberg and his team initially concluded that the system had made a mistake because the newly discovered malware did not show obvious similarities to Stuxnet. However, after diving deeper into the code, they discovered traces of another file called Flame, which was apparently the initial iteration of Stuxnet. At first, Flame and Stuxnet were seen as completely independent malware, but now researchers have realized that Flame was actually a predecessor to Stuxnet that somehow went undetected.

Flame was 20 MB in total, about 40 times larger than Stuxnet. Security experts realized, as Schouwenberg put it, that “...again, the state is most likely behind this.”

To analyze Flame, Kaspersky Lab experts used a technique they call a "sinkhole": they took control of a domain used by Flame's command-and-control server, so that when Flame tried to contact its home base it actually sent its information to a Kaspersky server instead. It was difficult to determine who owned the Flame servers. "With all the stolen credit cards and Internet proxies available," Schouwenberg says, "it really is very easy for attackers to remain undetected."
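A sinkhole is only useful if the callbacks it captures are turned into telemetry: which hosts are infected, how often they beacon, and which requests are just crawlers hitting the seized domain. The following is an added example, not Kaspersky Lab's tooling; it assumes the sinkholed domain serves HTTP and writes a combined-format access log, and the log lines, the callback path /cgi-bin/sync.cgi and the id= parameter are constructed for illustration.

```python
"""Summarise implant callbacks captured by a C2 sinkhole (added example).

Assumptions (not from the original article): the seized domain answers HTTP,
logs in Apache combined format, and the implant beacons to BEACON_PATH with
an id= query parameter. All sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
ID_RE = re.compile(r"[?&]id=([0-9a-f]+)")

BEACON_PATH = "/cgi-bin/sync.cgi"          # hypothetical callback path
CRAWLER_MARKERS = ("Googlebot", "bingbot")  # search engines also hit a seized domain

# Constructed sinkhole log: two beaconing hosts and one crawler visit.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2012:08:01:12 +0000] "GET /cgi-bin/sync.cgi?id=a1f3 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2012:08:31:15 +0000] "GET /cgi-bin/sync.cgi?id=a1f3 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Jun/2012:08:02:40 +0000] "GET /cgi-bin/sync.cgi?id=77c0 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Jun/2012:08:05:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [10/Jun/2012:09:02:41 +0000] "GET /cgi-bin/sync.cgi?id=77c0 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2012:09:01:18 +0000] "GET /cgi-bin/sync.cgi?id=a1f3 HTTP/1.1" 200 44 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarise(log_text):
    """Group callbacks per source IP; drop crawlers and non-beacon requests."""
    victims = defaultdict(lambda: {"callbacks": 0, "ids": set(), "times": []})
    crawlers = malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if any(mark in rec["ua"] for mark in CRAWLER_MARKERS):
            crawlers += 1
            continue
        path, _, _query = rec["path"].partition("?")
        if path != BEACON_PATH:
            continue  # noise: not the implant's callback path
        v = victims[rec["ip"]]
        v["callbacks"] += 1
        v["times"].append(rec["ts"])
        idm = ID_RE.search(rec["path"])
        if idm:
            v["ids"].add(idm.group(1))

    report = {}
    for ip, v in victims.items():
        times = sorted(v["times"])  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "callbacks": v["callbacks"],
            "ids": v["ids"],
            "first_seen": times[0],
            "last_seen": times[-1],
            # a steady interval is the implant's timer; humans and crawlers are irregular
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return {"victims": report, "crawlers_ignored": crawlers, "malformed": malformed}


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG)["victims"].items():
        print(ip, info["callbacks"], sorted(info["ids"]), info["mean_interval_s"])
```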

While Stuxnet was designed to disable equipment, Flame's purpose was simply to spy on people. Spread from a USB flash drive, it can infect printers working together on the same network. Once Flame compromises a machine, it can silently search for secret PDF files using keywords, and then prepare and transmit summary information about the document found, all without being detected.

"Indeed, Flame's developers went to great lengths to avoid detection by security software," says Schouwenberg. He gives an example: Flame does not simply transmit the collected information all at once to its command-and-control server, since network managers might notice a sudden leak. "Data is sent in small pieces so that bandwidth is not degraded for a long period," he says.
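The flip side of that evasion is a detection opportunity: many small, timer-driven uploads from one host to one external destination that add up to a large volume look nothing like normal browsing or a single bulk transfer. The following is an added example, not Kaspersky Lab's detection logic; it assumes flow records of the form "timestamp src dst bytes_out", and the records and the thresholds are constructed for illustration.

```python
"""Flag low-and-slow chunked uploads in outbound flow records (added example).

Assumptions (not from the original article): one record per outbound flow,
formatted "ISO-timestamp src dst bytes_out"; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CHUNKS = 8           # at least this many separate uploads to one destination
MAX_CHUNK_BYTES = 4096   # each upload is individually small...
MIN_TOTAL_BYTES = 16384  # ...but together they add up to a meaningful volume
MAX_GAP_CV = 0.25        # gaps between uploads are nearly regular (timer-driven)

# Constructed flows: one host drips 2 KB every ~10 minutes to 203.0.113.40,
# the same host does one legitimate 50 KB upload elsewhere, and a second host
# talks to the same destination only a few times at irregular intervals.
FLOWS = """\
2012-05-28T09:00:00 10.1.4.22 203.0.113.40 2048
2012-05-28T09:03:10 10.1.4.22 198.51.100.12 51200   # single bulk upload
2012-05-28T09:10:03 10.1.4.22 203.0.113.40 2048
2012-05-28T09:05:00 10.1.4.31 203.0.113.40 900
2012-05-28T09:19:58 10.1.4.22 203.0.113.40 2048
2012-05-28T09:30:01 10.1.4.22 203.0.113.40 2048
2012-05-28T09:07:45 10.1.4.31 203.0.113.40 300
2012-05-28T09:40:05 10.1.4.22 203.0.113.40 2048
2012-05-28T09:49:57 10.1.4.22 203.0.113.40 2048
2012-05-28T10:00:02 10.1.4.22 203.0.113.40 2048
2012-05-28T10:10:00 10.1.4.22 203.0.113.40 2048
2012-05-28T10:40:00 10.1.4.31 203.0.113.40 1200
2012-05-28T10:20:04 10.1.4.22 203.0.113.40 2048
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, bytes) tuples; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def detect_chunked_exfil(text):
    """Return one alert per (src, dst) pair whose uploads look like chunked exfiltration."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_flows(text):
        by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()  # records may arrive out of order
        sizes = [n for _, n in recs]
        if (len(recs) < MIN_CHUNKS or max(sizes) > MAX_CHUNK_BYTES
                or sum(sizes) < MIN_TOTAL_BYTES):
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        # coefficient of variation: near zero means a fixed timer, not a human
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if cv > MAX_GAP_CV:
            continue
        alerts.append({
            "src": src, "dst": dst, "chunks": len(recs),
            "total_bytes": sum(sizes), "mean_gap_s": avg_gap, "gap_cv": cv,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_chunked_exfil(FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['chunks']} chunks, "
              f"{a['total_bytes']} bytes, every ~{a['mean_gap_s']:.0f}s")
```

The bulk upload is not flagged because a single large chunk fails the size test, and the second host is not flagged because it sends too few, irregularly spaced chunks; a real deployment would also baseline per-destination history to cut false positives from legitimate periodic agents.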

Most impressively, Flame can communicate with any Bluetooth-enabled device. In fact, attackers can steal information or install other malware not only within the standard 30-meter Bluetooth range, but also further out. A Bluetooth rifle, a directional antenna connected to a Bluetooth-enabled computer, has the ability to transmit data over a range of up to 2 kilometers.

But the most alarming thing about Flame is how it first got onto computers: through a Windows 7 operating system update. The user thinks he is simply downloading a legitimate patch from Microsoft, but in fact he is installing Flame instead. "The fact that Flame is distributed through Windows Update is more significant than Flame itself," says Schouwenberg, who believes there are perhaps only 10 programmers in the world capable of implementing such behavior. "It's a feat of technical sophistication that's quite astonishing, because it was world-class encryption that was broken," says F-Secure's Hypponen. "You definitely need supercomputers and a lot of specialists to do this."

If the US government is indeed behind this worm, then this Microsoft encryption bypass could create some tension between the company and its biggest client, the feds. "I'm guessing Microsoft had a phone call between Bill Gates, Steve Ballmer and Barack Obama," says Hypponen, "and I'd like to listen to that conversation."

By reverse engineering the Flame virus, Schouwenberg and his team tuned their technique for "algorithm similarity," allowing them to detect virus variants built on a single platform. In July they discovered a new virus, Gauss. Its goal was also cybersurveillance.

Transferred from one computer to another via a USB flash drive, Gauss steals files and collects passwords, targeting Lebanese bank credentials for unknown reasons. Experts believe that this was done either to track transactions or to siphon money from certain accounts. “The USB module captures information from the system, encrypts it and stores that information on its USB flash drive,” Schouwenberg explains. “Then, when this USB flash drive is inserted into a Gauss-infected computer, Gauss grabs the collected data from the USB flash drive and sends it to the command-and-control server.”

While Kaspersky Lab engineers tricked the Gauss virus into communicating with its own servers, those servers suddenly went down. Leading engineers believe that the authors of the malware were able to quickly cover their tracks. Kaspersky Lab had already collected enough information to protect its clients from Gauss, but at that moment it was scary. "We're confident that if we did something wrong, hackers would get the better of us," Schouwenberg says.

The implications of the Flame and Stuxnet viruses go beyond state-sponsored cyberattacks. "Professional attackers look at what Stuxnet does and say, 'That's a great idea, let's copy it,'" Schouwenberg says.

"The bottom line is that nation states are spending millions of dollars developing different types of cybertools, and this is a trend that will only increase," says Jeffrey Carr, founder and CEO of the computer security firm Taia Global, based in McLean, Virginia. Although Stuxnet was able to temporarily slow down Iran's uranium enrichment program, it did not achieve its ultimate goal. "Whoever spent millions of dollars on Stuxnet, Flame, Duqu, etc., it was all wasted money. Now these malware are already publicly available and can be reverse engineered, i.e. analyzed in detail," says Carr.

Hackers can simply use specific components and techniques available from the Internet to carry out their attacks. Criminals may use cyber espionage, for example, to steal customer data from a bank or simply to cause chaos as part of a more complex prank. "There's a lot of talk about nations trying to attack us, but we're in a situation where we're vulnerable to an army of 14-year-olds with two weeks of training," Schouwenberg says.

Vulnerability is a big problem, especially for industrial computers. All you need to find your way to, for example, US water systems is the ability to search for terms on Google. "We're seeing a lot of industrial control systems that are connected to the Internet," says Schouwenberg, "and they don't change the default passwords, so if you know the right keywords, you can find the required control panels."

Companies have been slow to invest the resources needed to update industrial control systems. Kaspersky Lab has identified critical infrastructure companies running outdated 30-year-old operating systems. In Washington, politicians are calling for laws requiring such companies to maintain best security practices. However, one such cybersecurity bill failed in August 2012 on the grounds that it would be too costly for businesses. "To fully ensure the necessary protection of our democracy, cybersecurity legislation must be passed by Congress," Panetta said recently. "Without it, we are already vulnerable and will continue to remain vulnerable."

In the meantime, virus hunters from Kaspersky Lab and other antivirus companies will continue the fight. “The stakes are just getting higher and higher and higher,” says Schouwenberg. “I'm very curious to see what happens in 10 or 20 years. How will history evaluate the decisions we have made now?”







2024 gtavrl.ru.