27 September 2013

How Stuxnet hit Iran - inside story

We all know how Stuxnet hit Iran and its nuclear research center, via infected USB drive prepared by its enemies.
Of course Iran had security software installed but did not manage to discover Stuxnet.
Later a known security software company announced the discovery of Stuxnet.
This is the public until known history.

The truth is another.
The security software used by Iran had the possibility to detect by heuristics the suspicious behaviour of Stuxnet.
I tested it and get the confirmation.
What happened?
The security software company used by Iran made few, but capital mistakes, some are already solved now after years, other still persist.

1. When updating the definitions files (virus definitions, trojan definitions, other threats definitions) assure that all files are digitally signed, not only some of them.

2. Assure that your clients are receiving the updated definitions files from a trusted server in a secure and trusted friend country, and if your customer is at your borders, make a direct secure connection, not via other countries.

3. Use digital certificates issued by an authority in own country, not a foreign company in a foreign nation.

What really happened?
The updated definitions files were partly faked on the definitions files server.
Being grouped as many files, the official legitimate file got its name changed with a blank in front, and a modified file was created with the same correct name. It's an old trick based on the fact that Windows names can not start with blank and at that time the update engine worked similarly. For people from FXP gold era the trick is known and was used in so-called mazes in hacked FTP servers.
The modified file was exactly the one which heuristically could detect the Stuxnet. The modified one ignored the Stuxnet.
How could this happen? For sure the state authorities in the respective country updated definitions distribution server have persuaded the server owner to make these modifications.
In other words, official state supported IT terrorism.
It was excluded that the security software company self would have done this, it would have been unimaginable to sabotage its own international reputation.
A hacked updated definitions distribution server? Unprobably, the anomaly disappeared after a time. A clear sign that the real authors were so confident in the secrecy of their operation.

It's a shame what happened, when a state supports upon external pressures, IT terrorism.


1. Digitally sign all your files with your own security certificates (when you are a security software company), never more use other countries companies digital certificates.

2. Use updated definitions distribution servers in trusted countries only.

3. Use direct distribution channels if your clients are at your country borders.

4. Depending on your country political situation, use security products only from friend countries, never from politically adversary countries.

5. Assure you receive the updated definitions files from trusted friend countries.

The Stuxnet is a lesson for history, Internet is no longer an international academic and clean environment! It's just a new dirty Cold War field.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.