
Topic: Stuxnet and bitcoin... (Read 2831 times)

hero member
Activity: 518
Merit: 500
Hodl!
November 15, 2014, 10:53:05 AM
#33

Does anyone else think that Ahmadinejad is charismatic? In an evil, taking-over-the-world type of way?

How's his maniacal laugh? Does he monolog? Does he have a white persian cat? ... oh nvm, we can buy him one.
legendary
Activity: 1051
Merit: 1000
https://r.honeygain.me/XEDDM2B07C
November 15, 2014, 10:41:24 AM
#32
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration

Yup. It didn't attack just any SCADA system. It didn't even attack just any SCADA system made by Siemens. It attacked a SCADA system made by Siemens that was used to control industrial regulators in a very specific configuration. We had an inkling that Iran's uranium enrichment facility was the target, but we had no proof. After all, we couldn't go to the Iranians and ask them "Hey, buddy, does your uranium enrichment setup happen to have this particular configuration of industrial controllers?". Until a colleague found an image on the site of the Iranian president, depicting his visit to the uranium enrichment facility:



See that computer screen in the foreground (the left one)? It's the screen of a PC controlling the centrifuges. The image on the screen shows graphically the configuration of the controllers - and it matched exactly the one Stuxnet was looking for.

As another colleague of mine joked once, we call this "open source intelligence". Grin

Quote
whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Ah, not really. If you read what I've written so far on this subject, you might notice that I said that Stuxnet was not very sophisticated as a virus. There is a reason why I used this specific phrase. You see, most people equate "virus" with "damaging program". This is ignorant at best. A virus is a self-replicating program. While it is true that the mere act of self-replication tends to cause damage of various kinds, it is important to note that a virus doesn't have to be intentionally destructive in order to be a virus. It can do nothing else besides replicating - and will still be a virus. The opposite is also true - a malicious program, no matter how destructive, is not a virus if it lacks the ability to replicate itself.

So, when I say that a virus is sophisticated, it means that it has a clever and unusual self-replication mechanism - or at least some clever mechanism for hiding its spread. Stuxnet had nothing of the sort. Stuxnet had a sophisticated payload - but for me what a virus does besides replicating is pretty much irrelevant. The self-replicating property is what classifies a program as a virus, so this is what is important to me when analyzing one.

Does anyone else think that Ahmadinejad is charismatic? In an evil, taking-over-the-world type of way?
legendary
Activity: 1051
Merit: 1000
https://r.honeygain.me/XEDDM2B07C
November 15, 2014, 10:39:48 AM
#31
In theory, anything is possible. But probable ? Nope. Grin
hero member
Activity: 518
Merit: 500
Hodl!
November 15, 2014, 08:15:00 AM
#30
Shame the photog didn't aim a bit lower, coulda got the password on the post it note on the bottom of the monitor too Cheesy
full member
Activity: 139
Merit: 100
November 15, 2014, 07:49:47 AM
#29
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration

Yup. It didn't attack just any SCADA system. It didn't even attack just any SCADA system made by Siemens. It attacked a SCADA system made by Siemens that was used to control industrial regulators in a very specific configuration. We had an inkling that Iran's uranium enrichment facility was the target, but we had no proof. After all, we couldn't go to the Iranians and ask them "Hey, buddy, does your uranium enrichment setup happen to have this particular configuration of industrial controllers?". Until a colleague found an image on the site of the Iranian president, depicting his visit to the uranium enrichment facility:



See that computer screen in the foreground (the left one)? It's the screen of a PC controlling the centrifuges. The image on the screen shows graphically the configuration of the controllers - and it matched exactly the one Stuxnet was looking for.

As another colleague of mine joked once, we call this "open source intelligence". Grin

Quote
whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Ah, not really. If you read what I've written so far on this subject, you might notice that I said that Stuxnet was not very sophisticated as a virus. There is a reason why I used this specific phrase. You see, most people equate "virus" with "damaging program". This is ignorant at best. A virus is a self-replicating program. While it is true that the mere act of self-replication tends to cause damage of various kinds, it is important to note that a virus doesn't have to be intentionally destructive in order to be a virus. It can do nothing else besides replicating - and will still be a virus. The opposite is also true - a malicious program, no matter how destructive, is not a virus if it lacks the ability to replicate itself.

So, when I say that a virus is sophisticated, it means that it has a clever and unusual self-replication mechanism - or at least some clever mechanism for hiding its spread. Stuxnet had nothing of the sort. Stuxnet had a sophisticated payload - but for me what a virus does besides replicating is pretty much irrelevant. The self-replicating property is what classifies a program as a virus, so this is what is important to me when analyzing one.
hero member
Activity: 518
Merit: 500
Hodl!
November 14, 2014, 11:36:10 AM
#28
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration, whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Now, a tailored threat for bitcoin mining? Well maybe you could take out KNC's operation or something, given enough intel about it, but different ASICs different mining programs, different OSes, different CPU instruction sets even (cgminer has been compiled for MIPsel, ARM, x86...) ... well let's just say it might have to be AI complete rather than merely smart to take out more than 50% and then it's only temporary disruption.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
November 14, 2014, 11:25:42 AM
#27
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree.

Then we'll have to agree to disagree. Have you actually analyzed the Stuxnet code? How many other computer viruses have you analyzed? Just trying to establish...

That was a nice write-up. I have not truly analyzed any virus. But what I mostly see in the wild are simple script kiddy versions of well known viri. Perhaps we do not disagree so much. The examples you noted are very complex viri and compared to those stux is not so special. But it must be in the top percentile compared with viri in general?
full member
Activity: 139
Merit: 100
November 14, 2014, 05:49:02 AM
#26
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree.

Then we'll have to agree to disagree. Have you actually analyzed the Stuxnet code? How many other computer viruses have you analyzed? Just trying to establish a basis of comparison here, you see.

I've been analyzing viruses since 1989. I've seen some pretty incredible things. Viruses that did not reside in any file or boot sector, or, in fact, anywhere on the disk (CodeRed). Viruses that resided in the unused disk space of the last cluster of the file (Number of the Beast). Viruses that infected directories, instead of files (Dir_II). Viruses that hid in unused areas of zeroes in the infected file (Lehigh). Viruses that hid in the header of the infected EXE files (TheRat) or even optimized that header in order to shorten it and free up space for themselves (Phoenix). Viruses that compressed the infected files (Cruncher). Viruses that infected the master boot sector by changing just one byte in a data area (Starship). Viruses that didn't save the original boot sector anywhere and performed its function themselves, instead. Viruses that infected documents (Concept) or spreadsheets (Laroux) or JPEG images (Perrun). Viruses that were just 29 bytes long (Trivial). Viruses that had a cryptographically protected payload, so that we still don't know what they were supposed to do (Gauss). Viruses that infected multiple fundamentally different platforms, like both Windows and Linux, or Windows, MacOS and Android. Viruses that rewrite themselves to look different every time they replicate (V2P6). Viruses that chopped their own code into many parts and spread them all over the infected file (Commander_Bomber). Viruses that brute-forced their own encrypted code (i.e., didn't contain the decryption key) in order to slow down anti-virus products that use emulation (RDA_Fighter). And so on, and so on...

Compared to some of the stuff I've seen, a virus that is a humongous mess of code and replicates via USB sticks doesn't rate as "sophisticated", even if it uses 4 zero-day exploits, attacks unusual hardware configurations, and was used as a weapon against a nation-state.

But then I'm probably just biased. For most common people probably even just the ability to replicate makes a program "sophisticated"...
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
November 13, 2014, 04:44:40 PM
#25
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree. By the way, I don't think that the actual stuxnet code is a danger to bitcoin. But the idea of a malicious attack with similar code could be. Imagine if it were programmed to find bitcoin ASICs.
legendary
Activity: 980
Merit: 1000
November 13, 2014, 09:13:53 AM
#24
Not a chance
hero member
Activity: 518
Merit: 500
Hodl!
November 13, 2014, 06:04:23 AM
#23
Really, it was the oldskool "walking disk drive" hack applied to centrifuges.
full member
Activity: 139
Merit: 100
November 13, 2014, 03:52:59 AM
#22
My understanding of Stux is that it had a powerful basic core

Well, it depends how you define "powerful". It was one big mess of code. Built from a framework of modules. A mouse built to government specifications.

Quote
that included at least two zero day exploits.

Four, if I remember correctly.

Quote
That is rare and why I consider it to be sophisticated.

Yeah, well, attacking a country's uranium enrichment equipment is unusual too, but that doesn't make the virus particularly sophisticated. Maybe I'm just biased, having seen so many really sophisticated tricks in viruses over the last quarter of a century... I still think that as a virus (i.e., as self-replicating code) Stuxnet was nothing special, no matter what else the code did.

Quote
This basic code was then elaborately modified to target specific hardware.

No, it wasn't modified. It was designed to do so from the get-go.
hero member
Activity: 700
Merit: 500
November 12, 2014, 01:41:09 PM
#21
Why are you posting something so stupid? Honestly, can you give us a real answer on why you felt the need to disappoint so many people in this forum today?

Stuxnet lol....
hero member
Activity: 518
Merit: 500
Hodl!
November 12, 2014, 12:59:45 PM
#20
Whoa, thanks for pointing this out, I'll unplug my uranium centrifuge from my bitcoin machine immediately.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
November 12, 2014, 11:22:17 AM
#19
I think Stux could be modified to do something like this.

Not really. It simply doesn't make sense...

Quote
The stux worm released on Iran was very sophisticated

It was nothing exceptional. ...

My understanding of Stux is that it had a powerful basic core that included at least two zero day exploits. That is rare and why I consider it to be sophisticated. This basic code was then elaborately modified to target specific hardware. The primary targets were Iranian uranium enrichment centrifuges. These could be destroyed by spinning them at a particular speed that caused them to wobble and fall over. 
full member
Activity: 139
Merit: 100
November 12, 2014, 06:42:16 AM
#18
I think Stux could be modified to do something like this.

Not really. It simply doesn't make sense. If a third party wanted to attack the Bitcoin nodes with a virus, it would be much easier for them to write a new virus for this purpose as opposed to changing an existing one like Stuxnet (which wasn't even very successful as a virus, to begin with). For the original creators of the virus, it would be much easier, too. They have a framework for this purpose, so it's much easier to use it to build a new malware from the modules they already have than to modify something that they have already built (and which is known to the anti-virus community).

Quote
The stux worm released on Iran was very sophisticated

It was nothing exceptional. Oh, sure, it has interesting properties, like being obviously written by a defense contractor (ever heard the saying that an elephant is a mouse built by a committee to government specifications? Well, Stuxnet is a virus built by a "committee" - several teams not communicating with each other and only producing code modules matching a specification), it was attacking a SCADA system, it was used as a weapon against a country, and it gained wide notoriety in the press. But, as a virus, it was nothing special.

If you want sophistication, how about Flame or Gauss? They were both written by the same outfit that came up with Stuxnet, using the same (or similar) framework.

Flame was huge - about 20 MB! Four years later, we still don't know everything it could do - because how do you analyze 20 MB of compiled code and linked libraries?! It even had a virtual machine and a Lua interpreter for some of its parts. Command-and-control, replication on demand, SQL injection, audio and video interception, backdoors, zero-day exploits, keylogging, encryption, compression, Bluetooth sniffing... Flame had it all. It even used a previously unknown collision attack to crack MD5 and fake Microsoft Update. (Microsoft stopped using MD5-based certificates because of Flame.)

Gauss, clearly produced by the same outfit, is my personal favorite, because it implemented an attack I predicted in the late 90s. Google "clueless agents" - Bruce Schneier has a nice paper about them. Gauss has a practically textbook implementation of them. We don't know what it does. It looks for directory paths by doing H(H(path)) where H() is a cryptographically strong hash function and then H(path) is used as the decryption key. We do know H(H(path)) - it's in the virus - but we have no clue what the path is, so we can't compute H(path) and decrypt the encrypted payload of the virus. (I am over-simplifying here - the hash-of-hash is not done once but 1000 times and the key is not a simple H(path) but of a more complex data which is derived from the path.) Although the hash function is MD5 and the cypher is RC4, both of which are considered nowadays cryptographically insecure, in practice we haven't got a snowball's chance in hell of decrypting the payload of the virus and understanding what it does...

For a more technical description of the issue, see this.
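The "clueless agent" construction described in the post above, shown from the analyst's side as an added example (this is not Gauss's actual code or key schedule, and not code from anyone in this thread). The sample is assumed to carry only a fingerprint H(key) and an RC4-encrypted blob, where key is an iterated MD5 of an environment path the analyst does not know; the only thing an analyst can do is guess candidate paths, derive each key, and compare fingerprints, which is why an unguessed path leaves the payload unreadable. The path, payload and 1000-round count below are constructed for the demo.

```python
import hashlib

ROUNDS = 1000  # iteration count, constructed for the demo (the post says "1000 times")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Used only because the post names RC4; it is not
    a cipher to pick for anything new."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(path: str) -> bytes:
    """Toy version of the post's H(path): MD5 iterated ROUNDS times over the path.
    The iteration is what makes every candidate guess cost ROUNDS hashes."""
    h = path.encode("utf-8")
    for _ in range(ROUNDS):
        h = hashlib.md5(h).digest()
    return h


def key_fingerprint(key: bytes) -> bytes:
    """Toy version of H(H(path)): the value the sample stores so it can recognise
    the right environment without storing the key itself."""
    return hashlib.md5(key).digest()


def build_fixture(path: str, plaintext: bytes) -> tuple[bytes, bytes]:
    """Constructed test fixture standing in for what an analyst extracts from a
    sample: the stored fingerprint and the encrypted blob. Nothing else is kept."""
    key = derive_key(path)
    return key_fingerprint(key), rc4(key, plaintext)


def recover_payload(stored_check: bytes, ciphertext: bytes, candidate_paths):
    """Analyst loop: for each guessed path, derive the key and compare its
    fingerprint with the stored one. Returns (path, plaintext) on a hit, else None.
    Without a correct guess the ciphertext cannot be opened; the fingerprint
    only confirms a guess, it does not leak the key."""
    for path in candidate_paths:
        key = derive_key(path)
        if key_fingerprint(key) == stored_check:
            return path, rc4(key, ciphertext)
    return None


# Constructed demo values; the "secret" path is something only the target has.
DEMO_PATH = r"C:\Program Files\ExampleVendor\tools"
DEMO_PLAINTEXT = b"benign demo payload: print('hello')"
DEMO_CHECK, DEMO_CIPHERTEXT = build_fixture(DEMO_PATH, DEMO_PLAINTEXT)


if __name__ == "__main__":
    wrong_guesses = [r"C:\Windows", r"C:\Program Files", r"D:\data"]
    print("wordlist without the real path:", recover_payload(DEMO_CHECK, DEMO_CIPHERTEXT, wrong_guesses))
    hit = recover_payload(DEMO_CHECK, DEMO_CIPHERTEXT, wrong_guesses + [DEMO_PATH])
    print("wordlist with the real path:", hit)
```

The point of the demo is the asymmetry: the fingerprint lets the sample (and the analyst) confirm a correct path in one comparison, but turning the fingerprint back into the key would require inverting MD5, and guessing paths costs ROUNDS hashes per candidate. Having both MD5 and RC4 be weak primitives does not help here, which is the post's observation.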
full member
Activity: 139
Merit: 100
November 12, 2014, 05:56:04 AM
#17
Have you ever programmed in ladder logic..?

I have even "programmed" analog (i.e., not digital) computers and computers that used ternary (as opposed to binary) number representations. A dinosaur like me has seen it all...

Quote
I would LOVE to see you "detect a virus" in ladder logic, love to.

And I would love to see you write a virus in ladder logic, I'd really love to. In fact, you'd have a hard time even writing a simple multiplication function in it...

It is clear to me now that you really have no clear idea what computer viruses are and how they really work - something which I already suspected when you brought Stuxnet into this context.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
November 11, 2014, 10:43:59 AM
#16
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?

Central banks wish to eliminate any threat to them at any cost to humanity.
They may want to eliminate bitcoin, but launching an attack like this has almost no chance of remaining secret. Once discovered, the damage to the bank would far outweigh the tiny advantage of hurting bitcoin for a limited time. It would be wildly illegal and require destroying thousands and thousands of mining machines and routers. They will be completely responsible for those damages and any lost revenue. Their settlement would run into the billions. And all they would gain is to suppress bitcoin for a short time. 
legendary
Activity: 1722
Merit: 1000
November 11, 2014, 10:33:59 AM
#15
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?

Central banks wish to eliminate any threat to them at any cost to humanity.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
November 11, 2014, 09:58:20 AM
#14
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?