Zero Days Page #2
just bad things everywhere.
Just like, okay, this is bad
and that's bad,
and, you know,
we need to investigate this.
And just suddenly
we had, like,
a hundred questions
straightaway.
The most interesting thing
that we do is detective work
where we try to track down
who's behind a threat,
what are they doing,
what's their motivation,
and try to really stop it
at the root.
And it is kind of
all-consuming.
You get this new puzzle
and it's very difficult
to put it down,
you know, work until, like,
4:
00 am in the morningAnd I was in that zone where
I was very consumed by this,
very interested to know
what was happening.
And Eric was also
in that same sort of zone.
So the two of us were, like,
back and forth all the time.
Chien:
Liam and I continuedto grind at the code,
sharing pieces,
comparing notes,
bouncing ideas
off of each other.
We realized that
we needed to do
what we called deep analysis,
pick apart the threat,
every single byte,
every single zero, one,
and understand everything
that was inside of it.
And just to give you
some context,
we can go through and understand
every line of code
for the average threat
in minutes.
And here we are
one month into this threat
and we were just starting
to discover what we call
the payload
or its whole purpose.
When looking at
the stuxnet code,
it's 20 times the size
of the average piece of code
but contains almost
no bugs inside of it.
And that's extremely rare.
Malicious code always has
bugs inside of it.
This wasn't the case
with stuxnet.
of code does something
and does something right
in order to conduct its attack.
One of the things that
surprised us
was that stuxnet
utilized what's called
a zero-day exploit,
or basically,
a piece of code
that allows it to spread
without you having
to do anything.
You don't have to, for example,
download a file and run it.
A zero-day exploit
is an exploit that
nobody knows about
except the attacker.
So there's no protection
against it.
There's been
no patch released.
There's been zero days
protection,
you know, against it.
That's what attackers value,
because they know 100 percent
if they have
this zero-day exploit,
they can get in
wherever they want.
They're actually
very valuable.
You can sell these
on the underground
for hundreds
of thousands of dollars.
Chien:
Then we became more worried
because immediately we
discovered more zero days.
And again, these zero days
are extremely rare.
Inside stuxnet we had,
you know, four zero days,
and for the entire rest
of the year,
we only saw
12 zero days used.
It blows all... everything else
out of the water.
We've never seen this before.
Actually, we've never seen it
since, either.
Seeing one in a malware
you could understand
because, you know, the malware
authors are making money,
they're stealing people's credit
cards and making money,
to use it,
but seeing four zero days,
could be worth
half a million dollars
right there,
used in one piece
of malware,
this is not your ordinary
criminal gangs doing this.
This is...
This is someone bigger.
It's definitely
not traditional crime,
not hacktivists.
Who else?
It was evident
on a very early stage
that just given
the sophistication
of this malware...
Suggested that
there must have been
a nation-state involved,
at least one nation-state
involved in the development.
When we look at code
that's coming from
what appears to be
a state attacker
or state-sponsored attacker,
usually they're scrubbed clean.
They don't... they don't leave
little bits behind.
They don't leave
little hints behind.
But in stuxnet
there were actually
a few hints left behind.
One was that, in order to
get low-level access
to Microsoft windows,
stuxnet needed to use
a digital certificate,
which certifies that
this piece of code
came from
a particular company.
Now, those attackers obviously
couldn't go to Microsoft
and say,
"hey, test our code out for us.
And give us
a digital certificate."
So they essentially
stole them...
From two companies
in Taiwan.
nothing to do with each other
except for
their close proximity
in the exact same
business park.
Digital certificates
are guarded very, very closely
behind multiple doors
and they require multiple
people to unlock.
Security:
...To the camera.Chien:
And they need to provideboth biometrics
- and, as well, pass phrases.
It wasn't like
those certificates were
just sitting on some machine
connected to the Internet.
Some human assets
had to be involved, spies.
O'murchu:
Like a cleaner whocomes in at night
and has stolen
these certificates
from these companies.
It did feel like walking
onto the set
of this James Bond movie
and you...
You've been embroiled
in this thing that,
you know, you...
You never expected.
We continued to search,
and we continued
to search in code,
and eventually we found some
we were able to follow.
It was doing something
with Siemens,
Siemens software,
possibly Siemens hardware.
We'd never ever seen that
in any malware before,
something targeting Siemens.
We didn't even know why
But after googling,
very quickly we understood
it was targeting
Siemens plcs.
Stuxnet was targeting
a very specific hardware device,
something called a plc or
a programmable logic controller.
Langner:
The plc is kind ofa very small computer
attached to
physical equipment,
like pumps,
like valves, like motors.
So this little box is
running a digital program
and the actions
of this program
turns that motor on, off,
or sets a specific speed.
Chien:
Those programmodule controllers
control things like
power plants, power grids.
O'murchu:
This is used in factories,
it's used in
critical infrastructure.
Critical infrastructure,
it's everywhere around us,
transportation,
telecommunications,
financial services,
health care.
So the payload of stuxnet
was designed
to attack some
very important part
of our world.
important.
very dangerous.
Langner:
The nextvery big surprise came
when it infected
our lab system.
We figured out that
the malware was probing
for controllers.
It was quite picky
on its targets.
It didn't try to manipulate any
given controller in a network
that it would see.
It went through several checks,
and when those checks failed,
it would not implement
the attack.
It was obviously probing
for a specific target.
You've got to put this
in context that,
at the time,
we already knew,
well, this is the most
sophisticated piece of malware
that we have ever seen.
So it's kind of strange.
Somebody takes that huge effort
to hit one specific target?
Translation
Translate and read this script in other languages:
Select another language:
- - Select -
- 简体中文 (Chinese - Simplified)
- 繁體中文 (Chinese - Traditional)
- Español (Spanish)
- Esperanto (Esperanto)
- 日本語 (Japanese)
- Português (Portuguese)
- Deutsch (German)
- العربية (Arabic)
- Français (French)
- Русский (Russian)
- ಕನ್ನಡ (Kannada)
- 한국어 (Korean)
- עברית (Hebrew)
- Gaeilge (Irish)
- Українська (Ukrainian)
- اردو (Urdu)
- Magyar (Hungarian)
- मानक हिन्दी (Hindi)
- Indonesia (Indonesian)
- Italiano (Italian)
- தமிழ் (Tamil)
- Türkçe (Turkish)
- తెలుగు (Telugu)
- ภาษาไทย (Thai)
- Tiếng Việt (Vietnamese)
- Čeština (Czech)
- Polski (Polish)
- Bahasa Indonesia (Indonesian)
- Românește (Romanian)
- Nederlands (Dutch)
- Ελληνικά (Greek)
- Latinum (Latin)
- Svenska (Swedish)
- Dansk (Danish)
- Suomi (Finnish)
- فارسی (Persian)
- ייִדיש (Yiddish)
- հայերեն (Armenian)
- Norsk (Norwegian)
- English (English)
Citation
Use the citation below to add this screenplay to your bibliography:
Style:MLAChicagoAPA
"Zero Days" Scripts.com. STANDS4 LLC, 2024. Web. 20 Dec. 2024. <https://www.scripts.com/script/zero_days_23977>.
Discuss this script with the community:
Report Comment
We're doing our best to make sure our content is useful, accurate and safe.
If by any chance you spot an inappropriate comment while navigating through our website please use this form to let us know, and we'll take care of it shortly.
Attachment
You need to be logged in to favorite.
Log In