Zero Days Page #2

just bad things everywhere.

Just like, okay, this is bad

and that's bad,

and, you know,

we need to investigate this.

And just suddenly

we had, like,

a hundred questions

straightaway.

The most interesting thing

that we do is detective work

where we try to track down

who's behind a threat,

what are they doing,

what's their motivation,

and try to really stop it

at the root.

And it is kind of

all-consuming.

You get this new puzzle

and it's very difficult

to put it down,

you know, work until, like,

4:
00 am in the morning

and figure these things out.

And I was in that zone where

I was very consumed by this,

very excited about it,

very interested to know

what was happening.

And Eric was also

in that same sort of zone.

So the two of us were, like,

back and forth all the time.

Chien:
Liam and I continued

to grind at the code,

sharing pieces,

comparing notes,

bouncing ideas

off of each other.

We realized that

we needed to do

what we called deep analysis,

pick apart the threat,

every single byte,

every single zero, one,

and understand everything

that was inside of it.

And just to give you

some context,

we can go through and understand

every line of code

for the average threat

in minutes.

And here we are

one month into this threat

and we were just starting

to discover what we call

the payload

or its whole purpose.

When looking at

the stuxnet code,

it's 20 times the size

of the average piece of code

but contains almost

no bugs inside of it.

And that's extremely rare.

Malicious code always has

bugs inside of it.

This wasn't the case

with stuxnet.

It's dense and every piece

of code does something

and does something right

in order to conduct its attack.

One of the things that

surprised us

was that stuxnet

utilized what's called

a zero-day exploit,

or basically,

a piece of code

that allows it to spread

without you having

to do anything.

You don't have to, for example,

download a file and run it.

A zero-day exploit

is an exploit that

nobody knows about

except the attacker.

So there's no protection

against it.

There's been

no patch released.

There's been zero days

protection,

you know, against it.

That's what attackers value,

because they know 100 percent

if they have

this zero-day exploit,

they can get in

wherever they want.

They're actually

very valuable.

You can sell these

on the underground

for hundreds

of thousands of dollars.

Chien:

Then we became more worried

because immediately we

discovered more zero days.

And again, these zero days

are extremely rare.

Inside stuxnet we had,

you know, four zero days,

and for the entire rest

of the year,

we only saw

12 zero days used.

It blows all... everything else

out of the water.

We've never seen this before.

Actually, we've never seen it

since, either.

Seeing one in a malware

you could understand

because, you know, the malware

authors are making money,

they're stealing people's credit

cards and making money,

so it's worth their while

to use it,

but seeing four zero days,

could be worth

half a million dollars

right there,

used in one piece

of malware,

this is not your ordinary

criminal gangs doing this.

This is...

This is someone bigger.

It's definitely

not traditional crime,

not hacktivists.

Who else?

It was evident

on a very early stage

that just given

the sophistication

of this malware...

Suggested that

there must have been

a nation-state involved,

at least one nation-state

involved in the development.

When we look at code

that's coming from

what appears to be

a state attacker

or state-sponsored attacker,

usually they're scrubbed clean.

They don't... they don't leave

little bits behind.

They don't leave

little hints behind.

But in stuxnet

there were actually

a few hints left behind.

One was that, in order to

get low-level access

to Microsoft windows,

stuxnet needed to use

a digital certificate,

which certifies that

this piece of code

came from

a particular company.

Now, those attackers obviously

couldn't go to Microsoft

and say,

"hey, test our code out for us.

And give us

a digital certificate."

So they essentially

stole them...

From two companies

in Taiwan.

And these two companies have

nothing to do with each other

except for

their close proximity

in the exact same

business park.

Digital certificates

are guarded very, very closely

behind multiple doors

and they require multiple

people to unlock.

Security:
...To the camera.

Chien:
And they need to provide

both biometrics

- and, as well, pass phrases.

It wasn't like

those certificates were

just sitting on some machine

connected to the Internet.

Some human assets

had to be involved, spies.

O'murchu:
Like a cleaner who

comes in at night

and has stolen

these certificates

from these companies.

It did feel like walking

onto the set

of this James Bond movie

and you...

You've been embroiled

in this thing that,

you know, you...

You never expected.

We continued to search,

and we continued

to search in code,

and eventually we found some

other bread crumbs left

we were able to follow.

It was doing something

with Siemens,

Siemens software,

possibly Siemens hardware.

We'd never ever seen that

in any malware before,

something targeting Siemens.

We didn't even know why

they would be doing that.

But after googling,

very quickly we understood

it was targeting

Siemens plcs.

Stuxnet was targeting

a very specific hardware device,

something called a plc or

a programmable logic controller.

Langner:
The plc is kind of

a very small computer

attached to

physical equipment,

like pumps,

like valves, like motors.

So this little box is

running a digital program

and the actions

of this program

turns that motor on, off,

or sets a specific speed.

Chien:
Those program

module controllers

control things like

power plants, power grids.

O'murchu:

This is used in factories,

it's used in

critical infrastructure.

Critical infrastructure,

it's everywhere around us,

transportation,

telecommunications,

financial services,

health care.

So the payload of stuxnet

was designed

to attack some

very important part

of our world.

The payload is gonna be

important.

What happens there could be

very dangerous.

Langner:
The next

very big surprise came

when it infected

our lab system.

We figured out that

the malware was probing

for controllers.

It was quite picky

on its targets.

It didn't try to manipulate any

given controller in a network

that it would see.

It went through several checks,

and when those checks failed,

it would not implement

the attack.

It was obviously probing

for a specific target.

You've got to put this

in context that,

at the time,

we already knew,

well, this is the most

sophisticated piece of malware

that we have ever seen.

So it's kind of strange.

Somebody takes that huge effort

to hit one specific target?

Rate this script:0.0 / 0 votes