This is the final part of Mikko Hypponen’s Defcon 19 speech where he dwells on the latest cyber infections that appeared after 2009 and stay active up till now. It took virus writers years to create some of those, so they were made very sophisticated and barely comparable with the older threats in terms of the disruptive potential and technical complexity.
‘Conficker’ – the biggest outbreak of 2009 – still remains one of the biggest mysteries we have in the history of viruses. Massive, massive infection which wasn’t used to do anything at all.
And then we started finding even more advanced viruses. If ‘Mebroot’ was advanced, this is pretty much the state of the art nowadays: ‘TDSS’, aka ‘Alureon’ rootkits which are today capable of infecting a 64-bit Windows 7 in the MBR1, booting all the way from the MBR, surviving the Windows boot, regardless of all the security features that were introduced in Windows 7, pretty remarkable stuff.
The amount of infected machines around the world right now, with this, is in the millions. And it’s being used for different kinds of a moneymaking scams. It’s one of the biggest problems we have at the moment.
But that was still quite different from these ransom trojans that we started seeing as well. By this time, like I explained earlier, most of the infections were invisible: you wouldn’t know that you’re infected. But then we started seeing Trojans like ‘GPCode’ which were very visible.What ‘GPCode’ does is it infects your system, then it waits for the PC to be idle, so that you are not at the computer, and then it starts encrypting your hard drive: goes through your hard drive, encrypts everything. And then it changes the Windows wallpaper to the message shown on the image, where it explains that, you know, all your files have now been encrypted, if you want to get your files back, please read the ‘how to decrypt’ txt-file. And when you read the ‘how to decrypt’ txt-file, it explains to you in detail that “Yup, we just encrypted your files using RSA 1024 with an ASCII, and if want to get your files back, please email us at ‘email@example.com’ and send us 125 bucks through a Ukash pre-paid system, and provide this unique key, which is unique to your system, and they will provide you with the decrypter.
Well, they actually will. We’ve worked with multiple cases where affected users have sent them money and have gotten the decrypter back.
And as much as I hate the idea of anybody sending any money to these clowns, I know that people have done it and they have gotten their files back.
2009 – Conficker
2010 – Stuxnet
2011 – Ransom Trojans
Many of these cases have actually been corporate users, where not just the corporate laptops have been encrypted but also network shares have been encrypted. And then they learned that they actually don’t have good backups. And that’s a big problem, so they would be more than happy to pay 125 dollars to get their files back.
But all this work with malware like this did not prepare us for what we would find next. And that was ‘Stuxnet’ – ‘Stuxnet’ which was found in summer of 2010, ‘Stuxnet’ which had been around spreading in the wild already for a year.
And that’s actually remarkable. And that’s actually embarrassing to us, I mean, us antivirus vendors and security companies. We missed ‘Stuxnet’ for a freaking year. Nobody saw it going around. Eventually, when it was found, it already had done what it wanted to do. And of course, as we know by now, ‘Stuxnet’ was written by you guys, I mean, the Americans, the U.S. Government.
And it was a successful operation that attempted to disrupt the Natanz nuclear enrichment plant in Iran. And it did. In fact, we believe it already did what it wanted to do in 2009, so by the time we found it in 2010, it didn’t actually matter anymore, it had already done what was meant for.So, let’s look at that a little closer. We obviously have computers everywhere: in factories, in plants…You go to any chemical plant, any power plant, any food producing plant, and you look around – it’s all being run by these. That’s a ‘Siemens S7-400’ (see image), a typical PLC2 programmable logic controller. For example, the elevators in this building most likely run PLCs or maybe something along these lines – automation which isn’t running Windows. ‘Siemens’ gear is running 32-bit Linux inside, very fault-tolerant systems. And the way they are being programmed is typically for Windows workstations. And that’s the route in, the ‘Stuxnet’ will infect pretty much any Windows computer in the world. But it won’t do anything except replicating, unless the computer has the ‘Siemens Step 7’ programming environment installed. And that’s the environment you use to program these. And even if it finds ‘Step 7’ running on a computer, it won’t do anything unless it’s connected to the right kind of a PLC, it has to be ‘Siemens S7-417’ or another model. If it finds the right PLC, then it will reprogram the PLC. And now it waits for somebody to disconnect the PLC from the computer and take it to a factory floor. And it still won’t do anything, unless it’s connected exactly to the right kind of gear, and it’s looking specifically for the things you can see on the image; these are high frequency power converters manufactured by a company called ‘VaCom’. It’s looking for a specific number of the right kind of high frequency power converters. And of course, these, we believe, were the converters that were used to spin the centrifuges in the Natanz nuclear enrichment plant. So, the real target becomes not just the high frequency power converters, but the whole nuclear program, or the nuclear enrichment program.
So, it has been a pretty wild ride. We look at the last 25 years – from ‘Brain’ spreading on 5.25 inch floppy disks, to ‘Stuxnet’ which is more than a megabyte of code, multimillion-dollar project, more then 10 man-years in making, targeting completely undocumented tailor-made systems, infecting PLCs, which has never been done before.
It’s been an amazing change that we’ve seen. Many things have changed, and at the same time, many things haven’t changed. For example, ‘Brain’ never spread over the Internet because we didn’t really have Internet in 1986 as we have it today. ‘Stuxnet’ does not spread over the Internet, it spreads on USB sticks. Why? Because the systems it wants to reach are not on the Internet, obviously nuclear systems are not online, they are separated, that’s why it spreads on USB sticks.
‘Brain’ was actually a rootkit, if you tried to read the infected boot sector, you wouldn’t see it, it would give you the original boot sector instead. ‘Stuxnet’ has a rootkit to hide itself not just on the infected Windows computer, but also on the infected PLC.
So, everything has changed, and nothing has changed. And it will be interesting to see what kind of viruses we will be analyzing 25 years from now. Thank you very much!
Read previous: The History and the Evolution of Computer Viruses: 2003-2008
1 – MBR (master boot record) is a type of boot sector consisting of a sequence of 512 bytes located at the first sector of a data storage device such as a hard disk. MBRs are usually placed on storage devices intended for use with IBM PC-compatible systems.
2 – PLC (programmable logic controller) is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures.