The award is judged by a group of retired senior US military and intelligence personnel, and past winners. This year the award to Julian Assange was unanimous.
Previous winners and ceremony locations:
Coleen Rowley of the FBI; in Washington, D.C.
Katharine Gun of British intelligence; in Copenhagen, Denmark
Sibel Edmonds of the FBI; in Washington, D.C.
Craig Murray, former UK ambassador to Uzbekistan; in New York City
Sam Provance, former sergeant, U.S. Army, truth-teller about Abu Ghraib; in Washington, D.C.
Frank Grevil, major, Danish army intelligence, imprisoned for giving the Danish press documents showing that Denmark’s prime minister disregarded warnings that there was no authentic evidence of WMDs in Iraq; in Copenhagen, Denmark
Larry Wilkerson, colonel, U.S. Army (retired), former chief of staff to Secretary Colin Powell at the State Department, who has exposed what he called the “Cheney-Rumsfeld cabal”; in Washington, D.C.
http://original.antiwar.com/mcgovern/2010/08/15/can-wikileaks-help-save-lives/
Not sure yet where this year’s award ceremony will be held, but I’ll be there.
Oh, and (5), it isn’t espionage against Siemens. Whoever wrote Stuxnet obviously had a thorough understanding of Siemens’ Step 7 software already. Stuxnet clearly targets the USERS of Step 7, rather than the makers.
Shai Blitzblau is telling a pack of lies.
Shai Blitzblau heads Maglan:
http://en.wikipedia.org/wiki/Maglan
Or does it mean this Maglan – a company with “headquarters” in Italy, research in Israel – or are they related?:
http://www.maglangroup.com/maglan/index.jsp
Guava is a member of the genus myrtus. The stuff about myrtle being of significance in Judaism seems to be true, but is possibly unremarkable – myrtle is common in Mediterranean countries and has claimed medicinal/magical properties in many cultures (guess who’s been busy with Wiki).
The genus/species thing is interesting as the string is a file location – it suggests a folder structure with genus at the top level and species beneath – sys admins like this kind of thing (I wanted to have servers called Pearse, Connolly and McBride, but was dissuaded). So one would expect other paths like:
b:\myrtus\src\objfre_w2k_x86\i386\clove.pdb
…so, more than one database. And specifying the ‘b’ drive is taking a bit of a chance unless you know the target hardware, or the worm can alias whatever drive it finds. Of course it could try all the likely local drive identifiers and see what works. Taken all together, sounds as if there was more than one string of this type in the code, or perhaps the code manipulates this string as a template.
Shai Blitzblau would like us to fear “terrorists”:
http://defense-update.com/wp/20100930_stuxnet_cyber_terror_weapon.html
Vronsky,
you’ve been thinking along the same lines as myself (genus / species = project / module).
It was odd to see the “b:” drive specified, “normally” b: is the second floppy disk drive, but who even uses one floppy these days? But doesn’t that string identify where a compiler should find the source code? At half a MByte, the Stuxnet object code would fit on a floppy. Maybe the source would, too.
Or maybe they were working in a LiveCD environment – sensible if they’re developing infective agents. If you boot off a DOS-style CD (floppy emulation), the CD becomes “a:”, and the floppy gets reassigned to “b:”, doesn’t it?
WARNING – I don’t trust Maglan’s Web pages. Don’t visit them from Windows, turn off JavaScript, preferably use a LiveCD.
“Maglan’s labs conduct a range of classified research projects for commercial, government and defense sectors”.
http://www.maglanlabs.com/
Maglan do NOT just do “Computer Defence” – they have a page called “Exploits” linked from the “Tools and Exp” link on the page above.
“It was odd to see the “b:” drive specified”
Yes. I wondered if that indicated specific knowledge of some particular piece of equipment. There is still (or was until recently) equipment in production areas that used floppy disks for program loads, e.g. steppers in the semiconductor industry.
I suspect that this was just a file path from someone's development environment, which was accidentally compiled in somehow, and the creators left it in (and/or edited it afterward), ensuring there is no danger of it providing any useful information to the curious.
I don't think there are likely to be any more curious strings left in the worm, though it is possible there are, in an as yet undiscovered level of encryption – if there are unidentified chunks of data left(?).
The Eset paper lists embedded database query strings at the end – it also mentions the ‘bulkiness’ of the code relative to other sophisticated malware, which can be extremely efficient and ‘tightly woven’. The Stuxnet worm isn't constructed like that; clear signatures of 2 different compilation environments (ubiquitous Microsoft ones) were noted in the code as well.
Today’s q&a on the virus at f-prot:
http://www.f-secure.com/weblog/archives/00002040.html
States confidently,
Q: Was Stuxnet written by a government?
A: That’s what it would look like, yes.
And if the mysterious file path caught your attention, you might be interested in
Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.
Q: What’s the significance of “19790509”?
A: It’s a date. 9th of May, 1979.
…..
– but these are the kind of infinitely manipulable details which I think are only allowed to slip because they are useless attention sinks.
The only bit I would take issue with in that q&a is here:
Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
The Eset paper indicates the worm can be instructed to uninstall itself. But in the case that it does not find the certain target hardware/system so far discovered in its default state, it does still try to contact C&C (mypremierfutbol.com) and is still ready to take updates and instructions from there. So it is actually doing ‘nothing’ in the sense that a sleeper agent may do nothing, until instructed to do… whatever…
…how do none of the news reports mention “mypremierfutbol.com” ? This is surely a quite ‘popularist’ detail.
I suspect this whole thing could be a bit of a concern to the world’s leading virus crackers, because the most capable of them are a rare, highly experienced breed, and if this sort of thing continues, rather than their revealing work being upheld as that of ‘the good guys thwarting criminal efforts’ they could become considered as assets and enemies within national conflict narratives.
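The quoted Q&A gives the infection marker (a Registry value of “19790509”) but not the key path or the value name. As an added illustration, not code from F-Secure, Eset or the page, here is a small scanner over a Windows `.reg` export that looks for that value stored either as a DWORD (where it appears as hex) or as a string. The sample export below is constructed; the key path and value names in it (`Hypothetical\Subkey`, `Marker`, `Note`) are placeholders, since the thread does not give the real ones.

```python
"""Scan a .reg export for the 19790509 infection marker.

Added example for this thread, not code from F-Secure, Eset or the page.
The only fact taken from the thread is the marker value itself; the
key path and value names in SAMPLE_REG are hypothetical placeholders.
"""
import datetime
import re

MARKER = 19790509  # decimal, as quoted in the F-Secure Q&A

# Constructed sample .reg export (hypothetical key path and value names).
# A DWORD is exported as eight hex digits, so the marker shows up as 012dfaad.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Hypothetical\Subkey]
"SomeCounter"=dword:00000007
"Marker"=dword:012dfaad
"Note"="19790509"

[HKEY_LOCAL_MACHINE\SOFTWARE\Other]
"Unrelated"=dword:012dfaae
"Path"="C:\\Program Files\\Thing"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def parse_reg(text):
    """Yield (key, name, kind, value) for dword and string values.

    Other value kinds (hex:, hex(2):, ...) are skipped; a marker stored
    as one of those would need the matching decoder added here.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, val = m.group("name"), m.group("value")
        if val.startswith("dword:"):
            yield key, name, "dword", int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            yield key, name, "string", val[1:-1].replace("\\\\", "\\")


def find_marker(text, marker=MARKER):
    """Return [(key, name)] for every value equal to the marker, whether it
    was written as a DWORD or as the decimal digits in a string."""
    hits = []
    for key, name, kind, value in parse_reg(text):
        if kind == "dword" and value == marker:
            hits.append((key, name))
        elif kind == "string" and value.strip() == str(marker):
            hits.append((key, name))
    return hits


def marker_as_date(n=MARKER):
    """Read the marker as YYYYMMDD, the way the Q&A does (9 May 1979)."""
    return datetime.date(n // 10000, (n // 100) % 100, n % 100)


if __name__ == "__main__":
    for key, name in find_marker(SAMPLE_REG):
        print("marker found: [%s] %s" % (key, name))
    print("as a date:", marker_as_date())
```

On a live machine the same check would be run against `reg export HKLM` output (or directly via `winreg`); the point of the hex conversion is that a DWORD marker never appears as the literal digits in an export, so a plain text search for “19790509” would miss it.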
Clark – “I’m just wondering what sort of person would have chosen those two particular words.”
I’ve seen one (only) explanation of them on offer, and it seems so stretched that I’m wondering what sort of person would have chosen to offer it. (chorus: “Dan Brown ?”)
Given that the file is part of the attack, shouldn’t it have been loaded from the USB stick ? Or are there theories about the infection coming from laptops with floppies ? (notice it’s w2k-specific, floppies were more common in those days). Or an attack that has someone insert both a pen-drive and a floppy ? Or are there systems that map USB drives to a: and b: ?
“I suspect that this was just a file path from someones developement environment”
A project so Massively Awesome, requiring resources that are claimed to show it must be the work of [insert least favourite government here], and they’re developing it on floppy discs ? Well, I’m not saying it could absolutely never make sense, but …
What is a .pdb file, anyway ? At first (ignorant) guess, something databasey ?
Description of the .PDB files and of the .DBG files –
http://support.microsoft.com/kb/121366
The drive letter could have been changed, the whole path could have been made up and pasted over some totally different string that they didn't want revealed.
The worm has a version number field in its configuration data file at %windir%\inf\mdmcpq3.pnf (page 52, Eset).
Every version/update released will have been checked, with a resource hacker and other standard, quite powerful string search/detection tools, for leaked info. What's left: pointless attention sinks, imo.
Thanks, crab.
I had it in the back of my mind that I would once have recognised a .pdb – I used VC++ v1, for a while, but it was a long time ago. (It was one of the factors in my jumping ship to Linux).
So, as you say, left over from development, and, surely, shouldn’t be there in a runtime distribution ? (But. Makefiles, who knows ?)
I guess none of the people working on this have put a copy of the code they’re looking at, anywhere where us ordinary mortals could get a look ? I’m thinking, it might be constructive to run it through ‘strings’, for a list of all the bits of text that are there for people to be offering explanations of.
Of course, this being infective stuff, there are reasons why one might not want to make it easily available, and presumably no-one’s being paid to disable it first; but “many eyeballs make any code shallow”, insert open-source advocacy here, EMWTK, etc.
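Running `strings` over a sample, as suggested above, turns up the printable runs, but a `.pdb` path usually lives inside a structured CodeView record (an `RSDS` signature, a 16-byte GUID, a 4-byte “age”, then the NUL-terminated path) that a linker writes into a binary's debug directory. The following is an added example, not code from Eset, Langner or anyone on this page, that does both: a `strings`-style extractor for ASCII and UTF-16 runs, and a parser for `RSDS` records. The sample bytes are constructed here, and the path embedded in them is the hypothetical `clove.pdb` variant from the thread, not a string recovered from Stuxnet.

```python
"""Extract printable strings and CodeView (RSDS) PDB paths from a binary blob.

Added example for this thread, not code from Eset, Langner or the page.
SAMPLE is constructed; its .pdb path is the thread's hypothetical
clove.pdb, not a string taken from the worm.
"""
import re
import struct

MIN_LEN = 4  # default minimum run length reported by `strings`


def ascii_strings(blob: bytes, min_len: int = MIN_LEN):
    """Every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def utf16le_strings(blob: bytes, min_len: int = MIN_LEN):
    """Every run of printable UTF-16LE (char, NUL, char, NUL ...) of at least min_len chars;
    `strings` without -e l would miss these on a Windows binary."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def codeview_pdb_paths(blob: bytes):
    """Parse CodeView RSDS records: b'RSDS' + GUID(16) + age(4) + NUL-terminated path."""
    found = []
    for m in re.finditer(rb"RSDS", blob):
        start = m.start()
        if start + 24 > len(blob):
            continue
        guid_bytes = blob[start + 4:start + 20]
        age = struct.unpack_from("<I", blob, start + 20)[0]
        end = blob.find(b"\x00", start + 24)
        if end == -1 or end == start + 24:
            continue  # no terminator, or empty path: not a real record
        try:
            path = blob[start + 24:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        d1, d2, d3 = struct.unpack_from("<IHH", guid_bytes)
        guid = "{%08X-%04X-%04X-%s-%s}" % (
            d1, d2, d3,
            guid_bytes[8:10].hex().upper(), guid_bytes[10:16].hex().upper())
        found.append({"guid": guid, "age": age, "path": path})
    return found


def pdb_path_parts(path: str):
    """Split a Windows PDB path into drive, directory chain and file name,
    so the 'genus / species = project / module' reading can be inspected."""
    drive, sep, rest = path.partition(":")
    if not sep or len(drive) != 1:
        drive, rest = "", path
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    return {"drive": drive.lower(), "dirs": parts[:-1], "file": parts[-1] if parts else ""}


def build_sample() -> bytes:
    """Constructed blob: junk, a fake RSDS record with the thread's hypothetical
    path, and a UTF-16LE string that ASCII-only `strings` would not see."""
    guid = bytes(range(16))
    path = rb"b:\myrtus\src\objfre_w2k_x86\i386\clove.pdb"
    record = b"RSDS" + guid + struct.pack("<I", 1) + path + b"\x00"
    return (b"\x00" * 8 + b"MZ" + b"\x90" * 12 + record
            + b"\x01\x02" + "19790509".encode("utf-16-le") + b"\x00\x00")


SAMPLE = build_sample()

if __name__ == "__main__":
    print("ascii:", ascii_strings(SAMPLE))
    print("utf16:", utf16le_strings(SAMPLE))
    for rec in codeview_pdb_paths(SAMPLE):
        print("pdb:", rec, pdb_path_parts(rec["path"]))
```

The GUID and age in the record are what a debugger uses to match a binary to its symbol file, which is why the path is there at all: it is not a runtime reference to drive b:, only a hint to whoever has the matching `.pdb`. Unpacked samples would need to be run through this first, as the thread notes, since a packed or encrypted layer hides the record.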
Sorry, should have mentioned that the link says the pdb extension of the mystery file path is a file made kind of temporarily by a Microsoft debugger.
And you want a copy of the worm Richard? eek! 🙂 It hadn't occurred to me, but I had a quick look on packetstorm and torrent search but no sign.
Of course it would need unpacking/decrypting before someone could do their own searches on it, and I just expect that the Eset guys have mentioned everything they managed to find.
I'm thinking that, even in black/red(?) hat circles, the worm files could be considered pretty heavy shit, and not lightly passed around.
I didn't notice that pdb was a debug database extension until you asked, so it was a very lucky guess, and then maybe not so made up.
Now myrtle & guava puts me in mind of an earthy character, bearded perhaps, subconsciously recalling the flora on his favourite desktop background…
..calling Sherlock..
In the main – Iran has been infected more than any other country by this most sophisticated blah blah…
In today's world, what does this tell us about the worm's creators?
I went and had a look around Maglanlabs pages. “Tools and Exp” leads to two FTP pages, “Tools” and “Exploits”. “Tools” contains publicly available stuff, like Netstumbler. There is something called “wifikeyfinder” there. “Exploits” has several files, but they’re all password protected. One of them is called something like “Word 2007 Zero Day”. There are also some password lists in a folder called “Dictionaries”, sorted by password length.
Crab,
thanks. It looks like F-prot are agreeing with Langner rather than Symantec. So Stuxnet proliferates between Windows systems, but is finely targeted at one industrial process.
Langner has a new update:
http://langner.com/en/
“And you want a copy of the worm Richard? eek!”
Well, I did say there are arguments against (it could, presumably, be detached from the transport vector, thus not actually executable? But this is something of a red herring). All I'm thinking is …
“i just expect that the Eset guys have mentioned everything they managed to find”
I’d just like to be able to verify that, instead of having to trust stuff put out by people I don’t know anything about. It would clarify the context of the single bit we have, if nothing else.
I’d put money on the proposition that it’s not literally the only sequence of printable characters they’ve found. As to whether all the others are obviously and totally without any meaning that anyone might be able to read in them … as I say, I’d like to see that for myself before going too far into the only one on offer.
Right Richard, I shouldn't be glib.
I pretty much trust the Eset guys though, and Langner, whom I've read for the first time at Clark's link, are talking my language too. The swaggering team photo and caption is good form. Seems they are also of the impression that the situation is being smudged by *our/western* Authorities.
“In the main – Iran has been infected more than any other country by this most sophisticated blah blah…
In today's world, what does this tell us about the worm's creators?”
The (Pakistani) Daily Times has a rather excitable-looking piece in which Stuxnet is “creating havoc” by “infecting millions of machines” in China …
http://dailytimes.com.pk/default.asp?page=2010\10\01\story_1-10-2010_pg4_5
Again – this is not a football match, I’m not supporting any team. I’m just noting that when it was The Mysterious Death Of Gareth Williams, people were ready enough to consider the possibility that some of the suggestions reported weren’t necessarily to be taken as the absolute last-word truth, so … both of these being ongoing mysteries to which we’re not sure we have the full story yet, why not adopt the same attitude here ?
“The swaggering team photo and caption is good form”
*grin*. It made me think of a poster advertising the sort of thriller-film I probably wouldn’t want to go see, yes. (er, if that is a “yes”)
“Seems they are also of the impression that the situation is being smudged by *our/western* Authorities”
The little rant about CERT ?
There also seems to be a certain element of self-promotion. Even if it's so precisely targeted and all, it's still a major threat to everyone else because other hackers could use the same techniques in more general attacks, all will be revealed at a future date, and here's how you can contact them if you want to hire them as consultants against this possible future threat that nobody else is taking seriously and they're the ones on top of.
Which, again, is not to cast doubt on the quality of their work or the possibility that they might be right. I'm just remarking that not all the work being done and all the things said about it are for reasons of pure disinterested altruism. In the long term, of course, this is a field where self-interest could well lie in being right; but we're not there yet.
Richard Robinson,
absolutely. Most of the reports in the mainstream or on the 'net are just speculation. Langner and Eset are my favourite analyses, and there's the Symantec blog. I haven't found the F-prot material yet, so…
Crab,
got a link? Hey, it’s not so hard to handle worms and viruses. I keep an image of Windows, which I decompress onto a spare hard disk, for use with disks that might have an infection. I wipe the spare hard disk when I’ve finished.
Richard Robinson,
note that Langner Communications do industrial control systems, not PCs. The usual PC security companies are out of their field on Stuxnet’s PLC capabilities. Yes, there’s an element of self promotion. Good luck to them, I say. Stuxnet had been known within the PC security world for three months before I saw it on the BBC site.
The (Pakistani) Daily Times: “…infected more than six million individual accounts…” Yeah, right. The best figure I’ve seen is 100,000 worldwide!
Ironic that there are so many copies out there, but there’s nowhere to download a sample.
Here’s a good summary about what the teabaggers are about, since someone was asking earlier:
http://www.fucktheteaparty.com/
Pardon my interruption of the Stuxnet discussion, I know there’s nothing else of any significance going on in the world.
Talking about how to deal with integrity. Canada’s Parliament shows Westminster the way denouncing the prestigious Maclean’s Magazine for an article headlined “The most corrupt province”. This is surely the solution to the political corruption that is also endemic in Westminster – Don’t allow the press to talk about it!! I need hardly add that most of the rest of Canada’s media has been roundly attacking Maclean’s as well, no doubt for breaking the unofficial rules of self censorship.
There are still a few dissident voices. One written comment in support of Maclean’s even says — “Well done Maclean’s!! I would have thought that important issues about the integrity of politicians were raised, but apparently not. Too often our media today practices censorship, placing undue deference to authority ahead of truth. It is a sad reflection on Canada that it is not the corrupt who get attacked but those who expose the corruption.”
I’ve downloaded a sample of Stuxnet. I don’t know how genuine it is yet.
“I haven’t found the F-prot material yet, so… Crab, got a link?”
You missed this one?
http://www.f-secure.com/weblog/archives/00002040.html
More generally, we see that when something newsworthy and sensitive is up, all sorts of reports appear, putting out mainstream ideas about it, which only need to be thrown out there to be propagated. Then even reporters who should be specialists start accommodating the mainstream outlook.
Langner, Eset etc – these guys are the horses' mouths, bigging themselves up a bit maybe, but ‘the Register’, Symantec, a paper in Pakistan etc, are part of this modern/commercial news gossip farce.
I'm not unsure about what has happened here. Iran has been attacked virtually by US or Israel or both, 10-1 odds. It may not become a settled matter in the mainstream, but it is already clear as day to the main researchers.
Glenn – I apologise.
“Pardon my interruption of the Stuxnet discussion, I know there’s nothing else of any significance going on in the world.”
Absolutely. Seductive and sexy though the techie speculations might be, they’re trivial. I’ve worked as a white hat hacker (penetration tester) and could never fathom all the geeky stuff. Oh, maybe it could be done, but if you were seriously in the position of needing it done, it just isn’t the path you would follow. Much easier to get into the pants of the CEO’s secretary, or find out which genealogy/motorcycle/cookery sites their sys admin looks at. Must gloomily confess I had more luck with the latter options than with the CEO’s secretary – life is littered with such sadnesses. Well, except once – my wizened old body glows in remembrance. Ah, successful penetration – I can almost remember.
Vronsky, a “white hat hacker” sounds exotic and entrancing (well, at least if you dig cowgirls, hard hats and suchlike) and the thought of you getting “into the pants of the CEO’s secretary” is… ferociously apt, if I may say. Was that before, or after, your soiree with the mezzo-soprano? Tell us all: ‘Confessions of an ‘Ud Player’, or perhaps, ‘What the ‘Ud Player Saw’, or maybe even, ‘Carry On up the Oud’!
Interesting article. Complex, or what? Is this ‘Smiley’s People’, or what? But of course knows how such dynamics operate:
http://www.lobster-magazine.co.uk/articles/global-drug.htm