Malicious software that went down in history. Part I
It seems to me that computer viruses should be considered as a form of life. This says a lot about the nature of man: the only life form that we have created to date is only destroying. We create life in the image and likeness of our own.Stephen Hawking
If there are rules, then there will certainly be someone who wants to break them. The same goes for malware creators. Some of them want to profit, others just show their talent to the world. Like it or not, malware has become an integral part of the IT industry. Their species diversity is amazing. Some are virtually harmless, while others suffer billions in losses to government agencies and private companies. In this article we will get acquainted with the most prominent and famous malware in the history of mankind, starting with the very first, in chronological order.
Brain - 1986
According to most, Brain is the first virus on a PC. However, unlike his brothers, he did practically no harm.
Two brothers, Bazit and Amjad Farouk Alvi, were involved in the development and implementation of medical software in Lahore, Pakistan. They were very worried about the issue of software piracy, which is why they created Brain.
The computer was infected in the following way. A copy of the virus was recorded on the boot sector of the diskette, while old information was transferred to another sector and marked as damaged. After that, the following message was displayed in the boot sector:
Welcome to the Dungeon © 1986 Basit & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS !!! BEWARE OF THE er..VIRUS: this program is catching program follows after these messages .... $ # @% $ @ !!
Because of the virus, the floppy disk slowed down, and DOS lost access to 7 kilobytes of memory. However, Brain contained a built-in partition check of the hard disk, which did not allow it to infect data, thereby preserving it.
In the source code of the virus, it was possible to find information with the names of its creators, as well as their address and telephone:
Welcome to the Dungeon 1986 Basit & Amjads (pvt). BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS ... Contact us for vaccination ...
The spread of the Brain virus was impressive. A few weeks later, calls began to arrive on the Alvi brothers' phone number demanding that the virus be removed from the infected PC. There were so many calls that the telephone lines had to be simply disconnected.
Alvi’s brothers now lead one of the largest telecommunications companies in Pakistan with the very nostalgic name of Brain Telecommunications.
Stoned - 1987
Another virus representative with extremely minor consequences. The essence of the virus was that with a probability of 1 to 8, a message appears on the PC screen: “ Your PC is now Stoned! Legalise Marijuana . "
The program was written by a student from Wellington, New Zealand. And most likely it worked exclusively with IBM PC 360KB floppies, since the virus worked problematically with IBM AT 1.2MB floppies, and on systems with more than 96 files the virus did not load at all. PCs usually get infected when booting from an infected floppy disk. When a floppy disk was connected to the infected computer, it also became infected.
The simplicity of this virus allowed even a person to reprogram it without any specific knowledge, for example, changing the text of the message.
Known variants of the Stoned virus:
- Bloody! Jun. 4, 1989 (on this day, the protests in Tiananmen Square in China were brutally dispersed by the authorities);
- The Swedish Disaster;
- Manitoba (does not have an activation mode and does not save the original boot sector on a floppy disk, overwriting it; 2.88MB EHD floppy wins);
- NoInt (stops programs trying to track it, causing read errors if the computer tries to access the partition table; reduces the available memory by 2 kB);
- Flame, Stamford (used 1 kB of DOS memory; remembered the month when the system was infected, when the month changed, displayed a multi-colored flame and overwritten the main boot record);
- Angelina (the virus reported "Greetings from ANGELINA !!! / by Garfield / Zielona Gora")
Form - 1990 A
virus from Switzerland that infected a boot sector instead of a master boot record. When a computer boots from an infected sector, Form becomes resident, capturing a table of interrupt vectors. Further, the original boot sector (in which the virus was hiding) was marked as faulty. The virus infected any media that interacted with the infected computer.
Form was also remembered for some unusual symptoms, including:
- consumed 2KB of memory, while the DOS MEM command issued that this memory is inaccessible;
- On floppy disks were noted 2 faulty sectors (1 kV);
- It was also possible to unearth the following text among the virus files: “The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! F * ckings go to Corinne. ";
- Form considered DOS FAT an active partition, but if it was not (for example, in Windows NT), the virus overwritten the partition, which led to complete data loss;
- And the most unusual symptom - on the 18th of every month there were “clicking” sounds when pressing the keyboard keys
Michelangelo - 1992
The virus was first noticed on February 4, 1991 in Australia, but it was widely publicized only in 1992. Michelangelo is another representative of viruses in the boot sector at the BIOS level.
What did the virus do? On March 6 (the birthday of the great Renaissance artist Michelangelo Buonarroti), he rewrote the first hundred sectors on the hard drive to zeros. PC user data still remained on the hard drive, but it was extremely difficult to get it out of there. Although Michelangelo was programmed to run on DOS, it could easily interrupt other OSs as it infected the master boot record of the hard drive. Any media connected to an infected PC instantly became infected.
When Michelangelo began to gain "popularity", many experts, including the founder of the antivirus company John McAfee, announced the infection of millions of cars. However, on March 6, 1992, cases of infection in the range of 10,000-200,000 were recorded. The advice on the fight against the malignant software was also funny - just do not turn on the computer on March 6 or transfer the date of March 5 to the seventh, thereby skipping the sixth.
VCL - 1992
VCL is not a virus, but a whole program for creating viruses. Created her Nowhere Man from the NuKE hacker group. VCL had a standard window interface and worked on the MS-DOS platform. Among the functions of the program, you could choose:
- type of victim files;
- the ability to self-encrypt the virus;
- the presence of anti-debugging code;
- internal text strings;
- one of 10 effects that occur when the virus is activated;
- distribution method
However, unfortunately for Nowhere Man, viruses released via VCL were extremely primitive and did not do much harm, and besides, they were easy to detect and eliminate.
Monkey - 1993 A
distant relative of the Stoned virus, Monkey integrating f files and spreading rapidly. Being an early version of the rootkit, the virus blocked the boot from the floppy disk, and if it was improperly eliminated, it could block any boot at all.
Concept - 1995
The first computer virus developed in macro language (hereinafter referred to as viruses, called macro viruses) infected Microsoft Word files. The virus became the most common because it could infect any OS that could run Word.
Happy99 - 1999
The harmless holiday worm was first discovered on January 20, 1999. Happy99 is considered the first “worm” and the first malware to spread via e-mail. It was written by a Frenchman under the nickname Spanska.
Happy99 was distributed via e-mail and Usenet (a computer network for communication and file transfer). When the worm file was opened, an animated firework and the inscription “ Happy New Year 1999 ” appeared.
Happy99 cheated on Winsock, allowing itself to spread further. The infected machine sent this worm to everyone on the user's email contact list. The worm used port 25 or port 119 to propagate if the first one was closed. Happy99 was automatically activated when the computer rebooted.
Melissa - 1999
Another macro virus with enormous consequences both for PC users, the state, and for the one who distributed it.
Spanska's words regarding the author Melissa
The virus was written by a certain Kwyjibo. But David L. Smith freed him on March 26, 1999. Melissa infected MS Word files and spread by sending itself to everyone listed in the user's email address book. In addition, the virus could send the files themselves, thereby violating the confidentiality of their owner. Spreading rapidly, the Melissa virus caused damage of $ 80 million. This does not go unpunished. Using the UUID (software identification method), David L. Smith was calculated and brought before a court. He was sentenced to 10 years in prison and fined $ 5,000.
Loveletter - 2000
Three hidden words that have cracked millions of Windows computers around the world. The worm spread as an attached file “LOVE-LETTER-FOR-YOU.TXT.vbs” in an email with the subject line “ILoveYou”. Once this file was opened, the user's machine became infected. The worm sent copies of itself to all contacts from the Microsoft Outlook address book and overwrite files of certain types. Created LOVE-LETTER-FOR-YOU.HTM files in the Windows system directory and distributed via IRC channels.
The trick was to manipulate people. The fact is that the file extension in Windows was hidden by default, that is, the victim saw the following: LOVE-LETTER-FOR-YOU.TXT (without .vbs), considering this a harmless text file and opening it. This gave the malware a start.
As for the creators of this creation, they were two young guys from the Philippines - Reonel Ramones and Onel de Guzmán. For the creation and spread of the virus, the guys were arrested by NBI (National Bureau of Investigation Phillipin). The trial was not easy and even funny, because the Philippine laws did not contain penalties for creating a malicious OP. First, they wanted to attribute to the suspects credit card fraud, then damage to property. However, there was insufficient evidence, and Reonel Ramones and Onel de Guzmán were released.
In 2002, their creation was included in the Guinness Book of Records as the most dangerous computer virus of all time (the loss of the global economy from ILoveYou amounted to approximately $ 5.5 billion).
Code Red - 2001
In July 2001, a group of eEye Digital Security employees (Mark Meifret, Ryan Perm and Riley Hassel) detected a computer worm called Code Red (at the time of discovery, the guys just drank a drink called Code Red Mountain Dew). Already on July 19, the number of infected machines was about 360,000. The
distribution for the worm was a vulnerability in the Microsoft IIS indexing utility, and it was based on a buffer overflow. The worm did not check for IIS on the machine (the potential victim), but simply forwarded the exploit packets to a random IP address. This method was very primitive and extremely noticeable, but it paid off. Since even the Apache server logs contained the following:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
% u9090% u6858% ucbd3% u7801% u9090% u6858% ucbd3% u7801
% u9090% u6858% ucbd3% u7801% u9090% u9090% u8190% u00c3
% u0003% u8b00% u531b% u53ff% u0078% u0000% u00 = a HTTP / 1.0
Code Red performed the following actions cyclically for a month:
Day 1-19
- The infected site gave the following message - “HELLO! Welcome to w * w.worm.c * m! Hacked By Chinese! ”
- generated many IPs, thereby trying to spread
Day 20-27
- Massive DoS attack on some IP addresses (including the White House)
Day 28 - end of the month
- Code Red was inactive
The source of the worm is considered the city of Makati (Philippines). But this is inaccurate information.
Slammer - 2003
This computer worm literally burst into the Internet, infecting more than 75,000 machines in the first 10 minutes of its existence. Slammer "organized" DoS attacks on some Internet hosts and greatly slowed down Internet traffic in general.
The technology of Slammer, as a malicious program, was very simple and based on flaws in Microsoft's SQL and the Desktop Engine. Half a year before the worm spread, patch MS02-039 was released, which was supposed to close all holes and eliminate vulnerabilities, but not all computers downloaded this patch. This provided a loophole for the spread of Slammer.
A worm consisting of a couple of lines of code only generated a random IP and sent itself to it. If the selected IP belonged to a device with unpatched Microsoft's SQL, the worm infected it and spread through this device further.
Slammer caused a real chain reaction. When too much traffic passes through the router, it either slows it down or interrupts the transmission. However, the routers spent by the worm simply failed. Other routers received a kind of notification about this and passed it on to other routers. The flow of notifications about updating routing tables led to a malfunction of new routers, which, upon reboot, started to update their status in the table again. All this became possible also because Slammer occupied only 376 bytes, and could fit in one single package. As they say, it’s small, but it’s remote.
Sobig - 2003
A hybrid of a computer worm and a trojan, Sobig has existed in several forms since its inception. The most widely publicized version was Sobig.F, first recorded on August 19, 2003.
The worm was an email with an attached file. The subject line could be different (Re: Approved; Re: Details; Re: Re: My details; Re: Thank you !; Re: That movie; Re: Wicked screensaver; Re: Your application; Thank you !; Your details). The letter also contained the following text: “See the attached file for details” or “Please see the attached file for details”.
The attached file could also differ in name (application.pif; details.pif; document_9446.pif; document_all.pif; movie0045.pif; thank_you.pif; your_details.pif; your_document.pif; wicked_scr.scr). When opening one of these files, the worm replicated itself using its own SMTP agent. Then he collected all the possible e-mail addresses, which he searched for, scanned files (of the extension: .dbx; .eml; .hlp; .htm; .html; .mht; .wab; .txt). And, of course, spread further.
Sobig.F was programmed to establish a connection with 20 IP addresses via UDP port 8998 to install some software or self-update. Later it turned out that this software was WinGate proxy server (often used as a backdoor to distribute spam).
As early as September 10, 2003, Sobig.F was deactivated. But Microsoft did not arrange for this completion of the story, and the company put up a reward of $ 250,000 to anyone who provided any information that would help capture the creator of Sobig. But to this day this has not happened.
Fizzer - 2003 It
became the top-end virus (more precisely, a worm) in 2003. Fizzer got to the computer via e-mail or through the KaZaA shared folder. The subject of the letter could be different, as well as the language in which it was written, the text is short, and the attached file extension .com, .exe, pif or .scr.
When extracting from the letter, Fizzer copied itself to the Windows folder, creating several files there: iservc.exe, initbak.dat, ProgOp.exe, iservc.dll, data1-2.cab, iservc.dat, Uninstall.pky and upd.bin . The worm also added iservc.exe to the startup key of the local machine, for activation at the time the PC was turned on. Each time a text file was opened, the ProgOp.exe and iservc.exe processes were launched. What is even more surprising is that Fizzer monitored and stopped any processes containing the following lines: NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS and NMAIN. And all in order not to be detected.
Fizzer had several useful functions for a hacker. First, he connected to IRC servers (irc.awesomechat.net, irc.blueshadownet.org, irc.chatlands.org, irc.darkmyst.org, irc.hemmet.chalmers.se, irc.exodusirc.net and irc. mirc.gr) to wait for commands; secondly, created a fake name in the AOL Instant Messenger chat; and thirdly, it worked as an HTTP server on port 81, using ports 2018, 2019, 2020, and 2021 for additional backdoor functions.
Despite its versatility, Fizzer did not bring much harm, especially since the need for human participation for further infection (opening a file in a letter) did not allow the worm to quickly spread around the world. It was concentrated mainly in China and Hong Kong, but was also seen in Europe and the USA.
SDBot - 2003
A computer worm that gives an attacker full remote access to the victim’s computer. To establish a connection, the IRC protocol (Internet Relay Chat) is used. Methods for spreading the worm are email, shared network folders, or direct transfer from computer to computer.
In addition to providing access to the victim’s files, SDBot records login and password information and also reads the victim’s identification data on the Internet.
The advantage of SDBot is its ego invisibility, as it works in the background. But many modern antiviruses can easily detect and eliminate it.
Cabir - 2004
The world's first worm capable of infecting mobile phones and spread via Bluetooth, and the first on the Symbian OS.
Cabir activation method is completely dependent on human decisions. The phone can fix the Bluetooth connection that a person must accept. After that, the worm file is downloaded. Next, the malware asks the user if he wants to run it. In case of launch, the worm displays the message “Caribe - VZ / 29a” or “Caribe” on the screen. In the \ system \ apps directory, the worm creates a folder called caribe and installs the files caribe.app, flo.mdl and caribe.rsc. A caribesecuritymanager folder is also created in the \ system \ symbiansecuredata directory. When you start caribe.app, the files caribe.app, caribe.rsc and caribe.sis are installed. And in the folder \ system \ recogs the file flo.mdl is placed.
Each case, when I turn on the phone, Cabir starts searching for an active Bluetooth connection and, having found one, copies itself to another phone. This process can be repeated only if the infected phone reboots. In this case, transmission via Bluetooth will still be, even if the user has disabled it in the settings.
During the World Athletics Championships in August 2004, many phones were infected. This is explained by the large crowding of people in stadiums. A total of Cabir infected 115,000 phones.
It is believed that the author of this worm is a hacker Valtezz from group 29A. In June 2007, a man was detained in Valencia, Spain, accused of creating such malware. But it is still not known whether the detainee was Valtezz.
Mydoom - 2004
One of the most scandalous and powerful computer worms of its time. The worm spread in a way that was already familiar to us - in the form of an e-mail with a message about an alleged error: “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed”. Opening the file attached to the letter, the victim gave the worm access to the address book, and the latter spread further. He also copied himself into the shared folder of the Kazaa application (file sharing).
Initially, the first version of the worm called Mydoom.A was supposed to perform the following actions:
- create a backdoor on port 3127 / tcp for remote access to the infected PC (by placing your SHIMGAPI.DLL file in the system32 folder, launching it as a child of Windows Explorer)
- conduct a DoS attack on SCO Group, scheduled for February 1, 2004
Mydoom.В, the second version of the worm, had the same features plus attacked Microsoft sites and popular antiviruses.
First seen on January 26, 2004, Mydoom slowed that day on overall Internet traffic by 10%, and average web page loading speed decreased by 50%. The SCO Group company suffered the most from the worm. About a quarter of Mydoom-infected hosts attacked the company's flood site. Some experts, including representatives of the SCO Group, began to accuse Linux of developing the worm. Allegedly, this attack on the company was revenge for the legal proceedings that the SCO Group launched against Linux. However, evidence of this was not found. For the day of the DoS attack (January 31), which was mentioned earlier, SCO Group launched its website www.sco.comfrom DNS. Therefore, it is still not known whether the company's website was really susceptible to attack or not. On February 3, DoS fell on Microsoft. The company has prepared for this. Users were offered an alternative site that is not susceptible to attack - information.microsoft.com. Despite concerns, the attack power on the main Microsoft site was minimal and its work was not interrupted.
Both Microsoft and the SCO Group promised $ 250,000 for any information about the developer of the Mydoom worm.
Sasser - 2004
A computer worm that used buffer overflows in LSASS (Local Security Authority Subsystem Service). To search for the victim, the worm scanned a wide range of IP addresses, then it penetrated the PC through port 445 or 139. The main feature of Sasser was that its activation did not require the participation of a user of an infected computer.
Many companies and institutions have been affected by the worm’s activities (Delta Air Lines, AFP News Agency, Nordic Insurance Company, UK Coast Guard, Goldman Sachs, Deutsche Post, European Commission, and even the Department of X-ray at Lund University Hospital). Microsoft (as usual they accepted) announced a reward of $ 250,000 for information regarding the creator of Sasser.
The author of this “masterpiece” was a 17-year-old German named Sven Yashan. He was detained and sentenced to 1 year and 9 months in prison with a probationary period of 3 years, plus 30 hours of community service. At the moment, Sven has become a “white” hacker (testing the security of computer systems) and a cyber security consultant.
Haxdoor - 2005
The Trojan that laid the foundation for the formation of a whole family of Trojan programs called Win32 / Haxdoor. The main objective of this type of program is to steal personal data (login / passwords, bank card data, etc.) from a user of an infected machine to an attacker via remote access. Win32 / Haxdoor processes use kernel-level rootkit components to hide their presence. Among other things, Haxdoor can deactivate antivirus software, redirect user URL requests, delete data on disks, and shut down Windows.
Sony BMG - 2005-2007
In 2005, Sony BMG, a record label distribution company, was at the center of a huge global scandal. The company decided to supply its CDs not only with music, but also with a couple of protection programs against unauthorized copying. But this software, subsequently, brought a lot of problems to both ordinary PC users and Sony BMG itself.
More than 22 million CDs released for sale by Sony BMG contained two programs: Extended Copy Protection (hereinafter XCP) and MediaMax CD-3. And now more about each.
Xcp
On October 31, 2005, Mark Russinovich, a Microsoft employee, wrote on his blog about the unusual discovery that he made by inserting the CD he bought into his computer. This discovery was XCP. Mark, like many others, was outraged by the fact that there was not a word in the EULA license agreement about this software. That is, the program was installed without the knowledge of the user and hid its existence in every way, which characterizes it as a rootkit.
From the point of view of copyright holders, this software was done with good intentions, but at the same time, XCP created a lot of problems and vulnerabilities:
- XCP created security holes that could be used (and were, in fact) by other malicious programs;
- XCP worked in the background constantly, consuming most of the system resources, slowing down the PC;
- XCP used unsafe procedures to cause the system to crash and start;
- XCP did not have an uninstaller, and most attempts to remove it led to the OS not recognizing existing drivers.
Following Russinovich’s statement, many cybercriminals took advantage of the security holes created by XCP to spread viruses and worms.
MediaMax CD-3 The
scandalous feature of this software was the installation despite a license agreement. That is, before the actual use of the disk, the user had to agree with the points of the license agreement. If you refuse, close the window, or even “kill” the process, MediaMax was still installed on the computer.
Consequences
The malware news on the Sony BMG CD has spread at the speed of sound. As a result, the company was forced to announce the return of unsold copies. However, despite this statement, in many cities, the sale of infected disks was carried on.
On November 21, 2005, Texas Attorney General Greg Abbott filed a lawsuit against Sony BMG. Texas was the first (but not the last) state to decide to sue Sony BMG. The main idea of the accusation was that the company secretly installed harmful software on users' PCs, which disrupted the system and is white to the occurrence of security problems. Naturally, Sony BMG lost in court and had to pay $ 750,000 of legal costs, $ 150 for each damaged PC, place a detailed description of the malicious OP on its website and indicate its existence in its advertising on Google, Yahoo! and MSN.
This was followed by many lawsuits from the victims. Two methods for resolving the conflict were developed. In the first version, the victim received $ 7.5 compensation and the ability to download a music album for free. In the second - download 3 albums but without monetary compensation.
Such a strong public outcry, financial losses and legal proceedings nevertheless pushed Sony BMG to decide - no longer use such software on their disks.
Storm Worm - 2007
Trojan, discovered on January 17, 2007. It was distributed through an email with the subject “230 dead as storm batters Europe” (from which it got its name). The main objective of Storm Worm was to create a botnet.
The letter contained an attached file, opening which the user reluctantly started the process of installing the wincom32 service. Also, the Trojan could download and install another Trojan.Abwiz.F Trojan and the W32.Mixor.Q@mm worm. The rapid spread and vitality of the Storm Worm was facilitated by a change in its batch code every 10 minutes and the use of fast flux to change the IP addresses of its management server.
The infected PC became part of the botnet, which was difficult to eliminate. Most ordinary botnets are managed by a single central server, the elimination of which leads to a botnet crash. In the case of Storm Worm, identifying a central server was extremely difficult. Each of the infected machines was connected only with a part of the botnet (30-35 machines). None of the machines had a complete list of the botnet, but only part of it, which did not allow to identify the management server. According to September 7, 2007, from 1 to 10 million computers participated in the botnet.
Mebroot - 2008
A rootkit based on the master boot record, which is used to form botnets. Mebroot started before the system booted up, which enabled it to bypass security protocols. An encrypted channel was installed to the infected computer, through which the attacker could install a couple more trojans. The main goal of Mebroot, in conjunction with his brother Anserin, was to steal banking information. Triple infection occurred through visits to the websites where he "lived", about 1500 were counted.
Conficker - 2008
People who know German will understand all the rudeness of this name. The first part of son is the part of the word configuration, and the second part of ficker is the German analogue of fucker (I think everyone guessed what this means in translation).
Conficker used to infect a vulnerability in the Windows network service, which, according to the good old tradition, had been eliminated in the patch before the worm appeared.
Having infected a computer, Conficker disabled certain services in order to prolong its existence - automatic updating of Windows, Windows Error Reporting, Windows Defender and Windows Security Center. Further, to receive commands, the worm generated a list of sites to which it established an HTTP connection. Conficker also blocked access to the sites of many antiviruses.
Detection and elimination of this worm is an extremely difficult process, since its creators monitor all anti-virus updates to improve their product and eliminate vulnerabilities in it.
Stuxnet - 2010
A large, very large computer worm (approximately 10 times larger than usual), which has become the weapon of industrial espionage and sabotage. It was first seen in 2010. For its rapid distribution, it used a zero-day vulnerability (a vulnerability that has not yet been discovered by software developers). Distributed using USB flash drives. The main target of the worm was programmable logic controllers (PLC / PLC) from Siemens. PLC allows you to automate electromechanical processes (assembly line in enterprises, for example).
Stuxnet has been programmed to attack very specific and specific targets. First of all, the computer was supposed to run on Windows. Then the worm detected the Siemens Simatic Step7 software (software for the development of automation systems based on PLCs) and changed the command codes, while the user did not see this. In a nutshell, Stuxnet intercepted and modified the information that was transferred between the Simatic Step7 PLC and the workstations of the Simatic WinCC SCADA system. At the same time, the worm was masked by the presence of real digital signatures - certificates from Realtek and JMicron.
The PLC infection was not random, but followed several parameters embedded in the worm code. The worm attacked PLC systems with frequency converters exclusively from two vendors: Vacon (Finland) and Fararo Paya (Iran). In addition, Stuxnet read the frequencies of connected centrifuges, attacking only those in the range 807 Hz - 1,210 Hz. Next, the worm installed its OP in the DB890 PLC memory block, which controls Profibus (an open industrial network). When all the criteria converge, the worm changes the frequency of the centrifuges to 1.410 Hz, then 2 Hz, then 1.064 Hz. THEM thereby disrupting their work. Stuxnet also uses a rootkit that hides the fact that centrifuge speeds are jumping from the monitoring system.
By such actions, Stuxnet was able to disrupt the work and actually disable 1000 centrifuges to enrich uranium. This threw off Iran’s nuclear program several years ago.
There is no exact information about who created Stuxnet and why. However, many consider Stuxnet a common creation of the United States and Israel, aimed specifically at the Iranian nuclear program. Since, according to statistics, it was Iran that suffered the most (58.85%)
Afterword
Nobody likes viruses, worms and trojans (except for their creators, of course). But it is impossible to underestimate their contribution to the development of technologies, namely security systems. After all, without an adversary worthy of confronting you, you will not develop to overcome it. Lastly, do not forget to update your antivirus. Meet me in the next part, where we talk about malware from 2010-2017.
As an advertisement. Stock! Only now get up to 4 months of free use of VPS (KVM) with dedicated drives in the Netherlands and the USA (configurations from VPS (KVM) - E5-2650v4 (6 Cores) / 10GB DDR4 / 240GB SSD or 4TB HDD / 1Gbps 10TB - $ 29 / month and above, options with RAID1 and RAID10 are available) , a full-fledged analogue of dedicated servers, when ordering for a period of 1-12 months,Promotion conditions here, existing subscribers can get 2 months bonus!
How to build the infrastructure of the building. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?