Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
domain name and external IP address—the outer-facing address of machines connected to the internet—can reveal the name of the organization or company that owns the infected machine, based on who owns the block of IP addresses in which the machine’s address falls. This could help the attackers determine how fast and far Stuxnet spread. This information would also have told the attackers when Stuxnet traveled way off track as it began to show up in geographical regions far from its target. Internal IP addresses, on the other hand, are addresses that companies assign internally to machines to map them and route traffic between them. These IP addresses can be useful if the attackers possessed a map of the infected company or organization’s internal network, perhaps stolen from a system administrator’s computer, which indicated the internal IP address assigned to each machine on the network. If this was the case, the attackers could have tracked Stuxnet’s path as it slithered inside a network infecting machine after machine, reporting back to the command-and-control servers each time it infected one that was connected to the internet. As for the computer name, it could have helped the attackers identify which employee or work group inside an organization owned the machines that were infected. One machine, for example, was named GORJI-259E4B69A, another was PEYMAN-PC. But many of the infected systems shared the same generic name: “ADMIN-PC,” “USER-PC,” or “home laptop,” making it difficult to distinguish between them.
    5 Alex Gostev, chief malware expert at Kaspersky Lab in Russia, found that Stuxnet sent to the command servers a file—named Oem6c.pnf—that identified not only which Siemens program was installed on the computer (the Siemens Step 7 programming software or the WinCC program, which operators use to monitor conditions on their PLCs) but also included a list of any Step 7 project files on the machine and the path string that showed where on the computer the files were located. The Step 7 project files contain the programming commands for PLCs. Gostev suspects that anytime the attackers found project files on a machine, they may have sent a separate tool to the computer to steal the files and examine them for configuration data to determine if Stuxnet had found the systems it was seeking.
    6 The DNS providers had already dead-lettered the traffic to the two domains so that it was going nowhere when Symantec approached them. They had pointed the traffic to the IP address 127.0.0.1, which is commonly used to return traffic to the sender’s machine.
    7 The 100,000 figure is the number that Symantec tracked during the first six months after Stuxnet was discovered. But the total number of infections, based on figures that other antivirus companies compiled as they added detection to their tools, eventually climbed to more than 300,000, according to Kaspersky Lab.
    8 At a US Senate hearing in November 2010, Dean Turner, director of Symantec’s global intelligence network, testified that the number of unique infections in the United States had by then reached 1,600. Of these, 50 machines had the Siemens WinCC software installed on them.

ACKNOWLEDGMENTS
    When I first began writing about Stuxnet after its discovery in the summer of 2010, there was no way to know where it would lead. It wasn’t until months later, after the Symantec researchers and Ralph Langner’s team dug into it further, that it became clear that there was a larger story that needed to be told—not only about the attack on Iran’s centrifuges and the discovery of the world’s first digital weapon but about the security community and its changing nature at the dawn of the era of cyber warfare. It’s a cliché to say that something is a game-changer, but Stuxnet really is. Everything in malware that occurred prior to its appearance might well be labeled BS—Before Stuxnet—since the code that came before it represented simpler,