Quote:I thought it was able to jump from device to device until it finally found its way to the target. My guess was just wifi I've never looked to much into it. Ill check out the book some time thanks for the link!

 

It's quite interesting how it worked, and how it did what it did.  I'm betting that there are still computers running this thing today.

 

In a nutshell, here is how it worked.

 

It was distributed initially via a thumb drive.  Once connected, it would search for what particular anti-virus software was installed on the particular machine, then install itself in a way that would not trigger the anti-virus software alerts.

 

It then figured out if it was connected to the internet, and if so it would notify a Command and Control (CNC) server that it was there.  This not only gives the CNC an idea of where it is at, but also opens up the capability to send "updates" to the software.

 

Another thing that it would do is monitor the USB ports on the machine, and if it detects that a "new device" is connected, it would copy itself to that device.  So plug a thumb drive into an infected machine means that the thumb drive is now infected.  
This part is critical to understand how it spread so quickly and efficiently.


 

My comment: Infecting a network not connected to the internet can be done and was proven by this attack.  The end target is not on the internet.

 

Next it looked to see if particular software was installed on the machine.  In this case, it was looking for software that is used to program a specific device, in this case a specific Programmable Logic Controller (PLC).  If it is installed, then it would proceed to the next step.  If the software isn't there, then it does nothing but revert back to step 1.

 

Next, it would check to see if the computer is connected to a certain device, again a specific model of PLC.  If so, it would check to see if the PLC was connected to certain other devices.  If so, then it will wait and just watch.  If not, then it does nothing but revert back to step 1.

 

If it passed the first few tests, it would assume that it's on the right computer and just watch and record what the PLC is doing for a period close to a month.  This step is key to how it hid itself.

 

After a certain period of time, it would command the PLC to do something that wasn't originally programmed (speed up above limits), but would report to monitoring computers that "everything is O.K." using the data that it gathered while "watching".  It would do this for a set amount of time, then let the PLC return to "normal operation" for a certain period of time.

 

Next, it would command the PLC to slow down way below limits for a certain period of time, then return to "normal operation".

 

Overall Effect

 

Commanding the PLC to operate the equipment that they are connected to well above and well below the limits causes a failure.  In this case, "regular centrifuge replacement" should be in the hundreds within a year.  Actual replacement was in the thousands within a month.

 

Think about that for a moment.  Your very computer could possibly have this virus on it, and you would never know it.  Think about how many times you plug something in via USB.  If it's plugged in to another computer, you just spread the virus.

 

Bottom Line Analysis

 

This was a very nasty bug that is the result of a lot of work by WAY more than one person.  I vaguely outlined what the code did,  Where did it originate?  That's probably a good topic for discussion.

---