
24 November 2014. Edward Snowden should publicly state that none of the material he provided contained hidden spyware, nor that what was published was later implanted with it.

23 November 2014. Part 2:

22 November 2014

Do Snowden Files Have NSA Implants? Part 1

Did Snowden, wittingly or unwittingly, use USBs to transfer Stuxnet-like programs in files he released to tag, track, infect, report their distribution? #CountdownToZeroDay


It was clear from all the methods Stuxnet used to propagate that the attackers were ruthlessly intent on getting their malware to spread. Yet unlike most malware that used e-mail or malicious websites to spread to thousands of machines at a time, none of Stuxnet’s exploits leveraged the internet. Instead, they relied on someone carrying the infection from one machine to another via a USB flash drive or, once on a machine, via local network connections. Based on this, it appeared the attackers were targeting systems they knew were not connected to the internet and, given the unprecedented number of zero-day exploits they used to do it, they must have been aiming for a high-value, high-security target.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 1700-1705).


Of all the methods and exploits the hackers used, however, the most crucial to the attack were the .LNK exploit and the infection of the Step 7 project files, because these were the ones that were most likely to get Stuxnet to its final target—the Siemens PLCs. PLC programmers often crafted their commands on workstations that were connected to the internet but not connected to the production network or to PLCs on a plant floor. To transfer commands to a PLC, someone had to transfer them via a laptop connected directly to a PLC with a cable or to carry them on a USB flash drive to a programming machine, called a Field PG— a Windows laptop used in industrial-control settings. The Field PG is not connected to the internet but is connected to the production network and the PLCs. By infecting Step 7 project files and investing Stuxnet with the power to jump the air gap as a USB stowaway, the attackers had essentially turned every engineer into a potential carrier for their weapon.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 1714-1720).


It was easy, in fact, for the researchers to track the exact paths that Stuxnet took in spreading. Tucked inside every copy of Stuxnet, the researchers found a little gem that helped them trace the course the malware had traveled in trying to reach its goal— a small log file containing data about every machine that it had infected. As the worm slithered its way through machines in search of its target, it logged the IP address and domain name of each of its victims, as well as a timestamp of when the infection occurred based on the machine’s internal clock. It stored the data, about 100 bytes in size, in the log file, which grew as the worm passed from machine to machine. Thus, every copy of Stuxnet collected from infected machines contained a history of every computer it had infected up to that point, leaving a trail of digital breadcrumbs that Chien and O’Murchu could trace back to the initial victims. The log had been designed to help the attackers track the path Stuxnet took, but they likely hadn’t counted on someone else using it for the same purpose.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 1749-1756).
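The breadcrumb log described in the passage above lends itself to a small worked example. The code below is added for this page; it is not Symantec's tooling and does not reproduce Stuxnet's real binary layout. It assumes a constructed fixed-width record (4-byte IPv4, 64-byte NUL-padded domain, 8-byte timestamp) and a few made-up sample logs, and shows how an analyst merges the logs carried by several samples into a propagation tree, reads off the initial victims, and flags timestamps that cannot be trusted because each entry was stamped by the victim's own clock.

```python
"""
Reconstruct Stuxnet-style propagation paths from the infection logs that
several samples carry. Constructed example: the record layout and the
sample hosts below are hypothetical, not Stuxnet's actual data.
"""
from collections import defaultdict
import ipaddress
import struct

# Hypothetical record: 4-byte IPv4 + 64-byte NUL-padded domain + 8-byte
# unix timestamp (big-endian), 76 bytes per infected machine.
RECORD = struct.Struct(">4s64sQ")


def pack_record(ip, domain, ts):
    """Serialise one (ip, domain, timestamp) entry."""
    return RECORD.pack(ipaddress.IPv4Address(ip).packed,
                       domain.encode("ascii"), int(ts))


def encode_log(records):
    """A sample's log is simply its records concatenated in infection order."""
    return b"".join(pack_record(*r) for r in records)


def parse_log(blob):
    """Split an embedded log back into (ip, domain, timestamp) tuples."""
    if len(blob) % RECORD.size:
        raise ValueError("log length is not a whole number of records")
    out = []
    for off in range(0, len(blob), RECORD.size):
        raw_ip, raw_dom, ts = RECORD.unpack_from(blob, off)
        out.append((str(ipaddress.IPv4Address(raw_ip)),
                    raw_dom.rstrip(b"\0").decode("ascii"), ts))
    return out


# Constructed logs recovered from three hypothetical samples. Samples A and
# B share a lineage; C comes from an unrelated first victim.
SAMPLES = {
    "sample_A": [
        ("10.0.0.5", "eng-ws01.contractor.example", 1246000000),
        ("10.0.0.9", "eng-ws04.contractor.example", 1246090000),
        ("192.168.7.20", "fieldpg02.plant.example", 1246200000),
    ],
    "sample_B": [
        ("10.0.0.5", "eng-ws01.contractor.example", 1246000000),
        ("10.0.0.9", "eng-ws04.contractor.example", 1246090000),
        # This host's clock runs behind its parent's: a timestamp anomaly.
        ("10.0.0.12", "eng-ws07.contractor.example", 1246050000),
    ],
    "sample_C": [
        ("172.16.3.3", "hr-pc11.other.example", 1247000000),
        ("172.16.3.8", "hr-pc19.other.example", 1247100000),
    ],
}


def initial_victims(logs):
    """The first record of every log names the machine where that lineage began."""
    return sorted({log[0][1] for log in logs.values() if log})


def propagation_edges(logs):
    """Consecutive entries are parent -> child hops; merging all samples gives the tree."""
    edges = defaultdict(set)
    for log in logs.values():
        for parent, child in zip(log, log[1:]):
            edges[parent[1]].add(child[1])
    return {parent: sorted(children) for parent, children in edges.items()}


def clock_anomalies(log):
    """Each entry was stamped by the victim's own clock, so a child that appears
    earlier than its parent signals skew, and the timestamps cannot be used to
    order hosts across machines without correction."""
    return [child[1] for parent, child in zip(log, log[1:]) if child[2] < parent[2]]


def max_hops(logs):
    """Longest chain seen, i.e. how far the worm travelled from a first victim."""
    return max(len(log) - 1 for log in logs.values())


if __name__ == "__main__":
    blobs = {name: encode_log(recs) for name, recs in SAMPLES.items()}
    parsed = {name: parse_log(blob) for name, blob in blobs.items()}
    print("initial victims:", initial_victims(parsed))
    print("tree:", propagation_edges(parsed))
    for name, log in parsed.items():
        print(name, "clock anomalies:", clock_anomalies(log))
    print("max hops:", max_hops(parsed))
```

The merge works only because every copy carries the full prefix of its own lineage; two samples that share a first record but diverge later are siblings in the tree, which is how the initial victims can be identified even when no sample from the first victim itself is recovered. The timestamp check is the caveat an analyst needs before using the log to date an infection.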