Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware

Summary: In “Parsing Cyberwar – Part 3” Marcus Ranum discussed the logistical problems implicit in cyberweapons. We now have a case study showing how quickly a new cyberweapon technology obsoletes itself. This, coupled with the tendency of one cyberweapon’s getting burned to burn others in its family tree as well, will tend to keep cyberweapons in the tactical domain, where they’ll be part of a churning arms race that happens in “internet time.”

War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often looking backwards, because the romance and excitement of war lies in the past — combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, UAVs were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.

This series by Marcus Ranum shows us the frontier of war (and crime), helping us prepare for the future instead of polishing myths about trendy but now only niche forms of war. Your children might consider this the primary form of State-to-State war, seeing tanks and fighters only as toys on the playroom floor.

Article deleted at author’s request.


(6) Other chapters in the Parsing Cyberwar series

  1. The Battlefield
  2. The Logistical Train
  3. Synergies and Interference
  4. Patch #1 – Lessons from the Gauss malware
  5. The Best Defense is a Good Defense

In the final part, we will conclude with an assessment of what practical actions are available to corporations and governments in the cyberwar environment.

(7) For More Information

(a) On the FM website

See the FM Reference Page about Cyber-espionage and Cyber-war!, with links to Marcus Ranum’s other posts and a wide range of other resources.

(b) Articles about malware

  1. Mysterious Font Left by Malware Befuddles, PC World, August 2012
  2. While Origin Unclear, Gauss Indicates Malware Tool Boom, CSO Online, August 2012
  3. On the Pallida Narrow Mystery and Remote Detection, CrySys Blog, August 2012
  4. With Microscope and Tweezers: the Worm from MIT’s Perspective, Communications of the ACM, June 1989 — Classic paper describing the rapid analysis of the Morris Internet Worm. The worm was dissected and details were published in a matter of days after its release, resulting in the complete blocking of its main attack vectors internet-wide. Admittedly, the internet was small back then.

13 thoughts on “Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware”

  1. It seems like there will be pressure going forward to develop new types of cyber weapons cheaper and more quickly. Building things cheaper and more quickly is the antithesis of how the Pentagon and the American intelligence community has historically worked. It looks like non-state actors, and the states who manage to use non-state actors, will have the edge in any coming cyber-warfare.

    1. Building cheaper/faster cyberweapons will probably not work, for the same reason that building viruses faster hasn’t worked: the security companies that produce tools against them will innovate against broad classes of attacks and block entire gene-lines of cyberweapons at a time. The last time I talked to Kaspersky he said they had several hundred engineers working full time to write signatures against tens of thousands of new malware variants a day. They’ve got their processes so refined that they can deal with a load like that!! Cyberweapons builders will not be able to build innovative attack tools at such a rate – which means they’ll have to “cookie cutter” them, and they’ll fall to the companies like Kaspersky and Symantec.

      As I said, I don’t think this particular “shiny thing” is going to be very shiny for very long.

  2. You’re a good writer, interesting article. In the Stuxnet family, could there have been overlap in the timelines? The speed in which each was deployed means #1 On the shelf awaiting burn of predecessor? #2 Anticipated burn date & issued new before discovery, #3 Have found 4 out of 7, 3 still await discovery? #4 These guys are really good, 3 mos devel, test, deploy?

    $3 million is peanuts, GOP gave billionaires $700 billion in tax cuts. & 11 yr Afghan war cost $517 billion. $3 million per strike on Iran maybe worth it in psyops value alone.

    “Can I have some more please”

    Gerald. Internet Anthropologist

    1. I don’t believe it’s relevant to compare the development costs of a cyberweapon to tax cuts, or even fighting a war. Instead compare the cyberweapon’s cost to that of high-tech conventional weapons — like the X-51A Waverider hypersonic missile. Three tests, three failures, three hundred million dollars. See Wired for details.

    2. There seems to have been considerable overlap.

      Most likely what happened is that someone wrote a code-framework into which new “exploits” (the component that compromises the system) could be plugged, along with a command/control module that supported pluggable communications systems and any mission-specific payload. The pluggable parts would then be improved at varying rates depending on what the customer was asking for at the time. So, for example, the code that attacked the centrifuges at Natanz might have been a separate payload module developed by a different engineer with the classified knowledge about how Natanz was laid out, and the malware was wrapped, tested, and launched by a different group. So you’d get some overlap that way, in features, code, and time.

      $3 million is peanuts

      Yep. The pool of easy victims is going to dry up before the cash will.
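Editor’s note: the two comments above (security companies blocking whole gene-lines of malware at once, and a reusable framework into which exploit, command/control and payload modules are plugged) together explain why burning one sample tends to burn its siblings. The following Python sketch is an added illustration, not part of the original post or of any commenter’s material; the sample byte strings, the “SHARED_FRAMEWORK” layout and the variant names are all constructed for the example. It derives the bytes that two analysed family members have in common and shows that rule hitting unseen variants built on the same framework while missing an unrelated file and a rewritten sibling that no longer shares the framework.

```python
"""Toy demonstration: a detection rule derived from the shared framework of
analysed samples also catches sibling variants that reuse that framework.

Everything below is constructed for illustration; no real malware, real
signatures or real file formats are involved."""

# Constructed stand-ins for a family built on one reusable framework: a shared
# loader/C2 component with a variant-specific plug-in appended to it.
SHARED_FRAMEWORK = b"\x55\x8b\xec\x83\xec\x40LOADER-v2;c2=pluggable;"
KNOWN_SAMPLES = {
    "variant_A": SHARED_FRAMEWORK + b"payload=usb-spread;exploit=lnk",
    "variant_B": SHARED_FRAMEWORK + b"payload=bank-creds;exploit=doc",
}
# Unseen files: two siblings reusing the framework, one unrelated benign file,
# and a rewritten sibling that kept only a few bytes of the old loader.
UNSEEN_FILES = {
    "variant_C": SHARED_FRAMEWORK + b"payload=font-drop;exploit=usb",
    "variant_D": SHARED_FRAMEWORK + b"payload=centrifuge;exploit=plc",
    "benign_tool": b"MZ\x90\x00hello world; nothing shared here",
    "rewritten_E": b"\x55\x8b\xecNEWLOADER;payload=font-drop",
}


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming longest common substring over bytes: the analyst's
    'what do these two samples share verbatim?' step."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derive_family_signature(samples: dict, min_len: int = 16) -> bytes:
    """Narrow the shared run across every known sample; the result is the byte
    sequence all analysed family members carry. Returns b"" when the shared
    run is shorter than min_len, since a very short run would also hit
    unrelated files and is not a usable family rule."""
    names = list(samples)
    common = samples[names[0]]
    for name in names[1:]:
        common = longest_common_substring(common, samples[name])
    return common if len(common) >= min_len else b""


def scan(signature: bytes, files: dict) -> dict:
    """Map each filename to whether the family signature occurs in it."""
    if not signature:
        return {name: False for name in files}
    return {name: signature in data for name, data in files.items()}


if __name__ == "__main__":
    sig = derive_family_signature(KNOWN_SAMPLES)
    print("family signature:", sig)
    for name, hit in scan(sig, UNSEEN_FILES).items():
        print(f"{name:12s} {'DETECTED' if hit else 'clean'}")
```

The point of the sketch is the economics in the comments: the signature writer does the expensive analysis once, on whatever two samples arrive first, and every later variant that reuses the framework is caught for free. Only the rewritten sibling, which abandoned the shared loader, escapes, and that rewrite is exactly the cost the comment argues cyberweapon builders cannot sustain at “cookie cutter” rates.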

  3. Gödel, Gauss & Lagrange were named for scientists/mathematicians. However, Flame was a different type of name, and DuQu paid homage to E. E. (Doc) Smith and his writings.

    1. Thanks for that background. I didn’t see the E. E. Smith connection. Interestingly, DuQuesne was the bad guy in the Skylark novels. Although of the somewhat noble but power-seeking kind.

  4. RE: “War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often looking backwards, because the romance and excitement of war lies in the past — combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, UAVs were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.”

    “Les armes ne sont pas seulement des outils de destruction, mais aussi de la perception des stimulants qui se font sentir à travers chimiques, neurologiques, des processus dans les organes des sens et du système nerveux central, affectant les réactions humaines.” «La perception de la Logistique», Cahiers du Cinéma

    “Weapons are not just tools of destruction, but also of perception: stimulants that make themselves felt through chemical, neurological processes in the sense organs and central nervous system, affecting human reactions.”
    War and Cinema: The Logistics of Perception by Paul Virilio

    For more about this see “Notes on Paul Virilio’s War and Cinema”, Michael Stevenson, Masters of Media, 10 March 2008

    FM,

    Sorry dude. Even before I started reading your stuff since ’07, I was reading tons of leftist material. No idea if the French is accurate though.

  5. If you are interested in cyberweapons, you might like this article interviewing a person who made an Adware Trojan that was impossible to remove: “Interview with an Adware Author”, Philosecurity, 12 January 2009 — “Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)”

    The technical details will give you some idea of what cyberweapons are using in their designs.
