Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: spazzdla on November 07, 2014, 07:08:52 PM



Title: Stuxnet and bitcoin...
Post by: spazzdla on November 07, 2014, 07:08:52 PM
Would the best attack against us be creating a mimic of stuxnet and taking out all the nodes at exactly the same time.....

Is this a legit concern for us?


Title: Re: Stuxnet and bitcoin...
Post by: DrGrid on November 08, 2014, 01:15:20 AM
Yes.
And no. As long as the network remains distributed.


Title: Re: Stuxnet and bitcoin...
Post by: hua_hui on November 08, 2014, 03:35:12 AM
No, I don't think so. It is possible to affect all the nodes at the same time. Until now, the Bitcoin network has still been the most secure network, provided by the miners all around the world. Even if it is possible, because the nodes are located in different parts of the world, once it comes out, it will be reported and some solutions will come out to fix it immediately.


Title: Re: Stuxnet and bitcoin...
Post by: Soros Shorts on November 08, 2014, 06:08:30 AM
That would be pretty extreme. Don't forget that the people behind Stuxnet did not just stop after creating the worm. They also went ahead and assassinated a bunch of Iranian nuclear scientists. If Bitcoin devs started getting blown up with car bombs then this would mean war.


Title: Re: Stuxnet and bitcoin...
Post by: harrymmmm on November 08, 2014, 11:15:52 AM
Quote
That would be pretty extreme. Don't forget that the people behind Stuxnet did not just stop after creating the worm. They also went ahead and assassinated a bunch of Iranian nuclear scientists. If Bitcoin devs started getting blown up with car bombs then this would mean war.

If bitcoin goes where we all think it's going, there will be no holds barred in the battle.
Bitcoin devs will be 'jumping' from windows if they can't be coerced.
Car bombs might come later in desperation I guess...


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 08, 2014, 11:34:11 AM
What does Stuxnet have to do with this?! It was a worm spreading via USB sticks (if autorun/autoplay was not disabled on the victim's machine) and had a payload interfering with SCADA systems (industrial controllers).


Title: Re: Stuxnet and bitcoin...
Post by: spazzdla on November 08, 2014, 12:29:18 PM
Quote
That would be pretty extreme. Don't forget that the people behind Stuxnet did not just stop after creating the worm. They also went ahead and assassinated a bunch of Iranian nuclear scientists. If Bitcoin devs started getting blown up with car bombs then this would mean war.

I would fear the people would do the same to us...  Well not you or I we are no one but the gifted speakers and thinkers of our community.  Probably hide it as several "unfortunate accidents".. :S.


Title: Re: Stuxnet and bitcoin...
Post by: spazzdla on November 08, 2014, 12:35:08 PM
Quote
What does Stuxnet have to do with this?! It was a worm spreading via USB sticks (if autorun/autoplay was not disabled on the victim's machine) and had a payload interfering with SCADA systems (industrial controllers).

More cyber war, Stuxnet was really just the first major example of cyber warfare.

Write it to take down any comp running a bitcoin node.   PLC's it was messing with, which is pretty crazy because no one ever thought people would write viruses for PLC's..  These control the back-up power to everything..  Done a bunch of back up systems with PLC's, due to the air-gap no virus protection is really thought of.

Although to get this on to all of the nodes would not be an easy task.. if even possible. 

I know of people writing "locks" for the code if the customer is known to not pay..  Well hey what do you know after 3 months it won't work and you haven't paid.. shame.  That is some shady stuff though.


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 08, 2014, 12:47:57 PM
Quote
More cyber war, Stuxnet was really just the first major example of cyber warfare.

No, it was only the first case of state-sponsored cyber warfare that gained media exposure.

Quote
Write it to take down any comp running a bitcoin node.   PLC's it was messing with, which is pretty crazy because no one ever thought people would write viruses for PLC's..  These control the back-up power to everything..  Done a bunch of back up systems with PLC's, due to the air-gap no virus protection is really thought of.

In other words, Stuxnet has nothing to do with it. You are basically asking what if somebody released a virus targeting the full Bitcoin nodes. Clearly, it has to spread much more successfully than Stuxnet (i.e., not via USB sticks - maybe be a network worm using some zero-day exploit) and have a payload completely different from that of Stuxnet.

A much more profitable attack would be a virus that has a keylogger to steal the password to the user's wallet and then use the stolen password to steal the contents of that wallet. There are many such viruses, BTW, none of them very successful. Believe it or not, Bitcoin isn't that widespread to make such an attack wildly profitable. A much more efficient investment for the attacker's time is to create some malware (virus or some non-replicating malware) that steals banking credentials for on-line banking sites. And, indeed, there are many more such malicious programs and they bring much more profit to their creators.

Quote
I know of people writing "locks" for the code if the customer is known to not pay..  Well hey what do you know after 3 months it won't work and you haven't paid.. shame.  That is some shady stuff though.

And I know people who find and remove such locks for fun. ;D But that's again irrelevant to the issue at hand.


Title: Re: Stuxnet and bitcoin...
Post by: spazzdla on November 08, 2014, 02:12:01 PM
I could write a lock that would be impossible to remove.....  You'd have to re-write.


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 09, 2014, 09:53:09 AM
Quote
I could write a lock that would be impossible to remove.....  You'd have to re-write.

Having seen the kinds of software protections my friends have removed, I very much doubt that... In one case they even removed a hardware, dongle-based protection, where the protected program downloaded part of the decryption code from the dongle - and they cracked it without even having the dongle! Unless the protected program needs to be constantly on-line and receive information from the producer's server... And even then it's doubtful.

Of course, it depends what you mean by "re-write". In one case the protection was very complex. The protected program was encrypted and the decryption code was some kind of finite state automaton, basically consisting of instruction/jump-to-another-instruction pairs and practically impossible to debug and understand. The image on the disk was "position-protected", meaning that the installer recorded on which sectors the program was installed and it wouldn't run if copied elsewhere (or if the disk was defragmented, but this wasn't widely used way back then). So, my friend let the program decrypt itself and run in memory and then dumped the whole memory image. Then reduced the available memory and repeated the procedure, so he had two memory dumps of the same program loaded at two different addresses. From the differences of the two images he re-constructed the (equivalent) EXE header and ended up with the original program minus the protection. I guess you could call that "re-writing" it.

You can make parts of the program inaccessible until some condition is met (e.g., you can, cryptographically, hide the payload of a virus until the virus has found what it is looking for), but once the condition is met, it's game over, you know what the program does and how to counter it.


Title: Re: Stuxnet and bitcoin...
Post by: spazzdla on November 11, 2014, 02:48:14 PM
Have you ever programmed in ladder logic..?

I would LOVE to see you "detect a virus" in ladder logic, love to.


Title: Re: Stuxnet and bitcoin...
Post by: Meuh6879 on November 11, 2014, 02:54:43 PM
You cannot shut down a P2P network.

"They" have been trying for 15 years now ...  ::)


Title: Re: Stuxnet and bitcoin...
Post by: RodeoX on November 11, 2014, 02:58:20 PM
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?


Title: Re: Stuxnet and bitcoin...
Post by: spazzdla on November 11, 2014, 03:33:59 PM
Quote
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?

Central banks wish to eliminate any threat to them at any cost to humanity.


Title: Re: Stuxnet and bitcoin...
Post by: RodeoX on November 11, 2014, 03:43:59 PM
Quote
I think Stux could be modified to do something like this. There would be a lot of ways to counter it however. The stux worm released on Iran was very sophisticated and was able to ferret out specific types of equipment. But why bitcoin?

Quote
Central banks wish to eliminate any threat to them at any cost to humanity.

They may want to eliminate bitcoin, but launching an attack like this has almost no chance of remaining secret. Once discovered, the damage to the bank would far outweigh the tiny advantage of hurting bitcoin for a limited time. It would be wildly illegal and require destroying thousands and thousands of mining machines and routers. They will be completely responsible for those damages and any lost revenue. Their settlement would run into the billions. And all they would gain is to suppress bitcoin for a short time.


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 12, 2014, 10:56:04 AM
Quote
Have you ever programmed in ladder logic..?

I have even "programmed" analog (i.e., not digital) computers and computers that used ternary (as opposed to binary) number representations. A dinosaur like me has seen it all...

Quote
I would LOVE to see you "detect a virus" in ladder logic, love to.

And I would love to see you write a virus in ladder logic, I'd really love to. In fact, you'd have a hard time even writing a simple multiplication function in it...

It is clear to me now that you really have no clear idea what computer viruses are and how they really work - something which I already suspected when you brought Stuxnet into this context.


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 12, 2014, 11:42:16 AM
Quote
I think Stux could be modified to do something like this.

Not really. It simply doesn't make sense. If a third party wanted to attack the Bitcoin nodes with a virus, it would be much easier for them to write a new virus for this purpose as opposed to changing an existing one like Stuxnet (which wasn't even very successful as a virus, to begin with). For the original creators of the virus, it would be much easier, too. They have a framework for this purpose, so it's much easier to use it to build a new malware from the modules they already have than to modify something that they have already built (and which is known to the anti-virus community).

Quote
The stux worm released on Iran was very sophisticated

It was nothing exceptional. Oh, sure, it has interesting properties, like being obviously written by a defense contractor (ever heard the saying that an elephant is a mouse built by a committee to government specifications? Well, Stuxnet is a virus built by a "committee" - several teams not communicating with each other and only producing code modules matching a specification), it was attacking a SCADA system, it was used as a weapon against a country, and it gained wide notoriety in the press. But, as a virus, it was nothing special.

If you want sophistication, how about Flame or Gauss? They were both written by the same outfit that came up with Stuxnet, using the same (or similar) framework.

Flame (http://securelist.com/blog/incidents/34344/the-flame-questions-and-answers-51/) was huge - about 20 Mb! Four years later, we still don't know everything it could do - because how do you analyze 20 Mb of compiled code and linked libraries?! It even had a virtual machine and a Lua interpreter for some of its parts. Command-and-control, replication on demand, SQL injection, audio and video interception, backdoors, zero-day exploits, keylogging, encryption, compression, Bluetooth sniffing... Flame had it all. It even used an unknown till then collision attack to crack MD5 (http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/) and fake Microsoft Update. (Microsoft stopped using MD5-based certificates because of Flame.)

Gauss, clearly produced by the same outfit, is my personal favorite, because it implemented an attack I predicted in the late 90s. Google "clueless agents" - Bruce Schneier has a nice paper (https://www.schneier.com/paper-clueless-agents.pdf) about them. Gauss has a practically textbook implementation of them. We don't know what it does. It looks for directory paths by doing H(H(path)) where H() is a cryptographically strong hash function and then H(path) is used as the decryption key. We do know H(H(path)) - it's in the virus - but we have no clue what the path is, so we can't compute H(path) and decrypt the encrypted payload of the virus. (I am over-simplifying here - the hash-of-hash is not done once but 1000 times and the key is not a simple H(path) but of a more complex data which is derived from the path.) Although the hash function is MD5 and the cypher is RC4, both of which are considered nowadays cryptographically insecure, in practice we haven't got a snowball's chance in hell of decrypting the payload of the virus and understanding what it does...

For a more technical description of the issue, see this (http://securelist.com/blog/incidents/33561/the-mystery-of-the-encrypted-gauss-payload-5/).
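
The hash-of-hash scheme described in the post above, seen from the analyst's side, as an added example that is not part of the original post and is not Gauss's actual code. It follows the post's simplified model (MD5 repeated 1000 times, RC4); the path, the candidate list and the payload are constructed samples, and hashing the UTF-8 path is an assumption.

```python
import hashlib

ITERATIONS = 1000  # the post says the hashing is repeated 1000 times


def h(data: bytes) -> bytes:
    """H() in the post: MD5."""
    return hashlib.md5(data).digest()


def derive_key(path: str, iterations: int = ITERATIONS) -> bytes:
    """Key derived from the environment string by repeated hashing."""
    key = path.encode("utf-8")  # assumption: UTF-8 bytes of the path
    for _ in range(iterations):
        key = h(key)
    return key


def check_value(key: bytes) -> bytes:
    """The value stored in the sample: one more hash on top of the key."""
    return h(key)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def search(stored_check: bytes, ciphertext: bytes, candidates):
    """Test candidate paths against the stored check value.

    Returns (path, plaintext, tried). The check value confirms a correct
    guess but cannot be inverted, so each candidate costs ITERATIONS + 1
    hash calls and a path missing from the list is never found.
    """
    tried = 0
    for path in candidates:
        tried += 1
        key = derive_key(path)
        if check_value(key) == stored_check:
            return path, rc4(key, ciphertext), tried
    return None, None, tried


# Constructed sample: what an analyst would extract from a binary.
_SECRET_PATH = r"C:\Program Files\ExampleVendor\ExampleApp"  # constructed
_KEY = derive_key(_SECRET_PATH)
STORED_CHECK = check_value(_KEY)
CIPHERTEXT = rc4(_KEY, b"constructed sample payload")

# Constructed candidate lists: one misses the path, one contains it.
GUESSES_MISS = [r"C:\Windows", r"C:\Program Files", r"C:\Users\Public"]
GUESSES_HIT = GUESSES_MISS + [_SECRET_PATH]

if __name__ == "__main__":
    print(search(STORED_CHECK, CIPHERTEXT, GUESSES_MISS))
    print(search(STORED_CHECK, CIPHERTEXT, GUESSES_HIT))
```
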


Title: Re: Stuxnet and bitcoin...
Post by: RodeoX on November 12, 2014, 04:22:17 PM
Quote
I think Stux could be modified to do something like this.

Not really. It simply doesn't make sense...

Quote
The stux worm released on Iran was very sophisticated

It was nothing exceptional. ...

My understanding of Stux is that it had a powerful basic core that included at least two zero day exploits. That is rare and why I consider it to be sophisticated. This basic code was then elaborately modified to target specific hardware. The primary targets were Iranian uranium enrichment centrifuges. These could be destroyed by spinning them at a particular speed that caused them to wobble and fall over. 


Title: Re: Stuxnet and bitcoin...
Post by: Flashman on November 12, 2014, 05:59:45 PM
Whoa, thanks for pointing this out, I'll unplug my uranium centrifuge from my bitcoin machine immediately.


Title: Re: Stuxnet and bitcoin...
Post by: iluvpie60 on November 12, 2014, 06:41:09 PM
Why are you posting something so stupid? Honestly, can you give us a real answer on why you felt the need to disappoint so many people in this forum today?

Stuxnet lol....


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 13, 2014, 08:52:59 AM
Quote
My understanding of Stux is that it had a powerful basic core

Well, it depends how you define "powerful". It was one big mess of a code. Built from a framework of modules. A mouse built to government specifications.

Quote
that included at least two zero day exploits.

Four, if I remember correctly.

Quote
That is rare and why I consider it to be sophisticated.

Yeah, well, attacking a country's uranium enrichment equipment is unusual too, but that doesn't make the virus particularly sophisticated. Maybe I'm just biased, having seen so many really sophisticated tricks in viruses over the last quarter of a century... I still think that as a virus (i.e., as self-replicating code) Stuxnet was nothing special, no matter what else the code did.

Quote
This basic code was then elaborately modified to target specific hardware.

No, it wasn't modified. It was designed to do so from the get-go.


Title: Re: Stuxnet and bitcoin...
Post by: Flashman on November 13, 2014, 11:04:23 AM
Really, it was the oldskool "walking disk drive" hack applied to centrifuges.


Title: Re: Stuxnet and bitcoin...
Post by: Hazard on November 13, 2014, 02:13:53 PM
Not a chance


Title: Re: Stuxnet and bitcoin...
Post by: RodeoX on November 13, 2014, 09:44:40 PM
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree. By the way, I don't think that the actual stuxnet code is a danger to bitcoin. But the idea of a malicious attack with similar code could be. Imagine if it were programed to find bitcoin ASICs. 


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 14, 2014, 10:49:02 AM
Quote
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree.

Then we'll have to agree to disagree. Have you actually analyzed the Stuxnet code? How many other computer viruses have you analyzed? Just trying to establish a basis of comparison here, you see.

I've been analyzing viruses since 1989. I've seen some pretty incredible things. Viruses that did not reside in any file or boot sector, or, in fact, anywhere on the disk (CodeRed). Viruses that resided in the unused disk space of the last cluster of the file (Number of the Beast). Viruses that infected directories, instead of files (Dir_II). Viruses that hid into unused areas of zeroes in the infected file (Lehigh). Viruses that hid in the header of the infected EXE files (TheRat) or even optimized that header in order to shorten it and free up space for themselves (Phoenix). Viruses that compressed the infected files (Cruncher). Viruses that infected the master boot sector by changing just one byte in a data area (Starship). Viruses that didn't save the original boot sector anywhere and performed its function themselves, instead. Viruses that infected documents (Concept) or spreadsheets (Laroux) or JPEG images (Perrun). Viruses that were just 29 bytes long (Trivial). Viruses that had cryptographically protected payload, so that we still don't know what they were supposed to do (Gauss). Viruses that infected multiple fundamentally different platforms, like both Windows and Linux, or Windows, MacOS and Android. Viruses that rewrite themselves to look different every time they replicate (V2P6). Viruses that chopped their own code into many parts and spread them all over the infected file (Commander_Bomber). Viruses that brute-forced their own encrypted code (i.e., didn't contain the decryption key) in order to slow down anti-virus products that use emulation (RDA_Fighter). And so on, and so on...

Compared to some of the stuff I've seen, a virus that is a humongous mess of code and replicates via USB sticks doesn't rate as "sophisticated", even if it uses 4 zero-day exploits, attacks unusual hardware configurations, and was used as a weapon against a nation-state.

But then I'm probably just biased. For most common people probably even just the ability to replicate makes a program "sophisticated"...


Title: Re: Stuxnet and bitcoin...
Post by: RodeoX on November 14, 2014, 04:25:42 PM
Quote
A PLC attacking worm with 4 zero day exploits is not sophisticated? I have to disagree.

Then we'll have to agree to disagree. Have you actually analyzed the Stuxnet code? How many other computer viruses have you analyzed? Just trying to establish...

That was a nice write-up. I have not truly analyzed any virus. But what I mostly see in the wild are simple script kiddy versions of well known viri. Perhaps we do not disagree so much. The examples you noted are very complex viri and compared to those stux is not so special. But it must be in the top percentile compared with viri in general?


Title: Re: Stuxnet and bitcoin...
Post by: Flashman on November 14, 2014, 04:36:10 PM
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration, whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Now, a tailored threat for bitcoin mining? Well maybe you could take out KNC's operation or something, given enough intel about it, but different ASICs different mining programs, different OSes, different CPU instruction sets even (cgminer has been compiled for MIPsel, ARM, x86...) ... well let's just say it might have to be AI complete rather than merely smart to take out more than 50% and then it's only temporary disruption.


Title: Re: Stuxnet and bitcoin...
Post by: Vessko on November 15, 2014, 12:49:47 PM
Quote
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration

Yup. It didn't attack just any SCADA system. It didn't even attack just any SCADA system made by Siemens. It attacked a SCADA system made by Siemens that was used to control industrial regulators in a very specific configuration. We had an inkling that Iran's uranium enrichment facility was the target, but we had no proof. After all, we couldn't go to the Iranians and ask them "Hey, buddy, does your uranium enrichment setup happen to have this particular configuration of industrial controllers?". Until a colleague found an image on the site of the Iranian president, depicting his visit to the uranium enrichment facility:

http://www.langner.com/en/wp-content/uploads/2011/12/Natanz-SCADA.jpg

See that computer screen in the foreground (the left one)? It's the screen of a PC controlling the centrifuges. The image on the screen shows graphically the configuration of the controllers - and it matched exactly the one Stuxnet was looking for.

As another colleague of mine joked once, we call this "open source intelligence". ;D

Quote
whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Ah, not really. If you read what I've written so far on this subject, you might notice that I said that Stuxnet was not very sophisticated as a virus. There is a reason why I used this specific phrase. You see, most people equate "virus" with "damaging program". This is ignorant at best. A virus is a self-replicating program. While it is true that the mere act of self-replication tends to cause damages of various kind, it is important to note that a virus doesn't have to be intentionally destructive, in order to be a virus. It can do nothing else besides replicating - and will still be a virus. The opposite is also true - a malicious program, no matter how destructive, is not a virus if it lacks the ability to replicate itself.

So, when I say that a virus is sophisticated, it means that it has a clever and unusual self-replication mechanism - or at least some clever mechanism for hiding its spread. Stuxnet had nothing of the sort. Stuxnet had a sophisticated payload - but for me what a virus does besides replicating is pretty much irrelevant. The self-replicating property is what classifies a program as a virus, so this is what is important to me when analyzing one.


Title: Re: Stuxnet and bitcoin...
Post by: Flashman on November 15, 2014, 01:15:00 PM
Shame the photog didn't aim a bit lower, coulda got the password on the post it note on the bottom of the monitor too :D


Title: Re: Stuxnet and bitcoin...
Post by: mistercoin on November 15, 2014, 03:39:48 PM
In theory, anything is possible. But probable ? Nope. ;D


Title: Re: Stuxnet and bitcoin...
Post by: mistercoin on November 15, 2014, 03:41:24 PM
Quote
Well it seems to me that stuxnet was a tailored threat, aimed at systems of somewhat known configuration

Yup. It didn't attack just any SCADA system. It didn't even attack just any SCADA system made by Siemens. It attacked a SCADA system made by Siemens that was used to control industrial regulators in a very specific configuration. We had an inkling that Iran's uranium enrichment facility was the target, but we had no proof. After all, we couldn't go to the Iranians and ask them "Hey, buddy, does your uranium enrichment setup happen to have this particular configuration of industrial controllers?". Until a colleague found an image on the site of the Iranian president, depicting his visit to the uranium enrichment facility:

http://www.langner.com/en/wp-content/uploads/2011/12/Natanz-SCADA.jpg

See that computer screen in the foreground (the left one)? It's the screen of a PC controlling the centrifuges. The image on the screen shows graphically the configuration of the controllers - and it matched exactly the one Stuxnet was looking for.

As another colleague of mine joked once, we call this "open source intelligence". ;D

Quote
whereas your generic virus has to proliferate on a number of wildly varying configurations that may have commonalities, but are different. Ergo, those have to be "smarter".

Ah, not really. If you read what I've written so far on this subject, you might notice that I said that Stuxnet was not very sophisticated as a virus. There is a reason why I used this specific phrase. You see, most people equate "virus" with "damaging program". This is ignorant at best. A virus is a self-replicating program. While it is true that the mere act of self-replication tends to cause damages of various kind, it is important to note that a virus doesn't have to be intentionally destructive, in order to be a virus. It can do nothing else besides replicating - and will still be a virus. The opposite is also true - a malicious program, no matter how destructive, is not a virus if it lacks the ability to replicate itself.

So, when I say that a virus is sophisticated, it means that it has a clever and unusual self-replication mechanism - or at least some clever mechanism for hiding its spread. Stuxnet had nothing of the sort. Stuxnet had a sophisticated payload - but for me what a virus does besides replicating is pretty much irrelevant. The self-replicating property is what classifies a program as a virus, so this is what is important to me when analyzing one.

Does anyone else think that ahmadinejad is charismatic? In an evil, taking over the world, type of way?


Title: Re: Stuxnet and bitcoin...
Post by: Flashman on November 15, 2014, 03:53:05 PM

Quote
Does anyone else think that ahmadinejad is charismatic? In an evil, taking over the world, type of way?

How's his maniacal laugh? Does he monolog? Does he have a white persian cat? ... oh nvm, we can buy him one.