The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.
So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.
So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon." So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.
And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do.
And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.
So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well. So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.
The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match.
And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at. Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover.
Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.
Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?
The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.
But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now.
Thanks.
(Applause)
Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?
Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.
CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.
(Applause)
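The talk describes the attack feeding the still-running legitimate program, and the operators, prerecorded sensor values in place of live ones, so that neither the control room nor a digital safety system notices the rotors being driven out of range. The following is an added example, not code from the talk or from any Stuxnet analysis, of two defender-side checks a plant monitor could run against that trick: first, looking for stretches of sensor data that repeat exactly, which a live noisy signal essentially never does but a looped recording must; second, comparing the values the controller reports against a hypothetical independent measurement that does not pass through the controller's input path. All sensor data, the 12-sample "recording", the speed ramp and the tolerance are constructed for the example; the out-of-band tachometer is an assumption about the plant, not something the talk describes.

```python
"""Added example (not from Ralph Langner's talk): two defender-side checks
against replayed sensor input on a real-time controller. All data is constructed."""
import random
from typing import Dict, List, Sequence, Tuple


def find_replayed_windows(samples: Sequence[float], window: int = 8) -> List[Tuple[int, int]]:
    """Return (first_index, repeat_index) pairs where `window` consecutive
    readings recur exactly, without overlapping the earlier occurrence.
    A live, noisy sensor stream essentially never repeats bit-for-bit;
    a prerecorded loop does, at the period of the recording."""
    first_seen: Dict[Tuple[float, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if len(set(key)) < 2:
            continue  # flat signal: a resting sensor may legitimately repeat one value
        if key in first_seen:
            if i - first_seen[key] >= window:
                hits.append((first_seen[key], i))
        else:
            first_seen[key] = i
    return hits


def inconsistent_readings(reported: Sequence[float], independent: Sequence[float],
                          tolerance: float) -> List[int]:
    """Indices where the value the controller reports disagrees with an
    independent (out-of-band, hypothetical) measurement by more than
    `tolerance`. The check deliberately does not trust the controller's
    own input path, which is exactly the path the attack subverts."""
    return [i for i, (r, x) in enumerate(zip(reported, independent))
            if abs(r - x) > tolerance]


# --- constructed sample data ------------------------------------------------
_rng = random.Random(7)

# A live vibration-sensor stream: 60 noisy readings around 0.5 (arbitrary units).
LIVE_STREAM = [round(0.5 + _rng.gauss(0, 0.02), 5) for _ in range(60)]

# A replayed stream: a 12-sample "recording" looped five times.
_RECORDING = [round(0.5 + _rng.gauss(0, 0.02), 5) for _ in range(12)]
REPLAYED_STREAM = _RECORDING * 5

# Rotor speed in Hz (constructed): the hypothetical independent tachometer sees
# a ramp, while the controller keeps reporting a steady nominal value.
INDEPENDENT_SPEED = [1000.0 + 50.0 * k for k in range(9)]
REPORTED_SPEED = [round(1000.0 + _rng.gauss(0, 1.0), 2) for _ in range(9)]


def run_checks() -> Dict[str, list]:
    """Run both checks on the constructed data and return the findings."""
    return {
        "live_replays": find_replayed_windows(LIVE_STREAM),
        "replayed_replays": find_replayed_windows(REPLAYED_STREAM),
        "speed_mismatch": inconsistent_readings(REPORTED_SPEED, INDEPENDENT_SPEED, tolerance=20.0),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The repeat detector is a heuristic: a quantized sensor at rest repeats values legitimately, which is why flat windows are skipped, and an attacker who adds fresh noise to the recording defeats it. The cross-check against an independent measurement is the stronger control, because it works regardless of how the fake data is generated; its cost is the second sensor and a monitoring path that the controller cannot write to.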