Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon


by Kim Zetter


  The intrusion program is restricted to police and intelligence agencies in NATO, ANZUS, and ASEAN, as well as the partner countries of these associations—what Bekrar describes as “a limited number of countries.”

  “It’s very sensitive, so we want to keep the number of customers small,” he says. But NATO has twenty-eight member countries, including Romania and Turkey, and some forty other countries are considered its partners, including Israel, Belarus, Pakistan, and Russia. Bekrar insists that VUPEN won’t sell to all of them, however, just because they’re on the lists.

  The company sells exploits that attack all the top commercial products from Microsoft, Apple, Adobe, and others, as well as exploits that target enterprise database and server systems made by companies like Oracle. But browser exploits are the most coveted item, and Bekrar says they have exploits for every brand. The company sells only exploits and what Bekrar calls intermediate payloads that allow a customer to burrow into a network. It’s the customer’s job to weaponize the exploit with a final payload.

  After Stuxnet was discovered, VUPEN also turned its attention to industrial control systems when customers began inquiring about exploits for them. Stuxnet’s exploits, which he said his team analyzed after the attack was exposed, were admirable. “The vulnerabilities themselves were really nice, and the exploit to take advantage of them was nicer,” he says. “They were not very easy to exploit.…” But to seriously develop attacks for industrial control systems requires access to special hardware and facilities for testing, and Bekrar says, “We don’t have such things and we don’t want to have such things.”

  Subscribers to their exploit service have access to a portal, where they can shop a menu of existing zero days, or special-order exploits for a specific operating system or application. Exploits are priced at four levels, according to the brochure. Subscribers purchase a set number of credits, which can be applied to the purchase of exploits worth 1, 2, 3, or 4 credits. Each exploit comes with a description of the software it targets and an indication of how reliable the exploit is. Customers can also obtain real-time alerts any time a new vulnerability is discovered and an exploit is available. VUPEN monitors announcements from Microsoft and other vendors to see when a vulnerability one of their exploits attacks is discovered or patched, and alerts customers that the bug and exploit have been burned—sometimes with an announcement through Twitter.

  Bekrar says his company doesn’t offer exclusivity on exploits but sells the same exploits to multiple buyers. The more an exploit is used, however, the more likely it will be caught, which would make it less attractive to an agency like the NSA, where stealth and secrecy are priorities. Bekrar insists that VUPEN works with only a limited number of governments, and says customers don’t use the exploits “in massive operations,” so there is “almost no chance” they will be widely deployed.

  Bekrar, like Miller, has little sympathy for people who criticize the sale of exploits and has said in the past that software vendors created this government market for exploits by initially refusing to pay researchers for vulnerabilities they discovered, then refusing to pay top dollar, leaving them little choice but to turn to other buyers willing to compensate them for their work. He also insists, however, that he’s not in the exploit trade for the money. “We are not businessmen, we don’t care about sales. We mainly care about security, about ethics,” he said.

  At the Pwn2Own contest, when Google offered to pay $60,000 for an exploit and information about a vulnerability the VUPEN team used against Google’s Chrome browser, Bekrar refused to hand over the information.10 He joked that he might consider it if Google offered $1 million. But later in private he said even for $1 million, he wouldn’t hand over the exploit, preferring to keep it for his customers. Asked if VUPEN’s customers had such money to pay for an exploit, he laughed and said, “No, no, no, no. Never.… They don’t have the budget.”

  But he insisted his reasons for supplying to governments went deeper than money: “We mainly work with governments who are facing national security issues … we help them in protecting their democracies and protecting lives.… It’s like any surveillance method. The government needs to know if something bad is being prepared and to know what people are doing, to protect national security. So there are many ways to use the exploits for national security and to save lives.”

  But critics argue that companies like VUPEN have no way of knowing where their exploits will end up or how they will be used, such as for domestic spying on innocent citizens. Bekrar acknowledges that VUPEN’s customer agreement doesn’t explicitly prohibit a government buyer from using VUPEN exploits to spy on its citizens. “But we say that the exploits must be used in an ethical way,” he says.

  Bekrar says they can’t spell it out more specifically in the contract, because the legal agreements need to be general to cover all possible cases of unethical use. “For us it’s clear,” he said. “You have to use exploits in respect of ethics, in respect of international regulations and national laws and you cannot use exploits in massive operations.” But ethics, of course, are in the mind of the beholder, and Bekrar acknowledges that he has no way to control how customers interpret ethical injunctions. “My only way, at my side, to control this, is to control to which country I sell. And we only sell to democratic countries.”

  Christopher Soghoian of the American Civil Liberties Union is one of VUPEN’s biggest critics. He calls exploit sellers like VUPEN “modern-day merchants of death” and “cowboys,” who chase government dollars to supply the tools and bullets that make oppressive surveillance and cyberwarfare possible—putting everyone at risk in the process.11 He acknowledges that governments would make and use their own zero days whether or not companies like VUPEN sold them, but says the free-market sellers are a “ticking bomb” because there’s no control over their trade.

  “As soon as one of these weaponized zero-days sold to governments is obtained by a ‘bad guy’ and used to attack critical US infrastructure, the shit will hit the fan,” Soghoian told an audience of computer professionals at a conference in 2011. “It’s not a matter of if, but when.… What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists? What if Anonymous hacks into a law enforcement agency’s network and steals one of these weaponized exploits?”12

  In 2013, initial steps were taken to try to regulate the sale of zero days and other cyberweapons. The Wassenaar Arrangement—an arms-control organization composed of forty-one countries, including the United States, the UK, Russia, and Germany—announced that it was for the first time classifying software and hardware products that can be used for hacking and surveillance and that “may be detrimental to international and regional security and stability” as dual-use products. The dual-use designation is used to restrict materials and technology (such as maraging steel used in centrifuges) that can be used for military ends as well as peaceful ones. Although the organization’s declarations are not legally binding, member states are expected to implement requirements for export licenses in their countries and cooperate with one another in controlling sales of dual-use products.13 Germany, a Wassenaar member, already has a law that effectively prohibits the sale of exploits as well as the practice of giving them away for free, something that security researchers do regularly among themselves to test systems and improve security. Lawmakers in the United States with the Senate Armed Services Committee introduced legislation in 2013 that calls on the president to establish a policy “to control the proliferation of cyberweapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and such other means as the President considers appropriate.” But it’s unclear exactly how such controls would work, since zero days and other digital weapons are much more difficult to monitor than conventional weapons, and such controls requiring export licenses for the foreign sale of exploits and the screening of buyers can increase the cost for legitimate sellers, but not all sellers are interested in legitimacy.

  Furthermore, these kinds of controls are meant to keep exploits only out of the hands of criminals and rogue actors, such as terrorists. They’re not meant at all to curb government use of them for law enforcement or national security purposes. The thriving gray market for zero days makes it clear that law enforcement and spy agencies are anxious to get their hands on exploits like the ones that Stuxnet used—and are willing to pay generously for the privilege. That frenzied demand for zero days is only likely to grow, and with it, the number of state-sponsored programs that use them.

  * * *

  1 See Andy Greenberg, “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits,” Forbes, March 23, 2012. Zero-day vulnerabilities have become more challenging to find in recent years as the makers of some of the most targeted software programs have added features to make them more secure. Google and other companies have built so-called sandboxes into their browsers, for example, that erect a protective barrier to contain malicious code and prevent it from spilling out of the browser into the operating system or other applications on a machine. As a result, exploits that allow an attacker to escape a sandbox are valuable.

  2 Charlie Miller, “The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales,” Independent Security Evaluators, May 6, 2007, available at weis2007.econinfosec.org/papers/29.pdf.

  3 Author interview with Charlie Miller, September 2011.

  4 Ibid.

  5 Greenberg, “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits.”

  6 Tonya Layman, “Rouland’s Tech Security Firm Growing Fast,” Atlanta Business Chronicle, June 11, 2011.

  7 This and all quotes from Bekrar in this chapter are from an author interview in March 2012, unless otherwise cited.

  8 From a press release titled “VUPEN Gets Entrepreneurial Company of the Year Award in the Vulnerability Research Market,” June 1, 2006, available at vupen.com/press/VUPEN_Company_of_the_year_2011.php.

  9 The brochure is available at wikileaks.org/spyfiles/files/0/279_VUPEN-THREAD-EXPLOITS.pdf.

  10 VUPEN had already won $60,000 from HP TippingPoint for the contest, but Google was offering an additional $60,000 on top of that to obtain information about the hole in order to fix it. The Pwn2Own contest generally requires contestants to hand over the exploit and information about a hole so that it can be fixed, but not for exploits that bypass a browser’s security sandbox, which is what VUPEN said its exploit did. The Google staffer accused VUPEN of showboating at the expense of users. “We’re trying to get information out of somebody so that we can fix it … [Without that information] it’s not about protecting users anymore, it’s about showing off. It’s good for stroking egos, but aside from that it doesn’t make the web safer,” a Google staffer told me.

  11 Ryan Naraine, “0-Day Exploit Middlemen Are Cowboys, Ticking Bomb,” ZDNet.com, February 16, 2012, available at zdnet.com/blog/security/0-day-exploit-middlemen-are-cowboys-ticking-bomb/10294.

  12 Ibid.

  13 “The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Public Statement 2013 Plenary Meeting, available at wassenaar.org/publicdocuments/2013/WA%20Plenary%20Public%20Statement%202013.pdf.

  CHAPTER 8

  THE PAYLOAD

  Nico Falliere was hunched over his desk on the eighth floor of the forty-story Tour Egée, a triangular glass-and-concrete building in the La Défense business district of Paris. Outside, a grim forest of office towers rose in front of his window, obscuring his view of the pigeons and summer tourists ambling toward the steps of La Grande Arche. But Falliere wasn’t focused on the view. He was focused intently on making his first foray into Stuxnet’s complicated payload.

  It was early in August 2010, a mere two weeks into the Symantec team’s analysis of Stuxnet, before Chien and O’Murchu discovered the unprecedented number of zero days that were hiding in the worm. During these first two weeks, Falliere had been working with O’Murchu to analyze the malware’s large Windows .DLL, but he knew Stuxnet’s real secrets lay in its payload, and he was anxious to get at them.

  He had just returned from lunch with friends when he began digging through the payload files, separating each one out and trying to understand its format and structure. He noticed that one of them was a .DLL file with a familiar name. The Symantec researchers had by this point obtained copies of the Siemens Step 7 software, so Falliere scrolled through the Step 7 program files installed on his test system. It didn’t take long to find what he was looking for—a Siemens Step 7 .DLL that had the same name as the Stuxnet file. Hmm, he thought, that’s interesting.

  He quickly determined that anytime Stuxnet found itself on a computer with the Siemens Step 7 or WinCC software installed, it unpacked its .DLL file with the matching name from inside its larger Windows .DLL and decrypted it.

  Falliere used the key embedded in the malware to decrypt the .DLL and found that it contained all of the same functionality as the legitimate Step 7 .DLL. But it also contained some suspicious code that included commands like “write” and “read.” Falliere had seen enough malware in his career to know exactly what he was looking at—Stuxnet’s Step 7 .DLL was acting as a rootkit, lurking on the system silently, waiting to hijack, or hook, these functions anytime the system attempted to read or write code blocks to or from the targeted PLCs. Similar to the rootkit in the missile portion of Stuxnet, this one was hooking the read function to hide something that Stuxnet was doing to the PLCs. It was the first time, as far as he knew, that anyone had created a rootkit for an industrial control system. It was another first in the growing list of Stuxnet firsts.

  Falliere couldn’t tell if Stuxnet’s rogue .DLL was hooking the read function to simply monitor the PLCs passively and gather intelligence about their operations, or if it had more sinister aims in mind. But the fact that it was also intercepting the “write” function suggested it was probably the latter and was attempting to halt the operation of the PLCs or change their operation in some way. He glanced at his watch and noted that it was around five a.m. in California—too early to call Chien—so he decided to keep digging.

  He continued for several more hours, and when he had all the pieces of the puzzle he needed—it was exactly what he’d suspected. Stuxnet was indeed intercepting commands passing from the Siemens .DLL to the PLCs and replacing them with its own. He couldn’t say for sure what it was instructing the PLC to do—he couldn’t find the code blocks that Stuxnet injected into the PLC—but he was pretty sure it wasn’t good. By now it was nine a.m. in California, so he picked up the phone and called Chien.

  Normally the two of them spoke once a week to exchange a quick update about whatever Falliere was working on; the calls were efficient and to-the-point and lasted no more than a few minutes. But this time Falliere recounted everything he had found in detail. Chien listened intently, amazed at what he heard. The attack kept getting more and more complex. Every corner they turned with Stuxnet they found a new surprise.

  Chien agreed that Falliere should drop everything to find the code blocks that Stuxnet injected into the PLC. They also decided Falliere should make a brief announcement on their blog about the PLC rootkit. The rest of the information they would keep under wraps, for the time being, until Falliere could determine the nature of what Stuxnet was injecting into the PLC.

  That night on the Métro on his way home from work, Falliere was charged with nervous energy. For four years he’d been deconstructing viruses and worms and had seen so many malicious programs during that time that it was hard to get excited about them anymore. But this one was different. An attack on a PLC was unprecedented and had the potential to usher in an entirely new breed of malicious attacks.

  Despite his excitement, he knew the road ahead was filled with hurdles. The Siemens .DLL that Stuxnet replaced was huge, and the structure of the Step 7 software and the PLCs it controlled was largely undocumented. Falliere and Chien were completely in the dark about how the system worked, and the technical challenges of deciphering the payload were going to be formidable. What’s more, there was no guarantee they’d even crack it. There were so many things Falliere didn’t know at this point. But one thing he did know was that he was in for a long and exhausting ride.

  FALLIERE WAS TWENTY-EIGHT, with the dark, Gallic looks of someone who seemed like he’d be more at home DJing trance music in an underground Paris nightclub than poring over reams of printed computer code during a commute on the Métro. In reality, he was fairly shy and reserved, and sifting through dense computer code was in fact a much bigger draw to him than spending sweaty nights in a throbbing club.

  Falliere was a master reverse-engineer who specialized in deep-dive analysis of malicious code. Reverse-engineering is a bit of a dark art that involves taking the binary language of ones and zeroes that a computer can read and translating it back to a programming language that humans can read. It requires a lot of intense focus and skill, particularly with code as complex as Stuxnet. But Falliere didn’t mind. The more complicated the code, the more satisfying it was when he finally cracked it.

 
