Translator: K. C. Peng; Reviewer: Crystal Tu

The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.

So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh?

I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out.

And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.

So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon."

So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything. And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before.

Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do. And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove.

In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant. So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well.

So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.

The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match. And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at.

Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover. Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.

Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?

The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.

But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face.

So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now. Thanks.

(Applause)

Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?

Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.

CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.

(Applause)
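The sensor-input replay that the talk describes, seen from the defender's side. This is an added example, not code from the talk or from Langner's team; the readings, the "independent gauge" and the two heuristics (a noisy signal should not repeat verbatim, and the controller's reported values should agree with an out-of-band measurement) are assumptions constructed for illustration.

```python
# Added example, not from the talk: defender-side checks for replayed sensor input.
# The talk describes the controller's legitimate code being fed prerecorded sensor
# values while the real process is being damaged. Two cheap checks follow.
# All readings below are constructed sample data (arbitrary pressure units).
from typing import List, Tuple


def find_exact_repeats(readings: List[float], window: int) -> List[Tuple[int, int]]:
    """Return (first_start, repeat_start) pairs where a run of `window` readings
    reappears verbatim, without overlap, later in the stream.
    Genuine readings carry measurement noise, so verbatim repeats are unusual;
    a looping replay of a recording produces them. Caveat (assumption): a
    quantized or near-constant signal repeats legitimately, so apply this only
    to visibly noisy sensors and combine it with the cross-check below."""
    first_seen = {}   # run of readings -> index where that run first appeared
    hits = []
    for i in range(len(readings) - window + 1):
        run = tuple(readings[i:i + window])
        if run in first_seen:
            if i - first_seen[run] >= window:      # ignore self-overlapping runs
                hits.append((first_seen[run], i))
        else:
            first_seen[run] = i
    return hits


def divergent_samples(reported: List[float], independent: List[float],
                      tolerance: float) -> List[int]:
    """Indices where the value the controller reports disagrees by more than
    `tolerance` with an independent out-of-band measurement of the same quantity
    (assumed here: a gauge wired to a separate, unnetworked recorder). A replay
    keeps the reported stream looking healthy while the gauge follows the process."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance]


# Constructed data: eight genuine noisy readings ...
GENUINE = [101.3, 101.7, 100.9, 101.2, 101.8, 101.1, 100.8, 101.4]
# ... then the same recording replayed twice, as a looping replay would present it.
REPLAYED = GENUINE + GENUINE + GENUINE
# What the independent gauge sees over the first 16 samples: normal, then climbing.
ACTUAL = GENUINE + [103.0, 104.5, 106.1, 107.8, 109.2, 110.9, 112.4, 114.0]

if __name__ == "__main__":
    print("replay windows:", find_exact_repeats(REPLAYED, 4)[:2])   # [(0, 8), (1, 9)]
    print("divergent samples:", divergent_samples(REPLAYED[:16], ACTUAL, 1.0))  # list(range(8, 16))
```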