Ralph Langner (2011): Cracking Stuxnet, a 21st-century cyber weapon

The idea behind the Stuxnet computer worm is actually quite simple.

We don't want Iran to get the Bomb.
Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility.

The gray boxes that you see, these are real-time control systems.

Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge.

The gray boxes don't run Windows software; they are a completely different technology.

But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business.

And this is the plot behind Stuxnet.

So we start with a Windows dropper.

The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished.

That's easy, huh?
I want to tell you how we found that out.
When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was.
The only thing that was known is that the Windows part, the dropper part, is very, very complex and used multiple zero-day vulnerabilities.

And it seemed to want to do something with these gray boxes, these real-time control systems.
So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out.

And then some very funny things happened.
Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat.

Didn't make sense to me.

And after we experimented with different flavors of cheese, I realized, well, this is a directed attack.
It's completely directed.
The dropper is actively prowling on the gray box to see if a specific configuration is found, and even if the actual program that it's trying to infect is actually running on that target.

And if not, Stuxnet does nothing.
So that really got my attention, and we started to work on this nearly around the clock, because I thought, well, we don't know what the target is.
It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany.

So we'd better find out what the target is soon.
So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one.

And we also saw that they are very professionally engineered by people who obviously had all insider information.

They knew all the bits and bytes that they had to attack.
They probably even know the shoe size of the operator.

So they know everything.
And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science.

It's way above everything that we have ever seen before.
Here you see a sample of this actual attack code.
We are talking about -- round about 15,000 lines of code.
Looks pretty much like old-style assembly language.

And I want to tell you how we were able to make sense out of this code.
So what we were looking for, first of all, is system function calls, because we know what they do.

And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real-world targets.

So we do need target theories that we can prove or disprove.

In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target, and it is most likely located in Iran, because that's where most of the infections had been reported.

Now you don't find several thousand targets in that area.
It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.

So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base."

And I phoned them up and picked their brains in an effort to match their expertise with what we found in code and data.

And that worked pretty well.
So we were able to associate the small digital warhead with the rotor control.

The rotor is that moving part within the centrifuge, that black object that you see.
And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode.

What we also saw is that the goal of the attack was really to do it slowly and creepily -- obviously in an effort to drive maintenance engineers crazy, so that they would not be able to figure this out quickly.

The big digital warhead -- we had a shot at this by looking very closely at data and data structures.
So for example, the number 164 really stands out in that code; you can't overlook it.

I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges.

So that made sense, it was a match.
And it even got better.
These centrifuges in Iran are subdivided into 15 of what are called stages.

And guess what we found in the attack code?
An almost identical structure.

So again, that was a real good match.
And this gave us very high confidence for what we were looking at.

Now don't get me wrong here, it didn't go like this.
These results have been obtained over several weeks of really hard labor.

And we often went into just a dead end and had to recover.

Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles.

The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves.

So in all, we are very confident that we have actually determined what the target is.

It is Natanz, and it is only Natanz.
So we don't have to worry that other targets might be hit by Stuxnet.
Here's some very cool stuff that we saw -- really knocked my socks off.

Down there is the gray box, and on the top you see the centrifuges.
Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate code, which is still running during the attack, with fake input data.

And as a matter of fact, this fake input data is actually prerecorded by Stuxnet.

So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video.

That's cool, huh?
The idea here is obviously not only to fool the operators in the control room.
It actually is much more dangerous and aggressive.

The idea is to circumvent a digital safety system.

We need digital safety systems where a human operator could not act quickly enough.
So for example, in a power plant, when your big steam turbine overspeeds, you must open relief valves within a millisecond.

Obviously, this cannot be done by a human operator.
So this is where we need digital safety systems.
And when they are compromised, then real bad things can happen.

Your plant can blow up.
And neither your operators nor your safety system will notice it.
That's scary.
But it gets worse.
And this is very important, what I'm going to say.
Think about this.
This attack is generic.

It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment.

So it would work as well, for example, in a power plant or in an automobile factory.

It is generic.
And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet.

You could also use conventional worm technology for spreading.

Just spread it as wide as possible.
And if you do that, what you end up with is a cyber weapon of mass destruction.

That's the consequence that we have to face.

So unfortunately, the biggest number of targets for such attacks are not in the Middle East.

They're in the United States and Europe and in Japan.

So all of the green areas, these are your target-rich environments.
We have to face the consequences, and we'd better start to prepare right now.

Thanks.
(Applause)
Chris Anderson: I've got a question.
Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this.

Is that your opinion?
Ralph Langner: Okay, you really want to hear that?
Yeah. Okay.
My opinion is that the Mossad is involved, but that the leading force is not Israel.

So the leading force behind that is the cyber superpower.

There is only one, and that's the United States -- fortunately, fortunately.
Because otherwise, our problems would even be bigger.
CA: Thank you for scaring the living daylights out of us. Thank you Ralph.

(Applause)
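The record-and-replay trick the talk describes (the legitimate safety code keeps running, but the process values it reads were prerecorded and are played back while the rotor is driven outside its safe envelope) as a toy model. This is an added illustration, not part of the transcript and not Stuxnet's or Langner's code: the plant model, the speeds, the trip thresholds, the sensor noise and the `first_repeated_window` check are all constructed for this example and correspond to nothing at Natanz.

```python
"""Toy model of feeding prerecorded sensor data to a still-running safety system.

Added illustration only. Plant model, speeds, thresholds and noise are constructed.
"""
import random

NOMINAL_RPM = 50_000      # constructed normal operating speed
SAFE_MAX_RPM = 60_000     # constructed overspeed trip threshold
ATTACK_RPM = 80_000       # constructed set-point the attacker drives toward
VIBRATION_LIMIT = 1.5     # constructed trip threshold on the vibration channel


class Centrifuge:
    """Rotor whose speed lags the drive set-point; vibration grows with speed."""

    def __init__(self, rng):
        self.rpm = float(NOMINAL_RPM)
        self.rng = rng

    def step(self, setpoint_rpm):
        # first-order lag: the rotor closes 20% of the gap to the set-point per cycle
        self.rpm += 0.2 * (setpoint_rpm - self.rpm)

    def read_sensors(self):
        # honest readings carry sensor noise, so they never repeat exactly
        vibration = (self.rpm / NOMINAL_RPM) ** 2 + self.rng.gauss(0, 0.01)
        return {"rpm": round(self.rpm), "vibration": round(vibration, 4)}


def safety_logic(reading):
    """The legitimate digital safety system: trip on overspeed or excess vibration."""
    return reading["rpm"] > SAFE_MAX_RPM or reading["vibration"] > VIBRATION_LIMIT


class ReplayAttack:
    """Records honest process values, then loops them back while driving the rotor."""

    def __init__(self, record_cycles, hide=True):
        self.record_cycles = record_cycles
        self.hide = hide
        self.recorded = []

    def setpoint(self, cycle):
        # while recording, the attacker leaves the drive alone
        return NOMINAL_RPM if cycle < self.record_cycles else ATTACK_RPM

    def process_inputs(self, cycle, real_reading):
        if cycle < self.record_cycles:
            self.recorded.append(real_reading)
            return real_reading
        if not self.hide:
            return real_reading           # crude attacker: safety logic sees the truth
        # the "prerecorded video": the safety logic reads old, normal-looking values
        return self.recorded[cycle % len(self.recorded)]


def run(cycles, attack=None, seed=1):
    """Run the control loop. Returns the cycle at which the safety logic tripped
    (None if never), the peak real rotor speed, and what the legitimate code saw."""
    plant = Centrifuge(random.Random(seed))
    seen_log, tripped_at, peak_rpm = [], None, 0.0
    for cycle in range(cycles):
        real = plant.read_sensors()
        seen = attack.process_inputs(cycle, real) if attack else real
        seen_log.append(seen)
        setpoint = attack.setpoint(cycle) if attack else NOMINAL_RPM
        if tripped_at is None and safety_logic(seen):
            tripped_at = cycle
        if tripped_at is not None:
            setpoint = 0                  # a trip removes the drive
        plant.step(setpoint)
        peak_rpm = max(peak_rpm, plant.rpm)
    return {"tripped_at": tripped_at, "peak_rpm": round(peak_rpm), "seen": seen_log}


def first_repeated_window(seen_log, window=8):
    """Cheap replay indicator: real sensor noise does not repeat, so a window of
    readings identical to an earlier window is suspicious. Returns the cycle at
    which the first repeat completes, or None."""
    earlier = set()
    for end in range(window - 1, len(seen_log)):
        key = tuple((r["rpm"], r["vibration"]) for r in seen_log[end - window + 1:end + 1])
        if key in earlier:
            return end
        earlier.add(key)
    return None


if __name__ == "__main__":
    cases = [("honest", run(100)),
             ("attack, real inputs", run(100, ReplayAttack(20, hide=False))),
             ("attack, replayed inputs", run(100, ReplayAttack(20, hide=True)))]
    for name, r in cases:
        print(f"{name:24s} tripped_at={r['tripped_at']} peak_rpm={r['peak_rpm']} "
              f"replay_flag={first_repeated_window(r['seen'])}")
```

The three runs make the point of the talk concrete: with honest inputs nothing trips; an attacker who drives the rotor but leaves the inputs alone is stopped by the safety logic within a few cycles; an attacker who replays recorded values drives the rotor far past the trip threshold while the safety logic, still running, sees only normal values. The `first_repeated_window` check only catches byte-for-byte playback and is defeated by a replayer that adds jitter; the stronger control is a measurement path that the controller cannot write to, so that the safety function has at least one reading the attacker does not mediate.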