How Hackers Saved the World from Nuclear War

Cloned Boy

Today I will tell you about computer viruses that could have prevented a nuclear war. How did ordinary code turn out to be stronger than armies? How did these viruses penetrate protected systems, who created them and why? You will learn how digital attacks changed the course of world history even before the first shots were fired.

We are used to perceiving wars as something obvious: weapons, explosions, planes, the wounded and the killed, news about sanctions and tariffs. We know what the struggle for resources, power and control looks like, but there is another war, invisible and silent, in which you can't hear shots and the enemy can be right inside our computer. This war has been going on for many years: it is cyber war. In this topic, I will tell you about a six-year cyber war that lasted from 2010 to 2016.

And the main weapons of this war were 5 viruses, developed in strict secrecy. They acted more effectively than weapons of mass destruction: they broke systems and nuclear programs, confused governments and worked for the secret services. Let's figure out how five viruses changed the course of history without firing a single shot. And subscribe to my channel, where there is more unique content.

Let's go! And it all started with the Stuxnet virus, the first code in history that was able to stop the outbreak of a nuclear war. It rewrote the rules of the game and opened a new era, the era of cyber wars. But who would have thought that all this was uncovered not somewhere in New York, not in London, and not even in Hong Kong. The most daring and large-scale cyberattack was first noticed in Gomel, a small town in Belarus.

Completely by accident. And yes, you heard right: in 2010, Sergey Ulasen, an information security engineer, worked at the VirusBlokAda company. Please note that this was not some giant corporation with skyscrapers and an army of specialists. It was an ordinary IT company that dealt with cybersecurity for corporate clients. In general, a simple working day, a boring routine, until Sergey received a strange message from a client in Iran.

I would like to point out that the client was not a representative of the state or any large company. He was an ordinary contractor who was engaged in servicing the internal systems of various organizations. He complained about an incomprehensible failure on his work PCs, and they really were strange. Computers suddenly rebooted, programs hung, something glitched for no reason. But the most unusual thing was that this happened with equipment that was not connected to the Internet.

It didn't look like a bug either: several of the client's computers were behaving strangely, and Sergey realized that something serious was going on. So he started digging. He connected to the system, studied the logs and found suspicious processes. Then he noticed strange drivers. The files were signed with digital certificates from Realtek. But what did that mean? That someone had infected the computer with a virus that at first glance looked like a legitimately signed driver, like a regular update.

It's like a thief pretending to be a police officer with a real ID. Isn't that strange? Then Sergey started studying the whole set of files, and what he found shocked him. The computer had a virus that could update itself, copy itself via flash drives and, most importantly, could attack. No one had ever seen anything like this before.

It wasn't a data-stealing virus, not a Trojan for extortion, but a sophisticated weapon that was looking for a target. Moreover, this virus knew all the vulnerabilities of Windows and Siemens systems. Realizing that he couldn't handle it himself, Sergey contacted Kaspersky Lab. They checked the data and confirmed that the virus was complex and definitely not written on the fly. Professionals had clearly worked here. Moreover, the code was not created for a mass attack, it was aimed at a specific target, but what? I'll tell you now.

Sergey and Kaspersky passed on all the information about the vulnerability to Microsoft. The reaction was lightning fast: Microsoft urgently released an update, but it was too late. Rumors about the new virus began to circulate around the world and it became known to everyone, and cybersecurity experts began to dig into the Stuxnet code. By the way, why was it called that? The name was pieced together from fragments of strings found in the virus's own files.

So, the more the experts studied the virus code, the more shocked they were. The virus turned out to be incredibly complex and expensive to develop. But how did it work? Stuxnet infected Windows computers: it found system vulnerabilities, easily got inside and then searched. And the target was special devices that control equipment at factories. But not at ordinary factories, as you might think, but at those that enrich uranium.

Analysis of a thousand infected files showed that Stuxnet attacked five factories in Iran. That's where the centrifuges that enrich uranium for Iran's nuclear program were spinning. And the virus knew exactly what to do: slow down, break, confuse the system, wrecking it from the inside. But at the same time, the operators saw on the screen that everything was working fine, while in reality the equipment was falling apart. But how did the virus get there in the first place? After all, these enterprises were not connected to the Internet at all; they were completely isolated from the outside world.

There is only one answer, someone brought it inside, perhaps by accident, or perhaps on assignment. On a flash drive or disk, it is enough to insert the media into the computer and the network will already be infected. Later it became known that Stuxnet damaged about a thousand centrifuges. A thousand! And this threw Iran's nuclear program back years. Apparently, this was the main goal of the virus. And then, as usual, it began. Journalists began digging, experts analyzed the code, and suddenly the puzzle began to come together.
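The point above, that the operator screen kept showing normal values while the centrifuges were being wrecked, is why plant defenders now compare what the control system reports against an independent measurement. Here is an added example of that check (my own illustration, not code from the post or from any real plant); the telemetry is constructed sample data and the frequency values are made up:

```python
# Added example, not from the original post: a "trust but verify" check for the
# Stuxnet-style situation described above, where the operator screen keeps
# showing normal values while the physical process is driven out of spec.
# All telemetry below is constructed sample data; no real plant data is used.

from statistics import pstdev

# Constructed: what the HMI displayed (Hz) versus what an independent sensor
# (e.g. a vibration or power meter NOT routed through the PLC) measured.
HMI_REPORTED = [1064.0] * 12
INDEPENDENT = [1064.0, 1064.0, 1064.1, 1063.9,   # normal operation
               1180.0, 1300.0, 1410.0, 1410.0,   # overspeed
               600.0, 250.0, 300.0, 1064.0]      # slam-down, then recovery


def divergence_points(reported, measured, tolerance=5.0):
    """Return the sample indices where the displayed and independently
    measured values disagree by more than `tolerance`. A non-empty result
    means the display can no longer be trusted as a view of the process."""
    if len(reported) != len(measured):
        raise ValueError("telemetry streams must be aligned sample by sample")
    return [i for i, (r, m) in enumerate(zip(reported, measured))
            if abs(r - m) > tolerance]


def display_frozen(reported, measured, window=8, min_real_spread=20.0):
    """Heuristic for a replayed or frozen screen: the reported stream is flat
    over the last `window` samples while the independent stream varies by
    more than `min_real_spread` (population standard deviation)."""
    rep, mea = reported[-window:], measured[-window:]
    return pstdev(rep) < 1e-6 and pstdev(mea) > min_real_spread


if __name__ == "__main__":
    bad = divergence_points(HMI_REPORTED, INDEPENDENT)
    print("samples where display and sensor disagree:", bad)
    print("display looks frozen or replayed:",
          display_frozen(HMI_REPORTED, INDEPENDENT))
```

In a real plant the independent channel must not pass through the same PLC or HMI that the attacker controls, otherwise both streams can be falsified together.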

The virus was too smart, too selective, too complex and expensive to develop. They started talking about a secret operation codenamed "Olympic Games", allegedly carried out by the United States and Israel together. The goal, as you'd expect, was simple: to prevent Iran from creating nuclear weapons. But of course no one has officially confirmed anything, and it is clear that they are still trying to hide such things.

But then the next question arises, if the state was behind this virus, could large corporations be involved, such as our beloved Windows or Siemens, from which Iran purchased some of the equipment. In theory, of course, yes, but in practice, everything is a little more complicated. Stuxnet used weak points of Windows, which only a very limited circle of specialists knew about. It is very difficult to obtain such information, which means that someone with access to Windows either helped or turned a blind eye.

The second point is Siemens controllers, to put it bluntly, the controller is the brains for factories, they tell the machines what and how to do, spin, stop the process, what to start, and so on. The virus was programmed to look for these so-called brains. And it replaced the commands, and in order to strike so accurately, you need to know very well how it works.

This can be found out either through a leak or through internal documentation. On the other hand, neither Microsoft nor Siemens wanted their products to be used as a hacking tool, and this is bad for their reputation. After the scandal, Microsoft began to monitor security better, and Siemens began to work with experts to understand how this happened at all. There is no direct evidence of their guilt. Now just imagine Iran, a country working on a nuclear arsenal to counter the US.

Factories, labs, security, all this secrecy. A real Death Star of the Middle East. And the main role at these facilities is played by one of the most basic US products, Windows. Seriously, ordinary, our favorite Windows XP, the same one some of you played Minesweeper on as a child. And if they had installed Linux, for example, everything might have ended completely differently, and a nuclear war could well have become a reality.

Although, knowing how difficult it is to set up even a printer in Linux, maybe their centrifuges simply wouldn't have turned on. By the way, if you're interested in the fate of Sergey, that same Belarusian programmer, spoiler: he didn't receive any award, although he discovered one of the most dangerous viruses in history. In Belarus, no one paid attention: so what, we find such viruses every day. The US politely kept silent, probably thinking to themselves:

"Seryoga, you're certainly cool, but why the hell did you even bother? We actually invested a ton of money there!" But the professional community, of course, appreciated him, and later Sergey went to work at Kaspersky Lab. But the cyber war didn't end with Stuxnet, it's just that at least some information about it began to appear. Thanks to the fact that the code was found, they began to study it, and something unusual was found in one of the infected computers.

A new virus that no one knew about before. It was discovered on September 1, 2011, by specialists from the CrySyS Lab in Budapest. They were studying Stuxnet and then they made this find. One of the researchers uploaded a strange file to the VirusTotal website. Almost all antiviruses did not understand what was in front of them, and only two were wary. Several weeks of studying this code passed. And then it became clear that this was not just a virus, it was a whole cyber spy.

It was watching and listening. Unlike Stuxnet, it did not break anything; it was just an observer. It was looking at how control systems are arranged, especially those responsible for critical infrastructure: electricity, water, factories, everything that keeps the world afloat. And it penetrated computers quite simply, through a regular Word document. The victim was sent a file, like a report or a commercial offer. They opened it, and that's it. Inside this document was hidden an unusual font.

Dexter Regular. It sounds harmless, but it is a reference. And yes, hackers have a good sense of humor. So, remember the TV series Dexter, about a guy who works as a forensic expert during the day and kills all the bad people at night. And of course, it's too symbolic to be an accident, right? The document used a Windows vulnerability. Complicated words, but in essence it's like a hole in a lock.

When a person opened this file, Windows tried to display text with this font and crashed. Because of this error, the virus got full access to the computer. After infection, the virus installed harmful files on the computer whose names began with the characters DQ, which is why the virus itself was called Duqu. Duqu penetrated the computer, installed the necessary files, launched and disappeared. The file with the font was no longer needed; the system was already infected.

And then silence. No slowdowns, no pop-ups. It just sat there, listened to what you were typing, where you were going, what you were clicking on, took screenshots, read files, looked at what programs were running, and if the user suddenly connected some serious equipment, total surveillance began, and then all this information was transferred to the creators of the virus. But you know what the real magic is?

This will definitely surprise you, by the way. Duqu did not have a single fixed body of code; it was modular, like Lego. Initially, it simply opened the door, and then additional tools were loaded on command: programs for surveillance, interception of data, scanning the network, and all of it encrypted. But how could you not notice? Quite simple. For example, one of these modules was disguised as a photo of a distant galaxy. Yes, you see a file with a beautiful picture of space, but in fact it already contains a Trojan capable of controlling the entire network.
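A picture viewer stops reading a JPEG at its End-Of-Image marker, so a module glued on after that marker looks like an ordinary photo to the user. Here is an added forensic check for exactly that trick (my own illustration, not code from the post); the "photo" is a minimal JPEG built in code, and the appended payload is a constructed stand-in:

```python
# Added example, not from the original post: find data hidden after the end of
# a JPEG, the trick described above where a module masquerades as a photo.
# The image below is constructed in code, not a real photograph.

import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Markers that carry no length field: SOI, RST0-RST7, TEM.
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the
    real EOI marker. Walking segments (instead of searching for FF D9 from
    the end) matters because the hidden payload itself may contain FF D9."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: image ends here
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is byte stuffing and FF D0-D7 are restart markers;
                # anything else after FF is the next real marker.
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG (no EOI marker)")


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return whatever follows the image (empty for a clean file). Anything
    substantial here is worth a second look, e.g. an MZ header."""
    return data[jpeg_end_offset(data):]


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, a few scan bytes with
    one stuffed FF 00, then EOI. Not a decodable picture, just valid framing."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"
    return SOI + app0 + sos + scan + EOI


# Constructed stand-in for a hidden module; note it contains FF D9 on purpose.
HIDDEN_PAYLOAD = b"MZ\x90\x00 constructed payload \xff\xd9 more bytes"

if __name__ == "__main__":
    clean = build_sample_jpeg()
    print("clean file trailing bytes:", len(jpeg_trailing_data(clean)))
    print("tampered file trailing bytes:",
          len(jpeg_trailing_data(clean + HIDDEN_PAYLOAD)))
```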

Duqu easily accessed the Internet, used regular protocols, the same ones you use to watch YouTube now, and it passed any protection without any problems. It was not noticed at all, and inside the network it built its own communication system: it connected with other computers, transmitted commands, copied itself, deleted old parts, changed its code, and all this looked like the usual work of the system.

It even used real digital signatures stolen from C-Media. When the antivirus checked the authenticity, everything looked honest, so it could be launched. And in fact, very little is known about this virus. But why? Duqu did not spread en masse. In total, 15 confirmed infections were detected in different countries. But no one knows for sure about all the victims. Most of the victims did not even know that they were hacked; everything went too cleanly.

One thing is known: it attacked important targets, government agencies, industrial giants and defense enterprises. According to one version, Duqu was needed to prepare the ground: first reconnaissance, and then a strike. But who is behind all this? The question is, of course, philosophical, but to be honest, this is definitely not some hacker from the basement, this is a team. This is probably a huge, smart and expensive team.

The lab researchers compared Duqu and Stuxnet and came to the obvious conclusion: they are siblings. One is a destroyer, and the other is an observer. They use the same architectural schemes, the same programming language, even the methods of hiding are almost identical. This is a continuation, another level of the same game, and each time the complexity increased. But the cyber war did not stop there. Someone considered it important to have as much information from the Middle East as possible.

And so in 2012, Iran began to experience system failures. Information was lost, computers began to slow down, and errors appeared. At first, it looked like trivial glitches, but the country already knew how to recognize a digital attack. After Stuxnet and Duqu, Iran knew that if technology began to behave strangely, it might not be a bug but a signal, a signal that someone was again getting into their internal affairs.

Cybersecurity experts began to investigate. The code was cracked, and this caused a real shock. In front of them was not just a virus, but something huge, complex, and wildly thought out. The virus weighed about 20 megabytes. So you understand, most malware is compact programs of 100-200 kilobytes, some more complex ones can reach 1 megabyte, and this one was as much as 20. It's like comparing a pocket knife to a fighter jet.

And this is no longer a virus, it's a whole spy station inside your computer. It was called Flame, and it burned everything in its path, not physically, but informationally. Like Duqu, Flame was engaged in surveillance, but it acted completely differently. Flame could infect computers through fake Windows updates. Yes, exactly those that you habitually install, trusting the system and ticking every checkbox.

The virus learned to forge a Microsoft digital signature. The computer thought, oh, this is an update from Microsoft and installed this update itself. In reality, you installed a spy package yourself. And voluntarily. In addition to Iran, Flame was also found in Lebanon, Syria, Palestine, Sudan and even Israel. Government organizations, oil companies, universities, everything that had at least some significance on the political or strategic map suffered.

With the help of Flame, they collected documents, audio recordings, e-mail correspondence, even leaked network passwords. And the virus was flexible. If a new target appeared, they simply threw the necessary module at it and it adjusted. When Flame was discovered and the media started writing about it, those who controlled it panicked.

The virus was given the command to self-destruct, and it obeyed. Flame began to delete itself from all systems, burn all logs, erase traces and everything that could give at least some chance to determine who its creator was. After Flame was found, specialists all over the world began to look for its relatives. The virus was too sophisticated to be the only one of its kind. It looked like part of an entire ecosystem, where each program performs its own specific task.

And the guess turned out to be correct. That same year, in 2012, specialists from Kaspersky Lab and the Lebanese University found a new digital monster. They named it Gauss, in honor of the mathematician Carl Gauss. But why? Because the virus itself resembled a complex mathematical formula. At first glance, Gauss was similar to Flame; it also had a modular structure.

It's like a toolbox in one suitcase. One module collects passwords, another monitors the browser, and the third connects to bank accounts. But the main difference with Gauss is that it was focused on money. And yes, that's right. Primarily on the banking systems of the Middle East. It collected data on clients, logins, passwords, payment system configurations, tracked who transfers how much to whom and where these amounts go next.

In closed banking networks, where the Internet is prohibited, the virus penetrated the system through infected USB flash drives. Gauss installed itself in the computer's memory and began to monitor. And now the interesting part. One of the Gauss modules was called Godel, in honor of Kurt Gödel, the great logician. The code of this module was encrypted so complexly that even now the best specialists have not been able to crack it.

In general, no one has been able to do it. It's like if you found a box with ancient letters, but not a single linguist in the world could understand what was written there. But it was this module that possibly contained the main function of the virus, the one we will never know about. But what happened next? Gauss began to disappear rapidly. As soon as information about it was published, it immediately received the same command as Flame - to self-destruct.

All infected copies were wiped, logs were overwritten, memory was cleared, and again no trace. Well, now let's go back a little to Duqu, which I already told you about. Despite the fact that it was discovered in 2011, this was not the end. It was developed and improved, and in 2013 a new version, Duqu 2.0, was released almost unnoticed. It appeared at the very moment when negotiations on the Iranian nuclear program began.

If you are not in the know, then I will explain briefly. The West accused Iran of developing nuclear weapons. Iran said, no, we are just building peaceful nuclear power plants. But the tension between the countries was such that it would have been enough for the entire Middle East power grid. These negotiations lasted more than two years, and the largest powers in the world participated in them. And it is clear that behind the scenes there was also a war.

An invisible, unofficial cyber war. And it was precisely for such a war that Duqu 2.0 was created. Its goal, as usual, was to spy, but not just to read other people's emails. It penetrated conference rooms, computers of negotiators, foreign ministries, embassies, hotels where secret meetings were held. It was everywhere Iran's nuclear program was discussed. But here is the most absurd and frightening moment: one of the infected targets was Kaspersky Lab.

Yes, the same people who hunt viruses themselves, who took part in finding Stuxnet, Duqu, Flame and Gauss, and now the virus was in their own systems. Why? To understand what they know. It's like a burglar breaking into a police station and sitting under the detective's desk, listening to someone trying to catch him. But it's smart: you need to know your enemies better than your friends.

And then one day in 2015, Kaspersky specialists noticed something strange. Not a virus in the usual sense, but system behavior that resembled the movement of an alien. And when they started digging, they just gasped. It was Duqu 2.0. It had been living on their servers for a long time. Reading, listening, transmitting. It just watched, silently. Duqu 2.0 was built on the same code as the original Duqu, and therefore ultimately on Stuxnet. But this time, everything was on a different level.

It did not leave traces on the disk; the virus lived in RAM. This means that you turned off the computer, and the virus disappeared. Turned it on, and it suddenly appeared again, if it had had time to reinfect the machine from elsewhere before the shutdown. This approach is called in-memory, or fileless, malware. And this was already real science fiction, because ordinary antiviruses did not see anything suspicious.

Because in fact, there was nothing. No files, no threat. But there was a threat. Now imagine how accurately it worked. It didn’t just infect the system – it looked for specific people, specific points in the negotiation chain. For example, if the foreign minister’s laptop suddenly ended up in a hotel where negotiations were taking place, the virus would activate and start working. It knew where it was, why it was there, and what it had to do.
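The hunt for code that exists only in RAM comes down to finding executable memory that no file on disk accounts for. Here is an added example of that hunt on Linux (my own illustration, not code from the post, and not how Kaspersky found Duqu 2.0): it parses /proc/<pid>/maps and flags executable regions that are anonymous, backed by a memfd, or whose backing file was deleted after loading. The maps lines are constructed sample input.

```python
# Added example, not from the original post: a Linux-side hunt for code that
# lives only in memory, the technique described above for Duqu 2.0 (which
# targeted Windows). Parses /proc/<pid>/maps; the sample below is constructed.

import re

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$")

# Kernel-provided executable regions that are expected and not file-backed.
BENIGN_SPECIAL = {"[vdso]", "[vsyscall]", "[vvar]"}


def suspicious_exec_mappings(maps_text: str) -> list:
    """Return executable mappings with no trustworthy file behind them.
    JIT runtimes (browsers, Java, .NET) legitimately create anonymous
    executable pages, so treat hits as leads to triage, not verdicts."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, _inode, path = m.groups()
        if "x" not in perms or path in BENIGN_SPECIAL:
            continue
        if path == "" or path.startswith("[anon"):
            why = "executable anonymous memory (no backing file)"
        elif path.startswith("/memfd:"):
            why = "executable memfd (file exists only in RAM)"
        elif path.endswith("(deleted)"):
            why = "backing file deleted after load"
        else:
            continue
        hits.append({"range": f"{start}-{end}", "perms": perms,
                     "path": path, "why": why})
    return hits


def scan_live_process(pid: int) -> list:
    """Run the check against a real process (needs read access to /proc)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_exec_mappings(f.read())


# Constructed sample: one normal binary, rw data, and three fileless patterns.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2a1f000 r-xp 00000000 fd:01 1234567 /usr/bin/sshd
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c480000 r-xp 00000000 00:00 0
7f3a1c800000-7f3a1c900000 rwxp 00000000 00:05 98765 /memfd:payload (deleted)
7f3a1cc00000-7f3a1cc10000 r-xp 00000000 fd:01 424242 /tmp/.x/loader (deleted)
7ffd2e5fe000-7ffd2e600000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for hit in suspicious_exec_mappings(SAMPLE_MAPS):
        print(f"{hit['range']} {hit['perms']} {hit['path']!r}: {hit['why']}")
```

The Windows counterpart is the same idea: enumerate executable private memory and modules whose image path does not exist on disk, then triage what remains.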

But why would it need to do that? It's that simple. In negotiations of this level, information is a real weapon: knowing what Iran is going to demand, understanding the weaknesses of the parties, guessing who is ready to give in. And all this could be used in real time to win even before the negotiations were officially over. When Duqu 2.0 was discovered, it was a real sensation. It was a full-fledged attack on the decision-making process.

And this is a level that had never existed before. They started to work on the virus, security systems were updated, new tracking algorithms were developed, but it was very difficult to get rid of it completely. It could remain in memory, penetrate through vulnerabilities in systems, also good old Windows, and disguise itself as ordinary processes. And although it was eventually neutralized, the fact that it existed showed that if you think that cyber war is the future, then you may have already lost.

So, five viruses seriously affected the course of Iran's nuclear program. And it could have been different. Iran quietly and quickly brings developments to completion, gains access to weapons, and the world becomes completely different. But it turned out differently. Failures, leaks, surveillance, sabotage. Instead of acceleration, constant rollbacks and problems.

These viruses did not just slow down the process, they shaped the agenda. And Iran was eventually forced to sit down at the negotiating table. Iran itself officially stated that it had been subjected to cyber attacks, especially after Stuxnet. At that time, the media reported failures in nuclear facilities, leaks, strange breakdowns, but there was never a direct admission of the scale of the damage, although the facts speak for themselves.

And here it is important to understand one very interesting thing. These 5 viruses are only what was found. Many were discovered completely by accident. For example, Flame was found simply because it caused a network anomaly. Duqu 2.0 was found when it was noticed on Kaspersky servers. Now think about how many such viruses were never discovered. And if such viruses already existed in 2010-2015, imagine what is happening today.

In recent years, viruses have appeared that do not just steal money or lure away bitcoins, but monitor entire countries. For example, a virus that hid inside a telecommunications company and listened to the conversations of ministers. The virus was called Regin, and not somewhere far away, but in European countries. And what about India, for example? There, at one of the nuclear facilities, Dtrack was discovered, a virus that picked keys to systems like a thief to a safe.

And not in order to blow it up, but to find out everything. In the US, there was a phenomenal hack, SolarWinds, one update that supposedly updated software, but in fact opened access for hackers to dozens of government agencies. And then there is Germit, a virus that disguised itself as ordinary applications. Viruses of this level seem to tell us that you will not even know that I was here.

And all this is not for money, not for destruction, but for knowledge. Who is friends with whom, who is pressuring whom, what contracts are discussed behind closed doors, and so on. Just think, you can protect your phone with a password, set up a VPN, even keep your laptop in the refrigerator, but if they want to eavesdrop on you, they will still eavesdrop on you. Because in this game, the rules are written not by users, but by viruses.

So do not keep your interesting photos on your computer, otherwise it will suddenly turn out that they will become public knowledge. Well, as usual, you should tape over your webcam with something, otherwise you never know who is watching you. Thank you for watching this video to the end, surely some of you have encountered viruses that steal data, break systems or just make life worse.

So those who will offer some interesting ideas for future videos, I will also be able to thank you. So write. Well, thank you for your attention, well, until we meet again, bye-bye.