Stuxnet
From Wikipedia, the free encyclopedia
Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems,[1] the first to include a programmable logic controller (PLC) rootkit,[2] and the first to target critical industrial infrastructure.[3] It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.[4] Stuxnet includes the capability to reprogram the PLCs and hide its changes.[5]
The worm’s probable target has been said to have been high-value infrastructure in Iran using Siemens control systems.[6][7] According to news reports, the infestation by this worm might have damaged Iran’s nuclear facilities in Natanz[8][9] and eventually delayed the start-up of Iran’s Bushehr Nuclear Power Plant.[10] Siemens has stated, however, that the worm has not in fact caused any damage.[11]
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.” Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60% of the infected computers worldwide were in Iran, suggesting its industrial plants were the target.[12] Kaspersky Labs concluded that the attacks could only have been conducted “with nation-state support”, making Iran the first target of real cyberwarfare.[13][14][15] ………..
Stuxnet attacks Windows systems using four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens’ WinCC/PCS 7 SCADA software. It initially spreads using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system, it uses the default passwords to command the software.[5] Siemens advises immediately upgrading password access codes.[22] ……..
The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure.[1][5] The number of zero-day Windows exploits used is also unusual, as zero-day Windows exploits are valuable, and crackers do not normally waste the use of four different ones in the same worm.[6] Stuxnet is unusually large at half a megabyte in size,[25] and is written in different programming languages (including C and C++), which is also irregular for malware.[1][5] It is digitally signed with two authentic certificates which were stolen[25] from two certification authorities (JMicron and Realtek), which helped it remain undetected for a relatively long period of time.[26] It also has the capability to upgrade via peer-to-peer, allowing it to be updated after the initial command and control server was disabled.[25][27] These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.[25]…… full Wiki entry and references
DCL: you don’t often see such a good article in Wiki.