Stuxnet is a major computer virus, first discovered in June 2010, which was designed to attack Siemens Step7 software running on a Windows operating system.
The worm was at first identified by security firm VirusBlokAda in mid-June 2010, and was originally called ‘Rootkit.Tmphider’.
However, Symantec called it "W32.Temphid", then later altered the name to ‘W32.Stuxnet’. Its current name comes from a splicing of keywords in the software (.stub and mrxnet.sys).
The virus was found when it accidentally spread beyond its intended target (the Natanz nuclear powerplant in Iran) due to a programming error introduced in an update. This led to the worm spreading to an engineer’s computer that had been connected to the centrifuges, then spreading further when the engineer returned home and connected his computer to the Internet.
Kaspersky Lab experts at first estimated that Stuxnet started spreading around March or April 2010, but the first variant of the worm appeared in June 2009. On 15 July 2010, the day the worm’s existence became widely known, a distributed denial-of-service attack was made on the servers for two leading mailing lists on industrial-systems security. This attack, from an unknown source but likely related to Stuxnet, disabled one of the lists and interrupted an important source of information for power plants and factories.
Recently, though, researchers at Symantec uncovered a version of the Stuxnet computer virus that was used to attack Iran’s nuclear programme in November 2007 – developed as early as 2005 when Iran was still setting up its uranium enrichment facility.
The second variant, with substantial improvements, appeared in March 2010, apparently because its authors felt Stuxnet was not spreading fast enough. A third version, with minor improvements, appeared in April 2010. The worm contains a component with a build time-stamp from February 3, 2010. In the UK on November 25, 2010, Sky News reported that it had received information from an anonymous source at an unidentified IT security organisation that Stuxnet, or a variation of the worm, had been traded on the black market.
It is speculated to have been created by US and Israeli agencies to attack Iran’s nuclear facilities.
In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, "we’re glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them", offering "winking acknowledgement" of US involvement in Stuxnet.
According to The Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defense Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.
On 1 June 2012, an article in The New York Times said that Stuxnet is part of a US and Israeli intelligence operation called ‘Operation Olympic Games’, started under President George W. Bush and expanded under President Barack Obama.
On 24 July 2012, an article by Chris Matyszczyk from CNET reported how the Atomic Energy Organization of Iran e-mailed F-Secure’s chief research officer Mikko Hyppönen to report a new instance of malware.
On 25 December 2012, an Iranian semi-official news agency announced there was a cyberattack by Stuxnet, this time on the industries in the southern area of the country. The virus targeted a power plant and some other industries in Hormozgan province in recent months.
According to expert Eugene Kaspersky, the worm also infected a nuclear powerplant in Russia. Kaspersky noted, however, that since the powerplant is not connected to the public Internet, the system should remain safe.
How it works
Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
The worm initially spreads indiscriminately, but includes a highly specialised malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.
Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.
For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behaviour.
Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:
1. The Windows operating system,
2. Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
3. One or more Siemens S7 PLCs.
Windows infection
Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm).
It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet.
The number of zero-day exploits used is particularly unusual, as they are highly valued and malware creators do not normally expend four different ones on a single worm. Stuxnet is unusually large at half a megabyte in size, and written in several different programming languages (including C and C++), which is also irregular for malware. The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.
The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan. The driver signing helped it install kernel-mode rootkit drivers successfully without users being notified, and therefore to remain undetected for a relatively long period of time. Both compromised certificates have been revoked by VeriSign.
Two websites in Denmark and Malaysia were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.
Step 7 software infection
According to researcher Ralph Langner, once installed on a Windows system Stuxnet infects project files belonging to Siemens’ WinCC/PCS 7 SCADA control software (Step 7), and subverts a key communication library of WinCC called s7otbxdx.dll. Doing so intercepts communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system.
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.
Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and suggests installing Microsoft updates for security vulnerabilities and prohibiting the use of third-party USB flash drives. The firm also advises upgrading passwords immediately.
The worm’s ability to reprogramme external PLCs may complicate the removal procedure. Symantec’s Liam O’Murchu warns that fixing Windows systems may not completely solve the infection, stating that a thorough audit of PLCs might be required.
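The masking behaviour described under Step 7 software infection, and why O’Murchu’s PLC audit cannot be done through the compromised engineering station, can be modelled in a few lines. The example below is added here and is not Stuxnet code or any Siemens tool: the block names and contents are constructed, "FC999" is a made-up block, and the readers are toy stand-ins for an independent PLC read path and for the hooked s7otbxdx.dll.

```python
import hashlib

# Constructed sample data: PLC code blocks as name -> bytes. Names follow the
# Siemens OB/FC convention, but the contents and the block "FC999" are made up.
CLEAN_BLOCKS = {
    "OB1": b"main cycle: read inputs, call FC1, write outputs",
    "OB35": b"cyclic interrupt: watchdog",
    "FC1": b"process logic",
}
INFECTED_BLOCKS = dict(CLEAN_BLOCKS,
                       OB1=CLEAN_BLOCKS["OB1"] + b"; call FC999",  # entry block hijacked
                       FC999=b"injected logic")                     # new block on the PLC

def block_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DirectReader:
    """Reads what is really on the PLC: an independent, trusted read path."""
    def __init__(self, blocks): self.blocks = blocks
    def list_blocks(self): return sorted(self.blocks)
    def read_block(self, name): return self.blocks[name]

class HookedReader(DirectReader):
    """Models the subverted communication library: the PLC really is infected,
    but reads of blocks the rootkit cares about are answered with the clean
    pre-infection copy, and injected blocks are hidden from the block list."""
    def __init__(self, blocks, cover):
        super().__init__(blocks)
        self.cover = cover  # clean copies shown to the engineering station
    def list_blocks(self): return sorted(n for n in self.blocks if n in self.cover)
    def read_block(self, name): return self.cover.get(name, self.blocks[name])

def audit_plc(baseline: dict, reader) -> dict:
    """Compare baseline hashes (from the archived project) with what `reader`
    reports; return the modified, unexpected and missing block names."""
    present = set(reader.list_blocks())
    modified = [n for n, h in baseline.items()
                if n in present and block_hash(reader.read_block(n)) != h]
    return {"modified": sorted(modified),
            "unexpected": sorted(present - set(baseline)),
            "missing": sorted(set(baseline) - present)}

BASELINE = {n: block_hash(b) for n, b in CLEAN_BLOCKS.items()}

if __name__ == "__main__":
    # The same infected PLC looks clean through the hooked library...
    print("hooked library:  ", audit_plc(BASELINE, HookedReader(INFECTED_BLOCKS, CLEAN_BLOCKS)))
    # ...and only the independent read path reveals the changes.
    print("independent read:", audit_plc(BASELINE, DirectReader(INFECTED_BLOCKS)))
```

The practical takeaway is that an audit must compare block hashes obtained through a path the infected host cannot intercept against an archived copy of the project, not rely on what the engineering station displays.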