Jonathan Baulch
A worm that spreads via USB drives Exploits a previously unknown vulnerability
in Windows Trojan backdoor that looks for a specific softwarecreated by Siemens
June 2009 – Earliest Stuxnet version seen. Lacks many complexities of the later versions
January 25, 2010 – Stuxnet driver signed with valid certificate from Realtek Semiconductor Corps
June 17, 2010 – Virusblokada reports W32.Stuxnet named RootkitTmphider
July 13, 2010 – Symantec adds detection known as W32.Temphid
July 16, 2010 – Verisign revokes Realtek Semiconductor Corps certificate
July 17, 2010 – Eset identifies new Stuxnet driver with certificate from JMicron Technology Corp.
July 19, 2010 – Siemens reports they are investigating reports of malware affecting Siemens WinCC SCADA systems
August 6, 2010 – Symantec reports how Stuxnet can inject and hide code on a PLC
September 30, 2010 – Symantec presents at Virus Bulletin and releases comprehensive analysis of Stuxnet
Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
Spreads in a LAN through a vulnerability in the Windows Print Spooler
Copies and executes itself on remote computers through network shares
Copies and executes itself on remote computers running a WinCC database server
Copies itself into Step 7 projects in such a way that it automatically loads when Step 7 is run
Updates itself through a peer-to-peer mechanism within a LAN
Exploits 4 different zero-day Microsoft vulnerabilities
Contacts a command and control server that allows a hacker to download and execute code
Contains a Windows rootkit that hides its binaries
Attempts to bypass security products
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
Hides modified code on PLCs
PLC – Programmable Logic Controller◦ Loaded with blocks of code and data written using
a variety of languages such as STL or SCL
◦ PLCs are small embedded industrial control systems that run automated processes on factory floors, chemical and nuclear plants, oil refineries, etc.
It has yet to be discovered who authored the Stuxnet worm and who/what the target was.◦ Research project that got out of control. There is
history of accidental releases of worms by researches before.
◦ Criminal worm designed to demonstrate the power the authors possess.
◦ Worm released by the U.S. military to scare government into increasing the budget for cyber security.
◦ Developed by Israel to attack Iran
Iran was one of the top countries to be affected most by the Stuxnet worm.
Iran currently is constructing a nuclear plant in Bushehr and experts believe the delays have been the result of Stuxnet.
Report by Siemens expert, Ralph Langer, says that Stuxnet could easily cause a refinery’s centrifuge to malfunction.
Stuxnet achieved many things in the malicious code realm
First to exploit 4 0-day vulnerabilities
Compromised 2 digital certificates
Injected code into industrial control systems and hid the code from operators.
Many experts say it is the most complex malicious software created in the history of cyber security.
Highlights that it is possible to attack critical infrastructures in places other than Hollywood movies.
Improbable that copy cat attacks will begin to be mass produced due to the complexity of the software.
W32.Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Schneier on Security - http://www.schneier.com/blog/archives/2010/10/stuxnet.html Details on the first-ever control system malware - http://news.cnet.com/8301-27080_3-20011159-
245.html