The computer virus that could cause a nuclear explosion.
How it works
Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
The worm initially spreads indiscriminately, but includes a highly specialised malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.
Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.
For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behaviour.
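A defender-side illustration of the sensor-faking point above, as an added example that is not code from the original article or from Siemens or Symantec: replayed "normal" readings repeat verbatim, which real noisy analogue signals almost never do, and they diverge from any measurement that does not pass through the compromised engineering-software path. The sensor values and the independent reference are constructed sample data, and the existence of an out-of-band reference sensor is an assumption.

```python
"""Detect replayed or faked HMI sensor streams (constructed example data)."""


def find_exact_repeats(samples, window):
    """Return (first_start, repeat_start) pairs for every run of `window`
    consecutive readings that recurs verbatim later in the stream.
    An exact repeat of a whole window is a strong sign of recorded data."""
    seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in seen:
            hits.append((seen[key], i))
        else:
            seen[key] = i
    return hits


def divergence(hmi, independent, tolerance):
    """Indices where the HMI-reported value differs from an independent
    (assumed out-of-band) measurement by more than `tolerance`."""
    return [i for i, (a, b) in enumerate(zip(hmi, independent))
            if abs(a - b) > tolerance]


def assess(hmi, independent, window=8, tolerance=5.0):
    """Combine both checks into a list of findings (empty means clean)."""
    findings = []
    if find_exact_repeats(hmi, window):
        findings.append("replayed-window")
    if divergence(hmi, independent, tolerance):
        findings.append("hmi-independent-mismatch")
    return findings


# Constructed data: eight genuine noisy readings, then the same eight
# replayed to the operator while the real process drifts upwards.
LIVE = [1000.3, 999.7, 1000.9, 1001.2, 999.4, 1000.0, 1000.6, 999.8]
HMI_STREAM = LIVE + LIVE
INDEPENDENT = LIVE + [1010.2, 1025.7, 1041.3, 1058.9,
                      1077.4, 1096.2, 1115.8, 1136.5]

if __name__ == "__main__":
    print(find_exact_repeats(HMI_STREAM, 8))   # [(0, 8)]
    print(divergence(HMI_STREAM, INDEPENDENT, 5.0))  # [8, 9, ..., 15]
    print(assess(HMI_STREAM, INDEPENDENT))
```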
Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:
1. The Windows operating system,
2. Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
3. One or more Siemens S7 PLCs.
Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm).
It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet.
The number of zero-day exploits used is particularly unusual, as they are highly valued and malware creators do not normally waste the use of four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size, and written in several different programming languages (including C and C++), which is also irregular for malware. The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.
The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan. The driver signing helped it install kernel-mode rootkit drivers successfully without users being notified, and therefore to remain undetected for a relatively long period of time. Both compromised certificates have been revoked by VeriSign.
Two websites in Denmark and Malaysia were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.
Step 7 software infection
According to researcher Ralph Langner, once installed on a Windows system Stuxnet infects project files belonging to Siemens’ WinCC/PCS 7 SCADA control software (Step 7), and subverts a key communication library of WinCC called s7otbxdx.dll. Doing so intercepts communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system.
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and suggests installing Microsoft updates for security vulnerabilities and prohibiting the use of third-party USB flash drives. The firm also advises upgrading passwords immediately.
The worm’s ability to reprogramme external PLCs may complicate the removal procedure. Symantec’s Liam O’Murchu warns that fixing Windows systems may not completely solve the infection, stating that a thorough audit of PLCs might be required.