Feeds

Mystery lingers over stealthy Stuxnet infection

Cloak and dagger

Choosing a cloud hosting partner with confidence

Analysis The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates.

The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens Simatic WinCC SCADA system software. The technology is used in industrial control systems in power plants, oil pipelines and factories.

In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) and rootlet-style technology, factors that helped the malware stay under the radar for much longer than might normally be the case. The malware is capable of reprogramming the programmable logic controllers (PLCs) of control systems. Infected USB sticks are reckoned to be the main route of initial infection but once established Stuxnet spreads via default shares.

It was first detected by VirusBlokAda, an anti-virus firm based in Belarus, in late June, and confirmed by other security firms shortly afterwards in July.

Some have used this, along with the pattern of the worm's infection and sophistication, to suggest it was the work of an intelligence agency rather than regular cybercrooks and that its objective may have been to damage Iran's new nuclear reactor in Bushehr.

"Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus," Mahmoud Jafari, a facility projects manager, at Bushehr, told Iran's official Islamic Republic News Agency, the Wall Street Journal reports. He added that no significant damage was caused and the infection is unlikely to delay the scheduled completion of the plant next month. State media, by contrast, is reporting no infection at Iranian nuclear facilities.

Figures from Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been affected than those inside Iran since the malware was first detected, back in July. However, binaries later associated with the malware were detected months before this, leading some to suggest Stuxnet may have been around for as long as a year.

The Russian anti-virus firm said that there's no firm evidence of the intended target much less who the creators of the attack are. However it is possible to narrow down the possibilities. Kaspersky describes the worm as a "one-of-a-kind, sophisticated malware attack" backed by a "well-funded, highly skilled attack team with intimate knowledge of SCADA technology".

"We believe this type of attack could only be conducted with nation-state support and backing," it concludes.

Other antivirus analysts agree with Kaspersky that the primary aim of the malware was sabotage rather than to information extraction (spying).

A comprehensive technical FAQ on the Stuxnet from McAfee can be found here. More detail on how Stuxnet infects systems can be found in an overview, complete with helpful diagrams, from Symantec, here.

Theories and further analysis about Stuxnet, which has started to receive widespread mainstream coverage over the last few days thanks to the Iranian nuke plant angle, are due to be discussed at the Virus Bulletin conference in Vancover later this week. For a contrary view, that the whole thing has been ridiculously overhyped, see Vmyths here. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.