Feeds

Mystery lingers over stealthy Stuxnet infection

Cloak and dagger

SANS - Survey on application security programs

Analysis The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates.

The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens Simatic WinCC SCADA system software. The technology is used in industrial control systems in power plants, oil pipelines and factories.

In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) and rootlet-style technology, factors that helped the malware stay under the radar for much longer than might normally be the case. The malware is capable of reprogramming the programmable logic controllers (PLCs) of control systems. Infected USB sticks are reckoned to be the main route of initial infection but once established Stuxnet spreads via default shares.

It was first detected by VirusBlokAda, an anti-virus firm based in Belarus, in late June, and confirmed by other security firms shortly afterwards in July.

Some have used this, along with the pattern of the worm's infection and sophistication, to suggest it was the work of an intelligence agency rather than regular cybercrooks and that its objective may have been to damage Iran's new nuclear reactor in Bushehr.

"Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus," Mahmoud Jafari, a facility projects manager, at Bushehr, told Iran's official Islamic Republic News Agency, the Wall Street Journal reports. He added that no significant damage was caused and the infection is unlikely to delay the scheduled completion of the plant next month. State media, by contrast, is reporting no infection at Iranian nuclear facilities.

Figures from Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been affected than those inside Iran since the malware was first detected, back in July. However, binaries later associated with the malware were detected months before this, leading some to suggest Stuxnet may have been around for as long as a year.

The Russian anti-virus firm said that there's no firm evidence of the intended target much less who the creators of the attack are. However it is possible to narrow down the possibilities. Kaspersky describes the worm as a "one-of-a-kind, sophisticated malware attack" backed by a "well-funded, highly skilled attack team with intimate knowledge of SCADA technology".

"We believe this type of attack could only be conducted with nation-state support and backing," it concludes.

Other antivirus analysts agree with Kaspersky that the primary aim of the malware was sabotage rather than to information extraction (spying).

A comprehensive technical FAQ on the Stuxnet from McAfee can be found here. More detail on how Stuxnet infects systems can be found in an overview, complete with helpful diagrams, from Symantec, here.

Theories and further analysis about Stuxnet, which has started to receive widespread mainstream coverage over the last few days thanks to the Iranian nuke plant angle, are due to be discussed at the Virus Bulletin conference in Vancover later this week. For a contrary view, that the whole thing has been ridiculously overhyped, see Vmyths here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.