Feeds

Mystery lingers over stealthy Stuxnet infection

Cloak and dagger

Beginner's guide to SSL certificates

Analysis The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates.

The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens Simatic WinCC SCADA system software. The technology is used in industrial control systems in power plants, oil pipelines and factories.

In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) and rootlet-style technology, factors that helped the malware stay under the radar for much longer than might normally be the case. The malware is capable of reprogramming the programmable logic controllers (PLCs) of control systems. Infected USB sticks are reckoned to be the main route of initial infection but once established Stuxnet spreads via default shares.

It was first detected by VirusBlokAda, an anti-virus firm based in Belarus, in late June, and confirmed by other security firms shortly afterwards in July.

Some have used this, along with the pattern of the worm's infection and sophistication, to suggest it was the work of an intelligence agency rather than regular cybercrooks and that its objective may have been to damage Iran's new nuclear reactor in Bushehr.

"Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus," Mahmoud Jafari, a facility projects manager, at Bushehr, told Iran's official Islamic Republic News Agency, the Wall Street Journal reports. He added that no significant damage was caused and the infection is unlikely to delay the scheduled completion of the plant next month. State media, by contrast, is reporting no infection at Iranian nuclear facilities.

Figures from Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been affected than those inside Iran since the malware was first detected, back in July. However, binaries later associated with the malware were detected months before this, leading some to suggest Stuxnet may have been around for as long as a year.

The Russian anti-virus firm said that there's no firm evidence of the intended target much less who the creators of the attack are. However it is possible to narrow down the possibilities. Kaspersky describes the worm as a "one-of-a-kind, sophisticated malware attack" backed by a "well-funded, highly skilled attack team with intimate knowledge of SCADA technology".

"We believe this type of attack could only be conducted with nation-state support and backing," it concludes.

Other antivirus analysts agree with Kaspersky that the primary aim of the malware was sabotage rather than to information extraction (spying).

A comprehensive technical FAQ on the Stuxnet from McAfee can be found here. More detail on how Stuxnet infects systems can be found in an overview, complete with helpful diagrams, from Symantec, here.

Theories and further analysis about Stuxnet, which has started to receive widespread mainstream coverage over the last few days thanks to the Iranian nuke plant angle, are due to be discussed at the Virus Bulletin conference in Vancover later this week. For a contrary view, that the whole thing has been ridiculously overhyped, see Vmyths here. ®

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.