Stuxnet may have damaged as many as 1,000 centrifuges in a single Iranian facility, and variants will target other non-PC devices, security researchers said.
The Stuxnet Trojan may have knocked out as many as 1,000
centrifuges at Iran's nuclear facility earlier this year, according to a
security paper. Experts said it heralds a new breed of Trojans that will attack
more devices that aren't computers in 2011.
"We need to think above and beyond expected targets, which
are not servers or routers," Adam Bosnian, an executive vice president for
information security company Cyber-Ark, told eWEEK.
According to a Dec. 24 article in
the Jerusalem Post
, it was possible Stuxnet hit as many as 1,000 of the
approximately 10,000 IR-1 centrifuges at Iran's Natanz uranium enrichment facility
The article was based on a paper from the Washington-based Institute for
Science and International Security which analyzed the malware's code.
David Albright, the Institute's president, told the
Jerusalem Post that the virus caused the engines in Iran's IR-1 centrifuges,
which normally runs at 1,007 cycles per second, to speed up to as fast as 1,064
cycles per second, causing the vibrations to break the motors. Stuxnet was
meant to be subtle and work slowly by causing "small amounts of damage" that would
not make the system operators suspect a malware, he said.
Security researchers at Panda Security said specialized
malware like Stuxnet will "undoubtedly increase" but that many of these attacks
will go "unnoticed" by the general public.
Stuxnet infected the machines via USB thumb drives by
exploiting an AutoRun bug in the Windows
operating system. That bug, and a few
others Stuxnet exploited
, have since then been patched by Microsoft
. Once on
the machine, the malware checked for software programs that run Supervisor
Control and Data Acquisition systems, often used to monitor automated industrial
processes. If the infected machine happened to have logical controllers from
, Stuxnet logged in using the software's default password, which is the same
for all Siemens controllers.
Despite being a major security vulnerability, a number of
products still ship with a default password, said Bosnian. For a number of
years, Oracle shipped its databases with 32 embedded passwords, one for each
role, and if the customer didn't change each of these passwords, the company
was left with a gaping security hole, he said. "But at least they let you
change it," Bosnian said.
Future Stuxnet variants can exploit physical
infrastructure such as power grid controls or electronic voting systems,
according to Paul Wood, of Symantec Hosted Services.
Enterprises have a number of systems and software that
still have factory default passwords, or passwords that are so deeply embedded
that they can't be changed by the customer, said Bosnian. Businesses don't
think about the less obvious targets, such as a "copier, video conferencing
system, or anything with memory and processors," he said.
Such was the case with Cisco's
Unified Video Conferencing 5100 series
products, which had a hardcoded
password for several accounts that can't be changed or deleted, according to
Bosnian. Cisco announced a free software upgrade to close the vulnerability in
November, and also suggested a workaround where access to the
Cisco UVC Web server was limited to only trusted hosts via access control lists
on the network's routers and switches.
IT teams need to do a thorough audit on systems to change
all default passwords, he said. Building walls to restrict access from the
outside is not enough because administrators need to "start with the assumption
that the bad guys are already in the network," he said.
Security analysts have speculated that Stuxnet used thumb
drives to spread because many SCADA systems are not connected to the Internet,
but have a USB port. Once on a device, it can replicate over the local network.
The point of entry can be something as innocuous as programmable and network-ready
coffee makers, many of which come with USB ports, said Ed Cohen, vice-president
of e-mail security at SonicWALL. "If my coffee maker is on the network, it can
infect my computers," he said.
While Stuxnet has hit computers in various countries,
including the United States, Indonesia, Malyasia, United Kingdom, and
Australia, Iran was perhaps the hardest hit, with over 62,000 infected
machines, according to Symantec.