IT Security & Network Security News & Reviews: Stuxnet Worm: Nine Facts Every IT Security Pro Should Know

By Brian Prince  |  Posted 2010-09-30

The Target

Security researchers have traced the Stuxnet worm back as far as June 2009. It targeted the control systems at industrial plants, specifically Siemens' WinCC and Step 7 software. Historical data shows that Iran (nearly 59 percent), Indonesia (18.22 percent) and India (8.31 percent) accounted for most of the early infections. According to Siemens, 15 of its customers had detected the worm on their systems as of Sept. 14. None of them reported that it did any damage.

Digital Certificates to Go

As part of its tactics, Stuxnet used digital certificates stolen from legitimate companies, Realtek Semiconductor and JMicron Technology, to sign its driver components so they would pass as trusted vendor code. The stolen certificates helped keep the malware under the radar: a signature made with a stolen private key looks exactly like a legitimate one until the certificate is revoked, so a valid signature alone is no proof that a driver is benign.

Zero Hour

Variants of Stuxnet exploited four zero-day vulnerabilities in Windows: three that were unknown until the worm was analyzed, plus a fourth that Microsoft had not been tracking although it had been described publicly in 2009. Two of the four are escalation-of-privilege flaws that remained unpatched as of this writing. In addition, the worm exploited the already-patched Windows Server Service RPC vulnerability (MS08-067) that the Conficker worm used.

Before the .LNK Vulnerability

The first zero-day publicly associated with Stuxnet was a vulnerability in how Windows loads .LNK (shortcut) files. Before that, early versions of Stuxnet spread through Windows' AutoRun feature. Rather than exploiting a bug, the malware took advantage of the way AutoRun processes commands from autorun.inf files: Windows reads the file as a loose INI file and ignores lines it does not understand, so a single file could be both the worm's executable and a valid autorun.inf whose command AutoRun would run, getting the system to execute the worm's malicious code.
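The parsing tolerance described above, and a check a defender can run on removable media, as an added example that is not code from the article or from Stuxnet itself. The parser approximates Windows' lenient INI handling of autorun.inf (keep `[section]` headers and `key=value` lines, drop everything else); that behaviour is stated here as an assumption rather than taken from the article. Both sample files, the 5% non-text threshold and the list of executable extensions are constructed for the illustration.

```python
"""Lenient autorun.inf parsing and a polyglot check (added illustration)."""
import re

SECTION_RE = re.compile(rb"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(rb"^\s*(?P<key>[A-Za-z][A-Za-z0-9_]*)\s*=\s*(?P<value>.*?)\s*$")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")   # assumption: what 'open=' should point at

# Constructed benign autorun.inf, as a vendor might ship on a driver CD.
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Tools\r\n"

# Constructed polyglot: an MZ-looking header plus binary junk first, INI last.
# The junk stands in for an executable image; the [autorun] section at the
# end is all a lenient parser acts on.
POLYGLOT = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
            + bytes(range(256))
            + b"\r\n[autorun]\r\nopen=autorun.inf\r\n")


def parse_autorun(data: bytes) -> dict:
    """Return {section: {key: value}}, ignoring any line that is not INI syntax."""
    result, current = {}, None
    for raw in data.splitlines():          # bytes.splitlines splits on \n, \r, \r\n only
        m = SECTION_RE.match(raw)
        if m:
            current = m.group("name").decode("latin-1").strip().lower()
            result.setdefault(current, {})
            continue
        if current is None:
            continue                       # bytes before the first section are dropped
        m = KEY_RE.match(raw)
        if m:
            key = m.group("key").decode("latin-1").lower()
            result[current][key] = m.group("value").decode("latin-1")
    return result


def autorun_command(data: bytes):
    """The command AutoRun would run: 'open' wins, then 'shellexecute'."""
    sec = parse_autorun(data).get("autorun", {})
    return sec.get("open") or sec.get("shellexecute")


def suspicious_autorun(data: bytes) -> list:
    """Reasons a defender scanning removable media should distrust this file."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("starts with an MZ executable header")
    junk = 0
    for raw in data.splitlines():
        if not raw.strip() or raw.lstrip().startswith((b";", b"#")):
            continue                       # blank lines and comments are normal
        if SECTION_RE.match(raw) or KEY_RE.match(raw):
            continue
        junk += 1
    if junk:
        reasons.append(f"{junk} line(s) that are not INI syntax")
    non_text = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    if non_text > len(data) // 20:         # constructed threshold: more than 5% non-text
        reasons.append("more than 5% non-text bytes")
    cmd = autorun_command(data)
    if cmd and not cmd.lower().endswith(EXEC_EXTENSIONS):
        reasons.append(f"open target {cmd!r} is not an executable extension")
    return reasons


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("polyglot", POLYGLOT)):
        print(name, "->", autorun_command(blob), suspicious_autorun(blob))
```

Both files yield an `open=` command from the lenient parser; only the polyglot trips the checks (MZ header, non-INI lines, binary content, a self-referencing target). Disabling AutoRun for removable drives removes the vector outright; the check is for media you still have to inspect.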

Inside Stuxnet

Each of the exported functions of the worm's main DLL (pictured in the original slide) performs a different action. For example, some exports communicate with a command-and-control server; others access files created by the Step 7 software or install a kernel-level rootkit. The worm also checks whether certain anti-virus products are running.

Be Fruitful and Multiply

Researchers have uncovered multiple propagation vectors for the worm. In addition to spreading on infected USB devices, the worm copies itself to network shares protected by weak passwords. Stuxnet can also update itself peer-to-peer, so infected machines could receive new versions from each other even after the initial command-and-control server was disabled. (The original slide shows a map of infections.)
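The detection side of the share-copying vector, as an added example that is not from the article or from any Stuxnet analysis: a worm that copies itself to shares authenticates from one host to many others in a short time, and a weak-password share shows up as failed logons followed by a success from the same source. The log format below is a constructed, simplified one-record-per-line layout (not real Windows Security event text); the event IDs 4624/4625 and logon type 3 follow Windows' conventions, while the sample lines, hostnames, the 5-minute window and the 4-target threshold are all made up for the illustration.

```python
"""Flag one host fanning out over network logons, and guessed passwords
(added illustration, constructed log format).

Record layout (constructed, not Windows' own event text):
    <ISO time> <event id> <logon type> <source ip> <target host> <account>
4624 = successful logon, 4625 = failed logon, logon type 3 = network (SMB shares).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2010-09-14T08:00:01 4624 3 10.0.5.17 ENG-WS01 svc_admin
2010-09-14T08:00:04 4625 3 10.0.5.40 HMI-02 administrator
2010-09-14T08:00:05 4625 3 10.0.5.40 HMI-02 administrator
2010-09-14T08:00:06 4624 3 10.0.5.40 HMI-02 administrator
2010-09-14T08:00:20 4624 3 10.0.5.40 HMI-03 administrator
2010-09-14T08:00:35 4624 3 10.0.5.40 ENG-WS02 administrator
2010-09-14T08:00:51 4624 3 10.0.5.40 PLC-GW1 administrator
2010-09-14T08:01:10 4624 3 10.0.5.40 FILESRV administrator
2010-09-14T09:30:00 4624 3 10.0.5.17 FILESRV svc_admin
2010-09-14T09:31:00 4624 2 10.0.5.17 ENG-WS01 jsmith
"""


def parse_events(text: str) -> list:
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, src, dst, acct = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "src": src, "dst": dst, "account": acct})
    return events


def find_fanout(events, window=timedelta(minutes=5), min_targets=4) -> dict:
    """Return {src: sorted targets} for sources that succeeded at network logons
    to at least `min_targets` distinct hosts within any `window` (assumed thresholds)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):          # slide the window from each logon
            targets = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


def find_guessing(events) -> dict:
    """Return {(src, dst, account): failure_count} where one or more failed logons
    were followed by a success for the same triple: a weak or guessed password."""
    failures = defaultdict(int)
    hits = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["src"], e["dst"], e["account"])
        if e["event_id"] == 4625:
            failures[key] += 1
        elif e["event_id"] == 4624 and failures.get(key):
            hits[key] = failures[key]
            failures[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("fan-out:", find_fanout(evs))
    print("guessed:", find_guessing(evs))
```

On the constructed sample, 10.0.5.40 reaches five hosts inside a minute and only got into HMI-02 after two failures, which is the pattern to hunt for; the administrative host 10.0.5.17 touches two shares over 90 minutes and stays below the threshold. Tune the window and target count to the normal behaviour of your own management hosts before trusting the alert.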

The Discovery

In July, VirusBlokAda reported that its researchers had discovered malware in June that was exploiting the .LNK vulnerability. Analysis by the security community quickly revealed that the malware targeted SCADA (supervisory control and data acquisition) systems.

The Solution

As the weeks wore on, Microsoft patched some of the vulnerabilities the worm used, while security vendors added detection for it. For its part, Siemens distributed a removal tool developed by Trend Micro to help customers clean their systems. (The original slide graphs recent infection levels worldwide.)

Cyber-war?

An open question, given Stuxnet's sophistication, is whether the malware was created on behalf of an intelligence agency to disrupt industrial systems, particularly since Iran's first nuclear power plant was found to be infected. Others have suggested it could be the work of a well-funded team of experts. While no firm evidence of state sponsorship has been uncovered, several security analysts have described it as a wake-up call for SCADA security.
