The Stuxnet Trojan may have knocked out as many as 1,000 centrifuges at Iran's nuclear facility earlier this year, according to a security paper. Experts said it heralds a new breed of Trojans that will attack more devices that aren't computers in 2011.
"We need to think above and beyond expected targets, which are not servers or routers," Adam Bosnian, an executive vice president for information security company Cyber-Ark, told eWEEK.
According to a Dec. 24 article in the Jerusalem Post, it was possible Stuxnet hit as many as 1,000 of the approximately 10,000 IR-1 centrifuges at Iran's Natanz uranium enrichment facility. The article was based on a paper from the Washington-based Institute for Science and International Security which analyzed the malware's code.
David Albright, the Institute's president, told the Jerusalem Post that the virus caused the engines in Iran's IR-1 centrifuges, which normally runs at 1,007 cycles per second, to speed up to as fast as 1,064 cycles per second, causing the vibrations to break the motors. Stuxnet was meant to be subtle and work slowly by causing "small amounts of damage" that would not make the system operators suspect a malware, he said.
Security researchers at Panda Security said specialized malware like Stuxnet will "undoubtedly increase" but that many of these attacks will go "unnoticed" by the general public.
Stuxnet infected the machines via USB thumb drives by exploiting an AutoRun bug in the Windows operating system. That bug, and a few others Stuxnet exploited, have since then been patched by Microsoft. Once on the machine, the malware checked for software programs that run Supervisor Control and Data Acquisition systems, often used to monitor automated industrial processes. If the infected machine happened to have logical controllers from Siemens, Stuxnet logged in using the software's default password, which is the same for all Siemens controllers.
Despite being a major security vulnerability, a number of products still ship with a default password, said Bosnian. For a number of years, Oracle shipped its databases with 32 embedded passwords, one for each role, and if the customer didn't change each of these passwords, the company was left with a gaping security hole, he said. "But at least they let you change it," Bosnian said.
Future Stuxnet variants can exploit physical infrastructure such as power grid controls or electronic voting systems, according to Paul Wood, of Symantec Hosted Services.
Enterprises have a number of systems and software that still have factory default passwords, or passwords that are so deeply embedded that they can't be changed by the customer, said Bosnian. Businesses don't think about the less obvious targets, such as a "copier, video conferencing system, or anything with memory and processors," he said.
Such was the case with Cisco's Unified Video Conferencing 5100 series products, which had a hardcoded password for several accounts that can't be changed or deleted, according to Bosnian. Cisco announced a free software upgrade to close the vulnerability in November, and also suggested a workaround where access to the Cisco UVC Web server was limited to only trusted hosts via access control lists on the network's routers and switches.
IT teams need to do a thorough audit on systems to change all default passwords, he said. Building walls to restrict access from the outside is not enough because administrators need to "start with the assumption that the bad guys are already in the network," he said.
Security analysts have speculated that Stuxnet used thumb drives to spread because many SCADA systems are not connected to the Internet, but have a USB port. Once on a device, it can replicate over the local network. The point of entry can be something as innocuous as programmable and network-ready coffee makers, many of which come with USB ports, said Ed Cohen, vice-president of e-mail security at SonicWALL. "If my coffee maker is on the network, it can infect my computers," he said.
While Stuxnet has hit computers in various countries, including the United States, Indonesia, Malyasia, United Kingdom, and Australia, Iran was perhaps the hardest hit, with over 62,000 infected machines, according to Symantec.