Every few years, a malware program comes along that ups the ante in the world of IT security risks. Code Red infected hundreds of thousands of IIS Web servers in 2001 and led to Microsoft's increased focus on secure software development. In 2003, SQL Slammer infected nearly every unpatched SQL Server instance on the Internet in about 10 minutes. The MS-Blaster worm revealed the chewy center of most firewall-protected perimeters. The big mass-mailing worms Sobig, MyDoom, Netsky, and Bagle proved that hackers didn't need unprotected open SMTP relays to send spam. Banking Trojans taught us that nearly any authentication protection can be bypassed in order to empty bank accounts.
Now we have Stuxnet, which has deservedly garnered a fair share of media coverage over the past few months. The malware is unlike any threat we've previously seen. If Stuxnet is a sign of things to come, it will be hard to remember a time when our biggest malware fears were merely boot-sector viruses, rogue file attachments, and macro viruses.
For starters, Stuxnet is the first worm directly coded to attack power plant and other industrial control systems, including SCADA (supervisory control and data acquisition) systems. Although SCADA systems are already notorious for lacking conventional security controls, Stuxnet does not attack them indiscriminately: it looks for specific Siemens SCADA software and, when it finds it, reprograms the attached PLCs (programmable logic controllers) and hides those changes with the first known PLC-specific rootkit. (Symantec offers an excellent layman's analysis of this part of the worm in a whitepaper [PDF] called "W32.Stuxnet Dossier.")
The theory is that Stuxnet's creators want the ability to remotely control and sabotage power plants and similar industrial facilities. Many observers believe Iran was a direct target, given that it accounted for the majority of observed infections. Further buttressing this hypothesis is the appearance of the word "Myrtus" within the worm. Myrtus could be a Biblical reference to the Book of Esther, which tells of a foiled Persian plot.
Unbeknownst to most people, power plants and other industrial systems have been under direct attack for many years. At least one expert has claimed that control systems have been compromised at least 125 times, with one such incident contributing to a death in the United States. I haven't seen the source documentation and evidence of this, however. NERC (the North American Electric Reliability Corporation) has publicly stated that no deaths or disruptions in service have yet occurred due to computer compromises -- but NERC's remit is the bulk power system, so the two data sets may not overlap completely.
I've also read that foreign power plants have been successfully held for ransom and that service interruptions have occurred (along with at least one documented death). That malware is directly targeting already weak SCADA systems is not a good thing.