What we really know about the Stuxnet worm

Following the most detailed report on Stuxnet to date, here are the facts -- without the speculation

Last week, Symantec released the most detailed report on Stuxnet yet.

While there has been much speculation in the media about Stuxnet, its creators, and, most of all, the target of the attack, the report provides a solid foundation of facts. Overall, the report presents a picture of a complex and professionally crafted threat that targeted a specific subset of industrial systems.

[ InfoWorld's Roger Grimes calls Stuxnet smarter -- and deadlier -- than the average worm. | Find out how to block the viruses, worms, and other malware that threaten your business with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]

"The code is professionally written; it is coded to a very high standard," says Liam O Murchu, a researcher with Symantec's Security Response, who spoke to reporters on Friday. "They were very careful not to leave traces in the code that could lead back to them."

Here are some salient facts from the report. Decide for yourself whether they support the speculation about Stuxnet.

The victims, especially industrial targets, were in Iran

While there was a lot of hype, and then some pooh-poohing, of the Iran angle, Stuxnet infections have mainly occurred in that country, according to Symantec's data. Of the approximately 100,000 compromised systems currently seen by Symantec's sensors, nearly 63,000 are in Iran. In addition, infected systems in Iran are dramatically more likely to have targeted Siemens control software installed: 58 percent do, compared to 8 percent of South Korean systems, the next highest proportion of industrial systems infected.

Of course, the primary problem with this data is that it's based only on what Symantec is seeing through its own network sensors. Other security firms have put India at the top of the infection heap, especially after the rate of Iran's infections plunged to zero in late August.

Over the weekend, Iran's intelligence agency arrested "spies" that it blamed for the attack.

First detected in June 2009, the worm was last updated as late as March 2010

If the attackers had a specific target in mind, it seems that, as of March 2010, they had not reached it. Security firms began detecting a new variant in March that started exploiting the LNK vulnerability (MS10-046), a previously unreported flaw that allowed the worm to spread to additional systems.

"It says something that they gave up a very important vulnerability by putting it into the threat," observed O Murchu, in a conference call about the report.

The attackers took steps to limit the spread of Stuxnet

Reverse engineering Stuxnet has shown that, when USB drives are infected, the program puts a counter that limits that USB drive to infecting three other systems. Moreover, Stuxnet will not infect machines after June 24, 2012.

Symantec also believes there is a third limitation on propagation. A compromised system will stop running the infection routines after three weeks.

"When we look at the code, there are dates in the code that we still don't fully understand," says O Murchu. "It looks like it will only spread from your computer for 21 days. It is still puzzling that we are seeing such high infection numbers."

Legitimate digital signatures bypass protections

When Stuxnet copies itself to a USB flash drive, it signs the files with legitimate certificates for a driver from PC hardware makers Realtek and JMicron Technology. The certificates have been confirmed to be compromised. Signing the drive allows Stuxnet to bypass some security controls.

VeriSign confirmed the compromise of the driver and revoked the certificate on July 16.

The worm spreads by about as many vectors as Nimda

Stuxnet propagates itself using five different methods:

  • Infects removable drives and network shares
  • Copies itself from computer to computer over networks using two exploits
  • Hides itself in project files of the industrial control system software, Step 7
  • Attempts to infect Windows-based control systems running WinCC via a default password
  • Updates itself on already infected computers using peer-to-peer

Stuxnet targets specific programmable logic controllers

A lot has been made about Stuxnet's targeting. The worm specifically targets industrial controllers with certain characteristics.

First, it only infects PLCs that have a type of 6ES7-315-2, which are Simatic System 7 300 controllers made by Siemens.

Second, the infection routine counts the number of times two values occur in the system data blocks (SDBs). If the total number of occurrences exceeds 32, then it will infect the PLC using one of two infection routines, depending on which value occurred more often. A third infection sequence occurs under other circumstances.

However, Symantec stresses that without knowledge of the intended target, it's impossible to determine how Stuxnet's changes will impact the industrial process.

This article, "What we really know about the Stuxnet worm," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.


Copyright © 2010 IDG Communications, Inc.