Stuxnet Remains a Mystery

Monday, October 4, 2010 @ 05:10 PM gHale

By Gregory Hale
Stuxnet remains a big topic of conversation in the cyber security environment and it is still sending chills down the spines of manufacturing automation cyber security professionals. Who created it? What was supposed to be the ultimate victim? Industry experts continue to ask questions, but answers are hard to come by.
While there were no great revelations, Eric Byres, chief technology officer at Byres Security, just heard three very interesting presentations by Symantec, Microsoft and Kaspersky Labs at the Virus Bulletin 2010 conference last week.
For two hours they discussed their latest findings on Stuxnet, the PLC/SCADA-targeting worm of the decade.
From Byres: If you are hoping for a clear answer on who wrote this nasty piece of malware and why, you are not going to find it here. And from what I have seen so far, you might not ever find that answer. But I will try to lay out what is known and what is pure speculation.
First some facts that are pretty hard to dispute:
• Stuxnet was designed to target a very specific industrial process that used Siemens S7-300 and S7-400 PLCs. Research from Symantec and Ralph Langner show that Stuxnet is looking for a very specific PLC configuration to attack.
• It was designed to be a long term and stealthy threat – Microsoft reported it was likely first released in July 2009 and was active (and undetected) for about a year, during which time its designers made several modifications, some as late as July 2010.
• It has multiple methods of infection, not just via USB keys as originally thought. For example, once the USB key method has gotten the worm a foot hold in one computer, it moves to other computers on the same network using a previously unknown flaw in the way computers share printers. If that doesn’t work, it has three other ways to spread, including infecting the actual Step7 PLC project files.
• Despite what Siemens has written, Stuxnet is not only a threat to “operating systems from XP and higher” Symantec’s analysis shows it is capable of infecting machines running older systems such as Windows 2000.
• It is very well written – it is 1.5 MBytes of complex logic and yet (according to Kaspersky) only one potential bug has been noted and they have not been able to actually see this bug take effect. This error rate is far better than industry standards for commercial software.
• Iran is the country with the largest number of infected computers. The Symantic report indicates that 58% of the infected machines are in Iran. Symantec reports that on August 22 they observed Iran was no longer reporting new infections. They go on to state “This was most likely due to Iran blocking outward connections to the command and control servers, rather than a drop-off in infections.” Furthermore, they show that the percentage of infected computers with the Siemens software installed is far higher in Iran.
Now looking at the Kaspersky data, one might assume that India has more infected computers; however, at the conference the Kaspersky speaker stated this skew is almost certainly due to the fact that they have very few customers in Iran. Thus they also believe that Iran is the main country of infection.
Now for some speculation: Considering Stuxnet uses a physical propagation method (i.e. USB keys) and not the Internet, you can interpret the large number of Iranian infections (over 60,000, according to Symnatec) as you see fit. For me, it says that Iran was the country targeted by the worm’s developers.
This still leaves a lot of open questions, the first of which is “Who wrote this worm?”
I don’t think anyone who has studied the code thinks it was an individual. Symantec is very clear about this:
“Analyzing the different types of samples Symantec has observed to date has shed some light on how long this threat has been under development and/or in use. The development of the threat dates back to at least June of 2009. The threat has been under continued development as the authors added additional components, encryption, and exploits. The amount of components and code used is very large. In addition to this the authors’ ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is not a teenage hacker coding in his bedroom type operation.”
For now, the key message is there is no silver bullet to protect a system against the current Stuxnet or the next Stuxnet-like attack. Fully patched systems at Kaspersky Labs were infected, anti -virus systems were deliberately subverted to run the malware and shared print servers were used as infection paths. No single solution will block an attack like Stuxnet.
Eric Byres is the chief technology officer at Byres Security. Click here to follow his blog.

Leave a Reply

You must be logged in to post a comment.