Stuxnet

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Slon02 at 23:22, 24 September 2010 (spelling fix- software).

Stuxnet is a computer worm first discovered in June 2010 by a security firm based in Belarus. It is notable because it is the first discovered worm that spies on and reprograms industrial systems.[1] It was specifically written to attack SCADA systems which are used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes.[2]

History

It was first reported by the security company VirusBlokAda in mid-June 2010, and roots of it have been traced back to June 2009.[2] The worm contains a component with a build time stamp from 3 February 2010.[3]

Operation

Stuxnet attacks Windows systems using four zero-day exploits (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems running Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers on the network. Once inside a system, it uses the software's default passwords to issue commands to it.[2] Siemens, however, advises against changing the default passwords because doing so “could impact plant operations”.[4]

The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure.[2][1] The number of zero-day Windows exploits used is also unusual, as undiscovered zero-day Windows exploits are valuable and hackers do not normally expend four different ones in the same worm.[5] Stuxnet is unusually large at half a megabyte in size,[6] and is written in several programming languages (including C and C++), which is also irregular for malware.[2][1] It is digitally signed with two authentic certificates which were stolen from two certification authorities. It also has the capability to update itself via peer-to-peer communication, allowing it to be updated after the initial command and control server was disabled.[6][7] These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.[6]

Removal

Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting its customer support if an infection is detected, and advises installing the Microsoft patch for the vulnerabilities and disallowing the use of third-party USB sticks.[8]

Speculations about the target and origin

A Siemens spokesperson said that the worm was found on 15 systems, five of which were process manufacturing plants in Germany. Siemens claims that no active infections have been found and that there were no reports of damage caused by the worm.[9] Symantec claims that the majority of infected systems were in Iran,[10] which has led to speculation that it may have been deliberately targeting “high-value infrastructure” in Iran,[5] including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility.[6] Ralph Langner, a German cyber-security researcher, called the malware “a one-shot weapon” and said that the intended target was probably hit,[11] although he admitted this was speculation.[6] Bruce Schneier described this theory as interesting, but pointed out that there was little evidence to support it.[12]

References

  1. Robert McMillan (16 September 2010). "Siemens: Stuxnet worm hit industrial systems". Computerworld. Retrieved 16 September 2010.
  2. Gregg Keizer (16 September 2010). "Is Stuxnet the 'best' malware ever?". Infoworld. Retrieved 16 September 2010.
  3. Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho. "Stuxnet under the microscope" (PDF). Retrieved 24 September 2010.
  4. Tom Espiner (20 July 2010). "Siemens warns Stuxnet targets of password risk". cnet. Retrieved 17 September 2010.
  5. Jonathan Fildes (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 23 September 2010.
  6. Kim Zetter (23 September 2010). "Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target". Wired. Retrieved 24 September 2010.
  7. Liam O Murchu (17 September 2010). "Stuxnet P2P component". Symantec. Retrieved 24 September 2010.
  8. "SIMATIC WinCC / SIMATIC PCS 7: Information concerning Malware / Virus / Trojan". Siemens. Retrieved 24 September 2010.
  9. crve (17 September 2010). "Stuxnet also found at industrial plants in Germany". The H. Retrieved 18 September 2010.
  10. Robert McMillan (23 July 2010). "Iran was prime target of SCADA worm". Computerworld. Retrieved 17 September 2010.
  11. Mark Clayton (21 September 2010). "Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?". Christian Science Monitor. Retrieved 23 September 2010.
  12. Bruce Schneier (22 September 2010). "Schneier on Security: The Stuxnet Worm". Retrieved 23 September 2010.