
Stuxnet is the name of the most sophisticated computer virus ever discovered, and perhaps ever created.

What it was

Technically a worm, the virus got its name from a string of characters buried in its code. It was one of the largest viruses ever discovered, at nearly half a megabyte, and the source code was written in six different programming languages.

What it targeted

Stuxnet was precisely targeted to affect the centrifuges in a specific nuclear fuel processing plant at Natanz in Iran. Although it was extremely "promiscuous," which is hacker jargon for a virus that spreads as widely as possible, it contained numerous safeguards designed to ensure that it would not damage any computers or equipment other than its designated target. Specifically, the worm only activated once it found itself on a specific type of computer system, manufactured by the German company Siemens, that is used to control specific industrial processes. Even then, it only affected motorized processes that spin within a specific band between 807 Hz and 1210 Hz. And even further still, it only activated in the presence of two specific kinds of variable-frequency drives known to be used at the Natanz plant. On all other systems, the worm deactivated itself and took a variety of steps to hide its presence. The worm also included a piece of code that would make it self-destruct and vanish from all infected systems on June 24, 2012.

How it spread

The worm initially spread through USB flash drives, and was capable of infecting all currently supported varieties of Microsoft's Windows operating system, including systems with all security patches installed and up to date. The virus took advantage of no fewer than six different security vulnerabilities in Windows, including an astonishing four "zero-day" vulnerabilities, that is, vulnerabilities previously unknown to the software provider. This shocked security researchers, because zero-day vulnerabilities are extremely valuable and are normally jealously guarded: they become much less useful once exploited for the first time. In addition, the program had both user-mode and kernel-mode rootkit capability in Windows, and its device drivers were signed using private keys stolen from two different Taiwanese companies, JMicron and Realtek, both of which are located in the Hsinchu Science Park in Taiwan.

But getting into Windows was only the first step. Ultimately, the worm had to get onto the Siemens programmable logic controllers (PLCs) that controlled the centrifuges. However, for security reasons, these machines have no input devices other than a data cable. To get on the PLCs, the worm hijacked Siemens' "Step 7" Windows software application using yet another zero-day exploit plus two other, known exploits, as well as hard-coded Siemens passwords. This allowed the virus to pass through the data cable and install itself on the PLC machine.

What it did

Once the virus got on the PLC, it waited patiently until certain specific criteria were met, and then altered the speed of the motor being operated to 1,410 Hz for 15 minutes before returning the machine to its proper speed. Then, exactly 27 days later, it reduced the speed of the machine to 2 Hz for 50 minutes. All the while, the program took steps to mask its presence and the changes in speed from diagnostic software.

The result of running the motors well outside of their normal operating range, even for such short periods of time, was in many cases damage and even destruction of the machines. It has been estimated that Stuxnet destroyed about 1,000 centrifuges in Iran between November 2009 and July 2010, or approximately 10 percent of all centrifuges in the nation, all without being discovered by the Iranians. This led to a significant decline in Iran's enrichment of uranium during that time, as well as an unspecified "serious nuclear accident" that resulted in the resignation of the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh.
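The speed changes described above worked because the worm masked them from the diagnostic software that operators relied on. The defensive lesson is that a controller's own report of motor speed should not be the only source of truth. As an added illustration, not part of the original writeup, the following Python check compares the speed a controller reports with a reading from an independent sensor, and flags both values outside the expected band and disagreement between the two sources. The 807 to 1210 Hz band is taken from the activation band described above and assumed here to be the normal operating range; the tolerance, the sensor arrangement and the telemetry samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed normal operating band, taken from the activation band in the writeup.
NORMAL_BAND_HZ: Tuple[float, float] = (807.0, 1210.0)

# Assumed acceptable disagreement between the controller's report and an
# independent sensor. Real tolerances depend on the sensor and the process.
TOLERANCE_HZ = 25.0


@dataclass
class Sample:
    """One telemetry point: what the controller/HMI says vs. what we measure."""
    minute: int          # minutes since start of the observation window
    reported_hz: float   # speed the controller reports to diagnostic software
    measured_hz: float   # speed from an independent, out-of-band sensor


def check_sample(s: Sample,
                 band: Tuple[float, float] = NORMAL_BAND_HZ,
                 tol: float = TOLERANCE_HZ) -> List[str]:
    """Return a list of findings for a single sample (empty list = looks normal).

    Two independent checks are applied:
      1. The *measured* speed must lie within the expected band. The controller's
         own report is not trusted for this, because it may be masked.
      2. The reported and measured values must agree within a tolerance. A
         controller that keeps reporting a nominal speed while the sensor sees
         something else is itself a finding, regardless of the band check.
    """
    findings: List[str] = []
    lo, hi = band
    if not (lo <= s.measured_hz <= hi):
        findings.append(
            f"t={s.minute}m: measured {s.measured_hz:.0f} Hz is outside "
            f"the {lo:.0f}-{hi:.0f} Hz band"
        )
    if abs(s.reported_hz - s.measured_hz) > tol:
        findings.append(
            f"t={s.minute}m: controller reports {s.reported_hz:.0f} Hz but "
            f"independent sensor measures {s.measured_hz:.0f} Hz"
        )
    return findings


def analyze(samples: List[Sample]) -> List[str]:
    """Run check_sample over a whole telemetry window and collect findings."""
    findings: List[str] = []
    for s in samples:
        findings.extend(check_sample(s))
    return findings


def anomalous_minutes(samples: List[Sample]) -> List[int]:
    """Minutes at which at least one check fired."""
    return [s.minute for s in samples if check_sample(s)]


def build_sample_telemetry() -> List[Sample]:
    """Constructed telemetry, not real plant data.

    The controller reports a steady nominal speed throughout, while the
    independent sensor sees a masked overspeed (minutes 5-7) and later a masked
    near-stop (minute 9). Values echo the speeds described in the writeup.
    """
    nominal = 1064.0
    samples = [Sample(m, nominal, nominal) for m in range(0, 5)]
    samples += [Sample(m, nominal, 1410.0) for m in range(5, 8)]   # masked overspeed
    samples.append(Sample(8, nominal, nominal))                     # back to normal
    samples.append(Sample(9, nominal, 2.0))                         # masked slowdown
    return samples


if __name__ == "__main__":
    for line in analyze(build_sample_telemetry()):
        print(line)
```

The point of the second check is that a masked change shows up as a contradiction between data sources even when the controller's display looks healthy; an operator who only watches the HMI would see nothing, while an independent sensor with its own data path gives the detection logic something the compromised controller cannot rewrite.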

How it was discovered

Although the Stuxnet worm spread to computer systems running Windows all over the world, it took so many measures to hide its presence and avoid damaging non-target systems that it remained active, undetected, for approximately eight months, evidently going through three different versions during that time. However, on June 17, 2010, researchers at a tiny anti-virus company in Belarus called VirusBlokAda discovered two versions of the worm and announced their discovery to the world in a Web release written in poorly translated English. Thereafter, it took researchers around the world several months to fully unravel what the worm's code was and what it was supposed to do. Eventually, Siemens released patches to remove the worm and prevent similar worms from affecting its machines in the future.

Who was responsible

Stuxnet was almost certainly the work of a nation-state, rather than individual hackers. The worm's design and implementation required extensive knowledge not only of industrial processes and software, but also of particular details regarding Iran's uranium enrichment program. The code itself would have required several man-years to write, and was built upon extensive research into previously unknown Windows and Step 7 security flaws. Moreover, at the time of its discovery, approximately 60% of all computers in Iran were infected with the Stuxnet worm, far more than in any other nation (Indonesia was in second place, at 18%). This suggests that the contagion started in Iran and then spread elsewhere, meaning that in addition to actually coding the worm, there was also some sort of operation to smuggle the worm (presumably on USB flash drives) into Iran itself.

Almost all speculation has focused on Israel and the United States, either working alone or in tandem. Israel is a particularly strong candidate. The dates May 9, 1979 and September 24, 2007 appear in the code, the first being the date that Habib Elghanian, a prominent Iranian Jew, was executed in Tehran by the newly installed Islamists, and the second being the date that Iranian President Mahmoud Ahmadinejad gave a speech at Columbia University lambasting Israel and questioning the Holocaust. Moreover, although Israel has never officially claimed credit for the attack, leading Israeli intelligence figures are reported to have bragged privately about the Stuxnet operation.
