Stuxnet had a full bag of tricks, report says
While five Iranian facilities were the worm's targets, it spread far beyond its original intent, report finds
- By Kevin McCaney
- Feb 16, 2011
The Stuxnet worm, apparently intended to disrupt Iran’s uranium enrichment program, targeted five organizations in Iran during a 10-month period, according to a recent report from Symantec.
The extensive, 69-page report, titled the "W32.Stuxnet Dossier," states that Stuxnet records a time stamp and other system information with each infection, which allowed researchers to trace 12,000 incidents to those five organizations, based on the domain names of the computers that were attacked.
The attacks occurred between June 2009 and May 2010, the report states. But although the worm had specific targets, its propagation techniques resulted in it spreading far beyond its initial target. By the end of September 2010, more than 100,000 computers worldwide had been infected, more than 60,000 of them in Iran, according to the report.
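The tracing method described above, as an added illustration rather than code from the report or from Symantec: because every infected copy carries a history of the machines it passed through, the first hop of each chain identifies the seed machine, and grouping seeds by domain recovers the organizations that were targeted first, while later hops show how far the worm spread beyond them. The sample histories, host names and domain names below are constructed placeholders (the report does not name the targets), and the 30-day wave gap is an assumption chosen for the example.

```python
"""Reconstruct initial targets and attack waves from per-sample infection
histories. Added example with constructed data; not taken from the dossier."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Hop:
    """One entry of a sample's infection history: host, domain, local time."""
    host: str
    domain: str
    infected_at: datetime


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample histories, oldest hop first. Domain names are
# placeholders for the unnamed organizations, not data from the report.
SAMPLES = [
    [Hop("eng-ws01", "orga.example", _t("2009-06-22 16:31"))],
    [Hop("eng-ws01", "orga.example", _t("2009-06-22 16:31")),
     Hop("eng-ws07", "orga.example", _t("2009-06-23 09:02"))],
    [Hop("eng-ws01", "orga.example", _t("2009-06-22 16:31")),
     Hop("eng-ws07", "orga.example", _t("2009-06-23 09:02")),
     Hop("lt-14", "contractor.example", _t("2009-07-04 11:45"))],
    [Hop("fs-02", "orgb.example", _t("2010-03-01 08:12"))],
    [Hop("fs-02", "orgb.example", _t("2010-03-01 08:12")),
     Hop("plc-prog", "orgb.example", _t("2010-03-02 14:20")),
     Hop("home-pc", "isp.example", _t("2010-03-19 21:07"))],
    # A chain whose timestamps run backwards: a skewed or reset clock.
    [Hop("fs-02", "orgb.example", _t("2010-03-01 08:12")),
     Hop("old-xp", "orgb.example", _t("2004-01-01 00:00"))],
]


def origin(chain):
    """Return (first hop, clocks_consistent) for one infection chain.

    Hop order is the source of truth for the seed; timestamps are only
    checked so that chains with untrustworthy clocks can be excluded from
    any time-based analysis.
    """
    first = chain[0]
    consistent = all(a.infected_at <= b.infected_at
                     for a, b in zip(chain, chain[1:]))
    return first, consistent


def initial_targets(samples):
    """Group every chain by the domain of its first hop.

    Returns {domain: {"samples": n, "seed_hosts": set, "spread_to": set}},
    where spread_to holds domains reached downstream of that seed, i.e. the
    collateral spread beyond the original target.
    """
    out = defaultdict(lambda: {"samples": 0, "seed_hosts": set(),
                               "spread_to": set()})
    for chain in samples:
        first, _ = origin(chain)
        entry = out[first.domain]
        entry["samples"] += 1
        entry["seed_hosts"].add(first.host)
        entry["spread_to"].update(h.domain for h in chain[1:]
                                  if h.domain != first.domain)
    return dict(out)


def waves(samples, gap=timedelta(days=30)):
    """Cluster distinct seed timestamps into waves separated by more than gap.

    Chains with inconsistent clocks are dropped, since their seed time cannot
    be trusted. Returns a list of (start, end, distinct_seed_events) tuples.
    """
    seeds = sorted({origin(c)[0].infected_at for c in samples if origin(c)[1]})
    result = []
    for ts in seeds:
        if result and ts - result[-1][1] <= gap:
            start, _, n = result[-1]
            result[-1] = (start, ts, n + 1)
        else:
            result.append((ts, ts, 1))
    return result


if __name__ == "__main__":
    for domain, info in initial_targets(SAMPLES).items():
        print(domain, info)
    print(waves(SAMPLES))
```

The important caveat is the one the clock check encodes: the history is written by the infected machine itself, so a wrong system clock or a deliberately altered sample corrupts the ordering evidence, which is why the seed is taken from hop order and the timestamps are used only for wave grouping.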
Stuxnet is believed to be the first piece of malware that targets industrial control systems, such as those used in power plants, pipelines, electrical grids or nuclear facilities. Because it apparently targeted Iran’s uranium enrichment program, and by extension its nuclear weapons program, experts have speculated that the United States and/or Israel may be behind the attack.
The Symantec report, however, says only that Stuxnet “is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant.”
“Its final goal is to reprogram industrial control systems by modifying code on programmable logic controllers to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment,” the report states.
The worm uses a wide variety of components, according to the report, including “zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command-and-control interface.”
Other researchers tracking the worm have described it as a very sophisticated bit of software that could herald a new front in the emerging realm of cyber war in which physical infrastructure, not just computer systems, is targeted. But it also has its flaws, such as a simplistic command-and-control channel.
The attacks against the five targets in Iran came in three waves, the report states. Symantec does not name the targets.
The report, by way of explaining how Stuxnet works, lists some of its features:
- Self-replicates through removable drives by exploiting a vulnerability that allows automatic execution: the Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732).
- Spreads in a LAN through a vulnerability in the Windows Print Spooler: the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
- Copies and executes itself on remote computers through network shares.
- Copies and executes itself on remote computers running a WinCC database server.
- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
- Updates itself through a peer-to-peer mechanism within a LAN.
- Exploits a total of four unpatched Microsoft vulnerabilities: the two self-replication vulnerabilities mentioned above and two escalation-of-privilege vulnerabilities that had not been publicly disclosed at the time the report was written.
- Contacts a command-and-control server that allows the hacker to download and execute code, including updated versions.
- Contains a Windows rootkit that hides its binaries.
- Attempts to bypass security products.
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
- Hides modified code on PLCs, essentially a rootkit for PLCs.
Kevin McCaney is a former editor of Defense Systems and GCN.