Stuxnet - Clemson University · PPT file · 2010-12-02

STUXNET: A Sophisticated Malware

Arpit Singh
CPSC 420



WHAT IS STUXNET ?

Stuxnet is a Windows-specific worm first detected in June 2010 by VirusBlokAda.

Stuxnet uses a vulnerability in the way Windows handles shortcut files.

Originally thought to spread mainly through the use of removable drives, such as USB sticks.

Designed to steal industrial secrets and disrupt operations.

Stuxnet infected systems in many countries, but 60 percent of the infected computers worldwide were in Iran, indicating that industrial plants in that country were the target.


WHAT IS SO SPECIAL ABOUT STUXNET ?

A list of Firsts

It is the first discovered worm that spies on and reprograms industrial systems.

It is the first-ever computer worm to include a PLC rootkit.

It is also the first known worm to target critical industrial infrastructure.

Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."

Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.


HOW STUXNET WORKS ?

Once within a network (initially delivered via an infected USB device), Stuxnet uses the EoP vulnerabilities to gain administrative access to other PCs.

Seeks out systems running the WinCC and PCS 7 SCADA management programs and hijacks them by exploiting either the print spooler or MS08-067 bugs.

Tries the default Siemens passwords to commandeer the SCADA software.

It could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.


HOW STUXNET WORKS ?

While the intended target of Stuxnet appears to be the manipulation of Siemens PLCs, Stuxnet could have just as easily been designed to attack PLCs made by other SCADA manufacturers.

The worm hides the modified PLC programs by marking each of the worm’s function blocks in a particular way.

The wrapper contains code to recognize the worm’s marked function blocks.

The spread of the worm by USB sticks was also monitored.

Anti-virus technologies and patching are now available to protect you against Stuxnet.
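Because the worm hides its modified function blocks from the normal view of the PLC, a defender cannot rely on that view alone. The check below is an added example, not part of the original slides: it compares a known-good baseline against what the engineering workstation shows and against a separate read of the controller. The block names, byte strings and the existence of a trusted second read path are constructed assumptions.

```python
import hashlib


def digest(code: bytes) -> str:
    """SHA-256 of a block's code, as stored in the baseline."""
    return hashlib.sha256(code).hexdigest()


def audit_plc_blocks(baseline, workstation_view, independent_read):
    """Return (block, finding) pairs.

    baseline:          {name: sha256 hex} recorded when the plant was commissioned
    workstation_view:  {name: bytes} as shown by the engineering workstation
    independent_read:  {name: bytes} read over a separate, trusted path (assumed)
    """
    findings = []
    for name, code in sorted(independent_read.items()):
        # Blocks the controller holds but the workstation does not show.
        if name not in workstation_view:
            findings.append((name, "hidden-from-workstation"))
        elif workstation_view[name] != code:
            findings.append((name, "view-mismatch"))
        # Blocks that were never approved, or changed after approval.
        if name not in baseline:
            findings.append((name, "not-in-baseline"))
        elif baseline[name] != digest(code):
            findings.append((name, "modified-since-baseline"))
    for name in sorted(set(baseline) - set(independent_read)):
        findings.append((name, "missing-from-controller"))
    return findings


# Constructed sample data: names and contents are illustrative only.
SAMPLE_BASELINE = {
    "OB1": digest(b"main cycle v1"),
    "FC10": digest(b"pump control v1"),
}
SAMPLE_WORKSTATION_VIEW = {   # the workstation still shows the original logic
    "OB1": b"main cycle v1",
    "FC10": b"pump control v1",
}
SAMPLE_INDEPENDENT_READ = {   # what the controller actually holds
    "OB1": b"main cycle v1 + extra call",
    "FC10": b"pump control v1",
    "FC99": b"unknown logic",
}

if __name__ == "__main__":
    for block, finding in audit_plc_blocks(
        SAMPLE_BASELINE, SAMPLE_WORKSTATION_VIEW, SAMPLE_INDEPENDENT_READ
    ):
        print(f"{block}: {finding}")
```

A clean controller produces an empty list; any finding means the workstation view, the controller and the approved baseline no longer agree.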


HOW STUXNET SPREADS ?

Image courtesy Kaspersky Lab


TECHNIQUES USED

Stuxnet used several zero days in order to infect and spread.

Stuxnet behaves differently depending on what type of network it thinks it is running on. Stuxnet performs some rudimentary checking to see whether it is on a corporate network or a control systems network: If it detects that it is running on a corporate network, it won’t invoke the older 2008 vulnerability.

Stuxnet also disguised two critical files by signing them with the legitimate digital signatures belonging to industrial giants Realtek Semiconductor Corp. and JMicron.

The malware weighed in at nearly half a megabyte, an astounding size.

Written in multiple languages, including C, C++ and other object-oriented languages.


STUXNET ICS ROOTKIT

http://findingsfromthefield.com/?p=516


CONCLUSION

According to various experts around the world, Stuxnet has passed all the tests that qualify it as the most sophisticated and complex piece of malware ever written. It even initiates a debate over cyber warfare.

Analysts have pointed out that the resources required to carry out the testing and deployment of such malware are huge, and that only a state-backed affair can manage that.

It remains for us to see how many more advanced pieces of malware we will witness in the future, since this Stuxnet affair is being called just a test because no firm complained of any damage or irregularities at the plants. Maybe this is the start of cyber warfare.


RECENT DEVELOPMENTS

Nov. 23, 2010: Iran was recently forced to stop operating thousands of uranium enrichment centrifuges for a limited period of time.

Nov. 25, 2010: Reports appeared that it has been traded on the black market and could be used by terrorists.

Nov. 29, 2010: Iran's president confirmed for the first time that a computer worm affected centrifuges in the country's uranium enrichment program.


REFERENCES

http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?

http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/

http://findingsfromthefield.com/?p=516

http://www.cbsnews.com/stories/2010/11/29/world/main7100197.shtml

http://news.sky.com/skynews/Home/World-News/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Article/201011415827544

http://www.globalsecuritynewswire.org/gsn/nw_20101123_2990.php