Jonathan Baulch

A worm that spreads via USB drives Exploits a previously unknown vulnerability

in Windows Trojan backdoor that looks for a specific softwarecreated by Siemens

June 2009 – Earliest Stuxnet version seen. Lacks many complexities of the later versions

January 25, 2010 – Stuxnet driver signed with valid certificate from Realtek Semiconductor Corps

June 17, 2010 – Virusblokada reports W32.Stuxnet named RootkitTmphider

July 13, 2010 – Symantec adds detection known as W32.Temphid

July 16, 2010 – Verisign revokes Realtek Semiconductor Corps certificate

July 17, 2010 – Eset identifies new Stuxnet driver with certificate from JMicron Technology Corp.

July 19, 2010 – Siemens reports they are investigating reports of malware affecting Siemens WinCC SCADA systems

August 6, 2010 – Symantec reports how Stuxnet can inject and hide code on a PLC

September 30, 2010 – Symantec presents at Virus Bulletin and releases comprehensive analysis of Stuxnet

Self-replicates through removable drives exploiting a vulnerability allowing auto-execution

Spreads in a LAN through a vulnerability in the Windows Print Spooler

Copies and executes itself on remote computers through network shares

Copies and executes itself on remote computers running a WinCC database server

Copies itself into Step 7 projects in such a way that it automatically loads when Step 7 is run

Updates itself through a peer-to-peer mechanism within a LAN

Exploits 4 different zero-day Microsoft vulnerabilities

Contacts a command and control server that allows a hacker to download and execute code

Contains a Windows rootkit that hides its binaries

Attempts to bypass security products

Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system

Hides modified code on PLCs

PLC – Programmable Logic Controller◦ Loaded with blocks of code and data written using

a variety of languages such as STL or SCL

◦ PLCs are small embedded industrial control systems that run automated processes on factory floors, chemical and nuclear plants, oil refineries, etc.

It has yet to be discovered who authored the Stuxnet worm and who/what the target was.◦ Research project that got out of control. There is

history of accidental releases of worms by researches before.

◦ Criminal worm designed to demonstrate the power the authors possess.

◦ Worm released by the U.S. military to scare government into increasing the budget for cyber security.

◦ Developed by Israel to attack Iran

Iran was one of the top countries to be affected most by the Stuxnet worm.

Iran currently is constructing a nuclear plant in Bushehr and experts believe the delays have been the result of Stuxnet.

Report by Siemens expert, Ralph Langer, says that Stuxnet could easily cause a refinery’s centrifuge to malfunction.

Stuxnet achieved many things in the malicious code realm

First to exploit 4 0-day vulnerabilities

Compromised 2 digital certificates

Injected code into industrial control systems and hid the code from operators.

Many experts say it is the most complex malicious software created in the history of cyber security.

Highlights that it is possible to attack critical infrastructures in places other than Hollywood movies.

Improbable that copy cat attacks will begin to be mass produced due to the complexity of the software.

W32.Stuxnet Dossier - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Schneier on Security - http://www.schneier.com/blog/archives/2010/10/stuxnet.html Details on the first-ever control system malware - http://news.cnet.com/8301-27080_3-20011159-

245.html