is stuxnet the 'best' malware ever
TRANSCRIPT
8/3/2019 Is Stuxnet the 'Best' Malware Ever
http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 1/4
Is Stuxnet the 'best' malware ever?'Groundbreaking' worm points to a state-backed effort, say experts
Gregg Keizer
September 16, 2010 (Computerworld)
The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched
vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who
tore it apart believe it may be the work of state-backed professionals.
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
"I'd call it groundbreaking," said Roel
Schouwenberg, a senior antivirus researcher at
Kaspersky Lab. In comparison, other notable
attacks, like the one dubbed Aurora that hacked
Google's network and those of dozens of other
major companies, were child's play.
O Murchu and Schouwenberg should know:
They work for the two security companies that
discovered that Stuxnet exploited not just one
zero-day Windows bug but four -- an
unprecedented number for a single piece of
malware.
Stuxnet, which was first reported in mid-June by
VirusBlokAda, a little-known security firm based
in Belarus, gained notoriety a month later when
Microsoft confirmed that the worm was actively
targeting Windows PCs that managed large-
scale industrial-control systems inmanufacturing and utility firms.
Those control systems are often referred to
using the acronym SCADA, for "supervisory
control and data acquisition." They run
everything from power plants and factory
machinery to oil pipelines and military
installations.
At the time it was first publicly identified in June,
8/3/2019 Is Stuxnet the 'Best' Malware Ever
http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 2/4
researchers believed that Stuxnet -- whose
roots were later traced as far back as June
2009 -- exploited just one unpatched, or "zero-
day," vulnerability in Windows and spread
through infected USB flash drives.
Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly
60% of all infected PCs were located in that country.
On Aug. 2, Microsoft issued an emergency update to patch the bug that Stuxnet was then known
to exploit in Windows shortcuts.
But unbeknownst to Microsoft, Stuxnet could actually use four zero-day vulnerabilities to gain
access to corporate networks. Once it had access to a network, it would seek out and infect the
specific machines that managed SCADA systems controlled by software from German electronics
giant Siemens.
With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantec went to work,
digging deep into its code to learn how it ticked.
The two companies independently found attack code that targeted three more unpatched
Windows bugs.
"Within a week or week and a half [of news of Stuxnet], we discovered the print spooler bug," said
Schouwenberg. "Then we found one of the EoP [elevation of privilege] bugs." Microsoft
researchers discovered a second EoP flaw, Schouwenberg said.
Working independently, Symantec researchers found the print spooler bug and two EoP
vulnerabilities in August.
Both firms reported their findings to Microsoft, which patched the print spooler vulnerability on
Tuesday and said it would address the less-dangerous EoP bugs in a future security update.
"Using four zero-days, that's really, really crazy," said Symantec's O Murchu. "We've never seen
that before."
Neither has Kaspersky, said Schouwenberg.
But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in
2008 with Microsoft's MS08-067 update. That bug was the same vulnerability used to devastating
effect by the notorious Conficker worm in late 2008 and early 2009 to infect millions of machines.
Once within a network -- initially delivered via an infected USB device -- Stuxnet used the EoP
vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC
and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or
MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC (programmable logic control) software to give
machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had
stolen at least two signed digital certificates.
"The organization and sophistication to execute the entire package is extremely impressive," said
Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or
companies they were targeting."
O Murchu seconded that. "There are so many different types of execution needs that it's clear this
8/3/2019 Is Stuxnet the 'Best' Malware Ever
http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 3/4
is a team of people with varied backgrounds, from the rootkit side to the database side to writing
exploits," he said.
The malware, which weighed in a nearly half a megabyte -- an astounding size, said
Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented
languages, O Murchu added.
"And from the SCADA side of things, which is a very specialized area, they would have needed
the actual physical hardware for testing, and [they would have had to] know how the specific
factory floor works," said O Murchu.
"Someone had to sit down and say, 'I want to be able to control something on the factory floor, I
want it to spread quietly, I need to have several zero-days,'" O Murchu continued. "And then pull
together all these resources. It was a big, big project."
One way that the attackers minimized the risk of discovery was to put a counter in the infected
USB that allowed it to spread to no more than three PCs. "They wanted to try to limit the spread
of this threat so that it would stay within the targeted facility." O Murchu said.
And they were clever, said Schouwenberg.
Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was
part of a SCADA network. "There's no logging in most SCADA networks, and they have limitedsecurity and very, very slow patch cycles," Schouwenberg explained, making the long-patched
MS08-067 exploit perfect for the job.
Put all that together, and the picture is "scary," said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that
both O Murchu or Schouwenberg believe it couldn't be the work of even an advanced cybercrime
gang.
"I don't think it was a private group," said O Murchu. "They weren't just after information, so a
competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way
unintended by the real operators. That points to something more than industrial espionage."
The necessary resources, and the money to finance the attack, puts it out the realm of a private
hacking team, O Murchu said.
"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control
machinery in the real world."
"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution,
the most plausible scenario is a nation-state-backed group," said Schouwenberg, who
acknowledged that some people might think he was wearing a tin foil hat when he says such
things. But the fact that Iran was the No. 1 target is telling.
"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's
plausible, suddenly plausible, that it was nation-state-backed."
"This was a very important project to whoever was behind it," said O Murchu. "But when an oil
pipeline or a power plant is involved, the stakes are very high."
And although Siemens maintains that the 14 plants it found with infected SCADA systems were
not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.
Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as
early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that
8/3/2019 Is Stuxnet the 'Best' Malware Ever
http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 4/4
the worm went undetected for months.
"We don't know if they succeeded or not, but I imagine that they got to the targets that they
wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.
"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said
Schouwenberg. "I think they were convinced that they would be able to do what they wanted
before they were detected."
O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security
conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers fromMicrosoft and Kaspersky will present a separate paper at the same conference.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology
breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to
Gregg's RSS feed . His e-mail address is [email protected].