8/3/2019 Is Stuxnet the 'Best' Malware Ever

http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 1/4

 

Is Stuxnet the 'best' malware ever?'Groundbreaking' worm points to a state-backed effort, say experts

Gregg Keizer 

September 16, 2010 (Computerworld)

The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched

vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who

tore it apart believe it may be the work of state-backed professionals.

"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.

"I'd call it groundbreaking," said Roel

Schouwenberg, a senior antivirus researcher at

Kaspersky Lab. In comparison, other notable

attacks, like the one dubbed Aurora that hacked

Google's network and those of dozens of other 

major companies, were child's play.

O Murchu and Schouwenberg should know:

They work for the two security companies that

discovered that Stuxnet exploited not just one

zero-day Windows bug but four -- an

unprecedented number for a single piece of 

malware.

Stuxnet, which was first reported in mid-June by

VirusBlokAda, a little-known security firm based

in Belarus, gained notoriety a month later when

Microsoft confirmed that the worm was actively

targeting Windows PCs that managed large-

scale industrial-control systems inmanufacturing and utility firms.

Those control systems are often referred to

using the acronym SCADA, for "supervisory

control and data acquisition." They run

everything from power plants and factory

machinery to oil pipelines and military

installations.

At the time it was first publicly identified in June,

8/3/2019 Is Stuxnet the 'Best' Malware Ever

http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 2/4

researchers believed that Stuxnet -- whose

roots were later traced as far back as June

2009 -- exploited just one unpatched, or "zero-

day," vulnerability in Windows and spread

through infected USB flash drives.

Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly

60% of all infected PCs were located in that country.

On Aug. 2, Microsoft issued an emergency update to patch the bug that Stuxnet was then known

to exploit in Windows shortcuts.

But unbeknownst to Microsoft, Stuxnet could actually use four zero-day vulnerabilities to gain

access to corporate networks. Once it had access to a network, it would seek out and infect the

specific machines that managed SCADA systems controlled by software from German electronics

giant Siemens.

With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantec went to work,

digging deep into its code to learn how it ticked.

The two companies independently found attack code that targeted three more unpatched

Windows bugs.

"Within a week or week and a half [of news of Stuxnet], we discovered the print spooler bug," said

Schouwenberg. "Then we found one of the EoP [elevation of privilege] bugs." Microsoft

researchers discovered a second EoP flaw, Schouwenberg said.

Working independently, Symantec researchers found the print spooler bug and two EoP

vulnerabilities in August.

Both firms reported their findings to Microsoft, which patched the print spooler vulnerability on

Tuesday and said it would address the less-dangerous EoP bugs in a future security update.

"Using four zero-days, that's really, really crazy," said Symantec's O Murchu. "We've never seen

that before."

Neither has Kaspersky, said Schouwenberg.

But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in

2008 with Microsoft's MS08-067 update. That bug was the same vulnerability used to devastating

effect by the notorious Conficker worm in late 2008 and early 2009 to infect millions of machines.

Once within a network -- initially delivered via an infected USB device -- Stuxnet used the EoP

vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC

and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or 

MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.

They could then reprogram the so-called PLC (programmable logic control) software to give

machinery new instructions.

On top of all that, the attack code seemed legitimate because the people behind Stuxnet had

stolen at least two signed digital certificates.

"The organization and sophistication to execute the entire package is extremely impressive," said

Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or 

companies they were targeting."

O Murchu seconded that. "There are so many different types of execution needs that it's clear this

8/3/2019 Is Stuxnet the 'Best' Malware Ever

http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 3/4

is a team of people with varied backgrounds, from the rootkit side to the database side to writing

exploits," he said.

The malware, which weighed in a nearly half a megabyte -- an astounding size, said

Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented

languages, O Murchu added.

"And from the SCADA side of things, which is a very specialized area, they would have needed

the actual physical hardware for testing, and [they would have had to] know how the specific

factory floor works," said O Murchu.

"Someone had to sit down and say, 'I want to be able to control something on the factory floor, I

want it to spread quietly, I need to have several zero-days,'" O Murchu continued. "And then pull

together all these resources. It was a big, big project."

One way that the attackers minimized the risk of discovery was to put a counter in the infected

USB that allowed it to spread to no more than three PCs. "They wanted to try to limit the spread

of this threat so that it would stay within the targeted facility." O Murchu said.

And they were clever, said Schouwenberg.

Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was

part of a SCADA network. "There's no logging in most SCADA networks, and they have limitedsecurity and very, very slow patch cycles," Schouwenberg explained, making the long-patched

MS08-067 exploit perfect for the job.

Put all that together, and the picture is "scary," said O Murchu.

So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that

both O Murchu or Schouwenberg believe it couldn't be the work of even an advanced cybercrime

gang.

"I don't think it was a private group," said O Murchu. "They weren't just after information, so a

competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way

unintended by the real operators. That points to something more than industrial espionage."

The necessary resources, and the money to finance the attack, puts it out the realm of a private

hacking team, O Murchu said.

"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control

machinery in the real world."

"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution,

the most plausible scenario is a nation-state-backed group," said Schouwenberg, who

acknowledged that some people might think he was wearing a tin foil hat when he says such

things. But the fact that Iran was the No. 1 target is telling.

"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's

plausible, suddenly plausible, that it was nation-state-backed."

"This was a very important project to whoever was behind it," said O Murchu. "But when an oil

pipeline or a power plant is involved, the stakes are very high."

And although Siemens maintains that the 14 plants it found with infected SCADA systems were

not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.

Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as

early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that

8/3/2019 Is Stuxnet the 'Best' Malware Ever

http://slidepdf.com/reader/full/is-stuxnet-the-best-malware-ever 4/4

the worm went undetected for months.

"We don't know if they succeeded or not, but I imagine that they got to the targets that they

wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.

"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said

Schouwenberg. "I think they were convinced that they would be able to do what they wanted

before they were detected."

O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security

conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers fromMicrosoft and Kaspersky will present a separate paper at the same conference.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology 

breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer , or subscribe to

Gregg's RSS feed  . His e-mail address is gkeizer@ix.netcom.com.