Stuxnet

Type: Network worm
Creator: (not given)
Date discovered: 2010.06.17 (uncertain)
Place of origin: (not given)
Source language: (not given)
Platform: MS Windows
File type: .dll (dropped under .tmp, .sys and .PNF names)
Infection length: (not given)
Reported costs: (not given)

Stuxnet is a worm sometimes referred to as the first "cyber super weapon". It is both the first known worm to spy on industrial control systems and the first to reprogram them. What it does, and when it was discovered, lead some to believe it was created by the US or Israeli government for use against Iran. The worm specifically targets industrial control systems of the kind found in nuclear facilities and other industrial plants.

Behavior

Stuxnet spreads to other networked machines through a vulnerability in the Windows Print Spooler service (patched by Microsoft as MS10-061). It sends a specially crafted print request to a machine that shares a printer; the flaw lets it write files into that machine's system folder, so it "prints" two files there: winsta.exe, a dropper, in the system folder itself, and sysnullevnt.mof in the \wbem\mof\ subdirectory. Windows processes the MOF file automatically, and that in turn executes the dropper.

When a removable drive carrying Stuxnet is connected to a computer and the worm gets to run, it installs itself as the drivers mrxcls.sys and mrxnet.sys in the drivers subdirectory of the system folder and creates two registry keys under HKEY_LOCAL_MACHINE that register them as services.

When it cannot obtain administrator privileges any other way, it exploits a vulnerability in Win32k.sys (MS10-073): it loads a crafted keyboard layout file that contains exploit code, which lets it execute code with SYSTEM privileges.

The worm copies itself to the root of any removable drive as the files ~WTR4132.tmp and ~WTR4141.tmp. Despite the .tmp extension, both are DLLs. Alongside them it writes four shortcut files pointing at ~WTR4141.tmp, named Copy of Shortcut to.lnk, Copy of Copy of Shortcut to.lnk, Copy of Copy of Copy of Shortcut to.lnk and Copy of Copy of Copy of Copy of Shortcut to.lnk.

To execute on the target system, Stuxnet exploits what was then a zero-day vulnerability in the way Windows parses shortcut (.lnk/.pif) files (MS10-046): any application that renders a shortcut's icon, Windows Explorer included, loads the DLL the shortcut refers to while merely displaying the folder, with no click required. The shortcuts cause ~WTR4141.tmp to be loaded; that file is a small loader whose main purpose is to load ~WTR4132.tmp, the main Stuxnet DLL. The loader carries a digital signature issued by VeriSign to Realtek Semiconductor.

It also spreads over network shares, copying itself to a share as DEFRAG<number>.tmp, where <number> is the system tick count (milliseconds since boot) written in hexadecimal. Like the files on removable drives, this is a DLL. A scheduled job is created to run it through rundll32.exe the following day.

It stores encrypted copies of itself in the inf subdirectory of the Windows folder as oem6C.PNF, oem7A.PNF, mdmcpq3.PNF and mdmeric3.PNF. The mrxcls.sys driver, which loads at boot, decrypts the stored main module from these and injects it into selected processes, so the worm reinstates itself at every start even if its other files have been removed.
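The file names in the preceding paragraphs are the host-side indicators an incident responder would sweep for. The script below is an added example, not code from the page or from any vendor: it turns those names and patterns into a classifier and walks a directory tree with it. The directory tree it scans is constructed inside the script (a fake removable drive, a fake share and a fake Windows tree) so that it runs offline; only the file names and the "Copy of ... Shortcut to.lnk" and DEFRAG<hex>.tmp patterns come from the text above.

```python
"""Offline IOC sweep for the Stuxnet file names named in the text above.

Added example, not code from the page or from any vendor. Only the file
names and patterns come from the text; the directory tree it scans is
constructed by build_sample_tree() so the script runs offline.
"""
import os
import re
import tempfile

# Exact (case-insensitive) names the worm drops, grouped by where they appear.
DROPPED_NAMES = {
    "~wtr4132.tmp", "~wtr4141.tmp",                             # removable drives
    "mrxcls.sys", "mrxnet.sys",                                 # system\drivers
    "oem6c.pnf", "oem7a.pnf", "mdmcpq3.pnf", "mdmeric3.pnf",    # windows\inf
    "winsta.exe", "sysnullevnt.mof",                            # print spooler path
}
# "Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk", ...
LNK_RE = re.compile(r"^(copy of )+shortcut to\.lnk$")
# DEFRAG<tick count in hex>.tmp dropped on network shares
DEFRAG_RE = re.compile(r"^defrag[0-9a-f]+\.tmp$")


def classify(name):
    """Return an indicator label for one file name, or None if it is not one."""
    low = name.lower()
    if low in DROPPED_NAMES:
        return "dropped-file"
    if LNK_RE.match(low):
        return "lnk-trigger"
    if DEFRAG_RE.match(low):
        return "share-copy"
    return None


def sweep(root):
    """Walk root and return sorted (path relative to root, label) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            label = classify(fname)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append((rel.replace(os.sep, "/"), label))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: a fake removable drive, a share and a Windows tree.

    Names are the ones from the text; 'report.docx', 'benign.sys' and
    'DEFRAGnotes.tmp' are decoys that must not be flagged."""
    layout = {
        "drive": ["~WTR4132.tmp", "~WTR4141.tmp", "Copy of Shortcut to.lnk",
                  "Copy of Copy of Shortcut to.lnk", "report.docx"],
        "share": ["DEFRAG1a2b3c.tmp", "DEFRAGnotes.tmp"],
        "windows/inf": ["oem7A.PNF"],
        "windows/system32/drivers": ["mrxcls.sys", "benign.sys"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, *sub.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"MZ")  # placeholder content; only the names matter here


def demo():
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:13} {path}")
```

One caveat that follows from the rootkit section further down: on a live infected host the worm's user-mode hooks filter ~WTR*.tmp and the .lnk files out of directory listings made through FindFirstFile and friends, which is exactly what os.walk uses, so a sweep like this must be run against the drive mounted on a clean machine or against a disk image, not from the suspect host itself.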

Stuxnet disables or bypasses security software to protect itself while performing its intended actions. To get past host firewalls it injects itself into a trusted process such as iexplore.exe. It also checks for the following ten security-product processes; which of them are present determines which process the worm injects itself into and how:

  • avguard.exe
  • bdagent.exe
  • ccSvcHst.exe
  • ekrn.exe
  • fsdfwd.exe
  • Mcshield.exe
  • rtvscan.exe
  • tmpproxy.exe
  • UmxCfg.exe
  • vp.exe

The worm carries a cut-off date: after 2012.06.24 it stops spreading.

Rootkit

It uses different methods of hiding itself depending on the file. The loader ~WTR4141.tmp hooks FindFirstFileW, FindNextFileW and FindFirstFileExW in Kernel32.dll and NtQueryDirectoryFile and ZwQueryDirectoryFile in Ntdll.dll. The replacement code filters directory listings so that any file whose name ends in .lnk, or begins with ~WTR and ends in .tmp, is omitted. A user (or a scanner) that lists the drive through these APIs is told that no such files exist.

Before loading ~WTR4132.tmp, ~WTR4141.tmp also hooks several Ntdll.dll functions, including ZwMapViewOfSection, ZwCreateSection, ZwOpenFile, ZwClose, ZwQueryAttributesFile and ZwQuerySection. It then calls LoadLibrary with a specially formed file name that does not exist on disk. Normally LoadLibrary would simply fail; the hooked Ntdll.dll functions recognise the crafted name and serve the DLL from memory instead, so the main module is loaded without a normally named file ever being opened.

Phoning Home

After checking that it has Internet access, the worm contacts two URLs, www.mypremierfutbol.com and www.todaysfutbol.com, sending an encrypted HTTP request to them. These names point to a server that acts as the worm's command and control (C&C). The request body is encrypted with XOR using a static 31-byte key contained in the worm; because the key is fixed, it can be extracted from a sample and used to decipher captured traffic between the worm and the C&C. The information sent includes the Windows version, computer name, workgroup or domain name, whether SCADA software is installed, and the IP addresses of the network interfaces.

The C&C sends one of two types of response: a command to run a function already built into the worm, or a new DLL with additional functions. The built-in commands let the C&C read, write or delete a file, create a process, inject a DLL into lsass.exe, load an additional DLL, extract a resource from the worm's main DLL, or update the worm's configuration data.
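The practical consequence of a static XOR key, as described in the two paragraphs above, is that one small routine deciphers every captured beacon in both directions, and that an analyst who knows what a lab host reports can recover the key from a single capture. The script below is an added example, not the worm's code: the key length, the transport and the reported fields come from the text, but KEY itself and the byte layout used by serialize()/parse_beacon() are assumptions made so that the example runs; the real key and layout live in the worm's binary and are not reproduced here.

```python
"""Codec for a Stuxnet-style C&C beacon protected by a static 31-byte XOR key.

Added example, not the worm's code. The text gives the key length, the
transport (HTTP) and the fields reported; KEY below and the byte layout
used by serialize()/parse_beacon() are assumptions made so the example
runs. The point shown is the technique: with a static key one routine
deciphers captured traffic, and a known plaintext recovers the key.
"""
import socket
import struct

# Assumed key. The worm's real key is embedded in its binary and is not
# reproduced on the page; any 31 bytes serve to demonstrate the scheme.
KEY = bytes((0x67 + i) & 0xFF for i in range(31))


def xor_stream(data, key=KEY):
    """Repeating-key XOR. Symmetric: xor_stream(xor_stream(x)) == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def serialize(win_version, computer_name, workgroup, scada_installed, ips):
    """Plaintext beacon (assumed layout): u16 Windows version, two
    u8-length-prefixed UTF-8 strings, u8 SCADA flag, u8 IP count, 4 bytes/IPv4."""
    parts = [struct.pack("<H", win_version)]
    for s in (computer_name, workgroup):
        enc = s.encode("utf-8")
        parts.append(struct.pack("<B", len(enc)) + enc)
    parts.append(struct.pack("<BB", 1 if scada_installed else 0, len(ips)))
    parts.extend(socket.inet_aton(ip) for ip in ips)
    return b"".join(parts)


def build_beacon(win_version, computer_name, workgroup, scada_installed, ips, key=KEY):
    """What the worm would send: the serialised fields XORed with the key."""
    return xor_stream(serialize(win_version, computer_name, workgroup,
                                scada_installed, ips), key)


def parse_beacon(blob, key=KEY):
    """Decrypt and parse a beacon produced by build_beacon()."""
    raw = xor_stream(blob, key)
    off = 0
    (version,) = struct.unpack_from("<H", raw, off)
    off += 2
    strings = []
    for _ in range(2):
        n = raw[off]
        off += 1
        strings.append(raw[off:off + n].decode("utf-8"))
        off += n
    scada, count = raw[off], raw[off + 1]
    off += 2
    ips = [socket.inet_ntoa(raw[off + 4 * i:off + 4 * i + 4]) for i in range(count)]
    return {"version": version, "computer_name": strings[0],
            "workgroup": strings[1], "scada": bool(scada), "ips": ips}


def recover_key(ciphertext, known_plaintext, key_len=31):
    """Known-plaintext attack on a repeating XOR key.

    Given at least key_len bytes of plaintext aligned with the start of the
    ciphertext, the key is simply ciphertext XOR plaintext."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def demo():
    """Round-trip a constructed beacon from a lab host and recover the key.

    Returns (parsed fields, whether the recovered key equals KEY, beacon size)."""
    fields = dict(win_version=0x0501, computer_name="ENG-STATION-01",
                  workgroup="PLANT", scada_installed=True,
                  ips=["10.10.1.25", "192.168.0.7"])
    blob = build_beacon(**fields)          # as captured on the wire
    plain = serialize(**fields)            # what the analyst knows the lab host reports
    parsed = parse_beacon(blob)
    recovered = recover_key(blob, plain)
    return parsed, recovered == KEY, len(blob)


if __name__ == "__main__":
    parsed, key_ok, size = demo()
    print(size, "bytes;", "key recovered" if key_ok else "key mismatch")
    print(parsed)
```

In practice the key is read straight out of the sample, but the known-plaintext route matters when only a packet capture and a sandbox host are available: one beacon of at least 31 bytes from a host whose name, workgroup and addresses you control gives the whole key, after which every other capture decrypts with the same xor_stream() call.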

Targeting SCADA Software

Stuxnet specifically targets systems running Siemens Step 7 and WinCC SCADA software. It takes advantage of the fact that Siemens SIMATIC WinCC installations use a default database password, which may give the worm access to the software's database. The worm interacts with the DLLs Step 7 uses and tries to access project files, including cc_tag.sav, cc_alg.sav, db_log.sav and cc_tlg7.sav (all four in a subdirectory named \GracS), as well as any files with the extensions .S7P, .MCP and .LDF.

PLC Infection

It checks for certain types of Programmable Logic Controllers (PLCs, the embedded controllers used to automate electromechanical processes such as running machinery). Only PLCs with CPU types 6ES7-417 and 6ES7-315-2 are infected. How it infects the PLC depends on values it finds in the system data blocks; in particular it checks for the bytes 2C CB 00 01 at offset 50h and will not infect the PLC if they are absent.

It prepends its own code to OB1 (Organization Block 1, the main cyclic entry point of the PLC program) and OB35 (the entry point of a timed interrupt routine used to monitor critical inputs). It also locates DP_RECV, the standard block used to receive network frames from the Profibus DP coprocessor, copies the original to FC1869 and replaces DP_RECV with its own version, which lets it intercept Profibus communications and inject frames of the attacker's choosing. Under certain conditions it reads and writes I/O in the PLC's memory-mapped areas.

The worm installs itself in the PLCs of the industrial systems the SCADA software monitors. To do so, and to stay hidden, it replaces s7otbxdx.dll, the library Step 7 uses to talk to the PLC, with its own version. The replacement hooks the block enumeration, read and write functions, so anyone viewing the code blocks on an infected PLC through Step 7 will not see Stuxnet's blocks, and those blocks cannot be overwritten from Step 7 either. The worm looks for a specific factory environment and stops if it does not find it; the early analyses could not identify that environment or what the worm changed in it (the frequency-converter findings below came later).
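The three paragraphs above give a defender two concrete things to check on a PLC: the selection conditions (CPU family plus the 2C CB 00 01 fingerprint at offset 50h of the system data block) and the block-level artefacts (an extra FC1869, and OB1, OB35 and DP_RECV that no longer match the project backup). The script below is an added example, not Stuxnet's code and not a Siemens tool. It takes a CPU type string, raw SDB bytes and a {block name: bytes} listing as an engineer could export them from a known-clean workstation; the clean and infected listings in demo() are constructed, and only the CPU types, fingerprint and block names come from the text.

```python
"""Audit a Step 7 block listing against the infection conditions above.

Added example; not Stuxnet's code and not a Siemens tool. Inputs are a CPU
type string, raw system data block bytes and a {block name: bytes} listing,
as an engineer could export them from a clean workstation. The sample PLC
and baseline used by demo() are constructed; only the CPU types, the
fingerprint bytes/offset and the block names come from the text.
"""
import hashlib

TARGET_CPUS = ("6ES7-417", "6ES7-315-2")
FINGERPRINT = bytes.fromhex("2CCB0001")
FINGERPRINT_OFFSET = 0x50
WATCHED_BLOCKS = ("OB1", "OB35", "DP_RECV")


def cpu_is_target(cpu_type):
    """True for the two CPU families the worm infects."""
    return cpu_type.startswith(TARGET_CPUS)


def sdb_has_fingerprint(sdb):
    """True if bytes 2C CB 00 01 sit at offset 0x50 of the system data block."""
    return sdb[FINGERPRINT_OFFSET:FINGERPRINT_OFFSET + 4] == FINGERPRINT


def exposed(cpu_type, sdb):
    """Would this PLC pass both of the worm's selection checks?"""
    return cpu_is_target(cpu_type) and sdb_has_fingerprint(sdb)


def _digest(block):
    return hashlib.sha256(block).hexdigest()


def audit(blocks, baseline):
    """Compare a block listing with clean baseline hashes; return findings.

    blocks:   {name: bytes} as read from the PLC
    baseline: {name: sha256 hex} from a trusted project backup"""
    findings = []
    if "FC1869" in blocks:
        findings.append("FC1869 present: original DP_RECV appears to have been relocated")
    for name in WATCHED_BLOCKS:
        if name not in blocks:
            continue
        if name not in baseline:
            findings.append(f"{name}: no baseline hash to compare against")
        elif _digest(blocks[name]) != baseline[name]:
            findings.append(f"{name}: differs from baseline")
    return findings


def demo():
    """Constructed clean and infected listings for a 315-2 CPU."""
    clean = {
        "OB1": b"\x70\x01" + b"CALL FC100 ; main cycle",
        "OB35": b"\x70\x35" + b"timed interrupt",
        "DP_RECV": b"\x70\xff" + b"profibus receive",
    }
    baseline = {k: _digest(v) for k, v in clean.items()}
    infected = dict(clean)
    infected["OB1"] = b"\x00prepended stub\x00" + clean["OB1"]  # code prepended to OB1
    infected["DP_RECV"] = b"hooked receive"                     # DP_RECV replaced
    infected["FC1869"] = clean["DP_RECV"]                       # original copied aside
    sdb = bytearray(0x80)
    sdb[FINGERPRINT_OFFSET:FINGERPRINT_OFFSET + 4] = FINGERPRINT
    return {
        "exposed": exposed("6ES7-315-2DP", bytes(sdb)),
        "clean_findings": audit(clean, baseline),
        "infected_findings": audit(infected, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The listing must come from somewhere the worm's hooked s7otbxdx.dll is not in the path: a Step 7 installation on the infected engineering station would show the clean listing and report no findings, which is precisely the point of the hook. Read the blocks from a freshly built workstation, or compare against a backup taken before the suspected infection.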

Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. It acts only on drives operating between 807 Hz and 1210 Hz, and only after they have run in that range for some time. It then changes the drives' output frequency, and therefore the speed of the attached motors, for short intervals over a period of months: first to 1410 Hz, then to 2 Hz, then to 1064 Hz.
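Seen from the drive side, the behaviour just described is a long, steady dwell inside the 807 to 1210 Hz band followed by brief jumps far outside it, which is easy to spot if drive telemetry is logged independently of the compromised engineering station. The script below is an added example, not code from the page or from any drive vendor: it takes (seconds, hertz) samples, groups out-of-band samples into excursions and reports how long the drive sat in band before the first one. The sample series in demo() is constructed to mimic the 1410 Hz, 2 Hz, 1064 Hz sequence; the band limits are the figures from the text.

```python
"""Flag frequency-converter output excursions from the 807-1210 Hz band above.

Added example, not code from the page or any vendor. Input is drive
telemetry as (seconds, hertz) samples; the series in demo() is constructed
to mimic the sequence described above. Band limits are from the text.
"""
LOW_HZ, HIGH_HZ = 807.0, 1210.0


def excursions(readings, low=LOW_HZ, high=HIGH_HZ):
    """Group consecutive out-of-band samples into (start, end, min_hz, max_hz)."""
    out, cur = [], None
    for t, hz in readings:
        if low <= hz <= high:
            if cur is not None:
                out.append(tuple(cur))
                cur = None
        elif cur is None:
            cur = [t, t, hz, hz]
        else:
            cur[1], cur[2], cur[3] = t, min(cur[2], hz), max(cur[3], hz)
    if cur is not None:
        out.append(tuple(cur))
    return out


def dwell_before_first_excursion(readings, low=LOW_HZ, high=HIGH_HZ):
    """Seconds the drive sat inside the band before the first out-of-band sample.

    The worm waits for the drives to sit in the band "for some time" before
    acting, so a long dwell followed by a jump is the pattern to look for."""
    first = last = None
    for t, hz in readings:
        if not (low <= hz <= high):
            break
        if first is None:
            first = t
        last = t
    return 0.0 if first is None else last - first


def report(readings, low=LOW_HZ, high=HIGH_HZ):
    """Label each excursion as overspeed, underspeed or mixed."""
    events = []
    for start, end, lo, hi in excursions(readings, low, high):
        if hi > high and lo < low:
            kind = "mixed"
        elif hi > high:
            kind = "overspeed"
        else:
            kind = "underspeed"
        events.append({"start": start, "end": end, "min_hz": lo,
                       "max_hz": hi, "kind": kind})
    return {"dwell_before_first": dwell_before_first_excursion(readings, low, high),
            "excursions": events}


def demo():
    """Constructed one-sample-per-minute series: steady 1064 Hz, a burst at
    1410 Hz, back to 1064 Hz, a burst at 2 Hz, back to 1064 Hz."""
    series = [1064.0] * 11 + [1410.0] * 3 + [1064.0] * 5 + [2.0] * 2 + [1064.0] * 2
    readings = [(60.0 * i, hz) for i, hz in enumerate(series)]
    return report(readings)


if __name__ == "__main__":
    result = demo()
    print("in-band dwell before first excursion:", result["dwell_before_first"], "s")
    for ev in result["excursions"]:
        print(ev)
```

The telemetry has to come from the drives or from a passive tap on the fieldbus. Values read back through the hooked s7otbxdx.dll on an infected engineering station, or through a PLC whose DP_RECV has been replaced, are exactly the ones the worm controls.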

Effects

In addition to Iran, Stuxnet also infected systems in several other countries. By July 23, 2010, about 60 percent of all infections were in Iran, but it had also spread to India and Indonesia, and by the end of summer these three nations accounted for 80% of all Stuxnet infections. Other nations with notable shares of infections were, from the highest, Pakistan, Uzbekistan, Russia, Kazakhstan, Belarus, Kyrgyzstan, Azerbaijan, the United States, Cuba, Tajikistan and Afghanistan. The rest of the world accounted for 4.6% of infections.

Early in the worm's run, Symantec estimated that between 15,000 and 20,000 systems were infected. Around 14,000 IP addresses tried to connect to the command and control server, some of them representing more than one infected system, and some infected systems were not connected to the Internet at all. Siemens counted 15 plants running its SCADA software with a Stuxnet infection; according to Siemens, none of them suffered damage or modifications.

By the end of September Stuxnet had spread widely in China. Rising International estimated that the worm had infected six million personal computers and 1,000 corporate computers there.

Stuxnet at Iran's Nuclear Facilities

The Bushehr nuclear plant, which had experienced a number of setbacks, was thought by some to be the intended target. Its expected start-up was delayed three to four months for unclear reasons (one Iranian official cited hot weather; later a leak was blamed). Tehran denied that the worm had infected critical systems at Bushehr, but a plant director said that the personal computers of some staff connected with the plant were infected.

Whether the worm was present there is unknown, as is whether Bushehr was the intended target (assuming there was one). One of the Russian contractors building the plant also worked in other countries where Stuxnet was widespread. Siemens, however, had no contracts with Bushehr and was winding down its operations in Iran out of concern for its image; a Siemens expert said Bushehr was using an unlicensed copy of its software.

Whether or not Stuxnet targeted or even infected the plant, or Iran, the worm received a certain amount of attention from the Iranian government. The Atomic Energy Organization of Iran met in late September to discuss how to remove it. A former Iranian official appeared on the Al Jazeera programme "Behind the News" to deny vehemently that Iran had been seriously affected by the worm, while indicating that he believed it was aimed at Iran.

The Iranian government later all but reversed itself on this. At the end of November 2010 Mahmoud Ahmadinejad made statements that some observers read as an admission that Stuxnet had directly caused problems at Iran's nuclear plants: he said the virus had damaged several uranium enrichment centrifuges. The Israel Defense Forces confirmed that Iran was having some technological difficulties with its centrifuges at the Natanz facility.

Debka, an Israeli news site that reports mainly on conflicts in the Middle East, reported the Iranian government seeking help with removing the worm as early as September of that year. According to Debka's European sources, Iran was desperate to have it removed. Debka also reported that attempts to remove the worm made it more aggressive, but this is dubious: no analysis of the worm has revealed such a capability.

Langner Communications, a firm that had been closely monitoring Stuxnet and analysing its code since about the time it became widely known, said it believed Iran had been severely damaged by the worm. A consultant for the company told the Jerusalem Post that the worm was "nearly as effective as a military strike" and that the Iranian nuclear programme had been set back by two years.

Implications

Apart from the disputed Iranian claims above, Stuxnet has not yet been confirmed to have done major damage or to have cost anyone anything beyond clean-up time and expense. Its greatest known effect so far has been the speculation it caused about where it came from and what it means for the future of malware. One analyst described the worm's capabilities as disturbing.

Stuxnet was discussed at the Virus Bulletin 2010 conference in Vancouver. Liam O'Murchu, a Symantec security researcher, gave a presentation and a demonstration of what a program with similar capabilities could do: he inserted his own code (not Stuxnet) into a PLC controlling an air pump so that it inflated a balloon until it burst. O'Murchu noted that the same action on an oil pipeline would be catastrophic.

Origin

Stuxnet's origin is uncertain, and there are many theories about it, most of them based on the international politics of the day. The web sites it tries to contact were hosted in Denmark and Malaysia, two very different countries. The most popular theory is that it was created by an Israeli agency specifically to attack Iran's nuclear facilities. Antivirus researchers largely agreed that it was most likely created by a government or a large organisation.

Its time of origin is also something of a mystery. Antivirus companies discovered the worm in the summer of 2010, but it is thought to have begun spreading in June 2009. Some components carry compile dates as far back as January 2009, while newer variants have components with timestamps as late as July 2010.

Iran and its Nuclear Facilities as Possible Targets

The apparent primary target, the regional and world politics of the time and some clues in the worm itself suggest to many that it is of Israeli origin and intended to attack Iran. Around the time of its discovery, Iran was thought to be very close to having its own nuclear weapon, its leadership had become more belligerent and had long before explicitly stated its desire to push Israel into the sea, and Israel had already shown in 1981, by destroying a nuclear reactor in Iraq, that it was willing to use less subtle means. Israel was also reported to be "pouring" money into its Unit 8200 cyber-intelligence unit.

A text string inside the code was sometimes taken as a biblical reference, and is one of two (not very solid) links to Israel. The string, \myrtus\src\objfre_w2k_x86\i386\guava.pdb, is simply a debug-symbol path showing where the coder kept the source tree. Myrtus is the Latin name of the myrtle, a real plant that is mentioned in the Bible; beyond this, no other connection to any religious text has been found in the worm. Another name for the myrtle is hadassah, the Hebrew name of the biblical heroine Esther, who is central to the Purim festival. The string could equally stand for "My RTUs", since remote terminal units (RTUs) are an important component of SCADA systems. If it does refer to the plant, its significance is unknown.

The worm also sets a registry value of 19790509, which it uses as an infection marker (it will not infect a machine where the value is already present), and some observers took this as a significant clue: 1979.05.09 was the date on which a Jewish Iranian businessman was executed for spying for Israel. He was not an Israeli citizen, however, and it is unknown whether he ever intended to move to Israel or had any connection to the country beyond sharing its main religion. He was the only Jew executed that day, but not the only person: 37 others were executed too, some also accused of spying.

Its concentration in Iran was the main reason some people took Iran to be its intended target: Stuxnet was most widespread there during its first few months in the wild. It was first discovered in the wild by VirusBlokAda, an antivirus company based in Belarus, on the systems of a client in Iran.

Iran placed the blame squarely on "foreign enemies" and said that this and other attempts would not stop it from using nuclear power for peaceful purposes. Several alleged spies were arrested in late September in connection with spying on Iran's nuclear facilities. Whether they had any connection to the worm is unknown, but Iran's intelligence minister mentioned the spies, the worm and sabotage of the plants in the same statement to the semi-official Mehr news agency.

Opposition to this Theory

While some observers suspected Stuxnet had been written by a government or corporation to attack a specific target, others thought it too early to draw such a conclusion. The age of the worm when it became widespread, possible misinterpretation of clues found in it and the state of Iranian computer security are facts that may count against the theory that Stuxnet was an American or Israeli attack on Iran. One commentator described the worm's deployment as "amateur", while admitting that the worm itself is very advanced.

The evidence that Stuxnet is a government-sponsored cyber-weapon aimed at Iran, though convincing and even exciting to some, is entirely circumstantial. The timing seems right and the worm clearly goes after something very specific, but there is as yet no definitive link proving that the something is in Iran.

By the time of its discovery, Stuxnet's main binaries were 13 months old, having been compiled in June 2009. It was not discovered in Iran until July 2010, and although it was first discovered there, the first actual infection was later traced to a plant in Germany.

For a country so intent on provoking its many powerful enemies, Iran is extremely lax about computer security. Even rudimentary antivirus software is hard to obtain there, since most of it is produced in countries with an embargo against Iran. In addition, many critical-infrastructure systems, SCADA systems included, are connected to the Internet, whereas in most other parts of the world they generally are not. Iran's computers were simply the most susceptible to the worm.

So far no agency, corporation or hacker group has claimed responsibility. Pentagon spokesman Col. David Lapan said the Department of Defense could "neither confirm nor deny" launching the attack. While the statement may invite speculation that the Pentagon knows more than it is saying, in the end it contributed no new information.

Other Possibilities

There is a small possibility that it originated in Taiwan or has a deep Taiwan connection. The VeriSign certificate used to sign ~WTR4141.tmp was stolen from Realtek Semiconductor, and another version of the worm carries one stolen from JMicron Technology Corporation. Both companies have their headquarters in the Hsinchu Science Park in Taiwan.

Germany has also been named as a possible source, but the evidence for this theory is all circumstantial, like that for all the others: German intelligence works very closely with American intelligence, the worm attacks the software of a German company, and the first infection was found on a system there.

One theory suggests it may be a Chinese tool aimed at India in the two countries' race to the Moon: the Chinese government said it could land a man on the Moon in 2025, while India said its own programme could do so by 2020. The theory was put forward by someone sceptical of the Israel-against-Iran theory who argued that other, possibly better, theories exist.

Stuxnet Source Code for Sale

The source code was reportedly offered for sale in late November 2010, raising fears that the worm could be adapted to target anything. Whether it was being sold by a criminal organisation or had leaked from a government agency or corporation, or indeed whether the people claiming to sell it had it at all, is unknown. While some analysts gave dire warnings about what could happen if the source were sold, others called those warnings "irresponsible", "alarmist" and "sensationalist", noting that for a new variant to do anything as destructive as was being suggested, the people modifying the worm would have to be as capable as the people who created it. So far nothing has come of it, and some experts believe the code was never in the sellers' hands.

Other Facts

Two of the zero-day vulnerabilities Stuxnet exploits, including the Win32k.sys keyboard layout flaw described above, were patched in October 2010; they were two of the record 49 vulnerabilities Microsoft patched that month.

A trojan later identified by Symantec as Trojan.Fadeluxnet claimed to clean up Stuxnet. While it did remove the worm from drive C:, it also changed registry keys so that executables, MP3s and some popular image formats could no longer be opened or run, terminated some processes, and could wipe the entire C: drive.

Sources

Langner Communications.

Jarrad Shearer. Symantec, W32.Stuxnet. 2010.09.17

Aleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho. ESET, Stuxnet Under The Microscope (PDF).

Nicolas Falliere. Symantec, Exploring Stuxnet's PLC Infection Process. 2010.09.21

Mary Landesman. About.com Antivirus, How does the Stuxnet worm spread?.

Robert McMillan. Computerworld, Siemens: Stuxnet worm hit industrial systems. 2010.09.14

F-Secure Blog, Stuxnet Questions and Answers. 2010.10.01

Mary Landesman. About.com Antivirus, Stuxnet: Is Stuxnet Really Targeting Iran?.

Mary Landesman. About.com Antivirus, Debunking the Bunk of Stuxnet.

Mary Landesman. About.com Antivirus, Stuxnet: The Work of Aliens and Psychic Spies.

Gadi Evron. Dark Reading, Stuxnet: An Amateur's Weapon. 2010.10.15

Robert McMillan. Computerworld, Iran was prime target of SCADA worm. 2010.07.23

Mark Clayton. Christian Science Monitor, Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?. 2010.09.21

Leila al-Sheikhly. Al Jazeera, مهاجمة أنظمة المعلومات الإيرانية إلكترونيا (Attacking Iranian information systems electronically). 2010.09.27

Al Jazeera, Iran 'attacked' by computer worm. 2010.09.25

Al Jazeera, 'State-sabotage' behind Iran virus. 2010.09.26

Al Jazeera, Delay hits Iran Bushehr plant. 2010.09.29

Al Jazeera, Inside Story: A new frontier in cyber war?. 2010.10.02

Al Jazeera, Iran holds 'nuclear spies'. 2010.10.03

Ryan Naraine. ZDNet, Inside Stuxnet: Researcher drops new clues about origin of worm. 2010.09.30

Jeffrey Carr. Forbes, Did The Stuxnet Worm Kill India's INSAT-4B Satellite?. 2010.09.29

Brian Krebs. KrebsOnSecurity, Microsoft Plugs a Record 49 Security Holes. 2010.10.13

Shunichi Imano. Symantec Connect, Fake Stuxnet cleaner literally cleans up your computer. 2010.10.15

Reuters. Ynet News, Wary of naked force, Israel eyes cyberwar on Iran. 2009.07.07

Agence France-Presse (via Google), Stuxnet 'cyber superweapon' moves to China. 2010.09.30

Tyler Durden. Zero Hedge, Is Stuxnet The Secret Weapon To Attack Iran's Nukes; Is A Virus About To Revolutionize Modern Warfare?. 2010.09.23

Peter Apps. Reuters, Analysis: Cyber defenders, attackers probe Stuxnet's secrets, page 2. 2010.10.28

Frank Rieger. Frankfurter Allgemeine Zeitung, Der digitale Erstschlag ist erfolgt (The digital first strike has happened).

Associated Press. Fox News, Iran Claims Computer Worm is Western Plot. 2010.10.05

Justin Fishel. Fox News, Pentagon Silent on Iranian Nuke Virus. 2010.09.27

John Leyden. The Register, Stuxnet code leak to cause CYBER-APOCALYPSE NOW!. 2010.11.26

Larry Seltzer. PC Magazine, Experts Doubt Stuxnet Source Code for Sale. 2010.11.27

Eric Chien. Symantec, Stuxnet: A Breakthrough. 2010.11.12

Chris Williams. The Register, Iran admits cyberattack hit nuke programme. 2010.11.29

Yaakov Katz. The Jerusalem Post, Stuxnet virus set back Iran's nuclear program by 2 years. 2010.12.15

Bare Naked Islam, IRAN begs for help with the rampaging StuxNet Cyber Worm. 2010.09.29
