How they work: “The Stuxnet Worm”

As you read this article, the "Stuxnet worm" has taken the computer world by storm. Talk is rife that it is a form of "cyber warfare". Some people are quoting biblical references that bring to mind "The Da Vinci Code."

Sunday, October 10, 2010

Stuxnet, which first surfaced in July, is believed to be the first known malware that targets the control systems at industrial facilities such as power plants.

At the time of its discovery, the assumption was that espionage lay behind the effort, but subsequent analysis by Symantec showed that the malware is able to take control of plant operations outright.

What is Stuxnet?

A German security researcher specializing in industrial-control systems suggested in mid-September that Stuxnet may have been created to sabotage a nuclear power plant in Iran.

Talk is rife that the malware was distributed by Israel or the United States in an attempt to interfere with Iran's nuclear program, although there is no proof of that.

There is no evidence as to who is behind the malware, or even which country or operation was the intended target, though it is clear that most of the infections have been in Iran (about 60 percent), followed by Indonesia (about 18 percent) and India (close to 10 percent), according to Symantec.

Rather than establishing the target for Stuxnet, that statistic could merely indicate that Iran was less diligent about using security software to protect its systems, said Eric Chien, technical director of Symantec Security Response.

German researcher Ralph Langner speculates that the Bushehr nuclear plant in Iran could be a target because it is believed to run the Siemens software Stuxnet was written to attack.

Others suspect the target was actually the uranium centrifuges in Natanz. It seems that Iran is the target, and data regarding the geography of the infection lends credence to that notion, analysts say.

According to a note WikiLeaks published in July 2009, a source associated with Iran's nuclear program confidentially told the site of a serious, recent nuclear accident at Natanz, the location of Iran's uranium enrichment program.

WikiLeaks had reason to believe the source was credible, but contact with the source was lost. WikiLeaks would not normally mention such an incident without additional confirmation; however, according to Iranian media and the BBC, the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, had resigned under mysterious circumstances.

On a similar note, according to The New York Times, "an Iranian intelligence official said this weekend that authorities had detained several spies connected to cyberattacks against its nuclear program."

Iranian officials have said that 30,000 computers were affected in the country as part of "electronic warfare against Iran."

Specialists have hypothesized that it would take the resources of a nation state to create the software.

It signs its drivers with code-signing certificates stolen from two hardware vendors, Realtek and JMicron, so that Windows accepts them, and it exploits five different Windows vulnerabilities, four of which were zero-days when the worm was found (two have since been patched by Microsoft). Stuxnet also hides its files with a rootkit on the infected system and exploits a password hardcoded into the Siemens WinCC software for its Microsoft SQL Server database.

It propagates in a number of ways: through the Windows vulnerabilities, peer-to-peer communication between infected machines, network shares, and USB drives. Stuxnet embodies inside knowledge of the Siemens WinCC/Step 7 software: it fingerprints a specific industrial control system configuration, uploads an encrypted program, and modifies the code on the Siemens programmable logic controllers (PLCs) that control the automation of industrial processes such as pressure valves, water pumps, turbines and nuclear centrifuges, according to various researchers.
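The hardcoded database password mentioned above is a defect worth checking for in any shipped control-system software. The following is an added example, not code from the article, from Symantec or from Siemens: a small scan for passwords embedded in shipped configuration and source files, beside a hardened connection-string builder that takes the credential from the host's environment instead. The file names, contents and password values are constructed for the example; the real WinCC credential is not reproduced here.

```python
import re
from typing import Dict, List

# Constructed sample files (not real Siemens or WinCC content): a configuration file and a
# source file of the kind a vendor might ship, each with a password written into it,
# plus a file that mentions passwords without containing one.
SAMPLE_FILES = {
    "hmi/db.ini": (
        "[database]\n"
        "ConnectionString=Driver={SQL Server};Server=.\\HMI;Database=Project;"
        "Uid=hmi_user;Pwd=Example123;\n"
    ),
    "hmi/reader.py": (
        "conn = connect(server='localhost', user='dbreader', password='s3cret')\n"
        "token = os.environ['DB_PASSWORD']  # fine: fetched at runtime\n"
    ),
    "hmi/readme.txt": "Password policy: rotate every 90 days.\n",
}

# The common ways a credential ends up inline: ODBC/key=value pairs and quoted literals.
PATTERNS = [
    re.compile(r"(?i)\b(pwd|password)\s*=\s*([^;\s'\"]+)"),   # Pwd=...; or password=...
    re.compile(r"(?i)\bpassword\s*=\s*['\"]([^'\"]+)['\"]"),   # password='...' in code
]


def mask(secret: str) -> str:
    """Keep two characters so a finding can be matched to its source without re-exposing it."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_hardcoded_credentials(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan shipped files for embedded passwords; returns one finding per hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pat in PATTERNS:
                for m in pat.finditer(line):
                    findings.append(
                        {"path": path, "line": lineno, "secret": mask(m.group(m.lastindex))}
                    )
    return findings


def build_connection_string(server: str, database: str, user: str, env: Dict[str, str]) -> str:
    """Hardened form: the password is provisioned per installation (here via a hypothetical
    HMI_DB_PASSWORD environment variable, in practice a secrets store) and never appears
    in the shipped files, so one leaked copy does not open every installation."""
    password = env.get("HMI_DB_PASSWORD")
    if not password:
        raise RuntimeError("HMI_DB_PASSWORD is not provisioned on this host")
    return f"Driver={{SQL Server}};Server={server};Database={database};Uid={user};Pwd={password};"


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: hardcoded password {f['secret']}")
    print(build_connection_string(".\\HMI", "Project", "hmi_user", {"HMI_DB_PASSWORD": "per-host"}))
```

The scan reports the two embedded passwords and ignores the runtime lookup and the policy text; the point of the hardened builder is that a vendor-wide password, once known to one attacker, is known to all, whereas a per-host credential limits the blast radius.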

Through its analysis of the code, Symantec has worked out the files and instructions that Stuxnet injects into the programmable logic controller, but Symantec lacks the context to say what the injected code is intended to do, because the outcome depends on the process and equipment the infected controller drives.

"We know that it says to set this address to this value, but we don’t know what that translates to in the real world,” Chien said.

To map what the code does in different environments, Symantec is looking to work with experts who have experience in multiple critical infrastructure industries.

Symantec's report found the value "0xDEADF007" used to mark when a process has reached its final state. The report suggests that it may stand for "Dead Fool" or "Dead Foot", the latter a term for engine failure in an airplane.

Even with those hints, it’s unclear whether the suggested intention would be to blow a system up or merely halt its operation.

Stuxnet may already have struck its target, and whoever was targeted has simply not disclosed it publicly, experts said. But, again, there is no evidence of this. The software has certainly been around long enough for a lot to have happened.

Microsoft learned of the vulnerability Stuxnet exploits in early July, but its research indicates that the worm was under development at least a year before that, said Jerry Bryant, group manager for Microsoft Response Communications.

"However, according to an article that appeared last week in Hakin9 IT Security Magazine, the Windows Print Spooler vulnerability (MS10-061) was first made public in early 2009," he said.

"This vulnerability was independently rediscovered during the investigation of the Stuxnet malware by Kaspersky Labs and reported to Microsoft in late July of 2010.”

"They've been doing this for almost a year," Chien said. "It's possible they hit their target again and again."

There is a "kill date" encoded into the malware: it is designed to stop spreading on June 24, 2012. However, infected computers will still be able to communicate via peer-to-peer connections, and machines whose date and time are set wrongly will continue to spread the malware after that date, according to Chien.
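Chien's caveat is the practical point: a kill switch keyed on the local clock only holds on hosts whose clocks are right. The following is an added example, not code from the article or from Symantec, that models the gate as described (local clock against the kill date, with the peer-to-peer channel left ungated) and then runs the check a defender would want over a fleet: which hosts, by their own clocks, would still spread, and how far each clock is behind a reference. The host names and clock readings are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# The kill date Symantec reports for the worm's spreading code.
KILL_DATE = datetime(2012, 6, 24)


def would_spread(local_clock: datetime, via_peer_update: bool = False) -> bool:
    """The gate as the article describes it: spreading stops once the host's *own* clock
    passes the kill date, while the peer-to-peer channel between infected hosts is not gated."""
    if via_peer_update:
        return True
    return local_clock < KILL_DATE


# Constructed fleet snapshot (not real data): what each host's clock read at the moment the
# reference clock read 2012-07-01 12:00, a week after the kill date.
REFERENCE_NOW = datetime(2012, 7, 1, 12, 0)
FLEET = {
    "hmi-01": datetime(2012, 7, 1, 12, 0, 3),      # in sync
    "hmi-02": datetime(2012, 6, 30, 9, 0),         # a day behind, but still past the kill date
    "eng-ws-07": datetime(2009, 1, 1, 0, 0),       # clock never set after a rebuild
    "plc-gw-03": datetime(2011, 12, 31, 23, 59),   # badly behind
}


def hosts_still_spreading(fleet: Dict[str, datetime]) -> List[str]:
    """Hosts from which the worm would still spread, judged by each host's own clock."""
    return sorted(host for host, clock in fleet.items() if would_spread(clock))


def clock_skew(fleet: Dict[str, datetime], reference: datetime,
               tolerance: timedelta = timedelta(minutes=5)) -> Dict[str, timedelta]:
    """Defender's check: hosts whose clock is behind the reference by more than `tolerance`.
    A date-based kill switch is only as good as these clocks, so drift is worth inventorying."""
    return {host: reference - clock for host, clock in fleet.items()
            if reference - clock > tolerance}


if __name__ == "__main__":
    print("still spreading by own clock:", hosts_still_spreading(FLEET))
    for host, behind in clock_skew(FLEET, REFERENCE_NOW).items():
        print(f"{host}: clock behind reference by {behind}")
```

Two of the four hosts keep spreading a week after the kill date purely because their clocks are wrong, and the skew report catches a third host whose clock is also off even though it happens to be past the kill date; the peer-to-peer path is unaffected by any clock.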

Some sources think that Stuxnet may have contributed to the Gulf of Mexico oil spill at Deepwater Horizon. This is unlikely, though Deepwater Horizon did have some Siemens PLC systems on board, according to F-Secure.
  
eddie@afrowebs.com