Stuxnet: Dissecting the Worm
Aug 16, 2010 6:00 AM PT
The Stuxnet worm, which targets industrial control systems, or "SCADA" systems, is one of the most sophisticated pieces of malware security researchers have come across in a long time. Now, those researchers want to know where it came from. Was Stuxnet the product of a den of hackers working on their own, or did a national government somewhere in the world have a hand in its creation?
"Given the sophistication and organization behind it, we highly suspect it has nation-state involvement rather than being a tool for competitive intelligence," Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab, told TechNewsWorld.
Security experts are still trying to find out who created and distributed the Stuxnet worm, and why.
Stuxnet's Tricky Makeup
Stuxnet can be looked at as having two components: an exploit (or Trojan) part and a rootkit part, Fortinet security researcher Guillaume Lovet wrote. In addition, its drivers are signed with stolen code-signing certificates that VeriSign had legitimately issued to other companies, so Windows loads them without complaint.
The rootkit part of the threat consists of two malicious drivers, mrxnet.sys and mrxcls.sys. Both are dropped into System32\drivers\ in an attack. They have all the features of a rootkit: they hide the worm's files from the user and inject malicious code into key processes on the system under attack. This code spies on the system and sends information back to the attackers, Lovet wrote.
Stuxnet introduced the first known rootkit for SCADA systems, according to Nicolas Falliere, a senior software engineer at Symantec.
Stuxnet can profile systems, and it behaves differently on an ordinary corporate machine than on a SCADA system, Kaspersky's Schouwenberg said. Once a computer is infected, it becomes part of the Stuxnet botnet. The worm works on all versions of Microsoft Windows after Windows 2000, he added.
In addition to stealing code and design projects and hiding itself using a classic Windows rootkit, Stuxnet can upload its own code to the programmable logic controllers (PLCs) in SCADA systems. The PLCs contain code that controls the automation of industrial processes. By uploading code to PLCs, Stuxnet can potentially control or change how the system operates, Symantec's Falliere wrote.
Stuxnet hides the code it uploads to PLCs so when a programmer using an infected machine tries to see all the code blocks on a PLC, those uploaded by Stuxnet will not show up, stated Falliere. Stuxnet contains 70 encrypted code blocks that apparently replace some foundation routines that handle simple, common tasks such as comparing file names.
A Diet of Worms?
SCADA systems in Iran bore the brunt of the Stuxnet attack. India and Indonesia were also badly hit, but nowhere near as hard as Iran.
"It's hard to say whether all three of these countries were targeted, or whether Iran was the primary target and the other countries got infected because some SCADA engineers who traveled between them accidentally infected computers there," Kaspersky's Schouwenberg said.
"The geographic distribution strongly suggests that the attack was targeted at one or a few countries," Schouwenberg pointed out. "That and the sophistication of the attack makes competitive espionage much less likely than an intelligence operation."
"It's possible that the Stuxnet worm was created or funded by a nation-state," Tom Parker, director of security consulting services at Securicon, told TechNewsWorld. "Due to the range of technologies utilized in Stuxnet, and diverse programming styles between the root kit, the dropper and the exploit, it's unlikely to be the work of one individual."
The worm spread through infected USB sticks: because of the Windows shell flaw it exploits, simply opening a folder that contains its malicious shortcut files is enough to run it, with no click required. Wouldn't that method be too sloppy for any self-respecting intelligence agency? It couldn't ensure which targets were hit or even whether the worm was properly distributed.
"We don't know how Patient Zero got infected," Schouwenberg explained. "I'd argue that it's very likely that the initial targets were carefully selected. However, because Stuxnet operates as a worm, it may well have ended up in unintended places," he added.
Other Possible Sources
Some have their doubts that a government could be behind Stuxnet. The random spread of the worm makes it unlikely that it was created or sponsored by a nation-state, Randy Abrams, director of technical education at ESET, told TechNewsWorld.
"A widespread attack will make it difficult to figure out the intended victim, but, if it's discovered that a country attacked virtually every other state in the world, including its allies, things would get a bit messy," Abrams explained.
Stuxnet exploited the .lnk vulnerability in the Windows shell (CVE-2010-2568, fixed by Microsoft in bulletin MS10-046 on Aug. 2): a crafted shortcut file makes Explorer load an attacker-chosen DLL merely to render the shortcut's icon, so viewing the folder is enough to execute the code. That's another reason Abrams doubts that a nation-state funded or created the worm, since the vulnerability has already been burned and patched.
"The .lnk vulnerability would probably have a lot more valuable uses to a nation-state than attempts to infiltrate SCADA systems," Abrams pointed out. "On the other hand, if a cybergang was behind the attack, it would have several potential customers if it managed to get confidential SCADA information from a variety of countries."
Alternatively, a single hacker might have created Stuxnet and disclosed the .lnk vulnerability in order to show how vulnerable SCADA systems are, Abrams speculated. Finally, there's the possibility that Stuxnet was spawned in an attempt to gain corporate intelligence, Abrams said.
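The shortcut flaw discussed above can be recognised in a .lnk file before its icon is ever rendered. The detector below is an added example written for this page, not code from the article, from Microsoft or from any vendor quoted here. It parses the Shell Link header and the LinkTargetIDList and flags a shortcut whose target list enters the Control Panel folder and then names a .dll or .cpl module, which is the shape the unpatched shell would load. The two sample shortcuts, their item type bytes and the share path in the malicious one are constructed test data, not taken from a real Stuxnet sample.

```python
"""Detect .lnk files carrying the Control Panel DLL-loading pattern (CVE-2010-2568).
Added example, not code from the article or any vendor quoted in it."""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST = 0x1  # LinkFlags bit 0: a LinkTargetIDList follows the header

# Shell folder CLSIDs as they are stored inside an ItemID (little-endian GUID layout)
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
# A Control Panel item names its module as a UTF-16LE path; these are the suffixes to flag
MODULE_SUFFIXES = tuple(s.encode("utf-16-le") for s in (".dll", ".cpl"))


def parse_idlist(data: bytes) -> list[bytes]:
    """Return the ItemID payloads of the LinkTargetIDList that follows the header.

    Layout: uint16 IDListSize, then ItemIDs of (uint16 ItemIDSize, which counts
    itself, followed by ItemIDSize-2 bytes of data) until a uint16 0 TerminalID.
    """
    if len(data) < LNK_HEADER_SIZE + 2:
        raise ValueError("shortcut truncated before IDList")
    (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = min(pos + idlist_size, len(data))
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def is_control_panel_dll_lnk(data: bytes) -> bool:
    """True if the target list enters the Control Panel folder and a later item
    names a .dll/.cpl module: the unpatched shell loaded that module just to
    draw the shortcut's icon, so no click was needed."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return False  # not a Shell Link at all
    if not flags & HAS_LINK_TARGET_IDLIST:
        return False  # nothing to resolve, nothing to load
    inside_control_panel = False
    for item in parse_idlist(data):
        if CONTROL_PANEL in item:
            inside_control_panel = True
        elif inside_control_panel and any(s in item.lower() for s in MODULE_SUFFIXES):
            return True
    return False


def build_lnk(items: list[bytes]) -> bytes:
    """Assemble a minimal Shell Link around the given ItemIDs (constructed test data)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, icon index zeroed
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: item type bytes and the share path are illustrative, not from a real sample.
MALICIOUS_LNK = build_lnk([
    b"\x1f" + MY_COMPUTER,
    b"\x1f" + CONTROL_PANEL,
    b"\x00" * 4 + "\\\\fileserver\\share\\payload.dll".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_LNK = build_lnk([
    b"\x1f" + MY_COMPUTER,
    b"\x2f" + b"C:\\\x00",
    b"\x31" + b"notepad.exe\x00",
])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, "->", "FLAG" if is_control_panel_dll_lnk(blob) else "clean")
```

Treat a hit as a triage signal rather than proof: a legitimate shortcut to a Control Panel applet can take the same shape, so the flagged file should be opened in a hex viewer and the named module located and checked before anyone concludes it is Stuxnet. Running the scan over removable media and network shares, where the worm dropped its shortcuts, is the practical use.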
The Hunt for Stuxnet's Creator
The security community is searching for the person or organization behind the Stuxnet worm.
"The security community is always fascinated with the origins of worms -- particularly when they make use of unpublished flaws," Securicon's Parker said.
"We're still investigating Stuxnet and trying to figure out more details," Kaspersky's Schouwenberg said.
For its part, "Microsoft, as a general practice, works with law enforcement when our investigations reveal potential criminal activity," spokesperson Jerry Bryant told TechNewsWorld. He said users who believe they have been affected by Stuxnet should refer to Microsoft's security advisory on the shortcut flaw (Security Advisory 2286198) for more information.
Tracking down the culprit won't be easy.
"A lot more work needs to be done before any kind of credible attribution regarding Stuxnet can be performed," Securicon's Parker pointed out.
A possible clue is that one of the Stuxnet rootkit device drivers carries a debug string, the path to the symbol file its compiler wrote, that contains the words "myrtus" and "guava": b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb. Both plants belong to the Myrtaceae family, which also includes the eucalyptus plant.
"Programmers and systems administrators often choose nomenclatures for their works based on topics of interest to them, in this case, possibly, botany," Parker said.
Whether or not that helps in tracking down a suspect remains to be seen.
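The debug string that yielded the "myrtus" and "guava" clue is a CodeView record that Visual C++ leaves in a binary. The scanner below is an added example written for this page, not code from the article or any vendor quoted in it; it finds RSDS records in raw bytes and decodes the GUID, age and PDB path, then splits the path into the names an analyst would read. The driver fragment it runs on is constructed: the path is the publicly reported string, while the GUID, age and surrounding bytes are made up.

```python
"""Recover the PDB symbol path left in a Windows PE file's CodeView debug record.
Added example, not code from the article or any vendor quoted in it."""
import re
import struct
import uuid

# CodeView record as emitted by Visual C++:
#   'RSDS' | 16-byte GUID | uint32 age | NUL-terminated PDB path
RSDS_RECORD = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00",
    re.DOTALL,
)


def extract_pdb_paths(blob: bytes) -> list[dict]:
    """Scan raw bytes for RSDS records and decode each one.

    Scanning instead of walking the PE debug directory means this also works
    on a memory dump, an unpacked section, or a carved fragment of a driver.
    """
    found = []
    for m in RSDS_RECORD.finditer(blob):
        found.append({
            "guid": str(uuid.UUID(bytes_le=m.group("guid"))),
            "age": struct.unpack("<I", m.group("age"))[0],
            "path": m.group("path").decode("ascii"),
        })
    return found


def path_words(path: str) -> list[str]:
    """Directory and file names in the PDB path, drive letter and .pdb suffix dropped:
    the words ('myrtus', 'guava') that get read as a clue about the author."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if parts and parts[0].endswith(":"):
        parts = parts[1:]
    return [p[:-4] if p.lower().endswith(".pdb") else p for p in parts]


# Constructed driver fragment: padding around one RSDS record. The path is the
# publicly reported Stuxnet driver string; the GUID and age are made up.
SAMPLE_DRIVER_FRAGMENT = (
    b"MZ" + b"\x90" * 46
    + b"RSDS"
    + uuid.UUID("0123abcd-4567-89ef-0123-456789abcdef").bytes_le
    + struct.pack("<I", 2)
    + b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
    + b"\x00" * 24
)

if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_DRIVER_FRAGMENT):
        print(rec["path"], "->", path_words(rec["path"]))
```

The PDB path is only as honest as the build environment that produced it: a developer chooses the project directory and can set it to anything, so it is a lead for correlating samples from the same build tree, not evidence of who typed it.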