Sophisticated Stuxnet

September 22, 2010

Last summer, a new example of computer malware showed up, spread initially by infected USB drives.  It was first noticed in June, and gained more notice in July when Microsoft issued a Security Advisory (2286198) about the exploited vulnerability, which was caused by a flaw in the way .LNK files were processed.  The original advisory also indicated that the malware, called Stuxnet, appeared to target industrial control and SCADA systems.  Microsoft subsequently issued a Security Bulletin (MS10-046), with an out-of-schedule patch for the flaw, on August 2.

Computer World now has a report on some further analysis of Stuxnet that has been carried out by Kaspersky Labs and by Symantec.  It turns out that the Stuxnet worm is considerably more sophisticated than was first thought.  In addition to the .LNK vulnerability that was initially recognized, the program has exploits built in for three other Windows vulnerabilities.  One of these, in the print spooler, was patched by Microsoft in its monthly security update on Tuesday, September 14.  The other two vulnerabilities, classed as “elevation of privilege” flaws, will be fixed in a future release.  The worm also incorporates an exploit for an older vulnerability in Windows, patched in 2008.  Both security firms said that Stuxnet showed a much higher level of sophistication than typical Internet malware.

The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.

“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.

The worm managed to pass undetected for at least a few months, helped by the fact that it included two stolen digital certificates.  As Microsoft originally indicated, the worm specifically targeted SCADA systems, in particular the WinCC and PCS 7 SCADA management programs, associated with equipment manufactured by Siemens.

An article in the Christian Science Monitor suggests an even more disturbing possibility: that Stuxnet is not just an espionage device, or malware in the usual sense, but is intended to be a weapon.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them.

The first in-depth analysis of the worm was carried out by a German researcher, Ralph Langner, and is posted on his Web site.  According to the Monitor article, his findings have subsequently been confirmed by other security researchers.

Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

The article also suggests that Iran’s Bushehr nuclear reactor may have been the intended target, although the evidence for this is sketchy.

Regardless of its target, Stuxnet represents another step in the evolution of computer malware.  As I have noted before, we have for some time been seeing malware that is not the work of bored adolescents, but is directed toward specific criminal activity.  Stuxnet, whether created by an agency of a national government or someone else, represents another escalation in the arms race between the malware writers and system defenders.  It is not a reassuring development.
