Saturday, October 16, 2010


Stuxnet, a Trojan supposedly designed to attack Iran's nuclear program, is so technically advanced that it is said to be able to remotely explode a power plant without the controller noticing. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram programmable logic controllers (PLCs) and hide the changes. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.


It is the first-ever computer worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure. Furthermore, the worm's probable target has been said to be high-value infrastructure in Iran using Siemens control systems. According to news reports, the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start-up of Iran's Bushehr Nuclear Power Plant. Siemens has stated, however, that the worm has not in fact caused any damage.



Speaking at the Kaspersky Security Symposium with international journalists in Munich, Germany, Kaspersky described Stuxnet as the opening of "Pandora's Box."
"This malicious program was not designed to steal money, send spam, grab personal data, no, this piece of malware was designed to sabotage plants, to damage industrial systems," he said.
"I am afraid this is the beginning of a new world. The '90s were a decade of cyber-vandals, the 2000s were a decade of cybercriminals, I am afraid now it is a new era of cyber-wars and cyber-terrorism," Kaspersky added.
Researchers at Kaspersky Lab discovered two of the four zero-day vulnerabilities the worm exploits, which they reported directly to Microsoft. The analysts then worked closely with Microsoft during the creation and release of the patches for these vulnerabilities.



Country          Infected computers
China            600,000,000 (unconfirmed) (October 1)
Iran             62,867
Indonesia        13,336
India            6,552
United States    2,913
Australia        2,436
Britain          1,038
Malaysia         1,013
Pakistan         993
Finland          7
Germany          5 (September)

What does it do? 
The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs or Programmable Logic Controllers, components used to operate and monitor industrial machinery. The consensus among people who've studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.

Ok, in theory: what could it do?
A: It could adjust motors, conveyor belts, pumps. It could stop a factory. With the right modifications, it could cause things to explode.

Can it spread via other USB devices?
A: Sure, it can spread via anything that you can mount as a drive, like a USB hard drive, mobile phone, picture frame and so on.

Disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use. The LNK vulnerability used by Stuxnet would infect you even if AutoRun and AutoPlay were disabled.


The current versions have a "kill date" of June 24, 2012, after which they will stop spreading.