Sunday, September 26, 2010

The Stuxnet Worm, Windows & The Internet

A malware known as Stuxnet has attracted major media attention in recent days. This software inserts itself into computer systems using Microsoft Windows, Microsoft Explorer, and WinCC developed by the German electrical engineering giant Siemens AG. The latter piece of software is a Supervisory Control and Data Acquisition, or SCADA, application named Simatic S-7 that controls large scale industrial processes like power plants.

Stuxnet is a type of computer worm. That is, the program self-installs executable files that can be hidden on a USB flash memory stick or hard drive to the host computer. Subsequently, the executables are capable of transferring other files through the internet, if a connection is available. Stuxnet checks for narrowly specified system configurations and only acts if WinCC is running. Therefore, its mission consists of taking control of only a small number of exclusive targets.

An East European security firm was first to report Stuxnet last July. The worm is believed to have been active for about a year and has caused considerable disruptions in Asia, notably Iran. Potentially, the program may be capable of disrupting plant operations leading up to the destruction of the facilities. Its release is considered the first discovered cyber attack meant not only to disrupt information technology, but furthermore destroy capabilities.

The Chertoff Group's internet security expert David Falkenrath provides interesting insights on Stuxnet's impact and its ramifications in this interview by Bloomberg's Deidre Bolton entitled "Virus May Target Nuke Plant" aired Sep. 24, 2010.

Supposedly the vulnerabilities in Microsoft Explorer exploited by Stuxnet have been plugged. What may be of interest to the common user is that the worm used Microsoft approved security signatures from the network interface card chipset maker Realtek and the flash memory controller developer JMicron to install its files via the internet in the disguise of seemingly legitimate Microsoft-certified driver updates.

We should be safe as long as we keep our system and browser up to date with the latest security patches and avoid legacy hardware with obsolete drivers. That is, we should upgrade to the newest generation of internet adapter cards and regularly update the drivers, downloading directly from manufacturer sites.

  • In 2007, a large-scale bribery scandal broke in Germany, implicating Siemens AG's business in Southeast Asia. By 2008, a number of employees involved in this affair were let go. It only takes one disgruntled software engineer with intricate knowledge of the SCADA program running the targeted facility, maybe with the help of one or two other hackers knowledgeable in Microsoft Explorer and USB driver vulnerabilities, to accomplish Stuxnet in revenge. Perhaps, Iran is a clever diversion, Siemens already paid, and we never find out the actually intended target (10/04/10).
  • According to William J. Broad and David E. Sanger's article with the title "Worm Was Perfect for Sabotaging Centrifuges" published online in the New York Times today, recent results from the ongoing examination of Stuxnet code suggest that the worm was meant to target the speed control of ultra-centrifuges as those used for uranium enrichment, revving up their speeds to destructive levels. Since the implicated controllers were identified as products manufactured by companies in Finland and Iran, uranium enrichment facilities in Iran may have been the target (11/18/10).
  • According to William Broad, John Markoff and David Sanger's article with the title "Israel Tests on Worm Called Crucial in Iran Nuclear Delay" published online in The New York Times yesterday, more signs point to Israel and the U.S. as Stuxnet's originators with centrifuges in Iran's Natanz uranium enrichment plant as the target (01/16/11).
  • John Markoff reports in his article with the title "Malware Aimed at Iran Hit Five Sites, Report Says" posted online Feb. 11, 2011, that according to a Symantec study Stuxnet may have infiltrated as many as five Iranian institutions in three, possibly four, waves (01/13/11).
  • Listen to KCRW TO THE POINT's Warren Olney interview David Albright, President of the Institute for Science and International Security, on Stuxnet's effects in Iran 44 minutes into today's show with the title "A New Paradigm in the Middle East". According to Albright, Stuxnet disrupted the Iranian uranium enrichment program noticeably, but only in small ways. The greater threat may lie in the potential of adversaries using the worm, now public, as prototype for future attacks elsewhere (02/16/11).
  • According to Noah Shachtman's WIRED report with the title "Computer virus hits U.S. drone fleet" published online on CNN today, U.S. drones have been infected with a tracking virus, possibly through USB flash memory devices. This is not quite stuxnet yet, but a first step seems taken (10/10/11).
  • According to David Sanger's article with the title "Obama Order Sped Up Wave of Cyberattacks Against Iran" published online in The New York Times today, U.S. officials unofficially admitted that U.S. intelligence agencies created Stuxnet in collaboration with Israeli cyber warfare specialists to destroy ultra-centrifuges at the Natanz uranium enrichment facility in Iran. The article is scant on detail and Sanger's book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" to be published next week may be more illuminating (06/01/2012).
Related Posts

No comments: