What can I say about the Stuxnet worm that hasn’t been said yet… It is one of the most media-covered (read: hyped) pieces of malware of recent years, and by far the most sophisticated malware seen to date.
Here are some of the highlights of the Stuxnet worm:
- Discovered in June 2010 by VirusBlokAda, a Belarus based Anti-Virus vendor.
- Targets Supervisory Control And Data Acquisition (SCADA) systems, specifically Siemens SIMATIC WinCC and PCS 7.
- Ability to reprogram Programmable Logic Controllers (PLCs): it injects its own code blocks into the Siemens PLC through the Step 7 engineering software and hides them from anyone who later inspects the PLC program.
- Uses three different vulnerabilities to spread itself: CVE-2010-2568, the CPLINK/LNK shortcut vulnerability (MS10-046); CVE-2010-2729, the Print Spooler vulnerability (MS10-061); and CVE-2008-4250, the Windows Server Service RPC handling vulnerability (MS08-067) that the Conficker worm also used. The first two were 0days when the worm was discovered.
- Two more zero-day exploits, both for local privilege escalation: one for Windows XP/2000 (via a malicious keyboard layout file) and one for Windows Vista/7 (via the Task Scheduler). Both were still unpatched at the time of writing (Microsoft later fixed them in MS10-073 and MS10-092 respectively).
- Uses hard-coded credentials in Siemens WinCC (uid=WinCCConnect;pwd=2WSXcder), which let a local user log in to the back-end SQL Server database and gain privileges (CVE-2010-2772).
- Its kernel-mode drivers (MrxCls.sys and MrxNet.sys) are digitally signed with certificates stolen from Realtek Semiconductor Corp. and JMicron Technology Corporation, so they load cleanly even where Windows enforces driver signing.
Yeah, I know. That is one crazy worm.
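Since the LNK bug (CVE-2010-2568) is what lets Stuxnet run straight off a USB stick the moment Explorer renders the folder, here is a small triage script for shortcut files. It is an added example, not code from the original post or from any of the analyses linked below: it parses the Shell Link header and the LinkTargetIDList and flags shortcuts whose ID list carries a Control Panel shell item together with a .dll path, the combination the exploit relies on (Explorer loads the referenced DLL to fetch an icon). The sample .lnk blobs are constructed inline and are not real Stuxnet artifacts; the heuristic, the `CONTROL_PANEL_CLSID` check and all function names are my own assumptions, not a signature from any vendor.

```python
"""Heuristic triage for CVE-2010-2568 (MS10-046) style .lnk files.

Added example, not from the original post. Parses the Shell Link header
and LinkTargetIDList and flags shortcuts whose ID list contains a
Control Panel shell item plus a .dll path. Sample blobs are constructed.
"""
import os
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
# LinkCLSID every .lnk file starts with.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0
# Shell folder CLSID of the Control Panel. Assumption of this example: a
# Control Panel item sitting next to a DLL path is the trait worth flagging.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")


def parse_id_list(data, offset):
    """Return the raw payload of each ItemID in the LinkTargetIDList."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    offset += 2
    end = min(offset + id_list_size, len(data))
    items = []
    while offset + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, offset)
        if item_size == 0:            # TerminalID ends the list
            break
        items.append(data[offset + 2:offset + item_size])
        offset += max(item_size, 1)   # always advance, even on corrupt sizes
    return items


def lnk_triage(data):
    """Classify one .lnk blob and return a dict of indicators."""
    result = {"valid_lnk": False, "has_id_list": False,
              "control_panel_item": False, "dll_in_id_list": False,
              "suspicious": False}
    if len(data) < LNK_HEADER_SIZE:
        return result
    header_size, clsid_le, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        return result
    result["valid_lnk"] = True
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return result                 # no target ID list, nothing to load from
    result["has_id_list"] = True
    blob = b"".join(parse_id_list(data, LNK_HEADER_SIZE))
    result["control_panel_item"] = CONTROL_PANEL_CLSID.bytes_le in blob
    # Paths inside shell items may be ANSI or UTF-16LE; check both encodings.
    lowered = blob.lower()
    result["dll_in_id_list"] = (b".dll" in lowered
                                or ".dll".encode("utf-16-le") in lowered)
    result["suspicious"] = result["control_panel_item"] and result["dll_in_id_list"]
    return result


def build_lnk(id_items):
    """Assemble a minimal .lnk carrying only a LinkTargetIDList (fixture)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(item) + 2) + item
                       for item in id_items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples, not real Stuxnet shortcuts.
SUSPICIOUS_LNK = build_lnk([
    b"\x1f" + CONTROL_PANEL_CLSID.bytes_le,                 # Control Panel item
    "\\\\?\\usb\\payload.dll".encode("utf-16-le"),          # DLL to be loaded
])
BENIGN_LNK = build_lnk([
    b"\x1f" + uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le,  # My Computer
    "C:\\Windows\\notepad.exe".encode("utf-16-le"),
])


def scan_directory(root):
    """Walk root and return the paths of .lnk files the heuristic flags."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if lnk_triage(fh.read())["suspicious"]:
                        flagged.append(path)
    return flagged


if __name__ == "__main__":
    import sys
    for p in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious shortcut:", p)
```

Run it against a mounted USB stick or a share to get a quick list of shortcuts worth a closer look; a hit is a triage lead, not proof, since a real malicious shortcut may encode its path differently and a legitimate Control Panel shortcut can mention a DLL.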
Because of its complexity and sophistication, the knowledge of industrial infrastructure it required and the use of four different zero-day exploits, it is believed that the Stuxnet worm is a nation-funded attack. Israel, the United States and NATO are the most speculated origins, and the Bushehr Nuclear Power Plant or the Natanz nuclear facility are the most speculated targets. Whoever built it left almost no clues (a single PDB path, b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb, is about all that was left behind). But in my opinion, with the amount of sophistication put into this attack, we’ll probably never get answers to these questions.
For further information and technical analysis of the Stuxnet worm I recommend reading:
– ESET’s analysis of the Stuxnet worm and comparison with Operation Aurora – Stuxnet Under the Microscope, or online on Google Docs.
– Symantec wrote some very detailed posts on Stuxnet on Symantec Connect.
– Langner security analysis of Stuxnet – Stuxnet is a directed attack — ‘hack of the century’.
– Securelist blog on Stuxnet.
– Stuxnet Questions and Answers by F-Secure.
– Symantec’s technical analysis white paper – W32.Stuxnet Dossier, or online on Google Docs.
Update:
For anyone interested, here’s a sample of Win32/Stuxnet.A provided by Abysssec for educational purposes only – Stuxnet_stub_Unpacked.zip (password: abysssec).
Categories: Malware
A cyber warfare campaign backed by a nation-state. I think the Stuxnet worm marks a new age in cyber warfare… Operation Aurora is nothing compared to Stuxnet. I really wonder what the worm’s origin is.
I bet the source is Israel.
There’s another clue revealed by Liam O Murchu of Symantec – http://www.zdnet.com/blog/security/inside-stuxnet-researcher-drops-new-clues-about-origin-of-worm/7409
When Stuxnet is executed on a machine, it checks the registry for the string “05091979” – May 9, 1979, the execution date of Habib Elghanian, a Jewish-Iranian businessman and philanthropist. He was believed to be an Israeli spy.
speculations… speculations…. as I said, we’ll probably never know.
dookie
It is not common in Israel to write dates as MM/DD/YYYY; it’s not the default format, so the 5th of September would be more logical. I bet someone can find a funny fact about Israel on that date.
Yep, ser is right.
Recommended article for all the speculators: Debunking the Bunk of Stuxnet
http://antivirus.about.com/b/2010/10/02/debunking-the-bunk-of-stuxnet.htm
Bruce Schneier on the Stuxnet worm:
http://www.schneier.com/blog/archives/2010/10/stuxnet.html