Skip to main content

Stuxnet: Malware more complex, targeted and dangerous than ever

Click to play
Cyberworm 'targets Iran'
  • Stuxnet, a new piece of computer malware, has unprecedented potential
  • It exploits four holes and goes straight to the brain of industrial computers
  • It's not internet based, but can use the internet to spread

(CNN) -- Stuxnet is viewed as potentially the most dangerous piece of computer malware discovered. It's been developed on an unprecedented scale and has the ability to target and control specified industrial machinery.

Trying to explain how this works is a bit like trying to trace the origin of this nasty little piece of work. It's a bit all over the place so bear with me on this one.

It's an attack that goes straight after the PLC (programmable logic control) software of an industrial machine, which is effectively the brain of the unit. It uses four zero-day exploits in one package, with a zero-day exploit being an undiscovered flaw in a piece of software; it's the time between the hackers finding a hole in the system and when the developers patch it. And in this case there are four of these exploits, meaning that they've already exponentially increased the chances of finding a way into the system in case any of the holes happened to already be plugged.

Once the malware infects the system it can spread to other computers on the local intranet. It is not an internet-based piece of malware; it can spread through indirect internet usage, but that's not how it sets about its business.

Its main course of action is to look for a specific type of machinery, then report back to a central control server located hundreds of miles away, from where the commands will again be relayed off into the maze of servers set up to make tracing near impossible.

And it is through the trail of servers around the world that the data generated by the PLC software is manipulated and the changes in the running of the machines are made. So theoretically, a group of people located on one side of the planet could control a machine in a nuclear power plant on the other. Scary stuff.

When I spoke to Liam O'Murchu, manager of security response operations for Symantec North America, he didn't want to speculate about what kind of physical results we could expect from the malware in an industrial setting. He commented that Symantec's people are more concerned with the technical side of the bug and concentrate on their analysis on it.

This doesn't mean that others won't speculate, and one website that's caught a lot of attention is that of a German IACS security researcher, Ralph Langner, where he says the target may be Iran's Bushehr nuclear facility, which is in a region where a large number of the infected computers are found. He suggests the facility could be infected through the USB drive of a Russian contractor using an "abandoned" drive.

O'Murchu agreed that it is not unheard of for abandoned drives to carry harmful code on them, but he wouldn't go as far as to agree that such was the case in this instance.

He did say, however, that the majority of the infections have occurred in Iran. Symantec has estimated that 60 percent of the infected computers are located in Iran. That claim is refuted in an extract from the Iranian Student News Agency that states, "Deputy minister of industries and mines denies the 60 percent contamination of Iran's computers by the spy worm Stuxnet."

Despite that denial, O'Murchu stands by Symantec's numbers and explained that the figures came straight from the logged traffic on one of the Stuxnet control servers that Symantec took control of. Symantec said it managed to find that the two control servers are located in Malaysia and Denmark, but when asked who the hosting company is, the company did not comment.

The big question remains as to who made this malware, O'Murchu suggested that it would have to be "a well-funded private group or a government. It would need to be someone who has an interest in what they're targeting." O'Murchu went on to say, "We've not seen something on this scale before" and offered a conservative estimate that it would take five to 10 people about six months to put together this piece of malware.

It is the level of preparation that really impressed O'Murchu. He hypothesized that the team would needed inside men, test runs, and even their own piece of machinery to develop the code on. The level of coding is like nothing he's seen before, with everything incredibly well-written and in different languages.

The only mistake O'Murchu could identify is that we're talking about it now. When Symantec's researchers tested the malware on a USB key, they discovered that it deleted itself after three infections.

"These are the kind of guys that are not happy with their exposure," he said. He went on to say that this is the kind of operation in which the developers would have hoped to get the infection planted, let the malware do its work and never hear from it again.

O'Murchu says that there is a "very slim chance of finding them. They're untraceable and covered their steps."

More than that, he doubts that this group of people was put in place for just one project. Now that this group has shown what is possible, he expects others to imitate it, resulting in a growth in this area of malware.

Fortunately, this code won't have a major effect on home computers and if some do become infected, it is likely that Symantec will get in touch with the owners. But O'Murchu warned that a multi-layered approach to defense is the best bet to stay clear from the nasty things out there.

But now more than ever, you need to be careful about what USB drives you put in your computer, especially if you work with industrial machinery.


Most popular Tech stories right now