Stuxnet has been troubling the world of cyber-security for over two years now. It is the most sophisticated worm ever written, and it was tailored to attack a particular kind of infrastructure, making it the most dangerous cyber-weapon of the early 21st century. Now that it has been discovered and studied thoroughly (thanks to Symantec), many interesting facts have come to light, which will help in dealing with such attacks in future. However, the more people try to understand Stuxnet, the more it surprises them.
Recently, the earliest known version of Stuxnet has been discovered, and christened Stuxnet 0.5. Stuxnet 0.5 reveals the evolution of this dreaded worm over the years. While still aimed at the same uranium enrichment infrastructure, Stuxnet 0.5 had a different behavior altogether. Help Net Security writes,
Unlike Stuxnet versions 1.x that disrupted the functioning of the uranium enrichment plant by making centrifuges spin too fast or too slow, this one was meant to do so by closing valves.
Apparently, Stuxnet 0.5 did not meet its developers' expectations (or perhaps ambitions), and the worm was developed further to attack the centrifuges directly. The development frameworks used in the two versions were different, Flamer for version 0.5 and Tilded for version 1.x, suggesting that different sets of developers were involved. Moreover, Stuxnet 0.5 was not designed to spread efficiently either. The most interesting part of the code, however, was a built-in expiry: Stuxnet 0.5 stopped contacting its command-and-control servers after January 11, 2009 and ceased operating entirely after July 4, 2009. A caveat for anyone analyzing it today: a sample with such cut-off dates does nothing in a sandbox whose clock is past them, so it has to be run with the system date rolled back.
Check out this YouTube video for a quick overview of Stuxnet and its attack patterns.
Symantec explains Stuxnet 0.5 in great detail in this whitepaper [link to PDF].
We have seen Stuxnet designed to attack nuclear facilities in Iran, we have seen Flame designed for mass surveillance of Middle Eastern nations, and we have seen Duqu, the sister trojan of Stuxnet, also aimed at Iran. How low can this cyber-espionage war go? Well, low has a new definition now: a new trojan, Gauss, has been discovered, which apparently steals the bank account details of individuals.
The Gauss trojan surfaced during the ongoing investigation into Flame. It is believed to have been created in mid-2011 and deployed within three months. Gauss shows the same level of sophistication seen in Stuxnet and Duqu.
Kaspersky defines Gauss as,
In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload, which is activated on certain specific system configurations.
Gauss is based on the Flame platform, and performs an array of attacks ranging from infecting USB sticks, to stealing browser cookies, to listing the contents of system drives, to hijacking social networking accounts. It was aimed mainly at

Here is a paper released by Kaspersky Lab on the Gauss trojan [PDF link].
The Gauss trojan names its modules after famous mathematicians such as Gauss himself, Lagrange and Gödel. The primary module, which implements the data-stealing capabilities, is called Gauss, hence the name of the trojan. The mysterious payload, which is carried onto USB storage devices, is protected by many rounds of hashing and RC4 encryption, with the key derived from the configuration of the target machine, so that it decrypts only on the intended victim. Kaspersky has also urged cryptography experts to help with the decryption.
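To make the "hashing plus RC4" protection concrete, here is an added example of the general technique, written for this page; it is not Kaspersky's code and not Gauss's actual key schedule. The key is derived from a string that exists only on the intended victim (here, the name of a directory the malware finds on the machine) by hashing it thousands of times, and the container stores only a hash of the key, so the decryptor can recognize the right key without revealing it. The hash function (MD5), the round count, the salt layout, the validator construction and the sample directory names are all assumptions for illustration.

```python
import hashlib
from typing import Iterable, Optional

ROUNDS = 10_000  # assumed iteration count; every guess an analyst makes costs this many hashes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling then keystream generation). The cipher is
    symmetric, so the same routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(secret_name: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Environmental keying: the key is a chain of `rounds` MD5 digests over a
    string the malware expects to find on the victim (a directory name here).
    Hash choice, encoding and salting are assumptions for this example."""
    digest = hashlib.md5(secret_name.encode("utf-16-le") + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + salt).digest()
    return digest


def build_container(payload: bytes, target_name: str, salt: bytes) -> dict:
    """Attacker side: encrypt once, where target_name is known. Only a hash of
    the key is stored, so the container can recognize the right key without
    leaking the key or the target name."""
    key = derive_key(target_name, salt)
    return {
        "salt": salt,
        "validator": hashlib.md5(key + salt).digest(),
        "ciphertext": rc4(key, payload),
    }


def try_unlock(container: dict, candidate_names: Iterable[str]) -> Optional[bytes]:
    """Victim side (and the analyst's only attack): try every name present on
    the machine; the payload decrypts only if one of them is the target name."""
    for name in candidate_names:
        key = derive_key(name, container["salt"])
        if hashlib.md5(key + container["salt"]).digest() == container["validator"]:
            return rc4(key, container["ciphertext"])
    return None


# Constructed sample data: a made-up target directory name and a stand-in payload.
TARGET_NAME = "ACME Reactor Monitor"
SALT = b"\x9d\x1e\x7a\x40"
PAYLOAD = b"<warhead of unknown designation goes here>"
CONTAINER = build_container(PAYLOAD, TARGET_NAME, SALT)

if __name__ == "__main__":
    # An analyst's sandbox has only ordinary directories and sees nothing.
    print(try_unlock(CONTAINER, ["Common Files", "Internet Explorer"]))
    # The intended victim has the special directory and the payload appears.
    print(try_unlock(CONTAINER, ["Common Files", TARGET_NAME]))
```

The point for the analyst is that RC4 itself is not the obstacle: the key is never stored, the effective key space is the set of plausible directory names rather than 128-bit strings, and every guess costs ROUNDS hash computations. Recovering the payload therefore means building a dictionary of candidate names (including names in non-Latin scripts) and running each through the derivation, which is exactly the kind of help Kaspersky asked for.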
News of Duqu, a large-scale trojan attack, surfaced on the Internet last week. The impact of Duqu measures up to that of Stuxnet, as it targets mission-critical systems. Duqu was discovered by Symantec, which reported that its code closely resembles that of Stuxnet. The malware has raised concern in the security world because it is aimed at industrial environments, just like Stuxnet. The primary targets reported for Duqu are oil refineries, power plants and pipeline systems.
Duqu carries a similar scare factor to Stuxnet because it targets critical industries. Although Duqu has so far shown no sabotage payload of the kind Stuxnet carried, its complexity makes it look like a well-funded attack, probably by a government. The first piece of evidence in the Duqu case was found at Web Werks, a web-hosting company based in Mumbai. The Department of Information Technology in India received a tip from Symantec, and the Indian Computer Emergency Response Team visited the Web Werks offices and seized two hard drives containing data about the trojan. Apparently, the hosting at Web Werks was used to run the command-and-control server. However, the complexity of the trojan makes quick analysis difficult.
The Duqu trojan as explained by Symantec is,
W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer. Initial analysis of this threat has shown that it is related closely to the W32.Stuxnet worm from 2010.
Although the affected-system list does not include Windows 7, it includes every Windows version before it, all the way back to Windows 95. However, you may be surprised to see that the Symantec page on Duqu rates it as low severity.
Web Werks has failed to track down the dubious customer who owned the hosting account, and the Indian Department of Information Technology is yet to unearth what the seized drives contain. A second command-and-control server has recently been located in Belgium.
In the meantime, the CrySyS laboratory in Hungary has got hold of an installer for Duqu and reports that it exploits a previously unknown vulnerability in the Windows kernel. The attack arrives as a .doc (Word document) file and is distributed through social engineering. The safest way to protect against it is to follow email best practices and to steer clear of anything that looks fishy, especially unexpected Word documents.
Nasdaq OMX, the company that operates a number of stock exchanges including the US Nasdaq and others in Copenhagen, Stockholm, Helsinki and the Baltic region, was the target of a number of hacking attempts over the last year. However, the exchange's trading servers were not compromised.
Federal authorities are investigating the matter, which has come to light rather late. One source on the matter was quoted as saying,
So far, [the perpetrators] appear to have just been looking around.
Last year, unusual spikes in the stock prices of several companies were seen twice, four months apart. This was alarming and has been a major reason for the ongoing investigation. However, the cause of those spikes appears to have been erroneous handling rather than hacking.
The incident can be read in two ways: either Nasdaq OMX's corporate computers were compromised, or the attackers were targeting the exchange itself. Either way, a thorough check of both the company network and the exchange network is necessary before jumping to conclusions. The recent Stuxnet worm has proven beyond doubt that such attacks have reached a new level of sophistication, and we cannot assume that current security measures are adequate.
The Stuxnet worm has become a subject of great interest among hackers. It has displayed immense potential and has hit a nation at its ultimate reserve: energy. An analysis of the worm by Tom Parker, presented at the Black Hat DC conference on Tuesday, has revealed some interesting facts. The most interesting are the two-phase nature of Stuxnet's development and how little effort went into hiding its behavior.
Parker's analysis suggests that an expert group, specializing in reverse-engineering platforms and proprietary file formats and in developing kernel rootkits, initially designed the worm for deployment. However, this group acted as a third party in the development process, and a second, less skilled team was responsible for weaponizing and deploying the worm. This is where the plan suffered a setback: the deployment was not of the same standard as the development phase and probably could not make full use of Stuxnet's potential.
Another point security experts are making is that the Stuxnet developers made minimal effort to hide the payload, and its data transmission could have been concealed far better. It was almost as if the developers wanted it to be found and understood. There was also no anti-debugging or code obfuscation in Stuxnet. The likeliest conclusion is that the developers did not have enough time to incorporate these protections and were under pressure to deploy the code before it was completely ready.
Iran's President Mahmoud Ahmadinejad has recently acknowledged, after a series of denials, that the Stuxnet worm did penetrate the country's nuclear facilities. However, the earlier denials have caused enough distrust that security researchers in the US and Europe doubt his recent claim that the worm has been contained.
Fox News writes on this saying,
The American and European experts say their security websites, which deal with the computer worm known as Stuxnet, continue to be swamped with traffic from Tehran and other places in the Islamic Republic, an indication that the worm continues to infect the computers at Iran’s two nuclear sites.
Another American company offering advice on how to counter the worm has received a massive inflow of traffic from Iran and writes:
Iran now represents 14.9 percent of total traffic, surpassing the United States with a total of 12.1 percent. Given the different population sizes, that is a significant number.
Another concern is the growing number of impostors signing up on security websites dealing with Stuxnet. This suggests that there is more than just a worm at work here: it is a combination of a worm-based attack and human operators, aimed at putting Iran's nuclear facilities in trouble.
The Stuxnet worm, which we covered in two previous articles, continues to make headlines. Sophisticated malware is nothing new; just last year we saw Conficker, which used exceptionally clever techniques to avoid disinfection. Stuxnet, however, is a different beast altogether.
“I think that this is the turning point, this is the time when we got to a really new world, because in the past there were just cyber-criminals, now I am afraid it is the time of cyber-terrorism, cyber-weapons and cyber-wars,” said Eugene Kaspersky, co-founder and chief executive officer of Kaspersky Lab.
The worm is reported to have caused extensive damage to Iran's nuclear facilities and is currently being analyzed by US security organisations. It has also been found on Siemens control systems in India, Indonesia, Pakistan and elsewhere. Stuxnet is unique in its ability to identify a facility's control network and sabotage it. "This malicious program was not designed to steal money, send spam, grab personal data, no, this piece of malware was designed to sabotage plants, to damage industrial systems", stated Eugene Kaspersky.
The origin and exact purpose of Stuxnet are still a mystery. "One of our hardest jobs is attribution and intent," said Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC). The worm, which exploits four separate 0-day (previously unknown) vulnerabilities, is being described as a working and fearsome prototype of a cyber-weapon.
So what is the deal with Stuxnet anyway? When it was detected back in June and Pallab at Techie-Buzz covered it in July, we hardly expected it to become this notorious. Throwing some light on the issue,
The Shell Shortcut Parsing vulnerability is a particularly worrisome bug because there are not a lot of things a user can do to protect himself. Even if autorun and autoplay are disabled, users can still get infected. All that the user is required to do is to open the compromised device, network share or WebDAV.
Since then, Stuxnet has grown into the most sophisticated attack seen to date and, for the first time in the history of worms, poses a serious threat to a specific type of infrastructure.
As reported by the BBC, the worm attacks power plants, water plants and industrial units, the evidence being a high concentration of infections in Iran and a possible attack on its nuclear facility. Stuxnet is like one of those dark programs from sci-fi movies that eat into your infrastructure. It is rightly termed a weapon: it does not steal information but cripples the system as a whole. The weakness it exploits is, put simply, hardwired into how these control systems are built, so a simple software patch will not help at all.
The Stuxnet worm spreads via USB drives and is able to reprogram the programmable logic controller, or PLC. The PLC, essentially a small industrial computer, is the interface between the control software on the engineering workstation and the physical actions of, say, an assembly line or other actuators, and it is used extensively to automate such tasks. Once Stuxnet has rewritten the PLC's program, the sabotage runs on the controller itself, independently of the Windows machines through which the worm spread.
Currently, Stuxnet is being reverse-engineered, and Langner Communications seems to be the leading expert on it. From their analysis, it is clear that this attack is too well engineered to be the work of hackers doing it for fun. Whoever worked on this was serious about striking at particular industrial targets.