Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target
“…researchers who have spent the last three months reverse-engineering the code and running it in simulated environments now say that it’s designed for sabotage, and that its level of sophistication suggests that a well-resourced nation-state is behind the attack. A few researchers have speculated that Iran’s nascent nuclear program was a possible target for the worm’s destructive payload, though that’s based on circumstantial evidence.
Sophisticated Code
Ralph Langner, a computer security researcher in Germany, published an extensive look at the malware last week. He determined that once on a computer the malware looks for a specific configuration of a Siemens component called the Programmable Logic Controller, or PLC. If the malware determines it’s on the correct system, it begins to intercept communications from the system’s Simatic Manager to the PLC and interjects numerous commands to reprogram the PLC to do what it wants.
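A practitioner reading this wants a check that does not depend on the engineering software's own view of the controller, since the article describes the malware sitting between the Simatic Manager and the PLC. The following is an added example, not code from the article, from Langner or from Symantec: it fingerprints the program blocks actually present on a controller (as read out through an independent path, e.g. a separate maintenance workstation) and diffs them against a commissioned baseline, flagging added, removed or altered blocks. The block names and byte contents are constructed for illustration and are not the blocks Stuxnet used.

```python
"""Baseline-vs-snapshot integrity check for PLC program blocks (added example).

Assumptions (constructed, not from the article): each block is identified by a
short name and a blob of compiled bytes; the snapshot is read through a channel
the engineering station does not control, so a man-in-the-middle on that
station cannot hide what it changed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BlockDiff:
    added: Tuple[str, ...]      # blocks present on the PLC but not in the baseline
    removed: Tuple[str, ...]    # baseline blocks that have disappeared
    modified: Tuple[str, ...]   # blocks whose compiled bytes no longer match

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def fingerprint(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Map each block name to the SHA-256 of its compiled bytes."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> BlockDiff:
    """Diff two fingerprint maps; sorted tuples keep the result deterministic."""
    added = tuple(sorted(set(current) - set(baseline)))
    removed = tuple(sorted(set(baseline) - set(current)))
    modified = tuple(sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    ))
    return BlockDiff(added, removed, modified)


def audit(baseline_blocks: Dict[str, bytes], snapshot_blocks: Dict[str, bytes]) -> BlockDiff:
    """Fingerprint both sides and return what changed on the controller."""
    return compare(fingerprint(baseline_blocks), fingerprint(snapshot_blocks))


def report(diff: BlockDiff) -> str:
    """Human-readable summary for an operator or a SIEM alert body."""
    if diff.is_clean():
        return "OK: PLC program matches commissioned baseline"
    lines = ["ALERT: PLC program differs from baseline"]
    for label, names in (("added", diff.added), ("removed", diff.removed),
                         ("modified", diff.modified)):
        if names:
            lines.append(f"  {label}: {', '.join(names)}")
    return "\n".join(lines)


# Constructed baseline: the program set that was commissioned and signed off.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1": b"\x01\x02\x03 main cycle",
    "FC1": b"\x10\x11 pump control",
    "DB1": b"\x20\x21 setpoints",
}

# Constructed snapshots: one identical to the baseline, one with an altered
# OB1 and an extra block FC2 that was never commissioned.
CLEAN_SNAPSHOT: Dict[str, bytes] = dict(BASELINE_BLOCKS)
TAMPERED_SNAPSHOT: Dict[str, bytes] = {
    "OB1": b"\x01\x02\x03 main cycle\xff call FC2",
    "FC1": BASELINE_BLOCKS["FC1"],
    "DB1": BASELINE_BLOCKS["DB1"],
    "FC2": b"\x30\x31 uncommissioned logic",
}


if __name__ == "__main__":
    print(report(audit(BASELINE_BLOCKS, CLEAN_SNAPSHOT)))
    print(report(audit(BASELINE_BLOCKS, TAMPERED_SNAPSHOT)))
```

The design point is where the snapshot comes from: if the only copy of the block list is what the engineering station reports, a tool that intercepts that station's traffic can present the baseline back to you. Reading the controller's memory through a second, independently administered host, and keeping the baseline fingerprints off the engineering network, is what makes the diff meaningful.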
Symantec provided an even more detailed description of the malware on Wednesday and plans to release a paper about Stuxnet at a conference Sept. 29. Symantec’s Falliere, reached in France, said two models of Siemens PLCs are targeted by the worm — the S7-300 series and the S7-400 series — which are used in many facilities.
The malware is huge — about half a megabyte of code — and has a number of sophisticated and previously unseen characteristics:
* It uses four zero-day vulnerabilities (vulnerabilities that haven’t yet been patched by a software vendor and are generally undetected by antivirus programs). One zero-day is used to spread the worm to a machine by a USB stick. A Windows printer-spooler vulnerability is used to propagate the malware from one infected machine to others on a network. The last two help the malware gain administrative privileges on infected machines so it can feed commands to the system.
* The malware is digitally signed with legitimate certificates stolen from two certificate authorities.
* The attacker uses a command-and-control server to update the code on infected machines but also uses, in case the command server is taken down, peer-to-peer networking to propagate updates to infected machines.