Stuxnet examined at Vancouver conference

The Stuxnet SCADA virus is a sophisticated attack mounted directly against control systems in Iran, according to researchers from Symantec. The company presented its findings at the Virus Bulletin conference in Vancouver, BC, late last month.

Originally discovered in July, Stuxnet had been operating for at least a year before that, according to Liam O Murchu, supervisor of security response operations for North America at Symantec. The virus included the world's first-ever rootkit designed for programmable logic controllers (PLCs). In this case, it was written specifically for a Siemens PLC. The malware would have been written by 5-10 core developers over six months and tested on systems mirroring the process control hardware, he said.

So sophisticated was the attack that the perpetrators would have needed to steal the digital certificates used to sign driver files on the target systems.

“The amount of components and code used is very large,” said Murchu's analysis of the threat. “In addition to this, the authors' ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task. This is not a teenage hacker coding in his bedroom-type operation.”

Iran, which has an ongoing nuclear programme, and which has threatened the destruction of Israel, has speculated that the worm is a western plot against its nuclear plants. Foreign Ministry spokesman Ramin Mehmanparast said that Stuxnet was a Zionist attempt to cripple its nuclear activities.

The activation of the Bushehr nuclear power plant in Iran was delayed for 'technical reasons', said Mehmanparast, responding to press reports that the plant had been infected with Stuxnet.

Fifty-eight percent of the infected Stuxnet hosts were in Iran, said Murchu. That figure rose to 67 percent of systems specifically running Siemens' Step 7 industrial control software.

Controversy over the worm deepened after the discovery that one of its files was named 'Myrtus'. That could refer to the Hebrew Book of Esther, which tells the story of a pre-emptive Persian plot against the Jews.
