Analysis: Stuxnet dissected

Realising the threat

Speaking to iTnews.com.au in Tokyo, Hogan pointed out that the IT security community had taken note of some of the vulnerabilities exploited by Stuxnet as far back as late 2008, but could not have been certain how the threats could combine to such dramatic effect. Stuxnet used four zero-day exploits to achieve its authors' goals.

The IT security community had recognised the first few attempts Stuxnet's authors had made to infect its target but it took time to understand the ramifications.

The first wave variant - compiled on June 22, 2009, attempted to use the Autorun vulnerability and removable drives - but for whatever reason, the worm wasn't viral enough to meet all of the authors' goals. Another attempt was made with a second wave last March.

The rest of the world only discovered something was going on when Stuxnet's authors changed tactics.

Last July 12, VirusBlokAda discovered malware using the LNK vulnerability. Unlike the Autorun vulnerability, LNK had the capability to be extremely promiscuous. IT security vendors had to sit up and take notice - VBA had found a vulnerability that could have big ramifications for customers if left unpatched.

Seeking a sample of the code VBA had caught, researchers at Symantec's Security Response Team noted "some odd strings in Stuxnet," Hogan said.

"There were little snippets of text that referred to Siemens Step 7 [software used for industrial control systems]. There were also sections of the file that contained something that didn't look like normal compiled windows code."

That odd-looking code had the quantum leap Stuxnet's authors achieved - a capacity to cause change to physical systems by infecting the target's industrial control systems.

The security response team then 'sink-holed' or traced the two command-and-control servers for Stuxnet by gaining permission to redirect these domains to IP addresses in its Dublin response centre to log the information coming back from infected machines.

"We now had the opportunity to understand Stuxnet in the field," Hogan said.

The team noted that most victims of the new worm were on PCs in countries that wouldn't otherwise make up the lion's share of activity - places like India, Pakistan and Iran.

This was a strange attack.

It became very obvious that the threat was directed at Iran, at users of a specific Siemens industrial control system. The data showed that 58.31 percent of infections were in Iran, but once that number was adjusted to only include such Siemens users the worm appeared to target, that rose to 67.60 percent.

The data presented a peculiar challenge for Hogan - already he could see that the malware was more complex and targeted than most of the exploits his organisation was paid to shield users from - but it was very new and very fascinating.

"I had to approve putting senior resources into this - and there was that fear, maybe we are spending time and attention on nothing," he said.

But as the code was pulled apart, these fears were put to rest.

It became apparent that Stuxnet had not just been designed to attack systems using Siemens' S7-315 and S7-417 PLCs (programmable logic controllers), but specifically users of this technology that had a precise number of machines set up in a combination of which only Iran's nuclear enrichment program could be a match.

The data suggested to Symantec that there were five primary targets or root nodes that were Iranian commercial entities, working in engineering control systems and many infections elsewhere in the world (40,000) that Hogan believes were collateral damage.

The five facilities were attacked over three attack waves, Hogan said. Some targets in Iran had been hit in the first few waves and one was hit by all three.

Click to the final page to discover the five steps Stuxnet took to pwn Iran's nuclear program.