Analysis: Stuxnet dissected


So how did Stuxnet do the damage?


Hogan believes the team has a fairly accurate idea of how Stuxnet succeeded.

1. Getting inside

Even the most sophisticated virus in the world would have trouble infecting machines that aren't connected to the internet.

The computers connected to the enrichment program's industrial control systems are air-gapped - that is, not connected to the internet or other insecure networks.

Hogan can only guess that a degree of social engineering would have been required to convince an operator or engineer who worked at the plant to introduce data from external media (such as a USB key) that was infected with the virus.

"In our experience in cases like this, the target organisation is usually being attacked through an intermediary like an outsourced partner," Hogan said.

These intermediaries might have offered skilled labour, technology outsourcing, and any number of services to the program.

Engineers often use ruggedised laptops, he said, which are taken off-site to be programmed with new instruction sets and then brought back into the facility to upload those commands to the system.

Hogan suspected that the worker who infected the machines made a genuine mistake rather than a deliberate attempt at spying.

The attacker may have deliberately left memory sticks lying around at the offices of the outsourced provider. As long as one machine was infected, any network it connected to was at risk - and the worm was programmed to use these connections to seek out those devices that could do the damage.

2. Creating a backdoor

Once a USB stick or other external media is plugged in, the worm used the LNK automatic file execution vulnerability to infect the machine. The code would execute simply when the user browsed the contents of the USB stick in Internet Explorer; they would not have to click on anything.

The Stuxnet worm then used compromised security certificates from two Taiwanese device manufacturers, JMicron and Realtek, to allow it to run more deeply inside the target computer.

"Someone got access to private keys of those two organisations - which curiously are based within a few kilometres of each other," Hogan said.

Stuxnet would then log in, create an internet connection and connect to two command and control servers to download instructions.

3. Looking around the network

The worm also used a vulnerability in Microsoft's Windows print spooler to spread to other devices on the local area network, copying itself to network shares and executing there.

Stuxnet then created a peer-to-peer network between infected machines to efficiently download the latest version of the virus from the command-and-control servers.

The virus also checks whether Siemens Step 7 SCADA software is running on any device connected to the infected machine.

If any computers with this software are found on the network, Stuxnet copies itself and executes on these machines, too.

4. Doing the damage

Once the virus finds machines running the Siemens software, it infects the Step7 project files as another way to spread around the target installation.

Ultimately, Stuxnet attempts to upload its own code to the Siemens controllers, or programmable logic controllers (PLCs), that act as the hardware-software interface. In the case of the Iranian nuclear enrichment facility, the controllers were connected to frequency converters that ran high-speed motors to spin the centrifuges used for nuclear enrichment.

Stuxnet was thus able to download a fresh set of commands to the controllers that would override their existing instruction sets.

This code instructed frequency converters on how fast the 164 motors in the centrifuges should spin and for how long.

Stuxnet was programmed to first watch the frequency modulation for 13 days to calculate what instructions could cause the most physical damage. Symantec believes Stuxnet would have inserted a set of instructions to spin up the frequency converters to 1410 Hz for 15 minutes, well above the usual limit of 1064 Hz.

"We assume it was spinning it up quickly to malfunction," Hogan said. "It was an attempt to create sympathetic vibrations that would cause problems," he said, potentially even breaking the rotors or centrifuges themselves.

Next, Stuxnet's instruction set would return the frequency converters to nominal speed for at least 27 days, then drop the speed to 2 Hz for some 50 minutes, before returning to normal speed, screaming back up to 1410 Hz, and so on.

5. Masking its tracks

In order to inflict maximum damage, Stuxnet would intercept any attempt by operators to upload new code onto the controller chips. As new instructions are uploaded, Stuxnet would shunt the code aside and keep its own instructions running, but present a picture back to the operators that suggested all was running as it should be.

"If you went in and looked at the .DLL file, you would see your original code," Hogan remarked. "Stuxnet is hiding what it is doing."
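The speed cycle described in section 4 and the masking described here together argue for monitoring centrifuge speed from a source the compromised controller does not report through. The following detector is an added example, not code from the article or from Symantec: it flags sustained frequency excursions outside the operating band in telemetry assumed to come from an independent sensor. The 1064 Hz ceiling and the 1410 Hz and 2 Hz values are the article's; the 800 Hz floor, the 10-second sampling interval and the telemetry itself are constructed for the example.

```python
from dataclasses import dataclass

# Band limits: the 1064 Hz ceiling is the usual limit quoted in the article;
# the 800 Hz floor is an assumed value for this example, not from the article.
NOMINAL_MAX_HZ = 1064.0
NOMINAL_MIN_HZ = 800.0


@dataclass
class Excursion:
    kind: str        # "overspeed" or "underspeed"
    start_s: float   # seconds since the start of the telemetry
    end_s: float
    peak_hz: float   # highest reading for overspeed, lowest for underspeed


def find_excursions(samples, lo=NOMINAL_MIN_HZ, hi=NOMINAL_MAX_HZ, min_duration_s=60.0):
    """Return contiguous out-of-band runs lasting at least min_duration_s.

    samples: time-ordered (seconds, hz) tuples from an independent sensor.
    Runs shorter than min_duration_s are dropped so normal ramps do not alert.
    """
    excursions, current = [], None
    for t, hz in samples:
        kind = "overspeed" if hz > hi else "underspeed" if hz < lo else None
        if current is not None and kind != current.kind:
            # Run ended (back in band or reversed direction); keep it if long enough.
            if current.end_s - current.start_s >= min_duration_s:
                excursions.append(current)
            current = None
        if kind is not None:
            if current is None:
                current = Excursion(kind, t, t, hz)
            current.end_s = t
            current.peak_hz = (max if kind == "overspeed" else min)(current.peak_hz, hz)
    if current is not None and current.end_s - current.start_s >= min_duration_s:
        excursions.append(current)
    return excursions


def constructed_profile(step_s=10):
    """Constructed telemetry mirroring the article's cycle; not real plant data."""
    segments = [(30 * 60, 1000.0), (15 * 60, 1410.0), (30 * 60, 1000.0),
                (50 * 60, 2.0), (30 * 60, 1000.0)]
    samples, t = [], 0
    for duration_s, hz in segments:
        for _ in range(duration_s // step_s):
            samples.append((t, hz))
            t += step_s
    return samples
```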

Best in class, and hopefully the last.

After months of pulling Stuxnet apart and documenting its ability, Hogan is convinced it is the "first publicly known malware to intend real-world damage".

He believes the development of such a sophisticated threat "required resources characteristic of a nation state".

Symantec has noted that the attacker would have required access to the design schematics of the plant, to the private keys of the two Taiwanese manufacturers, and a team of "five to 10 core developers" taking about six months to develop the exploit.

With the LNK vulnerability now known, and Stuxnet analysed in every corner, Hogan is confident it will be a relatively isolated attack.

"I don't believe there will be a Stuxnet II," he said.

"But the whole area of industrial control systems security is now open to a lot more eyes and brains than it was before - for both good and bad."

The writer attended Symantec's research labs in Japan as a guest of the anti-virus vendor.
