Stuxnet: Smarter — and deadlier — than the average worm

Every few years, a malware program comes along that ups the ante in the world of IT security risks. Code Red infected a ton of IIS Web servers in 2001 and led to Microsoft’s increased focus on secure software development. In 2003, SQL Slammer infected nearly every unpatched SQL server on the Internet in 10 minutes. The MS-Blaster worm revealed the chewy center of most firewall-protected perimeters. The big worms Sobig, MyDoom, Netsky, and Bagle proved that hackers didn’t need unprotected open SMTP relays to send spam. Banking Trojans taught us that nearly any authentication protection can be easily bypassed in order to empty bank accounts.

Now we have Stuxnet, which has deservedly garnered a fair share of media coverage over the past few months. The malware is unlike any threat we’ve previously seen. If Stuxnet is a sign of things to come, it will be difficult to believe that our biggest malware fears were merely boot viruses, rogue file attachments, and macro viruses.

For starters, Stuxnet is the first worm directly coded to attack power plant and industrial control systems, which fall under the category of SCADA supervisory control and data acquisition systems. Although SCADA systems are already widely known and notorious for lacking conventional security controls, Stuxnet looks for specific SCADA systems, such as Siemens; if successful, it infects them, reprograms their PLCs (programmable logic controllers), and hides with the first SCADA-specific rootkit. (Symantec offers an excellent layman’s analysis of this particular part of the worm in a whitepaper [PDF] called “W32_Stuxnet Dossier.”)

The theory is that Stuxnet’s creators want the ability to remotely control and exploit power plants. Many observers believe Iran was a direct target, given that it ended up with the vast majority of infections. Further buttressing this hypothesis the appearance of the word “Myrtus” within the worm. Myrtus could be a Biblical reference to a story involving a Persian plot.

Unbeknownst to most people, power plants and other industrial systems have been under direct attack for many years. At least one expert has claimed that , with one such incident contributing to a death in the United States. I haven’t seen the source documentation and evidence of this, however. The U.S. NERC agency has publicly stated that no deaths or disruptions in service have yet occurred due to computer compromises — but the two data sets may not overlap completely.

I’ve also read that foreign power plants have been successfully held for ransom and that service interruptions have occurred (along with at least one documented death). That malware is directly targeting already weak SCADA systems is not a good thing.

Stuxnet is also a frightening sign of tomorrow’s malware in that experienced antimalware analysts have been amazed by how clean the code is, especially given the worm’s size and complexity. It’s unlikely to bomb or bug out due to a programming error.

I’ve been examining malware for more than two decades, and I can tell you that 99.9 percent of malware, even professionally written, criminally motivated malware, is full of bugs and shoddy programming. Most have a dearth of error recovery routines. The average malware writer isn’t that concerned with his or her creation running cleanly; Stuxnet’s creator was.

Third, the current implementation of Stuxnet exploits at least three different Windows vulnerabilities and two different types of rootkits: one for the SCADA PLC and another for infected Windows computers. It hides its infection from prying eyes and from antimalware scanning programs. More interesting yet, Stuxnet intentionally looks for at least 10 different antivirus scanning executables and injects itself into those “trusted” processes, along with other common Windows files, such as winlogon.exe. Instead of trying to avoid them, it uses these processes to propagate.

Stuxnet also spreads using USB drives and drive shares, often using a folder linking trick that executes the worm if the victim simply looks into a folder containing it. This has only been done a few times before.

Although Stuxnet uses dozens of highly interesting techniques to full advantage, one that caught my cryptographer’s eye a few months ago was the fact that it signed its malware with a digital code signing certificate from two legitimate and very popular software vendors, Realtek Semiconductor and JMicron Technology. Both Taiwanese companies are apparently housed in the same building.

I haven’t learned how the digital signing key was compromised, but that would be as interesting to me as any of the other lessons learned from Stuxnet. Did the organizations become compromised (possibly with an unrelated malware program) and end up using their signing certificates on exploited computers? Or was there a shared insider who obtained the certificates? If anyone knows, please write or comment below.

Observers aren’t sure if Stuxnet is being used as part of a city-state plot to bring down Iranian power plants or to hold the world’s power plants hostage for monetary gain. Whatever the case, it signals a seriously disturbing evolution in the world of malware.