Stuxnet Mutants All Over The Web

The application security management firm, Idappcom, say they detected 52 new pieces of malicious software last month that are designed in a similar way as the feared Stuxnet worm. Stuxnet have been caracterized as the worlds first cyber weapon, aimed at critical public  facilities like power plants and water supply systems.

“There are lots of other countries which realise that you can do this, and gain access to systems which are running critical infrastructure. We will see copycats, maybe modified versions of Stuxnet, copies of which aren’t hard to find at all.”

Mikko Hypponen


According to Mikko Hypponen, chief security researcher at F-Secure, there has been a revolution in malware with Stuxnet. At the same time security management firm, Idappcom, reports 52 new threats targeted at supervisory control and data acquisition systems - Scada- the sort hit by the infamous Stuxnet worm.

Scada systems are found in a variety of industrial plants ranging from water and waste treatment to food and pharmaceuticals and even nuclear power plants.

“We quickly realised this was too much of a significant blip to be an anomaly. It may be an indicator towards a worrying trend.”

“Our records go back to 2004 and I’ve never recorded any sort of significant blip on the radar in an area like this previously.” says Tony Haywood, chief technology officer at Idappcom.

“We quickly realised this was too much of a significant blip to be an anomaly. It may be an indicator towards a worrying trend,” Haywood says.

Some of the xploits found are causing DOS (Denial Of Service), bringing systems to halt.

Scada systems are often at greater risk because they are connected to legacy operating systems such as Windows 95 for which there are no service packs or automatic updates.

Day by day, its getting harder to secure the SCADA systems.

“The worst case scenario is that Al-Qaeda or another organisation could gain access to this type of knowledge and information, and make use of it to launch attacks on critical infrastructure.”

“The worst case scenario is that Al-Qaeda or another organisation could gain access to this type of knowledge and information, and make use of it to launch attacks on critical infrastructure – like blow up nuclear power plants or do something to our food chain,” Mikko Hypponen says.

Discovered at the middle of last year, Stuxnet has become a major puzzle for those involved in computer security, but more than that, also among those interested in international espionage.

“There will be copies of Stuxnet, from the same source and elsewhere.”

Mikko Hypponen

“I think Stuxnet is a new phenomenon, the first example of its kind, and will be something we will look back at in years to come,” says Hypponen, whose information security experience spans many years and who was involved in classified briefings regarding the new threat.

“There will be copies of Stuxnet, from the same source and elsewhere,” he predicts.

Stuxnet is a Windows worm that is propagated on USB sticks and over private networks, but with one very unique feature – it doesn’t replicate over the Internet.

Malware that we generally see on computers is generally designed to spread as far as possible, as cyber criminals aren’t too worried about what it will infect.

But Stuxnet is different, because it wants to reach environments that are disconnected from the Internet on purpose, like the nuclear programme in Iran.

But that’s not to say that it won’t infect your Windows PC.

Hypponen points: “It infects any Windows PC that you put an infected USB stick in. But when it infects a PC it does nothing. It will only replicate on any other USB stick you put into it.”

This means that Stuxnet is a worm that can go around the world silently, doing nothing to the systems it infects, waiting for a precise moment to strike. And it will strike, but only if it reaches a Windows PC that has a specific type of program installed.

“It’s called Step 7, made by Siemens and which is used to program Programmable Logic Control (PLC) devices,” the researcher explains.

“These boxes control factories, pumps, general purpose systems. These are running their own operating system, which isn’t Windows as it isn’t reliable enough.”

“It’s trying to find a specific environment with a specific configuration of high frequency power converters made by two different manufacturers.”

But the PLC boxes need to be programmed by a Windows computer before they are sent over to a factory or wherever they need to go.

If a USB stick has transferred Stuxnet to one of these computers, this is the point where Stuxnet will start to make its move, if it finds itself on a system that has a specific type of PLC box connected.

“It will reprogram the PLC, so that any changes are hidden. And it will wait, hoping that somebody disconnects the PLC from the Windows computer and takes it to a factory.”

If that should happen, Stuxnet will still do nothing, apart from check what kind of factory the PLC box is supposed to be controlling.

“It’s trying to find a specific environment with a specific configuration of high frequency power converters made by two different manufacturers. When it finds the right kind, then it knows it’s in the right environment.”

The right environment is Iran’s nuclear enrichment facility.

Nuclear centrifuges are being cleaned by the high frequency power converters, which Stuxnet now has the capability to control.

“But even then it does nothing,” Hypponen continues. “It records the normal everyday traffic for two or three days.”

And then like a heist movie where a criminal fiddles with a security camera so a guard sees a film from yesterday rather than what’s happening in the present, Stuxnet floods back the traffic it recorded to the factory’s monitoring system.

Anyone monitoring will see normal operation, but operation from the past.

“Then it starts changing the spinning speed, which ends up breaking the centrifuges or ends up creating lousy uranium.”

The intelligence and technological sophistication of Stuxnet has led experts to believe it was the creation of a multi-million pound operation with state involvement.

There are also claims it was the creation of a joint effort between Israel and the US, a theory Hypponen believes to be true.

But the expert also thinks that it could be a major wake-up call to interested parties, which could be a problem for developed western nations in the future.

“When people think about these extremists, they don’t think about them having these types of technology skills. They typically think of unintelligent Talibans riding camels in the desert. That’s a dangerous misconception.”

“There are lots of other countries which realise that you can do this, and gain access to systems which are running critical infrastructure. We will see copycats, maybe modified versions of Stuxnet, copies of which aren’t hard to find at all,” he says.

Which led us to Hypponen’s first comment over worst case scenarios if jihadists ever find a way of attacking Western nations with modified Stuxnet technology, now available easily through a search of the web.

He said, “When people think about these extremists, they don’t think about them having these types of technology skills. They typically think of unintelligent Talibans riding camels in the desert. That’s a dangerous misconception.”

Hypponen show The INQUIRER a copy of “Inspire”, a lifestyle publication written in English that is best described as a jihadist magazine aimed at new recruits.

Among the news articles, poems, songs, Osama Bin Laden speeches and right alongside a section on making bomb making equipment, there is a section on how to do public key encryption.

It describes an open source PGP-like encryption system coded and developed by extremists.

“These guys write pretty good magazines in English and code their own tools. They could easily get Stuxnet itself – it’s far from trivial to modify, but it’s easier to modify than write something from scratch. But I think I’m more worried about the idea of getting copied by other parties.”

Hypponen concludes the interview with the following last thought:

“When George W Bush signed a cyber attack agreement in 2008 against the Iran nuclear program, I do believe the outcome of that signature was Stuxnet.”

Related by the Econotwist’s:

11 Comments

Filed under International Econnomic Politics, Laws and Regulations, Technology