Lessons From Stuxnet

Stuxnet is a sophisticated piece of malware that specifically targets industrial control systems, demonstrating advanced knowledge of its targets and potentially having political motives linked to Iran's nuclear program. Unlike typical malware, Stuxnet is selective, complex, and employs multiple zero-day exploits, suggesting significant resources and insider knowledge in its development. Its discovery has raised concerns about the implications of cyberwarfare, as it illustrates that malware can impact critical physical infrastructures controlled by software.


SECURITY

Lessons from Stuxnet
Thomas M. Chen, Swansea University
Saeed Abu-Nimeh, Damballa Inc.

Malware such as Stuxnet can affect critical physical infrastructures that are controlled by software, which implies that threats might extend to real lives.

Thousands of new malware appear in the wild daily. Most are evolutionary variants of existing families and don’t have a widespread impact. However, occasionally a noteworthy new piece of malware will change the security landscape. For example, the 1988 Morris attack showed that an aggressive worm could bring down a substantial part of the Arpanet, and the 2003 SQL Slammer attack demonstrated that a simple user datagram protocol (UDP)-based worm could create devastating network congestion.

Stuxnet is teaching the security community new lessons. Since VirusBlokAda discovered the Windows worm in Belarus in July 2010, researchers have studied it intensely. They believe Stuxnet spread for several months before discovery and that it has already compromised its intended target.

As Table 1 shows, Stuxnet differs from past malware in several ways. First, most malware tries to infect as many computers as possible, whereas Stuxnet appears to target industrial control systems and delivers its payload under very specific conditions. Second, Stuxnet is larger and more complex than other malware. It contains exploits for four unpatched vulnerabilities—an unusually high number. The code is approximately 500 Kbytes and written in multiple languages. As a reference, the SQL Slammer worm was 376 bytes; the Code Red worm was approximately 4 Kbytes; the Nimda worm was 60 Kbytes; and variants of the Zeus banking Trojan ranged between 40 and 150 Kbytes. Virtually all malware is less than 1 Mbyte.

Table 1. Stuxnet’s novel characteristics.

Aspect                              Stuxnet                       Common malware
Targeting                           Extremely selective           Indiscriminate
Type of target                      Industrial control systems    Computers
Size                                500 Kbytes                    Less than 1 Mbyte
Probable initial infection vector   Removable flash drive         Internet and other networks
Exploits                            Four zero-days                Possibly one zero-day

Based on Stuxnet’s code, experts have speculated on its creators and intention. Its sophistication suggests that the creators had detailed knowledge of its target and access to immense resources, perhaps with government backing. Its choice of targets also suggests a political motive.

TARGET SELECTION

Unlike most malware, Stuxnet targets industrial control systems, which are used widely in factories, assembly lines, refineries, and power plants. It attacks Windows PCs that program specific Siemens programmable logic controllers—specialized computers that control automated physical processes, such as robot arms, in common industrial control systems. PLCs can have elaborate input/output arrangements for various applications in different physical environments. They often have sensors on the inputs (for example, for temperature), and the outputs typically operate equipment such as motors, switches, and relays.

Stuxnet targets vulnerable PCs running WinCC/Step 7 control software, which is normally used to program PLCs. When an infected PC connects to a Siemens Simatic PLC, Stuxnet installs a malicious .dll file, replacing the PLC’s original .dll file. The malicious .dll file lets Stuxnet monitor and intercept all communication

0018-9162/11/$26.00 © 2011 IEEE Published by the IEEE Computer Society APRIL 2011

between the PC and PLC. Depending on specific PLC conditions, Stuxnet injects its own code onto the PLC in a manner undetectable by the PC operator.

Whereas most malware payloads have a clear purpose, such as spam or data theft, Stuxnet’s intended goal is unknown. Security researchers believe that part of the injected code is intended to affect the frequency converter drives’ speed. The code appears to alternate between slowing down and speeding up the normal frequency. Hypothetically, if the targeted PLC connects to a nuclear centrifuge, which is used for enriching uranium, the speed fluctuations could cause the centrifuge to fly apart. However, the real-world result is difficult to guess because PLCs can connect to a variety of equipment.

According to measurements of its traffic to command and control servers, Stuxnet has infected an estimated 50,000 to 100,000 computers, mainly in Iran (58 percent), Indonesia, India, and Azerbaijan (www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf). Iran also has a high percentage of infected hosts that are running Siemens Step 7 software—67 percent compared to other countries, where the infection rate is less than 13 percent.

Iran’s high infection rate suggests a political motive. Based on his lab testing and dissection of the Stuxnet code, Ralph Langner—a German security expert familiar with industrial systems—has suggested that the primary target was Iran’s Bushehr nuclear plant (www.langner.com/en). Iranian officials have denied that Stuxnet has caused any damage to the nuclear plant’s main systems; however, they did admit that some staff PCs had been infected. Officials blamed a two-month delay in bringing the reactor online on a leak in the plant’s fuel storage pool.

Other experts have speculated that the primary target was Iran’s Natanz uranium enrichment facility. The site’s production dropped 15 percent in 2009, around the time Stuxnet is believed to have begun spreading. In November 2010, Iran’s president confirmed that several centrifuges were hit by malware, which lends support to the theory that Stuxnet targeted Iran’s nuclear program.

INSIDER KNOWLEDGE

Stuxnet shows remarkably detailed knowledge of PLCs and industrial control systems. This type of information isn’t published openly. For example, the creators knew that its target wouldn’t be reachable through the Internet. Thus, the initial infection vector might have been a removable flash drive. Stuxnet is designed to infect and hide in removable drives, using a Windows rootkit to prevent a PC owner from discovering Stuxnet files. The flash drive allows only three infections, which attempt to spread for 21 days. This suggests an intent to limit the spreading rate, perhaps to maintain stealth.

Once installed on a local network, Stuxnet tries to find vulnerable PCs and propagates through network shares. It copies itself to other Windows PCs through a print spooler vulnerability (MS10-061) and connects to other computers through the Server Message Block protocol and exploits a Windows Server Service remote procedure call (RPC) vulnerability (MS08-067). In addition, it seeks servers running Siemens WinCC database software, which has a hard-coded password that can’t be changed or deleted. Stuxnet copies itself to the server by SQL injection.

Stuxnet also demonstrates detailed knowledge of Siemens WinCC/Step 7 software, reflected in its ability to detect specific conditions and modify code depending on the target PLC’s CPU. Stuxnet’s creators would have needed to know the target PLC’s configuration, and probably required similar hardware to develop and test the malware code.

EFFORT LEVEL

Stuxnet’s sophistication points to an unusually high effort level. Ilias Chantzos, director of government relations at Symantec, estimated the manpower required to develop Stuxnet to have been 5 to 10 people working for six months with access to Scada systems. All reports examining Stuxnet have agreed on the likelihood of at least one government’s involvement in its development.

Besides detailed insider knowledge of the target, other aspects suggest that Stuxnet’s creators expended considerable resources. The code contains an unprecedented four zero-day Windows exploits. Attackers value zero-day exploits, so four represents an unusually high investment. The Conficker worm likewise exploited the Windows Server Service RPC vulnerability, for which Microsoft issued a patch in 2008, but Stuxnet’s creators seemed to know that patching Scada systems is time-consuming.

Stuxnet is digitally signed by two certificates to appear legitimate. Initially, it used a stolen certificate from Realtek Semiconductor, but VeriSign revoked the certificate on 16 July 2010. The next day, Stuxnet was found to be using a stolen certificate from JMicron Technology, which was subsequently revoked on 22 July. The two companies are situated near each other, suggesting physical theft at those locations.

Stuxnet goes to great lengths for additional stealth, but its techniques aren’t novel. It attempts to bypass popular security software by injecting itself into a recognized process,

then installing a Windows rootkit to hide in an infected PC.

In addition, Stuxnet can update itself in two ways. An infected PC uses peer-to-peer communication to learn new updates. It also tries to connect to command-and-control servers (initially in Malaysia and Denmark) to report system data culled from the infected system and download arbitrary executables.

CONSEQUENCES AND IMPLICATIONS

Although important details about Stuxnet—its creators, motives, target, and whether it has accomplished its goal—remain speculative, it has certainly reignited concerns about the possibility of cyberwarfare. Some experts perceive Stuxnet as the first real cyberwarfare weapon.

Fears of cyberwar were raised earlier by distributed denial-of-service attacks on Estonia in mid-2007. However, a DDoS is a fairly simple brute-force attack. Stuxnet is far more sophisticated in its selectivity, stealth, self-protection, and self-updating. Similar malware might be suitable as a “first strike” weapon to compromise its target covertly before an overt offensive.

After Stuxnet’s discovery, Iran accused NATO and the US of involvement in the attacks, but both have denied responsibility. Some have also suspected Israel’s Unit 8200 security agency. Israel hasn’t publicly commented on Stuxnet but acknowledges that cyberwarfare is now part of its mission. Israel is far from the only nation with cyberwarfare capabilities. The US established the Cyber Command (USCYBERCOM) at Fort Meade, Maryland, to defend American military networks. Other nations including the UK, China, and the Russian Federation are widely believed to be pursuing cyberwarfare capabilities as well.

Stuxnet has opened security researchers’ eyes to the fact that malware isn’t restricted to computers. Malware can affect critical physical infrastructures, which are mostly controlled by software. This implies that threats might extend to real lives.

Stuxnet has also shown that isolation from the Internet isn’t an effective defense, and an extremely motivated attacker might have an unexpected combination of inside knowledge, advanced skills, and vast resources. Existing technologies would have difficulty defending against this caliber of attack. Indeed, Stuxnet might become the model for future generations of cyberoffense.

Thomas M. Chen is a professor in the School of Engineering, Swansea University, UK. Contact him at t.m.chen@swansea.ac.uk.

Saeed Abu-Nimeh is a security researcher at Damballa Inc., San Diego. Contact him at sabunimeh@damballa.com.

Editor: Jeffrey Voas, National Institute of Standards and Technology; jeffrey.m.voas@gmail.com

Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
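The article's certificate point (stolen Realtek and JMicron signing certificates, revoked on 16 and 22 July 2010) deserves one concrete check. The following is an added example, not code from the article or its authors: it models how a driver signature from a later-revoked signer is judged under a lenient, Authenticode-style policy that keeps trusting signatures timestamped before the revocation date, versus a stricter defender policy that distrusts every signature from a revoked signer. Signer names and revocation dates follow the article; the file names, signing dates and trust-chain flags are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed revocation list keyed by signer name (a real check would key on
# issuer + serial). Dates are the revocations the article reports.
REVOKED_SIGNERS = {
    "Realtek Semiconductor Corp": datetime(2010, 7, 16),
    "JMicron Technology Corp": datetime(2010, 7, 22),
}

@dataclass(frozen=True)
class DriverSignature:
    path: str              # file the signature covers (constructed name)
    signer: str            # subject of the leaf code-signing certificate
    signed_at: datetime    # time asserted by the timestamp countersignature
    chain_valid: bool      # chain built to a trusted root when last checked

def verdict(sig: DriverSignature, strict: bool) -> str:
    """Judge one signature as 'trusted', 'revoked' or 'untrusted'.
    Lenient logic keeps trusting a signature whose timestamp predates the
    signer's revocation date. With a stolen key the thief could sign anything
    before the CA learned of the theft, so the strict policy distrusts every
    signature from a revoked signer regardless of the timestamp."""
    if not sig.chain_valid:
        return "untrusted"
    revoked_on = REVOKED_SIGNERS.get(sig.signer)
    if revoked_on is None:
        return "trusted"
    if strict or sig.signed_at >= revoked_on:
        return "revoked"
    return "trusted"  # timestamped before revocation: lenient policy accepts it

def audit(signatures, strict: bool) -> dict:
    """Map each file path to its verdict under the chosen policy."""
    return {s.path: verdict(s, strict) for s in signatures}

def flagged(signatures) -> list:
    """Paths a defender should quarantine under the strict policy."""
    return sorted(p for p, v in audit(signatures, strict=True).items() if v != "trusted")

# Constructed inventory: signing dates and file names are not from the article.
SAMPLE = [
    DriverSignature("realtek_signed.sys", "Realtek Semiconductor Corp", datetime(2010, 1, 25), True),
    DriverSignature("jmicron_signed.sys", "JMicron Technology Corp", datetime(2010, 7, 17), True),
    DriverSignature("vendor_ok.sys", "Example Vendor Ltd", datetime(2010, 3, 3), True),
    DriverSignature("broken_chain.sys", "Example Vendor Ltd", datetime(2010, 3, 3), False),
]
```

Under the lenient policy both stolen-certificate drivers in the sample stay trusted, since their timestamps predate revocation; only the strict policy flags them.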
