Sunday, September 26, 2010

Stuxnet In Pictures: The Cyber-Weapon Said to Target Iran's Nuclear Infrastructure

A programmable logic controller (PLC) is a specialized, self-contained computer system used in manufacturing and processing plants around the world.

Most PLCs utilize a diagrammatic programming language called "ladder logic", not dissimilar to traditional flow charts, to allow engineers to schedule activities, turn switches on and off, regulate work-in-process queues and perform many other functions using "code blocks".

For example, a refinery might employ a PLC to control the flow of oil and byproducts between multiple stages of the refining process. It would perform these tasks by opening and closing valves, reading level sensors, etc.

PLCs are often network-attached. The term SCADA (Supervisory Control and Data Acquisition) refers to a network of PLCs and related devices that are supervised by control systems.

With that as a bit of background, let's rewind to July 2010. That month security vendors began warning of a new type of malware identified as either "Tmphider" or "W32.Stuxnet". The malware used a zero-day Windows vulnerability (involving .lnk or .pif shortcut files) to install both kernel- and user-mode attack software.

Virtually every version of Windows was vulnerable. But, interestingly, the malware had first been spotted infesting Siemens WinCC SCADA systems. Siemens makes one of the world's most popular lines of PLCs and was, as of a few years ago, reported to have a third of the world's market share.

When Stuxnet infects a Windows machine, it reports back to a C&C (command and control) server the following information within an encrypted HTTP request.

• The Windows version information
• The computer name
• The network group name
• Flag for whether SCADA software was installed or not
• IP addresses of all network interfaces

Symantec reports that the malware has some amazing capabilities targeting SCADA directly: "Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC."

It appears that Stuxnet contains 70 or more hidden code blocks for PLC operations including some of the most basic operations. It can also customize the code blocks based upon PLC model and type. It is not yet clear, however, what the modified PLC code blocks are intended to do.

However, it is rather certain that the code is not intended to streamline processes and improve efficiencies:

A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Given the countries targeted -- Iran appears to be a primary 'beneficiary' of Stuxnet -- researchers speculate that the malware was designed to destroy the Islamic Republic's burgeoning nuclear infrastructure.

If that is the case, I have only one word for Stuxnet: Godspeed.

Update: The AP reports that 'Worm hits computers of staff at Iran nuclear plant.'


Anonymous said...

heh heh. The Mullahs will find themselves with a big problem - whether or not their systems have been infected, they can't know that anything will work properly or, say....dump irradiated coolant all over their plants. Nice work, to whoever did it :-)

Frank G

Reliapundit said...

now that they know what hit them how long before they clean it up?

Tailwind said...

You know....yesterday I remembered another recent story found at the link below.


I think s-o-m-e-o-n-e is trying to give them a message that they need to be vaywee, vaywee careful....and I bet they are not sure about anything anymore.

Tailwind sends

Disco Prime said...

This primarily affects the Siemens PLC line. What is concerning is that Siemens has been increasing its product capability in the US, where Rockwell/Allen-Bradley PLC systems have been a mainstay for a very long time. AB platforms have not been affected, but that does not mean that someone can start. If this thing is able to morph or move outside of Iran, prepare for some interesting developments in the world.

Pretty much everything we rely on operates off of a PLC system.

samantha said...

Perhaps I am behind the times. But PLCs in my experience are canned systems that are not generally reprogrammed by having any sort of ongoing linkage to a computer. In the old days we would blow a ROM for this. It is not general software but firmware. So Windows vulnerabilities haven't a lot to do with existing factory PLCs. PLCs precisely because they are designed to be specialized in place controllers are generally write once or rarely using special procedures. The idea that the target is a nuclear plant is especially laughable.

There is only one thing this is really about imho. It is about raising FUD over cyber-security in general. Expect a bunch of government proposals to "protect" us as freedom is judged too dangerous.