Stuxnet shifts threat landscape

By Admire Moyo, ITWeb's news editor.
Johannesburg, 11 May 2011

The infamous Stuxnet virus has fundamentally changed the threat landscape, and enterprises should now assume attackers know how their systems work.

This is according to Mike Jones, EMEA senior manager product marketing at Symantec, speaking during the ITWeb Security Summit, at the Sandton Convention Centre, yesterday.

In his presentation, “Stuxnet: The inside story from Symantec”, Jones said Stuxnet resulted in significant changes in hacking, cyber crime, cyber espionage and cyber warfare.

“Stuxnet is extremely sophisticated, but the techniques to modify current threats are not, as the hardware-hacker community has become so resourceful.”

He said Stuxnet targets industrial control systems: the infrastructure monitoring and control hardware such as sensors, motors and relays.

“It also targets real-time control systems like PLC [programmable logic controller] while programming systems, typically Windows desktops and laptops, are also affected.”

Stuxnet origins

Jones explained that the original Stuxnet attack spread via thumb drive. “The early versions used autorun.inf to execute, just in case social engineering could trick the user into executing the file.

“Later versions used the zero-day LNK vulnerability to hide files and automatically execute them,” he noted.

Describing the Stuxnet threat, Jones said it comprises seven infection vectors while most threats use one or two, adding that these vectors include USB, network shares, print spooler, SMB, peer-to-peer, WinCC SQL, and Step 7.

“It also uses a Windows rootkit to hide Windows binaries, while stolen digital signatures allow the undetected installation of rootkit targets,” he explained. “The goal of Stuxnet is to infect Simatic PLC devices.”

He added that PLC devices are loaded with blocks of data and code written using a variety of languages such as STL and SCL.

Infected machines, he added, check in with system information like OS version, computer name, domain, IP addresses, configuration data, and existence of programming software, and these compromised machines will send design documents if requested.

Outlining the Stuxnet geographic distribution of infections, Jones said Iran suffered the biggest attacks worldwide. “To date, Symantec witnessed about 40 000 infected unique external IPs from over 115 countries.”

Unique attacks

Jones also noted that what makes Stuxnet unique, in comparison with other threats, is that while typical malware has no zero-day vulnerabilities, Stuxnet has four. “While other malware doesn't have known vulnerabilities, Stuxnet has two.

“On the propagation methods, typical malware has one or two, but Stuxnet has seven. Typical malware also does not have a self-contained attack, but Stuxnet does.”

Symantec also discovered that Stuxnet has device IDs embedded in the malware that indicate the make or model of the targeted systems.

“It also contains activation frequencies of the payload between 800MHz and 1 200MHz, which destroys or damages refinement operations. This was mainly targeted at uranium enrichment processes in Iran,” he explained.

According to Jones, Stuxnet has also brought protection challenges for security experts: contractors are heavily used, and they connect their own machines to the PLC.

He also said that the protection challenges stem from the fact that these systems are mostly offline. “They are not air-gapped, while USB key use is extremely rampant.”
