Stuxnet is developing all the twists and turns of an Agatha Christie detective story.
First of all, Stuxnet appears to have been written by at least three different authors. The worm consists of nearly half a megabyte of code (compare SQL Slammer, which comes to 376 bytes; count them). It is written in multiple languages, including C, C++ and other object-oriented languages.
According to Computerworld, it contains four separate zero-day Windows exploits, effective against every Windows version since Windows 2000, as well as a known exploit (the MS08-067 Server service flaw) which was also used by the Conficker worm. Microsoft is still releasing patches for them.
The two code-signing certificates it used to sign its drivers came from companies that are near neighbours in the same science park in Taiwan, though not otherwise related. This suggests there may have been a physical intrusion into these two offices to obtain the private keys, though there are also software packages that may be able to steal the private keys behind digital certificates from an infected machine with the help of a little social engineering.
Hidden in the code is a debug-symbol (PDB) path, left behind by the compiler, that points to the file where one of the original authors stored code on his or her machine: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. As myrtus is "a genus of one or two species of flowering plants in the family Myrtaceae, native to southern Europe and north Africa", guavas are also plants in the myrtle family (Myrtaceae), and myrtle is used in Jewish rituals, conspiracy theorists have had a field day. There is also a registry key with a value of 19790509, which reads as the date 9 May 1979, the day a Jewish-Iranian businessman called Habib Elghanian was executed in Iran, accused of spying for Israel.
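That build path survives because the Microsoft toolchain stores it in a CodeView "RSDS" record inside the binary (signature, a 16-byte GUID, a 4-byte "age", then the NUL-terminated PDB path), which is what makes it usable as an indicator. The Python below is an added example, not code from the original post or from any published Stuxnet analysis: it pulls every RSDS record out of a file image and reports whether one ends in the myrtus/guava path. The sample bytes are constructed in the script (including a made-up GUID and a drive-letter prefix, since reports differ on whether the path carries one), not taken from the worm.

```python
"""Find CodeView RSDS debug records in a binary and check the PDB path they carry.

Added example; the sample bytes are constructed here, not taken from Stuxnet.
"""
import re
import struct
import uuid

# CV_INFO_PDB70 layout: b'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
# We scan the raw image rather than walk the PE debug directory, so the check
# also works on packed or partially corrupted files where the headers are unusable.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)

# Build path reported in the Stuxnet driver (as given in the post, without drive letter).
KNOWN_BAD_PDB = "\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb"


def extract_pdb_records(blob: bytes) -> list[dict]:
    """Return every RSDS record found in blob as {offset, guid, age, path}."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid_bytes, age_bytes, path = m.groups()
        records.append({
            "offset": m.start(),
            "guid": str(uuid.UUID(bytes_le=guid_bytes)),  # GUID is stored little-endian
            "age": struct.unpack("<I", age_bytes)[0],
            "path": path.decode("latin-1"),
        })
    return records


def matches_known_pdb(blob: bytes, indicator: str = KNOWN_BAD_PDB) -> bool:
    """True if any RSDS path ends with the indicator.

    Matching on the tail (case-insensitively) means a drive prefix such as
    'b:' in the sample does not defeat the check.
    """
    tail = indicator.lower()
    return any(r["path"].lower().endswith(tail) for r in extract_pdb_records(blob))


def build_sample() -> bytes:
    """Constructed test vector: junk, one RSDS record with the published path, more junk."""
    fake_guid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # hypothetical GUID
    record = (b"RSDS" + fake_guid + struct.pack("<I", 1)
              + b"b:" + KNOWN_BAD_PDB.encode("latin-1") + b"\x00")
    return b"MZ" + b"\x90" * 64 + record + b"\x00" * 32


if __name__ == "__main__":
    sample = build_sample()
    for r in extract_pdb_records(sample):
        print(f"offset=0x{r['offset']:x} guid={r['guid']} age={r['age']} path={r['path']}")
    print("known Stuxnet build path present:", matches_known_pdb(sample))
```

Run it against a real driver with `extract_pdb_records(open(path, "rb").read())`; a PDB path is cheap for an author to strip or forge, so treat a hit as a lead for further analysis rather than proof on its own.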
Stuxnet is programmed to spread, but only slowly: each infected USB stick infects at most three other machines, whereas each SQL Slammer instance infected as many as it could. Despite this, Stuxnet has spread widely, and it appears to have gone undetected for some months (possibly from July 2009 to June 2010). It is programmed to stop spreading on June 24, 2012, roughly three years after its release. It was spread initially through infected USB sticks. One theory is that these were used by a Russian contractor working in Iran whose own website is allegedly infected by a worm. (I have not visited it to check this!)
Symantec, however, documents several propagation methods beyond USB sticks: network shares, the Windows print spooler and Server service vulnerabilities, a peer-to-peer update channel between infected machines, and infected Siemens Step 7 project files.
According to the Christian Science Monitor, "Stuxnet has infected at least 45,000 computers worldwide, Microsoft reported last month. Only a few are industrial control systems. Siemens this month reported 14 affected control systems, mostly in processing plants and none in critical infrastructure. Some victims in North America have experienced some serious computer problems.... Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct... Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it...."
According to Symantec, 60% of all infections have been in Iran.
According to Geekheim, on July 17, 2009 WikiLeaks said: "Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible, however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago."
Press photographs taken inside the Bushehr nuclear site show it running Siemens WinCC SCADA software whose screens clearly display the warning "WinCC Runtime License: Your software license has expired. Please obtain a valid license." Siemens have confirmed that they did not install their software at the plant, so the Iranians may have bought it indirectly (nuclear-related exports to Iran are controlled in many countries). An unlicensed installation would presumably not have been receiving vendor support or updates, so it may have been more vulnerable.
Some stories suggest that the worm may have shut down an Indian communications satellite. Conspiracy theorists are even wondering whether the BP Deepwater Horizon spill may have been partly due to the worm, though there does not seem to be any evidence for this; the platform may, however, have used Siemens controllers.
The most prominent theory at the moment is that the Israelis wrote it, specifically to attack the Iranian nuclear programme. According to Reuters, Iran has accused the Israelis of causing an explosion in Tehran which killed Prof Massoud Ali-Mohammadi, allegedly a nuclear scientist, and another Iranian nuclear scientist, Shahram Amiri, disappeared in 2009, reappeared in the US and then returned to Iran, allegedly after his family was threatened.
Technical studies say that the number of centrifuges in operation in the Iranian programme has gone down, commenting (in February 2010) that "The reason for the disconnection and removal of these centrifuges is unclear. It is possible that technical problems required this removal so that defective centrifuges can be repaired or replaced. Or it is possible that Iran is dispersing the centrifuges to other known or unknown sites." However, Iranian production of enriched uranium seems to have increased.
The BBC reported that the opening of the Bushehr civil nuclear power plant has been delayed by two months. Another BBC story reported that the Stuxnet worm had been found at Bushehr, but, according to the plant manager, only on non-SCADA PCs.