Author Topic: Is Stuxnet worm work of a nation state?!  (Read 3836 times)



  • SCF Administrator
  • *****
  • Posts: 7512
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Is Stuxnet worm work of a nation state?!
« on: 25. September 2010., 07:53:51 »

The devious worm first discovered in Iran in July and built to attack the physical world that is industrial control systems is not your run-of-the-mill threat, warns a Symantec expert:,4365.0.html
The new era of cyber attacks on the smart devices that manage your life.

A Symantec Corp. expert thinks Stuxnet, a worm first discovered on PCs in Iran in July that has since attacked several industrial control systems, signals the start of a never-before-seen breed of cyber attack intentionally designed to inflict massive harm in the physical world.

“The intent of this threat is clearly not trying to steal information, but in some way get into industrial control systems to be in a position to potentially create destruction,” said Gerry Egan, director of product management with Cupertino, Calif.-based Symantec.

With end users’ lives increasingly tethered to smart devices, Egan said there has to be an awareness that these machines are beginning to, and have, come under attack.

“It is a very significant milestone on the threat landscape without a doubt,” said Egan.

Stuxnet was found in Iran by researchers at Belarus-based security firm VirusBlokAda Ltd. this summer. Specifically built to target Siemens AG industrial control systems, it has since managed to affect a number of Siemens plants but did not cause production malfunction or damage.

Stuxnet is hardly run-of-the-mill, with characteristics that couldn’t have come easy. Egan estimates its creation took six months and between five and 10 people with extensive knowledge of the Windows operating system and industrial control systems software and hardware.

Moreover, Stuxnet exploits four zero-day vulnerabilities. Putting that in perspective, Symantec’s 2009 Threat Report listed only 12 known zero-day vulnerabilities. The makers of Stuxnet also went to the trouble to use two stolen digital certificates, and two rootkits.

“All that together means an incredible effort went into this,” said Egan.

To top it all, there was a bit of social engineering effort involved. The worm took advantage of a Windows vulnerability, then unknown and since patched, and spreads between machines via USB stick. “How did these USB keys come to be inside these organizations? Well maybe they were dropped in the parking lot outside,” said Egan. “We don’t quite know what the mechanics were.”

Although Egan refused to conjecture what the identities of the makers were, he did say “it looks like a lot of effort went into this, so it was a well-funded body, well-organized.”

But Kaspersky Lab researcher Roel Schouwenberg did say Stuxnet is very likely the work of a nation state. "This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation state-backed."

Egan said 10 to 15 years ago, people were well aware of the potential security threats lurking in the form of floppy disks. But today, he’s not quite sure there exists the same perception about USB keys.




  • SCF Administrator
  • *****
  • Posts: 7512
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Secrets of the Stuxnet Worm's Travels
« Reply #1 on: 03. October 2010., 17:04:47 »

Secrets of the Stuxnet Worm's Travels

Stuxnet's inability to stay stealthy may be fallout from a failure to hit its intended targets last year, security researchers said today.

The worm, which was designed to infiltrate heavy-duty industrial control programs that monitor and manage factories, oil pipelines, power plants and other critical installations, only popped onto researchers' radars this summer, nearly a year after it was likely first launched.

"Obviously, it spread beyond its intended target or targets," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, one of the two security companies that has spent the most time analyzing Stuxnet.

Most researchers have agreed that Stuxnet's sophistication -- they've called it "groundbreaking" -- means that it was almost certainly built by a well-financed, high-powered team backed by a government. The worm's probable target was Iran, possibly the systems in its budding nuclear power program.

Earlier this week, Iranian officials acknowledged that tens of thousands of Windows PCs had been infected with Stuxnet, including some in place at a nuclear power plant in southwestern Iran. They have denied that the attack had damaged any facilities, however, or that Stuxnet contributed to well-known delays in the reactor's construction.

But if Stuxnet was aimed at a specific target list, why has it spread to thousands of PCs outside Iran, in countries as far flung as China and Germany, Kazakhstan and Indonesia?

"That's something we find puzzling," said Liam O Murchu, operations manager with Symantec's security response, and a co-author of a paper that analyzed the worm's code.

Even though the Stuxnet makers obviously included measures to limit its spread, something went amiss, O Murchu said.

The original infection method, which relied on infected USB drives, included a counter that limited the spread to just three PCs, said O Murchu. "It's clear that the attackers did not want Stuxnet to spread very far," he said. "They wanted it to remain close to the original infection point."

O Murchu's research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.

Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?

Kaspersky's Schouwenberg believes it's because the initial attack, which relied on infected USB drives, failed to do what Stuxnet's makers wanted.

"My guess is that the first variant didn't achieve its target," said Schouwenberg, referring to the worm's 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. "So they went on to create a more sophisticated version to reach their target."

That more complex edition, which O Murchu said was developed in March of this year, was the one that "got all the attention," according to Schouwenberg. But the earlier edition had already been at work for months by then -- and even longer before a little-known antivirus vendor from Belarus first found it in June. "The first version didn't spread enough, and so Stuxnet's creators took a gamble, and abandoned the idea of making it stealthy," said Schouwenberg.

In Schouwenberg's theory, Stuxnet's developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.

"They spent a lot of time and money on Stuxnet," Schouwenberg said. "They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm."

O Murchu agreed that it was possible the worm's creators had failed to infect, and thus gain control of, the industrial systems running at their objective(s), but said the code itself didn't provide clear clues.

What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLCs (programming logic control) hardware to hijack. "It's possible that [the attackers] didn't manage to get to all of their targets [with the earlier version]," O Murchu said. "The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target."

With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm's developers gladly took.

And that risk may have been quite small. "Perhaps they knew that their own critical infrastructure wouldn't be affected by Stuxnet because it's not using Siemens PLCs," Schouwenberg said.

Stuxnet only tried to grab control of PLCs manufactured by German electronics giant Siemens, which has supplied large amounts of industrial control hardware and software to Iran.

O Murchu's research seemed to back up Schouwenberg's speculation. "Stuxnet looks to see that a specific type of PLCs are present," he said today. "Those are quite popular models, but it does show that they knew what hardware was being used at the target or targets." Additionally, the code only infected PLCs that used a specific model of network card.

The identity of Stuxnet's makers may never be known, both Schouwenberg and O Murchu said. However, some clues in the code point to Israel, or at least the hackers wanted everyone to think Israel was behind the cyber attack against Iran:

"But as long as no one takes responsibility for the attack, the authors really had nothing to lose by letting the worm spread," said Schouwenberg.



  • SCF Administrator
  • *****
  • Posts: 7512
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Is Stuxnet worm work of a nation state?!
« Reply #2 on: 11. October 2010., 18:01:11 »

Download "Stuxnet" Removal Tool from BitDefender:,4623.0.html


  • SCF Newbie
  • *
  • Posts: 9
  • KARMA: 2
Re: Is Stuxnet worm work of a nation state?!
« Reply #3 on: 12. October 2010., 19:57:50 »
IT Director:
McAfee EPO 4.6, Virusscan Enterprise 8.8i Patch 3, DLP 9.3


  • SCF Member
  • **
  • Posts: 39
  • KARMA: 4
Re: Is Stuxnet worm work of a nation state?!
« Reply #4 on: 18. October 2010., 09:16:56 »
thanks man

