Mystery lingers over stealthy Stuxnet infection

Cloak and dagger


Analysis The infamous Stuxnet worm infected 14,000 systems inside Iran, according to new estimates.

The sophisticated and complex malware was tuned to infect supervisory control and data acquisition (SCADA) systems that are used to control power plants and factories. Stuxnet was tuned to attack specific configurations of Siemens Simatic WinCC SCADA system software. The technology is used in industrial control systems in power plants, oil pipelines and factories.

In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid code-signing certificates stolen from Realtek and JMicron, and rootkit-style technology, factors that helped the malware stay under the radar for much longer than would normally be the case. The malware is capable of reprogramming the programmable logic controllers (PLCs) of control systems. Infected USB sticks are reckoned to be the main route of initial infection, but once established Stuxnet spreads via default network shares.
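Spreading over the default administrative shares leaves a recognisable trace: one host opening ADMIN$ or C$ on many other machines within a few minutes, which is not how an administrator or a backup job normally behaves. The script below is an added example, not code from the article or from any of the vendors it cites. It parses constructed share-access log lines (the `src=... user=... share=...` field layout is an assumption made for illustration, not a real Windows event export) and flags any source that touches the default shares of several distinct hosts inside a sliding time window.

```python
"""
Added example: flag worm-like fan-out over default administrative shares.

A source address that opens ADMIN$, C$ or IPC$ on many different hosts in a
short window is the pattern a share-spreading worm produces. The log lines
below are CONSTRUCTED for this example; the key=value layout is an assumption,
not the format of any real Windows event export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a backup account touching two file servers over 12 minutes
# (benign), and an engineering workstation sweeping four hosts in two minutes.
SAMPLE_LOG = r"""
2010-09-20T08:00:01 src=10.0.5.17 user=LAB\svc_backup share=\\fileserv-01\Backups
2010-09-20T08:00:05 src=10.0.5.17 user=LAB\svc_backup share=\\fileserv-01\C$
2010-09-20T08:12:30 src=10.0.5.17 user=LAB\svc_backup share=\\fileserv-02\C$
2010-09-20T09:15:02 src=10.0.7.44 user=LAB\eng_station share=\\hmi-01\ADMIN$
2010-09-20T09:15:09 src=10.0.7.44 user=LAB\eng_station share=\\hmi-02\ADMIN$
2010-09-20T09:15:15 src=10.0.7.44 user=LAB\eng_station share=\\hmi-03\C$
2010-09-20T09:16:40 src=10.0.7.44 user=LAB\eng_station share=\\wincc-srv\ADMIN$
2010-09-20T09:17:01 src=10.0.7.44 user=LAB\eng_station share=\\wincc-srv\Projects
"""

# The shares Windows creates by default; access to these is what we count.
DEFAULT_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}


def parse_line(line):
    """Return (timestamp, source_ip, target_host, share_name) for one log line."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.fromisoformat(ts_str)
    # share looks like \\host\NAME; strip the leading \\ and split host from name
    _, _, rest = fields["share"].partition("\\\\")
    host, _, name = rest.partition("\\")
    return ts, fields["src"], host.lower(), name.upper()


def find_fanout(log_text, window_minutes=10, threshold=3):
    """
    Map source IP -> sorted list of distinct hosts whose default shares it
    opened within any `window_minutes` window, for sources reaching `threshold`
    or more distinct hosts. Sources below the threshold are not reported.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

    hits_by_src = defaultdict(list)  # src -> [(timestamp, host), ...] in time order
    for ts, src, host, name in events:
        if name in DEFAULT_SHARES:
            hits_by_src[src].append((ts, host))

    alerts = {}
    for src, hits in hits_by_src.items():
        # Slide the window start over each hit; count distinct targets inside it.
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in find_fanout(SAMPLE_LOG).items():
        print(f"{src} opened default shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample only 10.0.7.44 is reported: it opens the default shares of four hosts in under two minutes, while the backup account touches two servers twelve minutes apart and never reaches the threshold. The window and threshold are the tuning knobs; a flat site with one administrator will tolerate a lower threshold than a large domain with many automated jobs.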

It was first detected by VirusBlokAda, an anti-virus firm based in Belarus, in late June, and confirmed by other security firms shortly afterwards in July.

Some have pointed to the pattern of the worm's infections, together with its sophistication, to suggest it was the work of an intelligence agency rather than ordinary cybercrooks, and that its objective may have been to damage Iran's new nuclear reactor at Bushehr.

"Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus," Mahmoud Jafari, a facility projects manager at Bushehr, told Iran's official Islamic Republic News Agency, the Wall Street Journal reports. He added that no significant damage was caused and that the infection is unlikely to delay the scheduled completion of the plant next month. State media, by contrast, is reporting no infection at Iranian nuclear facilities.

Figures from Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been affected than inside Iran since the malware was first detected. However, binaries later associated with the malware were detected months before this, leading some to suggest Stuxnet may have been circulating for as long as a year.

The Russian anti-virus firm said there is no firm evidence of the intended target, much less of who created the attack. However, it is possible to narrow down the possibilities. Kaspersky describes the worm as a "one-of-a-kind, sophisticated malware attack" backed by a "well-funded, highly skilled attack team with intimate knowledge of SCADA technology".

"We believe this type of attack could only be conducted with nation-state support and backing," it concludes.

Other antivirus analysts agree with Kaspersky that the primary aim of the malware was sabotage rather than information extraction (spying).

A comprehensive technical FAQ on Stuxnet from McAfee can be found here. More detail on how Stuxnet infects systems can be found in an overview, complete with helpful diagrams, from Symantec, here.

Theories and further analysis about Stuxnet, which has started to receive widespread mainstream coverage over the last few days thanks to the Iranian nuke plant angle, are due to be discussed at the Virus Bulletin conference in Vancouver later this week. For a contrary view, that the whole thing has been ridiculously overhyped, see Vmyths here. ®
