Stuxnet Trojan

From SI410
Revision as of 08:49, 12 October 2012 by Jfrankl (Talk | contribs)


Natanz, Iran, where the 1,000 centrifuges were destroyed.


Stuxnet is the most complex computer worm to date. It targeted and destroyed real-world infrastructure: this sophisticated piece of malware shut down 1,000 IR-1 centrifuges in the Fuel Enrichment Plant at Natanz, Iran (1). The worm was the first of its kind to include not only malicious STL (Statement List) code, a complex assembly-like language, but also a programmable logic controller (PLC) rootkit that hid that code (2). Stuxnet infects Windows systems in search of industrial control systems, which it reaches using STL; it is only able to do this because of the rootkit. With the PLC/STL rootkit giving Stuxnet almost full coverage, over 60% of Iran became infected in a relatively short amount of time (3). Among the many things that make Stuxnet unique is that its code contains 50 times more information than a typical virus (3). People speculate about many reasons why this attack occurred, but no consensus has yet been reached.


History

Cyber officials at the Pentagon referred to Stuxnet by the code name “Olympic Games” (6), while the name “Stuxnet” itself was derived from keywords in the code (7). Stuxnet was discovered in June 2010 by VirusBlokAda, a security firm based in Belarus (4). On June 17th, 2010, two new malware samples were found that were capable of infecting a Windows 7 machine (5). Data from this first discovery was later used to analyze what the worm actually did.


Implementation

There are two theories as to how Stuxnet enters a system: through a USB drive, or through printers shared over a network (8). In the first case, once the infected USB drive is inserted, shortcut files are executed immediately (5). Shortcut files link to icons, which in turn link to a particular executable program; for Stuxnet to work, the computer needs to display icons of some kind so that infection can start right away (5). The second possibility is that Stuxnet exploits a hole in the Windows printing software. RPC, a service that allows two computers to interact, was improperly secured, which could have allowed Stuxnet to break into the main computer and spread across the network (8).


Infection


Windows

Stuxnet was able to enter Windows by using digitally signed certificates (3). The rootkit included two digitally signed certificates whose keys signaled to the computer that the program was legitimate (8). These private keys were stolen from JMicron and Realtek, technology companies based in Taiwan (8). Once inside Windows, the malware copies itself to open file shares. Files are then copied from drive to drive, because Stuxnet can find open shares and automatically propagate to those computers without any user interaction (8). Stuxnet also copies itself into subsequently shared files, infecting the next user on launch. If connected to the network, Stuxnet will update itself.
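The stolen-key problem above comes down to one point: a signature made with a stolen vendor key is cryptographically valid, so a loader that only checks the signature accepts the rootkit, and only a revocation list for the compromised key stops it. The following Go program, written for this page and not part of Stuxnet or any Windows component, demonstrates that with an ECDSA key standing in for a vendor's code-signing certificate; the vendor name, driver image and key fingerprint scheme are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vendor models a hardware vendor's code-signing key pair (constructed, not a real vendor key).
type Vendor struct {
	Name string
	Key  *ecdsa.PrivateKey
}

// RevokedKeys is the loader's blocklist of compromised signing keys, by fingerprint.
type RevokedKeys map[string]bool

// NewVendor creates a fresh P-256 signing key for the named vendor.
func NewVendor(name string) *Vendor {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Vendor{Name: name, Key: k}
}

// KeyID returns a hex SHA-256 fingerprint of a public key (stands in for a certificate serial).
func KeyID(pub *ecdsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...)))
}

// Sign produces a detached ECDSA signature over the SHA-256 of a driver image.
// Whoever holds the private key can call this, including a thief of the key.
func Sign(v *Vendor, driver []byte) []byte {
	h := sha256.Sum256(driver)
	sig, err := ecdsa.SignASN1(rand.Reader, v.Key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// SignatureValid is the naive loader check: does the signature verify under the vendor key?
func SignatureValid(pub *ecdsa.PublicKey, driver, sig []byte) bool {
	h := sha256.Sum256(driver)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// LoadAllowed is the hardened check: the key must not be revoked AND the signature must verify.
func LoadAllowed(pub *ecdsa.PublicKey, driver, sig []byte, revoked RevokedKeys) bool {
	if revoked[KeyID(pub)] {
		return false // valid signature or not, a stolen key earns no trust
	}
	return SignatureValid(pub, driver, sig)
}
```

Run stand-alone by adding a main that signs a constructed "rootkit" image with the vendor key, then calls LoadAllowed before and after adding KeyID(&v.Key.PublicKey) to the RevokedKeys map: the signature check alone passes in both cases, and only the revocation entry makes the loader refuse the image.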

Step 7 and PLC

Step 7, database software from Siemens, is used to program industrial control systems. After building software in Step 7, it is loaded onto the PLC to run the code and operate the centrifuges. Stuxnet was able to invade the PLC using the manufacturer's password from Siemens. It then verifies that the PLC controls at least 155 frequency converters in total (8). Notably, the uranium Fuel Enrichment Plant uses 160 centrifuges, which could indicate that this plant was Stuxnet’s target.