The Blog

How Stuxnet is Scaring the Tech World Half to Death

A complex computer virus and its imminent threat.

2:30 PM, Sep 30, 2010 • By JONATHAN V. LAST
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

The functionality of Stuxnet is particularly interesting. The worm gains initial access to a system through a simple USB drive. When an infected USB drive is plugged into a machine, the computer does a number of things automatically. One of them is that it pulls up icons to be displayed on your screen to represent the data on the drive. Stuxnet exploited this routine to pull the worm onto the computer. The problem, then, is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installs what’s called a “rootkit”—essentially a piece of software which intercepts the security queries and sends back false “safe” messages, indicating that the worm is innocuous.

The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMichron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen.

So the security keys enable the drivers, which allow the installation of the rootkit, which hides the worm that was delivered by the corrupt USB drive. Stuxnet’s next job was to propagate itself efficiently, but quietly. Whenever another USB drive was inserted into an infected computer, it becomes infected, too. But in order to reduce visibility and avoid detection, the Stuxnet creators set up a system so that each infected USB drive could only pass the worm on to three other computers.

Stuxnet was not designed to spread over the Internet at large. (We think.) It was, however, able to spread over local networks—primarily by using the print spooler that runs printers shared by a group of computers. And once it reached a computer with access to the Internet it began communicating with a command-and-control server—the Stuxnet mothership. The C&C servers were located in Denmark and Malaysia and were taken off-line after they were discovered. But while they were operational, Stuxnet would contact them to deliver information it had gathered about the system it had invaded and to request updated versions of itself. You see, the worm’s programmers had also devised a peer-to-peer sharing system by which a Stuxnet machine in contact with C&C would download newer versions of itself and then use it to update the older worms on the network.

And then there’s the actual payload. Once a resident of a Windows machine, Stuxnet sought out systems running the WinCC and PCS 7 SCADA programs. It then began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. It’s this last bit—the vulnerability of PLC—which is at the heart of the concern about Stuxnet. A normal worm has Internet consequences. It might eat up bandwidth or slow computers down or destroy code or even cost people money. But PLC protocols interact with real-world machinery – for instance, turn this cooling system on when a temperature reaches a certain point, shut that electrical system off if the load exceeds a given level, and so on.

Recent Blog Posts