The computer worm Stuxnet broke out of the tech underworld and into the mass media this week. It’s an amazing story: Stuxnet has infected roughly 45,000 computers. Sixty percent of these machines happen to be in Iran. Which is odd. What is odder still is that Stuxnet is designed specifically to attack a computer system using software from Siemens which controls industrial facilities such as factories, oil refineries, and oh, by the way, nuclear power plants. As you might imagine, Stuxnet raises big, interesting geo-strategic questions. Did a state design it as an attack on the Iranian nuclear program? Was it a private group of vigilantes? Some combination of the two? Or something else altogether?
But it’s worth pausing to contemplate Stuxnet on its own terms, and understand why the tech nerds were so doomsday-ish about it in the first place. We should start at the beginning.
A computer worm is distinct from a virus. A virus is a piece of code which attaches itself to other programs. A worm is a program by itself, which exists on its own within a computer. A good (meaning really bad) worm must do several things quite subtly: It must find its way onto the first machine by stealth. While a resident, it must remain concealed. Then it must have another stealthy method of propagating to other computers. And finally, it must have a purpose. Stuxnet achieved all of these goals with astounding elegance.
The Stuxnet worm was first discovered on June 17, 2010 by VirusBlokAda, a digital security company in Minsk. Over the next few weeks, tech security firms began trying to understand the program, but the overall response was slow because Stuxnet was so sophisticated. On July 14, Siemens was notified of the danger Stuxnet posed to its systems. At the time, it was believed that Stuxnet exploited a “zero day” vulnerability (that is, a weak point in the code never foreseen by the original programmers) in Microsoft’s Windows OS. Microsoft moved within days to issue a patch.
By August, the details of Stuxnet were becoming clearer. Researchers learned troubling news: The virus sought to over-ride supervisory control and data acquisition (SCADA) systems in Siemens installations. SCADA systems are not bits of virtual ether—they control all sorts of important industrial functions. As the Christian Science Monitor notes, a SCADA system could, for instance, override the maximum safety setting for RPMs on a turbine. Cyber security giant Symantec warned:
Stuxnet can potentially control or alter how [an industrial] system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized’” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
As the days ticked by, Microsoft realized that Stuxnet was using not just one zero-day exploit but four of them. Symantec’s Liam O’Murchu told Computer World, “Using four zero-days, that’s really, really crazy. We’ve never seen that before.”
Still, no one knew where Stuxnet had come from. A version of the worm from June 2009 was discovered and when the final version of the worm had its encryption broken, several of the components bore digital time stamps indicating when they were compiled. The ~wtr4141.tmp file was compiled on February 3, 2010. One of the drivers, MRXCLS.sys, is timestamped January 1, 2009.*
The functionality of Stuxnet is particularly interesting. The worm gains initial access to a system through a simple USB drive. When an infected USB drive is plugged into a machine, the computer does a number of things automatically. One of them is that it pulls up icons to be displayed on your screen to represent the data on the drive. Stuxnet exploited this routine to pull the worm onto the computer. The problem, then, is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installs what’s called a “rootkit”—essentially a piece of software which intercepts the security queries and sends back false “safe” messages, indicating that the worm is innocuous.
The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMichron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen.
So the security keys enable the drivers, which allow the installation of the rootkit, which hides the worm that was delivered by the corrupt USB drive. Stuxnet’s next job was to propagate itself efficiently, but quietly. Whenever another USB drive was inserted into an infected computer, it becomes infected, too. But in order to reduce visibility and avoid detection, the Stuxnet creators set up a system so that each infected USB drive could only pass the worm on to three other computers.
Stuxnet was not designed to spread over the Internet at large. (We think.) It was, however, able to spread over local networks—primarily by using the print spooler that runs printers shared by a group of computers. And once it reached a computer with access to the Internet it began communicating with a command-and-control server—the Stuxnet mothership. The C&C servers were located in Denmark and Malaysia and were taken off-line after they were discovered. But while they were operational, Stuxnet would contact them to deliver information it had gathered about the system it had invaded and to request updated versions of itself. You see, the worm’s programmers had also devised a peer-to-peer sharing system by which a Stuxnet machine in contact with C&C would download newer versions of itself and then use it to update the older worms on the network.
And then there’s the actual payload. Once a resident of a Windows machine, Stuxnet sought out systems running the WinCC and PCS 7 SCADA programs. It then began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. It’s this last bit—the vulnerability of PLC—which is at the heart of the concern about Stuxnet. A normal worm has Internet consequences. It might eat up bandwidth or slow computers down or destroy code or even cost people money. But PLC protocols interact with real-world machinery – for instance, turn this cooling system on when a temperature reaches a certain point, shut that electrical system off if the load exceeds a given level, and so on.
To date, no one knows exactly what Stuxnet was doing in the Siemens PLC. “It’s looking for specific things in specific places in these PLC devices,” Digital Bond CEO Dale Peterson told PC World. “And that would really mean that it’s designed to look for a specific plant.” Tofino Security Chief Technology Officer Eric Byres was even more ominous, saying, “The only thing I can say is that it is something designed to go bang.” Even the worm’s code suggests calamity. Ralph Langner is the most prominent Stuxnet sleuth and he notes that one of the last bits of code in the worm is the line “DEADF007.” (Presumably a dark joke about “deadf*ckers” and the James Bond call-sign “007.") “After the original code is no longer executed, we can expect that something will blow up soon,” Langner says somewhat dramatically. “Something big.”
The most important question is what that “something big” might be.
But there is another intriguing question: How did Stuxnet spread as far as it did? The worm is, as a physical piece of code, very large. It’s written in multiple languages and weighs in at nearly half a megabyte, which is one of the reasons there are still many pieces of it that we don’t understand. And one of those puzzles is how Stuxnet found its way onto so many computers so far away from one another. Iran is the epicenter, but Stuxnet is found in heavy concentrations in Pakistan, Indonesia, and India, too, and even as far away as Russia, Uzbekistan, and Azerbaijan. By the standards of modern worms, the 45,000 computers infected by Stuxnet is piddling. But if Stuxnet really can only propagate via local networks and USB drives, how did it reach even that far?
Stuxnet is already the most studied piece of malware ever, absorbing the attention of engineers and programmers across the globe, from private companies to academics, to government specialists. And yet despite this intense scrutiny, the worm still holds many secrets.
*An earlier version of this article stated that the compilation date for the ~wtr4141.tmp file was February 3, 2009.