Wired magazine has an absolutely fascinating article on how the most menacing malware in the history of computer security was deciphered by malware researchers from Symantec and other companies.
Most computer viruses are amateur efforts, slapped together quickly to take control of people's PCs, steal credit card numbers, launch DDoS attacks against websites from the infected machines, or, in rare cases, carry out industrial espionage. Sometimes cyber-criminals use the threat of a DDoS or an infection to extort money from companies ("Give us $50,000 or we'll DDoS your website").
But, amazingly, Stuxnet was a worm built to attack just one specific facility, and to simply shut itself down if it found that it was anywhere else. To do this, its authors appear to have spent large amounts of money and effort, and some very skilled programmers wrote the worm's code.
What sort of attack justifies all this expense and effort? How was all this discovered by security researchers? And is this real life or a Hollywood movie?
Read below for some of the answers:
Ulasen's research team got hold of the virus infecting their client's computer and realized it was using a "zero-day" exploit to spread. Zero-days are the hacking world's most potent weapons: They exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors. They're also exceedingly rare; it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.
In this case, the exploit allowed the virus to cleverly spread from one computer to another via infected USB sticks. The vulnerability was in the LNK file of Windows Explorer, a fundamental component of Microsoft Windows. When an infected USB stick was inserted into a computer, as Explorer automatically scanned the contents of the stick, the exploit code awakened and surreptitiously dropped a large, partially encrypted file onto the computer, like a military transport plane dropping camouflaged soldiers into target territory.
The worm used not one but four different zero-day vulnerabilities, all to be able to reprogram the PLCs (programmable logic controllers) on a factory floor. And it went to great lengths to avoid being discovered. For example:
This is where Stuxnet's malicious DLL file came in. Falliere discovered that it would intercept commands going from the Step7 software to the PLC and replace them with its own malicious commands.
At the same time, another portion of Stuxnet disabled any automated alarms that might go off in the system as a result of the malicious commands. It also masked what was happening on the PLC by intercepting status reports sent from the PLC to the Step7 machine, and stripping out any sign of the malicious commands. Workers monitoring the PLC from the Step7 machine would then see only legitimate commands on the device - like a Hollywood heist film where jewelry thieves insert a looped video clip into a surveillance camera feed so that guards watching monitors see only a benign image instead of a live feed of the thieves in action.
The fact that Stuxnet was injecting commands into the PLC and masking that it was doing so was evidence that it was designed, not for espionage as everyone had believed, but for physical sabotage. The researchers were stunned. It was the first time anyone had seen digital code in the wild being used to physically destroy something in the real world. Hollywood had imagined such a scenario years earlier in a Die Hard flick. Now reality had caught up with fantasy.
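The interception and masking described in the excerpt above, as an added example (a toy Python model written for this page, not code from the Wired article, from Symantec, or from Stuxnet itself): a Step7-to-PLC driver, a malicious shim that rewrites one setpoint on the way down and replays the legitimate value in status reports on the way back up, and the out-of-band consistency check that exposes the substitution. The tag names, setpoint values and the "independent reading" are constructed for illustration.

```python
# Added example: toy model of command interception and status masking between an
# engineering station (Step7) and a PLC. Tag names and values are constructed; the
# "independent" reading stands in for a sensor or tap the Step7 host cannot touch.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Command = Tuple[str, float]  # (tag name, value) written from the engineering station


@dataclass
class Plc:
    """Stand-in for the controller: it stores the last value written to each tag."""
    tags: Dict[str, float] = field(default_factory=dict)

    def write(self, cmd: Command) -> None:
        tag, value = cmd
        self.tags[tag] = value

    def status(self) -> Dict[str, float]:
        return dict(self.tags)


class HonestDriver:
    """Legitimate Step7-to-PLC path: commands and status pass through unchanged."""

    def __init__(self, plc: Plc) -> None:
        self.plc = plc

    def send(self, cmd: Command) -> None:
        self.plc.write(cmd)

    def read_status(self) -> Dict[str, float]:
        return self.plc.status()


class InterceptingDriver(HonestDriver):
    """Models the malicious DLL: substitutes selected commands going to the PLC and
    hides the substitution in status coming back, so the operator sees only what they sent."""

    def __init__(self, plc: Plc, rewrite: Dict[str, float]) -> None:
        super().__init__(plc)
        self.rewrite = rewrite                 # tag -> value the attacker wants on the PLC
        self.shown: Dict[str, float] = {}      # tag -> value the operator believes is on the PLC

    def send(self, cmd: Command) -> None:
        tag, value = cmd
        self.shown[tag] = value                # keep the legitimate value for the "looped video"
        if tag in self.rewrite:
            value = self.rewrite[tag]          # replace with the malicious command
        self.plc.write((tag, value))

    def read_status(self) -> Dict[str, float]:
        # Strip any sign of the malicious commands: report the legitimate value for rewritten tags.
        masked = {}
        for tag, real_value in self.plc.status().items():
            if tag in self.rewrite and tag in self.shown:
                masked[tag] = self.shown[tag]
            else:
                masked[tag] = real_value
        return masked


def find_masked_tags(reported: Dict[str, float], independent: Dict[str, float],
                     tolerance: float = 0.5) -> List[str]:
    """Flag tags where the value shown on the Step7 machine disagrees with a reading taken
    through a path the Step7 host does not control (a separate sensor, a tap on the PLC side,
    or a program dump made from a clean machine). The operator's screen can be faked; faking
    both views consistently is what this check makes the attacker do."""
    return sorted(tag for tag, value in independent.items()
                  if tag not in reported or abs(reported[tag] - value) > tolerance)


def run_scenario(malicious: bool) -> Dict[str, object]:
    """Operator writes normal setpoints through an honest or intercepting driver. Returns what
    the operator saw, what the PLC actually holds, and which tags the out-of-band check flags."""
    plc = Plc()
    driver = InterceptingDriver(plc, rewrite={"rotor_hz": 1400.0}) if malicious else HonestDriver(plc)
    # Constructed operator actions: a normal rotor speed setpoint and an unrelated valve command.
    driver.send(("rotor_hz", 1000.0))
    driver.send(("valve_open", 1.0))
    operator_view = driver.read_status()
    independent = plc.status()   # read straight from the controller, bypassing the Step7 host
    return {
        "operator_view": operator_view,
        "plc_state": independent,
        "flagged": find_masked_tags(operator_view, independent),
    }


if __name__ == "__main__":
    for malicious in (False, True):
        print("intercepted" if malicious else "honest", run_scenario(malicious))
```

The defensive point the model makes is that the engineering workstation is the wrong place to look for this class of tampering: its driver stack is exactly what was subverted. Verification has to come from a channel that host cannot influence, such as a physical sensor on its own network path or a comparison of the running PLC program against a dump taken from a known-clean machine.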
In reality, the story is even more Hollywood-like. The worm was programmed to attack only one specific installation, a uranium enrichment plant in Iran:
"I was expecting some dumb DoS type of attack against any Siemens PLC," Langner later recalled. "So this was absolutely freaking. To see that somebody built such a sophisticated piece of malware - using four zero-day vulnerabilities, using two stolen certificates - to attack one single installation? That's unbelievable."
And this is the final analysis:
In the end, Stuxnet's creators invested years and perhaps hundreds of thousands of dollars in an attack that was derailed by a single rebooting PC, a trio of naive researchers who knew nothing about centrifuges, and a brash-talking German who didn't even have an internet connection at home.
If you have any interest in computer security, I strongly suggest reading the full article; it is far more interesting than these small excerpts can convey. It is long, about 45 minutes of reading, but it is worth it.