Iran was prime target of Stuxnet SCADA worm

Discussion in 'Anti-Virus' started by Virus Guy, Sep 17, 2010.

  1. Virus Guy

    Virus Guy Guest

    I've read a few different articles about Stuxnet, and curiously none of
    them make any public speculation that either the US or Israel is behind
    it...


    Iran was prime target of SCADA worm
    By Robert McMillan
    July 23, 2010 08:40 PM ET

    IDG News Service - Computers in Iran have been hardest hit by a
    dangerous computer worm that tries to steal information from industrial
    control systems.

    According to data compiled by Symantec, nearly 60 percent of all systems
    infected by the worm are located in Iran. Indonesia and India have also
    been hard-hit by the malicious software, known as Stuxnet.

    Looking at the dates on digital signatures generated by the worm, the
    malicious software may have been in circulation since as long ago as
    January, said Elias Levy, senior technical director with Symantec
    Security Response.

    Stuxnet was discovered last month by VirusBlokAda, a Belarus-based
    antivirus company that said it found the software on a system belonging
    to an Iranian customer. The worm seeks out Siemens SCADA (supervisory
    control and data acquisition) management systems, used in large
    manufacturing and utility plants, and tries to upload industrial secrets
    to the Internet.

    Symantec isn't sure why Iran and the other countries are reporting so
    many infections. "The most we can say is whoever developed these
    particular threats was targeting companies in those geographic areas,"
    Levy said.

    The U.S. has a long-running trade embargo against Iran. "Although Iran
    is probably one of the countries that has the worst infections of this,
    they are also probably a place where they don't have much AV right now,"
    Levy said.

    Siemens wouldn't say how many customers it has in Iran, but the company
    now says that two German companies have been infected by the virus. A
    free virus scanner posted by Siemens earlier this week has been
    downloaded 1,500 times, a company spokesman said.

    Earlier this year, Siemens said it planned to wind down its Iranian
    business -- a 290-employee unit that netted €438 million (US$562.9
    million) in 2008, according to the Wall Street Journal. Critics say the
    company's trade there has helped feed Iran's nuclear development effort.

    Symantec compiled its data by working with the industry and redirecting
    traffic aimed at the worm's command and control servers to its own
    computers. Over a three-day period this week, computers located at
    14,000 IP addresses tried to connect with the command and control
    servers, indicating that a very small number of PCs worldwide have been
    hit by the worm. The actual number of infected machines is probably in
    the 15,000 to 20,000 range, because many companies place several systems
    behind one IP address, according to Symantec's Levy.

    Because Symantec can see the IP address used by machines that try to
    connect with the command and control servers, it can tell which
    companies have been infected. "Not surprisingly, infected machines
    include a variety of organizations that would use SCADA software and
    systems, which is clearly the target of the attackers," the company said
    in its blog post Thursday.

    Stuxnet spreads via USB devices. When an infected USB stick is viewed on
    a Windows machine, the code looks for a Siemens system and copies itself
    to any other USB devices it can find.

    A temporary workaround for the Windows bug that allows Stuxnet to spread
    can be found here.

    Virus Guy, Sep 17, 2010
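    As an added example (not from the article or from Symantec), the following Python sketch implements the sinkhole measurement the article describes: C&C traffic is redirected to a defender-controlled host, distinct client IPs are counted over a three-day window, broken down by country, and widened to allow for several hosts sharing one address. The log format, country codes and NAT factors are constructed assumptions.

```python
# Added example (not from the article or Symantec): estimate an infected
# population from C&C sinkhole logs the way the article describes: redirect
# C&C traffic to your own host, count distinct client IPs over a window,
# break them down by country, and widen the count to allow for NAT.
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <client ip> <country code>".
# Real sinkhole logs are far larger; these only exercise the logic.
SAMPLE_LOG = """\
2010-07-19T10:00:01 203.0.113.10 IR
2010-07-19T10:00:05 203.0.113.10 IR
2010-07-19T11:30:00 203.0.113.11 IR
2010-07-20T02:15:22 198.51.100.7 ID
2010-07-20T09:45:10 192.0.2.44 IN
2010-07-21T13:00:00 203.0.113.12 IR
2010-07-22T08:00:00 203.0.113.99 IR
"""

def parse_log(text):
    """Yield (timestamp, ip, country) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, cc = line.split()
            yield datetime.fromisoformat(ts), ip, cc

def distinct_clients(records, start_iso, days=3):
    """Map each distinct client IP seen in a [start, start + days) window
    to its country. Repeated beacons from one IP collapse to one entry,
    which is the "computers at N IP addresses" figure the article reports."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(days=days)
    seen = {}
    for ts, ip, cc in records:
        if start <= ts < end:
            seen.setdefault(ip, cc)
    return seen

def country_share(clients):
    """Percentage of distinct client IPs per country, highest first."""
    counts = Counter(clients.values())
    total = sum(counts.values())
    return {cc: round(100.0 * n / total, 1) for cc, n in counts.most_common()}

def estimate_hosts(unique_ips, low_factor=1.07, high_factor=1.43):
    """Widen a distinct-IP count for NAT (several hosts behind one address).
    The factors are assumptions picked so 14,000 IPs maps onto the 15,000 to
    20,000 hosts the article quotes; calibrate them from your own telemetry."""
    return round(unique_ips * low_factor), round(unique_ips * high_factor)
```

    Running `distinct_clients(parse_log(SAMPLE_LOG), "2010-07-19")` on the constructed log yields five distinct IPs, three of them Iranian, so the country share comes out at 60% as in the article; the beacon on July 22 falls outside the window and is dropped.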

  2. From: "Virus Guy" <>

    | I've read a few different articles about Stuxnet, and curiously none of
    | them make any public speculation that either the US or Israel is behind
    | it...

    < snip >

    There is no reason why they should.
    David H. Lipman, Sep 18, 2010

  3. Virus Guy

    Virus Guy Guest

    Those same articles say that Stuxnet had to be the work of a state, and
    that there was no obvious economic benefit to the malware authors based
    on where it was found and what it did.

    Stuxnet uses Siemens' default passwords to seek out and try to gain
    access to systems that run the WinCC and PCS 7 programs — so-called PLC
    (programmable logic controller) programs that are used to manage
    large-scale industrial systems on factory floors and in military
    installations and chemical and power plants.

    The likely distribution method (USB thumb drives) would also point to
    Israeli agents, who can more easily enter and circulate within Iran than
    US agents.

    Here, I'll give you the following to read:


    Stuxnet Target Theory

    Ralph Langner has posted even more technical data on Stuxnet, breaking
    down the technical info so it can be more easily understood. For
    example, “if the return from FC1874 is ‘DEADF007’, original code is
    skipped”. He also theorizes the target is the Iranian Bushehr nuclear

    It is difficult or impossible to know the exact target process of
    Stuxnet without having access to the attacked process. Here are some
    facts and conjecture that support the theory that the target was the
    Iranian Bushehr Nuclear Plant.

    Consider the following:

    * The largest number of infected systems, almost 60%, were in Iran
    (data from Symantec). What control system in Iran are many organizations
    with sophisticated cyber warfare capabilities interested in stopping
    from going into production? The Bushehr Nuclear Plant.

    * The Bushehr plant has been delayed from its scheduled August
    commissioning due to “severe hot weather”. Temperatures have been at
    their historical averages.

    * The Bushehr plant was originally being built by a division of
    Siemens. Siemens withdrew from the project in 1979. I do not know if
    Siemens PLCs are used in the plant – if they are not using the S7 or
    similar technology it would negate the whole theory. Confirmation

    * So how or why did Stuxnet spread beyond the target? One way would
    be for the attack to have been initiated from the vendor finishing the plant,
    the Russian firm Atomstroyexport. If you have seen a plant or any other
    control system being commissioned you know that making it work is
    priority 1, 2, 3, … not cyber security and scanning USB sticks.

    Atomstroyexport also happens to have a current project in India
    where 8% of the infections occurred. Their site does not show a project
    in Indonesia where 18% of the infections took place.

    As a side note – this was probably not an insider attack at the
    process site. There would have been no reason to develop this elaborate
    delivery mechanism if inside access was available.

    * Israel is one of the countries with an interest in stopping
    Bushehr, and known for their cyber security skills – including
    offensive skills. Here is one of many articles talking about this and
    coincidentally even discusses an attack on the Iranian nuclear systems via
    a USB key. Scott Borg may have been prescient.

    * I’m surprised at how often project names for secret projects have
    some relation to the project. This is really for you conspiracy
    theorists, but read the Book of Esther in the Bible, where Esther informs
    the King of a plot against the Jews. The King then allows the Jews to
    defend themselves, kill their enemies, … Esther was born as Hadassah,
    which means Myrtle. According to Symantec, “While we don’t know who the
    attackers are yet, they did leave a clue. The project string
    b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their
    drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if
    this naming meant something it could be a feint to draw suspicion away
    from the actual attacker.

    * The Microsoft 0days, stolen certificates, knowledge of Siemens S7
    and the process being attacked indicate a highly motivated and highly
    skilled attacker. The attacker also did not want to affect other
    processes, as if they expected this could or would spread beyond their
    target. They only wanted to affect one facility, perhaps one power plant,
    not multiple nuclear plants or anyone with an S7 PLC.

    As I mentioned in the beginning, this is just a theory. Definitely check
    out the additional technical details provided by Langner Communication.

    See also:

    The video report on that page has a short bit about Stuxnet about 8:35
    into the video. The video has some otherwise interesting news pieces
    about current malware events.

    The EFF commercial (or PSA?) about 11:35 into the video was really
    Virus Guy, Sep 18, 2010
  4. Virus Guy

    Dustin Guest

    Not all malware authors wrote for monetary profit. I see no reason why
    that's changed. I never charged for my work. <G> If they think all
    malware has monetary profit in mind, they need to open their eyes.

    Paranoia, for sure. autorun.inf infection vectors have been around for
    awhile now. Nothing special about it.

    <skip tons of paranoid marketing fud>
    Dustin, Sep 18, 2010
  5. Virus Guy

    Virus Guy Guest

    It's not the delivery mechanism that is of interest here.

    It's the particular target of the payload:


    The Stuxnet worm first discovered in connection with the LNK hole has
    globally infiltrated 14 Siemens industrial control systems which run the
    Windows Control Center (WinCC) SCADA software, in the US, South Korea,
    the UK and Iran. Stuxnet is specifically designed to compromise systems
    running this software. Researchers at Symantec say that the worm can
    even infect Programmable Logic Controllers (PLCs), used on site to
    control such components as pumps and valves, via the WinCC system.

    According to Symantec's analysis, Stuxnet can replace or add individual
    blocks of PLC code – it apparently includes a total of 70 (encrypted)
    blocks to implement new functions. The malware even goes to the trouble
    of hiding its PLC manipulations: If a WinCC user accesses the code
    blocks, any blocks that were added by the worm are said to be invisible.
    Symantec has, therefore, called the malware the first publicly known
    rootkit for industrial control systems.

    Instead of acting autonomously, however, Stuxnet allows its creators to
    remotely access WinCC systems and select, as well as manipulate, the
    behaviour of individual PLCs. Which functions are implemented by the new
    code and whether the code is designed to allow its operators just to
    monitor or, even worse, to disrupt systems remains unclear. Symantec's
    blog mentions a historic example where a "trojanised" valve controller
    was reportedly manipulated to increase the pressure in a pipeline beyond
    the pipeline's capacity. Even if the operators of an industrial plant
    have removed the Stuxnet worm from their WinCC systems, parts of the
    Programmable Logic Controllers potentially remain affected.

    When analysing the worm, the security experts also discovered further,
    previously undisclosed, security holes in Windows the worm apparently
    exploits to proliferate through the network and to elevate its
    privileges on infected systems. Microsoft closed one of these holes on
    its recent Patch Tuesday.

    The worm uses Siemens' hard-coded MS SQL database access credentials to
    obtain access to the SCADA system's data.

    Tell me how many hackers have test-bench Siemens SCADA systems with
    PLCs that they would have needed to debug their code before
    distributing it?

    How many hackers have access to "previously undisclosed, security holes
    in Windows the worm apparently exploits to proliferate through the
    network and to elevate its privileges on infected systems" ?

    It's been speculated for years that cyber-warfare and sabotage could
    theoretically be performed by one state against another. The sabotage
    of Iranian industrial and even nuclear facilities by the Israeli gov't
    would have to be near the top of the list of state-vs-state
    cyber-sabotage possibilities.

    And I don't know why there are people here trying to quash such
    speculation. I'm sure we would all agree that any such sabotage against
    Iran is a "Good Thing" (tm) - regardless who does it.
    Virus Guy, Sep 18, 2010
  6. Virus Guy

    ASCII Guest

    Was this a test?
    ASCII, Sep 18, 2010