September 14, 2010

The “Stuxnet” computer worm made international headlines in July, when security experts discovered that it was designed to exploit a previously unknown security hole in Microsoft Windows computers to steal industrial secrets and potentially disrupt operations of critical information networks. But new information about the worm shows that it leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today.

Image courtesy Kaspersky Lab

As first reported on July 15 by, Stuxnet uses a vulnerability in the way Windows handles shortcut files to spread to new systems. Experts say the worm was designed from the bottom up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.

The worm was originally thought to spread mainly through the use of removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the Stuxnet worm also could spread using an unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today, with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser “important” threat rating for Windows Vista and Windows 7 computers.

In a blog post today, Microsoft group manager Jerry Bryant said Stuxnet targeted two other previously unknown security vulnerabilities in Windows, including another one reported by Kaspersky. Microsoft has yet to address either of these two vulnerabilities – known as “privilege escalation” flaws because they let attackers elevate their user rights on computers where regular user accounts are blocked from making important system modifications.

Anti-virus researchers also discovered that Stuxnet leverages a Windows vulnerability that Microsoft patched back in 2008. Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, said initially it wasn’t clear why the worm’s designers included such an antiquated vulnerability, which would almost certainly set off alarm bells inside of any organization using common intrusion detection and prevention tools.

But Schouwenberg said the inclusion of that 2008 vulnerability made more sense when he learned that most industrial control system networks do not employ these defensive tools or even basic network logging, as is common in most corporate networks. Consequently, he said, Stuxnet behaves differently depending on what type of network it thinks it is running on. Stuxnet performs some rudimentary checking to see whether it is on a corporate network or a control systems network: If it detects that it is running on a corporate network, it won’t invoke the older 2008 vulnerability, Schouwenberg said.

The Kaspersky analyst said that whoever is responsible for writing the Stuxnet worm appears to be quite familiar with the way that SCADA systems are configured. Stuxnet, which targeted specific SCADA systems manufactured by Siemens, also disguised two critical files by signing them with the legitimate digital signatures belonging to industrial giants Realtek Semiconductor Corp. and JMicron.

“If you look at the way they must have organized the entire attack, it’s very impressive,” Schouwenberg said. “These guys are absolutely top of the line in terms of sophistication.”

News of just how successful this stealthy malware family has been in compromising SCADA systems is still trickling out. Earlier today, IDG News’s Robert McMillan quoted Siemens as saying the worm had infected SCADA systems in at least 14 plants in operation, although Siemens said the infections did not impair production at those plants or cause any malfunction. Stuxnet has infected systems in the U.K., North America and Korea, however the largest number of infections, by far, have been in Iran, IDG reports.

But Joe Weiss, managing partner at Cupertino, Calif. based Applied Control Systems, said far too many people have been fixated on Stuxnet’s impact on Microsoft Windows systems and are missing the fact that its authors are using the worm as a means to an end. For example, researchers at Symantec found that Stuxnet uses default passwords built into Siemens systems to gain access to and reprogram the SCADA systems’  “programmable logic controllers” — mini-computers that can be programmed from a Windows system. According to Symantec:

Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

“The Department of Homeland Security put out an advisory on Stuxnet on September 2nd, and  the only two things it didn’t say anything about is how to find it or get rid of it at the PLC level,” Weiss said. “People are focusing on what they know and understand, which are the standard Microsoft vulnerabilities. But that’s not the scary part. The really scary thing is that right now we don’t even know which controllers are trusted and which ones aren’t trusted.”

While the intended target of Stuxnet appears to be the manipulation of Siemens PLCs, Weiss said Stuxnet could have just as easily been designed to attack PLCs made by other SCADA manufacturers. These and other topics will be the center of discussion at the ACS Control System Cyber Security Conference next week in Rockville, Md. — although the event is closed to the media.

“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”

Update, Sept. 22, 9:45 a.m. ET: Secunia has published a bit more information about these unpatched privilege escalation flaws in Windows, here and here.

29 thoughts on “‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought

  1. H. Carvey

    “But Schouwenberg said the inclusion of that 2008 vulnerability made more sense when he learned that most industrial control system networks do not employ these defensive tools or even basic network logging…”

    Learned? Interesting. Bad guys know it, included it in their malware. Researchers don’t know it and can’t fathom it…b/c after all, who in their right mind would leave something like the infrastructure un-protected.

    Where does that leave the folks managing the SCADA systems and DHS?

  2. P Allen

    A serious problem that needs solving – I’m really hoping DHS has the CIP (Critical Infrastructure Program) security and programming folks working on this problem.

    And will then PDQ share the solution across the spectrum so a solid, consistent and usable fix is able to be implemented, fairly quickly.

    Then again, I might be asking quite a bit much but I’m like H. Carvey – “who in their right mind….”
    Can you imagine if some nation state level actors (malicious) got involved in this (if they aren’t already)????

  3. Michael

    I remember reading something about public utility companies wanting to install computer-interfaced utility systems in homes (replaces human meter readers for one thing) and security researchers found their software to be completely insecure. Seems crazy to deploy known-to-be-unsafe systems; I wouldn’t want one in my home.

    1. john clark

      Michael, I believe you are referring to “smart grid” technology. This is one of the reasons stuxnet has piqued
      my interest anyway. This technology is going to become part of the grid infrastructure and the implications with things like stuxnet are enormous.

  4. jrj

    Having worked at a large U.S. electrical utility, TVA, I know the thinking is that these SCADA controllers are safe because the malware writers have no knowledge of how they work or how to access them. Hopefully they have awoken from this errant thinking.

    In 2008, this is what was reported on TVA:
    The GAO found that TVA’s Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems.

    1. F-3000

      “the thinking is that these SCADA controllers are safe because the malware writers have no knowledge of how they work or how to access them.”

      Security thru obscurity. Just perfect. That’s just insanely stupid naiveness, IMHO. I could have said that even before all this happening (but I didn’t because before this topic, I didn’t even know about SCADA).

      You know, it seems to be a sad fact, that to become “a professor” (same includes engineers?), all you need is good memory, and least a bit of limited capability for creative thinking. Eventually, intelligence and wisdom has nothing to do with the title (not trying to insult those who REALLY deserve the title, hell, never!). And then, those “so-called-professors” get hired into important positions, and because we assume that they do their work properly, we end into deep **** like this. Just because they’re good with doing stuff as in book, but lack the real wits.

      (I repeat myself: not trying to insult those who REALLY deserve the title, hell, never!)

    2. Russ

      That’s a great article from Washington Post you found, jrj. They should give the author his own website or something.

      I would say this is an endemic issue across all lines of business and technology; decision makers and those who advise them don’t understand what an exploit is or how attacks work.

      An otherwise knowledgeable technical person once argued with me that a compromised DMZ server can transmit whatever it wants through a port opened to our internal management console with no security risk, because the software on the console wasn’t designed to accept that info as input and therefore couldn’t do anything with it.

      Since that time I’ve described an exploit as “crafted input that a software cannot handle properly and leads to unexpected and undesirable behavior.” Nonetheless some folks can’t wrap their heads around it.

      1. BrianKrebs Post author

        “That’s a great article from Washington Post you found, jrj. They should give the author his own website or something.”

        Hey! I thought I recognized that story! 😛

  5. Huh?

    I workwith/support engineers who program these SCADA controllers in the US and we, the utility, and the state does not allow default passwords to be used. It is audited yearly to make sure the systems are in compliance. The manufactures that create the SCADA software should follow the same security policies that most auditors require for corporate authentication procedures. (Password changes, complexity, etc)

    1. hhhobbit

      Tell that to the worm. I don’t think the worm gives a kerflooey you have made all of that effort. SCADA systems should have never been put on MS Windows in the first place. Ditto for Linux. We need something safer for them to run on. Try OpenBSD. SCADA systems don’t need to run OpenOffice but they have a pivotal role and need to be more secure. Look for more multiple vulnerability exploit malware in the future.

  6. Anon

    Any chance this is an Israeli government attempt to disrupt the Iranian nuclear program?

    1. hhhobbit

      Most likely it is the NSA, Bundesamt für Verfassungsschutz (Domestic German Intelligence) or British SS or SIS. They are getting tired of the SCADA people not taking the issue seriously enough. Protecting a nation’s utility grid is serious business. I am not saying the Israeli’s can’t do it but what is their motive for doing it to companies in Germany?

      1. hhhobbit

        In case you cannot tell, I was not serious. Do not make the mistake that this “must” be a state sponsored effort just because Iranian systems were the hardest hit. Maybe the hackers even live in Iran. Despite what some AV companies have said, there are non-government hacker groups that are capable of doing this! The most important thing is that they are utilizing multiple vulnerabilities. They have been doing the limited spread in multiple ways for quite a while now to avoid being detected. But look for the multiple vulnerability exploit to be repeated in the future. In the meantime, turn off auto-run since the exploit used by Conficker was mentioned. I have a humorous read on it:

        You have to download the needed binaries from Microsoft yourself. Auto-run is an exploit just waiting to be abused. What if your AV program cannot detect what is on that USB stick yet? And Aunt Martha (a fictitious normal Windows user) probably cannot turn off auto-run. Microsoft should do it for them. I even have that darn auto-run in limited form on one version of Linux now. Drat! At least it asks me what I want to do. I would rather the OS do NOTHING but just attach the device. But automatically running a program on a device when it is inserted is a dumb idea.

      2. Bob

        I honestly don’t think the Germans, especially not their governmental institutions, could do it. I mean both technically and politically. Germany do sell equipment to Iran through is civilian companies, although the German government is one of initiators of the sanctions against Iran. Israel have both motive and capability, possibly through one of the elite small units of unit 8200.

  7. JBV

    I don’t get automatic downloads of anything, so I’m confused by this.

    If Stuxnet “leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today,” does this mean that home PC users should download this patch, or is it just for industry and critical information networks?

    1. BrianKrebs Post author

      It’s a vulnerability in Windows, and Microsoft has shipped a patch for it. So, yes, you should apply the update, whether you’re a business or home user.

  8. Steven Johnson

    Perhaps it is time to recognize the root cause of these infestations, which is the underlying operating system. Perhaps also there should be a discussion about moving critical applications to open source platforms.

    1. xAdmin

      That may provide a temporary respite, but is NOT a real solution. All that would do is move the target. If the bad guys really want to exploit a system, they will find a vulnerbility to do so, such as this one:

      Circa 2007 Linux Kernel Vulnerability Resurfaces

      “The vulnerability exists in the 32-bit compatibility mode of the kernel and upon execution can result in a local root

      1. hhhobbit

        Then use OpenBSD or something else which is what I proposed elsewhere here. Look, I see dozens (hundreds?) of problems with Windows in one security bulletin I subscribe to every month. I also see lots for almost every Linux distro every month but they are usually much less than Windows. I think the shortest period of time before I have saw one report to the next with OpenBSD was three months. I cannot remember the last one I saw for OpenBSD. So I hope Linux and Windows are not the only alternatives we have for safer SCADA systems.
        If all you can do is diss Linux then I suggest you take over my thankless task at looking at some way to improve all of these systems security ( / I look at dozens of malware targeting Windows every week. It is becoming obvious to me that instead of Microsoft doing something to improve this deplorable situation they have instead hired some goons to do nothing but trash talk Linux. These goons are reminding me of the security forces companies hired back in the early 20th century to destroy labor unions. Since you don’t like Linux and it is obvious that Windows is failing miserably, what do you propose as a better alternative? That is what we need, something that improves things. Are you saying we are going to have to endure this miserable situation we have now forever? I have been trying to come up with something to help normal people with the Adobe PDF problem on Windows (most ‘nix users use something other than Adobe Reader) only to be delayed because a close collaborator who works on Windows was taken out by an infection on his Windows machine. It didn’t happen because he is dumb, he is bright. It just illustrates how bad the Windows malware situation is now. The only solution I can some up with for Aunt Martha (interpreted – a normal human being, not a geek) to more safely view PDF files online is gpdf plugged into Firefox or Chrome. I will let you geeks thrash around with EMET. I already have .NET because some of the time I use Fiddler. I’ll bet you don’t even know what Fiddler is. But I think that EMET is something Aunt Martha cannot handle. I don’t care if this close collaborator works on Windows. When he asked if he should use Linux my only question was, why? If he is comfortable using Windows, he should continue to use it. But I think right now he is reviewing what he should use. All it shows is just how bad the Windows malware situation is now. So instead of trash talking Linux, come up with something positive to help people. I can guarantee you will see more multiple vulnerability malware exploits for Windows in the future. I have saw too many certs stuffed into other binaries to not believe the hackers won’t come up with more of something like Stuxnet in the future. It may be the first but it won’t be the last.

        1. xAdmin

          With all due respect…

          Huh? Dude, what are you smokin’? You’re all over the place here. I’m a goon attacking Linux?

          Where did I ever diss or trash talk Linux or say I don’t like it? I simply used a recent resurfacing of a Linux kernel vulnerability to make a point.

          As to providing solutions; I’ve espoused on this blog ad nauseum that a layered defense is a real solution! It works! There is a ton of information readily available for anyone to learn about it and configure their system with it! It’s not difficult to do! It does take some effort and discipline, but the payoff is priceless! I’ve never been compromised in any way in over 13+ years of using Windows systems and with IE as my browser!! How the hell is that possible unless it really does work?

          As to your collaborator’s system that got infected, did it have a layered defense? Most importantly, was it logged in as full administrator? Exactly how did it get compromised? These answers are relevant to your claim of “how bad the Windows malware situation is now.”

          Finally, even though I know what Fiddler is and have used it, what relevance is that here? Seriously?

        2. timeless

          what you’re missing is that basically the windows computers are clients (think of them as web browsers). effectively they speak some protocol (call it proprietary, it doesn’t matter – security through obscurity, hackers can reverse engineer it, think of it as http) to the control server (think of this as an open unsecured web server with a default password).

          if you can get any computer running on the network which can talk to the “control server” (and authenticate – with that default account/password), then you can ask it to do whatever. this basically amounts to a requirement for “arbitrary code execution” on *any* computer in the target network. if the server happens to be tied to a specific client address, then one would need to either capture that computer or knock it off and steal/forge its address. in that case it *might* require root access (privelege escalation, which is rarer than code execution vulnerabilities). actually, here, diversity of systems on the target network doesn’t improve things – if an attacker can send a broadcast attack to all systems, it only needs to succeed on one.

          the only right answer is “not to play” (war games). do not connect scada systems to any networks *period*. require people to walk across a real barrier with simple, easy to audit, verify, understand and reproduce command sequences.

          disclaimer: i work on web browsers and hope never to meet a scada.

          1. Matt

            “if you can get any computer running on the network which can talk to the “control server” (and authenticate – with that default account/password), then you can ask it to do whatever. this basically amounts to a requirement for “arbitrary code execution” on *any* computer in the target network.”

            This is a complete crock. I’m not sure what you’re describing but there’s nothing in Windows that lets you do anything remotely like that. I *think* you’re describing LDAP but I’m not sure. I’m pretty sure you’re just talking out of your ass.

        3. john clark

          Far from wanting to get into an OS cat fight…

          A) Any OS is a better pick than Windoz for manifold reasons.

          B) Any OS (that’s public) is vulnerable

          Bitter irony…

          The world is full up with folks doing complicated (and dangerous) things with computing machinery that have
          difficulty learning even windows. This is why there are Macs.

          Suddenly with stuxnet we have very smart folks that have discovered how to reprogram a PLC (something I’ve been awaiting from the hacking community for a while). Better! They figured out a way to keep us good guys from knowing the PLC’s have _been_ reprogrammed. This is the real issue.

    1. john clark

      That’s the second time I’ve seen Natanz speculated as the target. Both by strong sources. That would mean Langner was wrong about that. I dont think that dissuades me after my research out of believing that this was a targeted attack on a single facility. I also believe (like Langner) the target was hit. Heck, the things been out there for months and finally after a congressional hearing and many press releases the Iranians come back :

      “the effect and damage of this spy worm in government systems is not serious” and that it had been “more or less” halted.

      I just dont buy it. Now the real question is, how much damage was done? Because I think that will have an impact on how many stuxnet like attacks are made in the near future.

  9. hhhobbit

    You can count on more worms like Stuxnet. The first one is hardest and from there on they shove them out much faster with even more stealthy qualities. Contrary to a belief expressed by somebody else here, the German (pick your own ethnicity / country) hackers do have the ability to write something like this. Hackers are all over the world and even a lower level hacker in some obscure country can have a one time hit that can cause big problems. This does not have to be done by state sponsored hackers. I am speaking only ot the technical aspects of the case. How much damage was done? Doesn’t that depend on whether you got Stuxnet or not? But what if it had shut down a power grid or turned off the controls in water filter plant allowing unfiltered water to go out? I would feel much better if water, the power grid and similar services were controlled and monitored by a safer OS like OpenBSD.

  10. stanz

    What about the control server? If there is a control server it must be located somewhere, and someone must be responsible for it. What is police doing about that?.

    1. hhhobbit

      It was taken down a long time ago. I thought that was written here but I guess not.

      I have been able to dig up far more information than you should be able to about PLC (not saved and only transitory in the browser) so information about PLC is not as hidden as people would like to believe it is. It is the fact that each SCADA installation is unique that leads some to believe that the person / people who created Stuxnet had inside information.

      That is not the point of Stuxnet. It is the fact that it leverages off of multiple vulnerabilities, has the ability to sense where it is at, and refuses to replicate after a given number of infections have occured (thus insuring it takes a long time to detect if it is ever detected) that makes it very dangerous. Watch and see if this happens in the future with other malware.. If nothing like Stuxnet ever shows up again it argues even further that it is state sponsored. My only statement was that everybody said it was out of the realm of ordinary hackers . But since (extra)ordindary hackers are stuffing in encryption certs from other companies into their code and cracking encryption is not trivial I believe they are capable of writing something like this.

Comments are closed.