Creator: Mossad, the Pentagon
Place of Origin: Israel, USA
Source Language: C++, C, several others
File Type(s): .dll, .tmp
Stuxnet is a worm sometimes referred to as the first "cyber super weapon". It is both the first worm to spy on industrial systems and the first to reprogram them. The worm specifically targets industrial control systems, like the kinds found in nuclear power plants among other facilities. It was later revealed to have been a weapon of the US and Israeli governments against Iranian nuclear facilities.
Stuxnet exploits a vulnerability in the Windows Print Spooler service to spread between networked machines. It sends a specially crafted print request to a networked printer, which allows its code to be executed on the remote system hosting it. It "prints" two files: winsta.exe, a dropper, into the system folder, and sysnullevnt.mof into the wbem\mof subdirectory of the system folder.
When a removable drive infected with Stuxnet is connected to a computer, it copies itself as the files mrxcls.sys and mrxnet.sys in the "drivers" subdirectory of the system folder. It then creates two registry keys under HKEY_LOCAL_MACHINE that register these files as services.
When it is unable to gain administrator privileges in other ways, it exploits a vulnerability in Win32k.sys to elevate its privileges. The worm loads a file as a keyboard layout file which contains exploit code allowing it to execute code with SYSTEM privileges.
The worm copies itself to the root of any removable drive as the files ~WTR4132.tmp and ~WTR4141.tmp. Although they have a .tmp extension, they are actually .dll files. It also drops four shortcut files pointing to ~WTR4132.tmp, named Copy of Shortcut to.lnk, Copy of Copy of Shortcut to.lnk, Copy of Copy of Copy of Shortcut to.lnk and Copy of Copy of Copy of Copy of Shortcut to.lnk.
Stuxnet exploits the zero-day LNK/PIF (shortcut file) automatic execution vulnerability to run on the target system. When an application that renders executable icons (such as Windows Explorer) displays the link files, the malformed shortcuts cause ~WTR4132.tmp to be loaded. ~WTR4132.tmp exists for little other purpose than loading ~WTR4141.tmp. This file is signed with a certificate issued by VeriSign to Realtek Semiconductor.
It spreads over network shares, copying itself as a file named "DEFRAG<random number>.tmp". The random number is the system tick count (the number of milliseconds since the system started) written in hexadecimal. Like the files it copies to removable drives, this is also a .dll file. It is scheduled to be run by Rundll32.exe the next day.
It creates encrypted copies of itself in the inf subdirectory of the Windows folder named oem6C.PNF, oem7A.PNF, mdmcpq3.PNF and mdmeric3.PNF. The mrxcls.sys file in the drivers directory decrypts these if an attempt is made to remove the worm from the system.
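The file names and locations described in the preceding paragraphs are the host-based indicators a responder would look for. The script below is an added example, not code from the page or from any of the analyses it draws on; it matches a listing of file paths (a constructed sample, embedded in the block) against those names and reports which rule each path tripped. The pattern for the network-share copy assumes only that the tick count is a run of hexadecimal digits, as the text describes.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the page's description of the files Stuxnet drops.
# Names are matched case-insensitively; where the page names a directory,
# the immediate parent directory must match as well.
RULES = [
    # (rule name, file-name regex on the lower-cased name, required parent dir or None)
    ("removable-media dropper", re.compile(r"^~wtr41(32|41)\.tmp$"), None),
    ("LNK exploit shortcut", re.compile(r"^(copy of )+shortcut to\.lnk$"), None),
    ("network-share copy (DEFRAG + hex tick count)", re.compile(r"^defrag[0-9a-f]+\.tmp$"), None),
    ("rootkit driver", re.compile(r"^mrx(cls|net)\.sys$"), "drivers"),
    ("encrypted backup copy", re.compile(r"^(oem6c|oem7a|mdmcpq3|mdmeric3)\.pnf$"), "inf"),
    ("print-spooler dropper", re.compile(r"^winsta\.exe$"), "system32"),
    ("print-spooler MOF file", re.compile(r"^sysnullevnt\.mof$"), "mof"),
]

def classify(path: str):
    """Return the name of the first matching rule for one path, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = p.parent.name.lower()
    for rule, pattern, required_parent in RULES:
        if pattern.match(name) and (required_parent is None or parent == required_parent):
            return rule
    return None

def scan(paths):
    """Return [(path, rule), ...] for every path that matches a rule, in input order."""
    hits = []
    for path in paths:
        rule = classify(path)
        if rule:
            hits.append((path, rule))
    return hits

# Constructed example listing; these paths are not from a real system.
SAMPLE_LISTING = [
    r"E:\~WTR4132.tmp",
    r"E:\~WTR4141.tmp",
    r"E:\Copy of Shortcut to.lnk",
    r"E:\Copy of Copy of Copy of Copy of Shortcut to.lnk",
    r"\\fileserver\share\DEFRAG1a2b3c.tmp",
    r"C:\Windows\System32\drivers\mrxcls.sys",
    r"C:\Windows\System32\drivers\mrxnet.sys",
    r"C:\Windows\inf\oem7A.PNF",
    r"C:\Windows\inf\mdmeric3.PNF",
    r"C:\Windows\System32\wbem\mof\sysnullevnt.mof",
    r"C:\Windows\System32\winsta.exe",
    r"C:\Users\alice\Documents\Shortcut to notes.lnk",  # benign: different name shape
    r"C:\Windows\Temp\defrag.log",                       # benign: not a .tmp, no hex suffix
    r"C:\Windows\System32\mrxsmb.sys",                   # benign: legitimate driver name
]

if __name__ == "__main__":
    for path, rule in scan(SAMPLE_LISTING):
        print(f"{rule:45} {path}")
```

The same function works on a real file list (for example the output of a recursive directory listing or a forensic image's file table); the directory constraints on the driver and .PNF rules keep identically named files elsewhere from matching.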
Stuxnet disables or bypasses system security software to protect itself while performing its intended actions. It gets past firewalls by injecting itself into the iexplore.exe process. It also terminates 10 processes, all security related.
The worm is set to self-destruct on 2012.06.24.
It uses different methods of hiding itself depending on the file. For ~WTR4132.tmp, it hooks the functions FindFirstFileW, FindNextFileW and FindFirstFileExW in Kernel32.dll and NtQueryDirectoryFile and ZwQueryDirectoryFile in Ntdll.dll. The worm replaces the code of these functions with code that looks for files whose names end in .lnk, or begin with ~WTR and end in .tmp. When a user or program lists a directory, those entries are filtered out, so the files appear not to exist.
When ~WTR4132.tmp loads ~WTR4141.tmp, it first hooks several Ntdll.dll functions, including ZwMapViewOfSection, ZwCreateSection, ZwOpenFile, ZwClose, ZwQueryAttributesFile and ZwQuerySection. It then calls LoadLibrary on a file name that does not actually exist on disk. Normally LoadLibrary would fail under these conditions, but the hooked Ntdll.dll functions watch for these specially crafted file names and map a .dll file that does exist instead.
It contacts two URLs to test connectivity, www.mypremierfutbol.com and www.todaysfutbol.com (hosted in Denmark and Malaysia), sending them an encrypted HTTP request. These URLs belong to a server that acts as the worm's command and control. The request is encrypted with XOR using a 31-byte key that is contained in the worm; because the key is static, it can be used to decipher traffic between the C&C and the worm. Information sent to the server includes the Windows version, computer name, network group name, whether SCADA software is installed, and the IP addresses of the network interfaces.
The C&C sends one of two types of response. It may tell the worm to execute a function already built into its code, or it may send a new .dll file with additional functions. The C&C can command the worm to read, write to or delete a file, create a process, inject a .dll into lsass.exe, load an additional .dll file, extract a resource from the worm's main .dll, or update the worm's configuration data.
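The page notes that the C&C traffic is protected with XOR under a fixed 31-byte key stored in the worm, which is why the traffic can be deciphered once the key is known. The block below is an added example, not Stuxnet's code; the key and the beacon contents are constructed stand-ins (the real key is not on the page), shaped after the fields the text lists. It shows the repeating-key XOR operation and why a static key is weak: each known plaintext byte pins one key byte, so 31 bytes of predictable beacon content recover the entire key from a single captured request, without touching the binary.

```python
from itertools import cycle

KEY_LEN = 31  # the page states the worm's key is 31 bytes long

# Constructed stand-in key; the real key lives in the binary and is not on this page.
DEMO_KEY = bytes((7 * i + 3) % 251 for i in range(KEY_LEN))

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int, key_len: int = KEY_LEN):
    """Recover every key byte covered by a known plaintext fragment.

    Since c[i] = p[i] ^ key[i % key_len], each known plaintext byte at
    position i yields key[i % key_len] directly. Returns a list of key_len
    entries; slots the fragment does not cover are None.
    """
    key = [None] * key_len
    for i, p in enumerate(known_plaintext):
        pos = offset + i
        k = ciphertext[pos] ^ p
        slot = pos % key_len
        if key[slot] is not None and key[slot] != k:
            raise ValueError(f"inconsistent key byte at slot {slot}")
        key[slot] = k
    return key

# Constructed beacon modelled on the fields the page lists (Windows version,
# computer name, workgroup, SCADA flag, interface addresses). Not real traffic.
DEMO_BEACON = (
    b"os=5.1.2600;host=ENG-WS-07;group=WORKGROUP;scada=1;"
    b"ip=192.0.2.10,192.0.2.11"
)

def demo():
    """Encrypt the beacon, then recover the key from known plaintext alone."""
    ct = xor_repeating(DEMO_BEACON, DEMO_KEY)
    # Knowing only that every beacon starts with "os=" pins three key bytes...
    partial = recover_key(ct, b"os=", 0)
    # ...and 31 contiguous known bytes recover the whole key.
    full = bytes(recover_key(ct, DEMO_BEACON[:KEY_LEN], 0))
    return ct, partial, full

if __name__ == "__main__":
    ct, partial, full = demo()
    print("ciphertext :", ct.hex())
    print("3 key bytes:", partial[:3])
    print("full key ok:", full == DEMO_KEY)
    print("decrypted  :", xor_repeating(ct, full).decode())
```

The practical lesson for detection is the one the page states: a beacon format that is fixed and a key that is the same on every infected host means one decrypted sample yields a network signature for all of them.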
Targeting SCADA Software
Stuxnet specifically targets systems with Siemens Step 7 SCADA software. It takes advantage of the fact that most Siemens Simatic WinCC products have a default password that may allow the worm access to the software. The worm interacts with .dll files associated with Step 7 and tries to access files associated with the software, including cc_tag.sav, cc_alg.sav, db_log.sav and cc_tlg7.sav (these four are in a subdirectory named "GracS"), as well as any files with the extensions .S7P, .MCP and .LDF.
It checks for certain types of Programmable Logic Controllers (PLCs: sub-computers used to automate electromechanical processes, such as controlling machinery). Only PLCs with CPU types 6ES7-417 and 6ES7-315-2 are infected. It chooses how it will infect the PLC based on the values it finds in the system data blocks. It also checks for the presence of the bytes 2C CB 00 01 at offset 50h and will not infect the PLC if they are absent.
It prepends code to OB1 (Organization Block 1, the entry point of the PLC program) and OB35 (the entry point of the routine that monitors critical inputs). The worm finds the block DP_RECV, the standard block that receives frames from the PLC's Profibus co-processor, copies it as FC1869 and replaces it with a version of its own, allowing it to intercept communications on the Profibus. It can also send data of the attacker's choosing. Under certain conditions, it reads and writes I/O information in the memory-mapped areas of the PLC.
The worm installs itself in the PLC of the industrial systems the SCADA software monitors. If someone tries to view all code blocks on the infected PLC, they will not see Stuxnet: the worm modifies the s7otbxdx.dll file so that it can manipulate blocks on the PLC, hooking the enumeration, read and write functions so that its blocks can be neither seen nor overwritten. The worm looks for a specific factory environment that would be used in an Iranian nuclear facility and stops if it does not find it. If it finds that it is in such a facility, it makes its modifications.
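The hiding mechanism described in the last two paragraphs, a hooked s7otbxdx.dll that filters what the engineering station sees, is defeated by comparing two views of the same PLC: what the station reports and what a read that does not pass through that DLL returns (for instance from a second, known-clean station or an offline project backup). The block below is an added example, not code from the page; the block contents and the prepended call are constructed stand-ins, and the block names follow the text (OB1, OB35, DP_RECV, FC1869).

```python
import hashlib

def fingerprint(blocks):
    """Map block name -> SHA-256 hex digest of the block's bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}

def cross_view_diff(station_view, trusted_view, baseline):
    """Compare three fingerprint dicts (block name -> digest).

    station_view: what the engineering station (through s7otbxdx.dll) reports.
    trusted_view: what a read that bypasses that DLL returns.
    baseline:     the known-good project as last downloaded to the PLC.
    """
    return {
        # blocks the PLC holds but the station never shows
        "hidden_from_station": sorted(set(trusted_view) - set(station_view)),
        # blocks whose real content differs from the project
        "modified_vs_baseline": sorted(
            n for n in baseline if n in trusted_view and trusted_view[n] != baseline[n]),
        # project blocks absent from the PLC
        "missing_from_plc": sorted(set(baseline) - set(trusted_view)),
        # a station view that matches the project exactly while the trusted
        # view does not is itself the tell-tale sign of a filtering hook
        "station_view_equals_baseline": station_view == baseline,
    }

# ---- constructed sample data (not real STEP 7 blocks) -------------------
ORIG_OB1 = b"OB1: CALL FC 1 ; BE"
ORIG_OB35 = b"OB35: L MW 10 ; BE"
ORIG_DP_RECV = b"DP_RECV: original receive block"
INJECTED = b"CALL <hidden block> ; "  # hypothetical prepended call

BASELINE_BLOCKS = {"OB1": ORIG_OB1, "OB35": ORIG_OB35, "DP_RECV": ORIG_DP_RECV}
# The hooked station reports exactly the project contents.
STATION_BLOCKS = dict(BASELINE_BLOCKS)
# A read that bypasses the hooked DLL sees the prepended code, the replaced
# DP_RECV and the copy of the original saved aside as FC1869.
TRUSTED_BLOCKS = {
    "OB1": INJECTED + ORIG_OB1,
    "OB35": INJECTED + ORIG_OB35,
    "DP_RECV": b"DP_RECV: replacement that forwards to FC1869",
    "FC1869": ORIG_DP_RECV,
}

def run_check():
    """Run the cross-view comparison on the constructed sample."""
    return cross_view_diff(fingerprint(STATION_BLOCKS),
                           fingerprint(TRUSTED_BLOCKS),
                           fingerprint(BASELINE_BLOCKS))

if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

The comparison is only as good as the trusted read: if the second view is taken through the same patched DLL, both views agree and nothing is found, which is exactly the situation the page describes for an operator at the infected station.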
Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. It is only interested in drives operating between 807 Hz and 1210 Hz, and does nothing to them until they have operated in that range for some time. It then changes the output frequencies of the drives, and therefore the speed of the attached motors, for short intervals over a period of months: it sets the frequency abruptly to 1410 Hz, then to 2 Hz and then to 1064 Hz, tearing apart whatever the motors are connected to. The worm intercepts any attempt to shut down the frequency converter drives. Anyone in a room where this happens to centrifuges may be killed by shrapnel.
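The behaviour just described leaves a signature in drive telemetry: a long run inside the 807 to 1210 Hz band, then abrupt jumps far outside it. The detector below is an added example, not code from the page or from any product; the 50 Hz per-sample step threshold and the telemetry samples are constructed. Because the worm sits on the engineering station and intercepts shutdown commands, the readings fed to such a detector must come from an independent path (a separate sensor or a monitoring device on the drive side), not from the compromised station.

```python
NORMAL_BAND = (807.0, 1210.0)  # operating range the page says the worm waits for
MAX_STEP_HZ = 50.0             # constructed threshold: largest plausible change between samples

def detect_frequency_anomalies(samples, band=NORMAL_BAND, max_step=MAX_STEP_HZ):
    """Flag drive-frequency readings that leave the band or change too fast.

    samples: iterable of (timestamp, hz) from an independent telemetry path.
    Returns a list of (timestamp, kind, hz, previous_hz) where kind is
    "out_of_band" or "abrupt_step"; a single sample can raise both.
    """
    alerts = []
    prev = None
    lo, hi = band
    for t, hz in samples:
        if not lo <= hz <= hi:
            alerts.append((t, "out_of_band", hz, prev))
        if prev is not None and abs(hz - prev) > max_step:
            alerts.append((t, "abrupt_step", hz, prev))
        prev = hz
    return alerts

def summarize(alerts):
    """Count alerts per kind, for a one-line dashboard summary."""
    counts = {}
    for _, kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed telemetry: steady running near 1064 Hz, then the jump sequence
# the text describes (1410 Hz, 2 Hz, back to 1064 Hz). Not real plant data.
SAMPLE_TELEMETRY = [
    (0, 1064.0), (1, 1065.0), (2, 1063.5), (3, 1064.2),
    (4, 1410.0), (5, 1410.0),
    (6, 2.0),
    (7, 1064.0), (8, 1064.0),
]

if __name__ == "__main__":
    found = detect_frequency_anomalies(SAMPLE_TELEMETRY)
    for t, kind, hz, prev in found:
        print(f"t={t}: {kind:12} {prev} -> {hz} Hz")
    print(summarize(found))
```

On the constructed sample the detector raises three out-of-band and three abrupt-step alerts; the return to 1064 Hz at the end is itself flagged as a step, which is useful because a drive that "recovers" on its own after a spike is still a drive that was commanded off-profile.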
Stuxnet at Iran's Nuclear Facilities
Iran's Natanz facility was revealed to be the target of Stuxnet. Centrifuges at that facility had to be replaced for defects far more often than normal. A little under 1,000 centrifuges were damaged by the worm according to some sources, but other reports suggest that number may be higher. Normally Iran has to replace 10% of its 8,700 centrifuges every year for defects. The International Atomic Energy Agency noted that over a few months (when Stuxnet would have been in the plant) around 1,000 to 2,000 centrifuges had been replaced. One incident occurred in January 2010, when the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant. Workers had to haul out several centrifuges as the inspectors were leaving.
Initially the Iranians were convinced that the problems with their centrifuges stemmed from faulty parts, incompetence or more conventional sabotage. They blamed their own staff at the plants as well as their black market Pakistani suppliers. Some specialists were fired over this.
The Bushehr nuclear plant, which experienced a number of setbacks, was thought to be the intended target before the real target was revealed. The expected startup of the Bushehr nuclear plant was delayed three to four months, for unclear reasons (one Iranian official cited hot weather, and later a leak was blamed). Tehran denied the worm infected critical systems at the Bushehr plant, but a plant director claimed staff computers of people connected with the plant were infected.
The worm received a great amount of attention from the Iranian government. The Iranian Atomic Energy Organisation met in late September to discuss how to remove the worm. A former Iranian official appeared on the Al-Jazeera program "Behind the News", to vehemently deny that Iran was seriously affected by the worm, but indicated he believed the worm was targeted at Iran.
The Iranian government would later almost completely reverse itself on this. Mahmoud Ahmadinejad made statements at the end of November 2010 that some observers interpreted as an admission that Stuxnet had directly caused problems at Iran's nuclear plants. He said the virus had damaged several uranium enrichment centrifuges. The Israel Defense Forces confirmed that Iran had experienced technological difficulties with its centrifuges at the Natanz facility.
Debka, an Israeli news site reporting primarily on conflicts in the Middle East, reported on the Iranian government seeking help with removing the worm as early as September of that year. According to Debka's European sources, Iran was desperate to have the worm removed. It also reported that attempts to remove the worm made it more aggressive, though this is dubious, as none of the tests on it have revealed such a capability.
Langner Communications, an organization that had been closely monitoring Stuxnet and analyzing its code since about the time it became well-known said they believed Iran had been severely damaged by the worm. A consultant for the company told the Jerusalem Post that the worm was "nearly as effective as a military strike" and that the Iranian nuclear program had been set back two years.
Questions about effectiveness
Others, however, believe that the worm was at best ineffective against Iran and at worst even helped it in the long run. Researcher Ivanka Barzashka studied the incident and found no direct link between Stuxnet and some of the problems faced at the Iranian nuclear facilities. The number of centrifuges at the Iranian facilities actually increased during the second and third waves of attacks in March and April 2010. Barzashka also notes that the ability to install new centrifuges was not hindered. Iran's nuclear potential actually increased during the period of the attacks, though the attacks did slow the rate of expansion.
In addition to Iran, Stuxnet also infected systems in several other countries. By July 23, 60 percent of all infections were in Iran, but it had also spread to India and Indonesia. By the end of summer, these three nations accounted for 80% of all Stuxnet infections. Other nations with high percentages of infections were, from the highest, Pakistan, Uzbekistan, Russia, Kazakhstan, Belarus, Kyrgyzstan, Azerbaijan, the United States, Cuba, Tajikistan and Afghanistan. The rest of the world accounted for 4.6% of Stuxnet infections.
Early in the worm's run, Symantec estimated between 15,000 and 20,000 systems were infected. Around 14,000 IP addresses tried to connect to the command and control server, and some of those IP addresses contained more than one infected system. In addition, some systems were not connected to the Internet. Siemens counted 15 plants with a Stuxnet infection with their SCADA software installed. There was no damage or modifications to any of them, according to Siemens.
By the end of September, Stuxnet had become widespread in China. Rising International estimated the worm had infected six million personal and 1,000 corporate computer accounts there. The number of known infections worldwide is 100,000 computers, but since the worm destroyed nothing but centrifuges, it may have gone unnoticed in some places.
If it had one effect that most people regardless of country would agree was positive, it was that VirusBlokAda went from being an obscure security company in Belarus to a pretty big name for having discovered the worm. Siemens, which had ironically been scaling back its Iran operations at the time, suffered a major PR setback because of the worm.
Stuxnet was found in a Russian nuclear plant in late 2013 and allegedly caused heavy (but unspecified) damage. It was also found on the International Space Station. Eugene Kaspersky commented on these infections, subtly condemning the military creators of the worm by saying such things would "boomerang".
Stuxnet was discussed at the Virus Bulletin 2010 conference in Vancouver. Liam O'Murchu, a Symantec security researcher gave a presentation and a demonstration of what a program with similar capabilities could do. He inserted his own code (not Stuxnet) into a PLC controlling an air pump to fill a balloon with air until it popped. O'Murchu said the same action on an oil pipeline would be catastrophic.
Stuxnet's origin was subject to a great deal of speculation until its true origin and creators were revealed in the book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power by David Sanger, whose information came from a leak, which some speculate came from the White House itself. The leak revealed that the US and Israeli governments were behind the worm in what some say was a desperate attempt to put up a strong face shortly before an election while facing slipping poll numbers. The US Government may have "winked" at the idea of having created the worm a few times before making it official. The Israelis rarely mentioned Stuxnet before the White House leaks, but it did admit to funding cyberweapons.
Mossad and some unnamed Israeli officials say the US actually had less of a hand in the creation of the worm than the leak would lead one to believe. The Israelis said they originated the idea of cyberwarfare and the US was very reluctant at first to join Israel and only got on board later. The Israelis said they did not want to fight over who got credit and "spoil the party for President Obama". Former Haaretz journalist Yossi Melman and former CBS journalist Dan Raviv will describe the details further in the upcoming book Spies Against Armageddon.
Duqu and Flame may in some way be related to Stuxnet. Hungarian researchers discovered Duqu a while after Stuxnet became widely known. There has been some speculation that Duqu was an early test version of Stuxnet. Neither the US nor the Israeli government has admitted to creating Duqu or Flame. Duqu was especially similar with regard to its drivers and some file names.
Coding and Testing
On the 1st of June in 2012, the US government admitted Stuxnet was created and deployed in a joint US-Israel effort to prevent Iran from producing nuclear weapons. The operation code named "Olympic Games" began under the Bush administration and was allegedly intensified under his successor. Using a worm to attack Iranian nuclear facilities was seen as a less deadly alternative to a more conventional military attack.
The worm was created in part by a small cyber operation unit within the United States Strategic Command. Israeli programmers from Unit 8200, into which the Israeli government was reportedly "pouring money", also contributed a great deal of code. Exactly who contributed which components has not yet been revealed. A Symantec strategist estimates that 30 different people had a hand in coding Stuxnet. One security researcher, Tom Parker, noted that the injector and the payload appeared to have notably different coding styles, and posited that the two elements were developed in two different countries. Stuxnet was coded in a few different languages, with significant portions in C++ and C. It appears to have taken six months to complete.
Stuxnet was tested on centrifuges surrendered in 2003 by then-Libyan leader Muammar Qadhafi. They were the same type of centrifuges used in Iran. The primary target was not Bushehr, which received most coverage related to the worm, but the Natanz facility. The worm was designed to destroy centrifuges by abruptly speeding them up and slowing them down, essentially tearing them apart.
It escaped into the wild when Stuxnet infected the laptop of an engineer at the Natanz plant and spread from there. US officials blamed Israel for a coding mistake that allowed the worm to spread out of control. Vice President Biden accused the Israelis of going "too far". The code that allowed Stuxnet to escape was probably not a mistake but entirely intentional. It is, however, still unknown what change Israel made and whether it had anything to do with the spread.
One of the Russian contractors building the Bushehr plant also worked in other countries where Stuxnet was prevalent. Before it was revealed that Stuxnet was an American-Israeli creation targeting Iran, he was considered a suspect for planting the worm. He may, however, have accidentally carried the worm with him from Iran to those countries.
It was first discovered in the wild by VirusBlokAda, an antivirus company based in Belarus, on the systems of a client in Iran. Sergey Ulasen, head of the Anti-Virus Kernel department of VirusBlokAda, received a report from a client in Iran about a computer that was stuck in a reboot loop. Ironically, this problem was never again reported with a connection to Stuxnet. When he ran the code through a debugger, he discovered that it was a worm that used more than one zero-day vulnerability. Parts of it were heavily encrypted and could not be completely examined.
Iran placed the blame squarely on "foreign enemies", and said this and other attempts would not stop Iran from using nuclear power for peaceful purposes. Several spies were arrested in late September in relation to spying on Iran's nuclear facilities. While it is unknown if these spies had any connection to the worm, Iran's intelligence minister mentioned the spies, the worm and sabotage of the plants in the same statement to the semi-official Mehr news agency.
Most of the speculation about Stuxnet's origin turned out to have some truth to it. Given the political climate of the time, it is little surprise to some that from the time the worm was discovered, Israel and the US were accused of creating it. Many things surrounding the story of the worm remain unknown, have a sort of urban legend status, or are outright false.
Subtle Connections to Judaism and Israel
A text string inside the code was sometimes taken as a biblical reference. However, the string myrtus\src\objfre_w2k_x86\i386\guava.pdb simply records where the coder stored the source code. Myrtus is a real plant that is also mentioned in the Bible and Torah, but aside from this, no other connection to any religious text has been found in the worm. Another name for myrtus is Hadassah, the Hebrew name of the biblical heroine Esther, who is central to the Purim celebration; Esther saved the Jewish people from genocide by the Persians (an old name for the Iranians). The string could also simply stand for "My RTUs", since RTUs (remote terminal units) are important to SCADA systems.
The worm itself sets a registry key with a value of 19790509, which was taken by some observers as a significant clue. 1979.05.09 was the date of the execution of a Jewish Iranian businessman for spying for Israel. He was, however, not an Israeli citizen, and it is unknown whether he ever intended to move to Israel or had any connection to the nation at all beyond sharing its main religion. He was the only Jew executed that day, but not the only person: 37 others were executed the same day, some also accused of spying.
Another date that appears in Stuxnet in manually coded functions is 2007.09.24. This was the day that Iranian president Mahmoud Ahmadinejad spoke at Columbia University, in New York. Among other things in his speech, including the famous "no homosexuals in Iran" line, he questioned the existence of the Holocaust.
Other Speculations on its Origin
Germany was also named as a possible source of the worm, but the evidence for this theory was all circumstantial, just like all the others. German intelligence works very closely with American intelligence. The worm attacks the software of a German company and was first found to have infected a system there. It is possible that Siemens itself may have had something to do with the attack.
The possibility that Jordan had something to do with the worm was also considered, particularly in its deployment. The US had problems with making contact with Iranian scientists, but Jordan had a connection with a project known as Synchrotron-light for Experimental Science and Applications in the Middle East (SESAME). An Iranian nuclear scientist Majid Shahriari, killed in a bomb attack for which the Iranian government blames Israel and the US, was involved in SESAME. SESAME had plans to build a research center in Jordan and Jordan is friendly with the US.
The sites the worm contacts are in Denmark and Malaysia. Stuxnet's forged VeriSign certificates came from two different companies in the Hsinchu Science Park in Taiwan. It was never much speculated that the worm might come from these countries.
One theory suggests it may be a tool of China against India in their race to the moon. The Chinese government said it could land a man on the moon in 2025, while India said its own program could do so in 2020. This theory was posited by someone who was somewhat skeptical of the theory that Stuxnet came from Israel to attack Iran and who held that other, possibly better, theories exist.
Stuxnet Source Code for Sale
The source code was reportedly for sale in late November of 2010. It caused some fear that the worm could be adapted to target anything. Whether the worm was being sold by a criminal organization or leaked from a government agency or corporation (or even whether the people claiming to sell the code actually had it) is as yet unknown. While some analysts gave dire warnings about what could happen if the worm's source code were sold, others described these warnings as "irresponsible", "alarmist" and "sensationalist". In addition, they noted that for a new variant to be successful and do something as destructive as the alarmists were saying, the people modifying the worm would have to be as capable as the people who created it. So far, nothing has come of it, and some experts believe the source code was never available to the people claiming to sell it.
There was some speculation about why the US had suddenly become so public about the operation. One researcher at F-Secure speculated that Obama wanted credit for the worm so he would look tough during an election year. It is notable that the project that spawned the worm was started in 2006 and that deployment at the Natanz facility began in 2008, both under his predecessor George W. Bush.
Two of the zero-day vulnerabilities Stuxnet exploits were patched in October 2010. They were two of the record 49 vulnerabilities Microsoft patched that month.
A trojan later identified by Symantec as Trojan.Fadeluxnet claimed to clean up Stuxnet. While it did remove the worm from drive C:, it also changed some registry keys to make it impossible to run or open executables, MP3s and some popular image formats. It also terminated some processes and could wipe everything from the C: drive.
In the late 1980s, the Swap virus, which came from Israel, contained text indicating it came from the CIA. This, however, was likely humor or simply a lie. The virus likely has no relation at all to Stuxnet except for coming from Israel.
Jarrad Shearer. Symantec, W32.Stuxnet. 2010.09.17
Aleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho. Eset, Stuxnet Under The Microscope (PDF).
Nicholas Falliere. Symantec, Exploring Stuxnet's PLC Infection Process. 2010.09.21
Mary Landesman. About.com Antivirus, How does the Stuxnet worm spread?.
Robert McMillan. Computer World, Siemens: Stuxnet worm hit industrial systems. 2010.09.14
F-Secure Blog, Stuxnet Questions and Answers. 2010.10.01
Mary Landesman. About.com Antivirus, Stuxnet: Is Stuxnet Really Targeting Iran?.
Gadi Evron. Security Dark Reading, Stuxnet: An Amateur's Weapon. 2010.10.15
Robert McMillan. Computerworld, Iran was prime target of SCADA worm. 2010.07.23
Mark Clayton. Christian Science Monitor, Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?. 2010.09.21
Leila al-Sheikhly. Al Jazeera, اجمة أنظمة المعلومات الإيرانية إلكترونيا (Arabic, start of title cut off: "... Iranian information systems electronically"). 2010.09.27
Al Jazeera, Iran 'attacked' by computer worm. 2010.09.25
Al Jazeera, 'State-sabotage' behind Iran virus. 2010.09.26
Al Jazeera, Delay hits Iran Bushehr plant. 2010.09.29
Al Jazeera, Inside Story: A new frontier in cyber war?. 2010.10.02
Al Jazeera, Iran holds 'nuclear spies'. 2010.10.03
David E. Sanger. The New York Times, Obama Order Sped Up Wave of Cyberattacks Against Iran. 2012.06.01
RT, US unleashed Stuxnet cyber war on Iran to appease Israel. 2012.06.01
John Leyden. The Register, US officials confirm Stuxnet was a joint US-Israeli op. 2012.06.01
Yossi Melman. Spies Against Armageddon, The Spin about Centrifuges: Let America Take Credit For Delaying Iran’s Nuclear Ambitions. 2012.06.03
Kim Zetter. Wired, Report: Obama Ordered Stuxnet to Continue After Bug Caused It to Spread Wildly. 2012.06.01
Gregg Keizer. InfoWorld, Is Stuxnet the 'best' malware ever? 2010.09.16
Vanity Fair, Stuxnet Worm: A Declaration of Cyber-War. 2011.04
Erin Chapman, Win Rosenfeld. PBS.org, Cracking the code: Defending against the superweapons of the 21st century cyberwar. 2011.05.20
Yaakov Katz. The Jerusalem Post, IDF admits to using cyber space to attack enemies. 2012.06.03
Ryan Naraine. ZDNet, Inside Stuxnet: Researcher drops new clues about origin of worm. 2010.09.30
Jeffrey Carr. Forbes, Did The Stuxnet Worm Kill India's INSAT-4B Satellite. 2010.09.29
Brian Krebs. KrebsonSecurity, Microsoft Plugs a Record 49 Security Holes. 2010.10.13
Shunichi Imano. Symantec Connect, Fake Stuxnet cleaner literally cleans up your computer. 2010.10.15
Reuters. Ynet News, Wary of naked force, Israel eyes cyberwar on Iran. 2009.07.07
Agence France-Presse, Google, Stuxnet 'cyber superweapon' moves to China. 2010.09.30
Tyler Durden. Zero Hedge, Is Stuxnet The Secret Weapon To Attack Iran's Nukes; Is A Virus About To Revolutionize Modern Warfare?. 2010.09.23
Peter Apps. Reuters, Analysis: Cyber defenders, attackers probe Stuxnet's secrets, Page 2. 2010.10.28
Frank Rieger. Frankfurter Allgemeine Zeitung, Der digitale Erstschlag ist erfolgt ("The digital first strike has taken place").
Associated Press. Fox News, Iran Claims Computer Worm is Western Plot. 2010.10.05
Justin Fishel. Fox News, Pentagon Silent on Iranian Nuke Virus. 2010.09.27
John Leyden. The Register, Stuxnet code leak to cause CYBER-APOCALYPSE NOW! 2010.11.26
Larry Seltzer. PCMagazine, Experts Doubt Stuxnet Source Code for Sale. 2010.11.27
Eric Chien. Symantec, Stuxnet: A Breakthrough. 2010.11.12
Chris Williams. Enterprise Security, The Register, Iran admits cyberattack hit nuke programme. 2010.11.29
Yaakov Katz. The Jerusalem Post, Stuxnet virus set back Iran’s nuclear program by 2 years. 2010.12.15
Bare Naked Islam, IRAN begs for help with the rampaging StuxNet Cyber Worm. 2010.09.29
Ivanka Barzashka. The RUSI Journal 158(2), Are Cyber-Weapons Effective?, pp. 48-56. 2013
Alexander Gostev, Igor Soumenkov. SecureList, Stuxnet/Duqu: The Evolution of Drivers. 2011.12.28
David Shamah. The Times of Israel, Stuxnet, gone rogue, hit Russian nuke plant, space station. 2013.11.11