Basically, Stuxnet is a computer worm. It was discovered in June 2010. It is believed that Stuxnet was created by the United States and Israel to attack Iran's nuclear facilities. Roel Schouwenberg spends his days (and many nights) creating Stuxnet.
A 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. A computer virus relies on an unwitting victim to install it; a worm spreads on its own, often over a computer network. This worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases.
2009 June: Earliest Stuxnet seen
◦ Does not use MS10-046
◦ Does not have signed drivers
2010 Jan: Stuxnet driver signed
◦ With a valid certificate belonging to Realtek Semiconductors
2010 June: VirusBlokAda reports W32.Stuxnet
◦ Stuxnet uses MS10-046
◦ VeriSign revokes the Realtek certificate
2010 July: ESET identifies a new Stuxnet driver
◦ With a valid certificate belonging to JMicron Technology Corp
2010 July: Siemens reports it is investigating malware in SCADA systems
◦ VeriSign revokes the JMicron certificate
2010 Aug: Microsoft issues MS10-046
◦ Patches the Windows shell shortcut vulnerability
2010 Sept: Microsoft issues MS10-061
◦ Patches the Print Spooler vulnerability
2010 Sept: Iran nuclear plant hit by delay
◦ Warm weather blamed
◦ Measured temperatures were at historical averages
2010 Oct: Iran arrests "spies"
◦ Spies who attempted to sabotage the country's nuclear programme
◦ Russian nuclear experts flee Iran
Organization
◦ Stuxnet consists of a large .dll file
◦ 32 exports (function goals)
◦ 15 resources (function methods)
Stuxnet calls LoadLibrary
◦ With a specially crafted file name that does not exist
◦ Which would normally cause LoadLibrary to fail
However, W32.Stuxnet has hooked Ntdll.dll
◦ To monitor for requests to load the specially crafted file names
◦ These specially crafted file names are mapped to another location instead
◦ A location specified by W32.Stuxnet
◦ Where a .dll file has been decrypted and stored by Stuxnet previously
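The slide above describes two things a defender can look for: an inline hook placed on Ntdll.dll exports, and a module load that succeeds for a file name that does not exist on disk. The script below is an added illustration of both checks and is not code from the original deck or from Stuxnet itself. It works on constructed sample data: the byte strings stand in for function prologues (they are not real ntdll bytes), the export names and RVAs are illustrative, and the module-load events are invented log records. On a real system the "disk" bytes would come from the ntdll image on disk and the "memory" bytes from the running process.

```python
"""
Two detection checks for the technique on the slide, run over constructed data.

1. Inline-hook detection: compare the first bytes of each exported function
   as found in memory against the clean copy from the on-disk image.
2. Suspicious module loads: flag loads that succeeded although the requested
   file name does not exist on disk (normally LoadLibrary would fail).

Added example, not from the original slides. All byte strings, RVAs and
events are constructed samples.
"""
import struct

PROLOGUE_LEN = 8  # number of leading bytes compared per export (constructed choice)

# Constructed "clean" prologues keyed by export name. The names are real ntdll
# exports used for illustration; the bytes are NOT real ntdll code.
DISK_EXPORTS = {
    "NtCreateSection": bytes.fromhex("4c8bd1b84a000000"),
    "NtMapViewOfSection": bytes.fromhex("4c8bd1b828000000"),
    "ZwQueryAttributesFile": bytes.fromhex("4c8bd1b83d000000"),
}

# Constructed relative virtual addresses of those exports in the image.
EXPORT_RVAS = {
    "NtCreateSection": 0x3000,
    "NtMapViewOfSection": 0x3100,
    "ZwQueryAttributesFile": 0x1000,
}


def patch_with_jmp(prologue: bytes, rel32: int) -> bytes:
    """Simulate an inline hook: overwrite the first 5 bytes with JMP rel32 (opcode E9)."""
    return b"\xe9" + struct.pack("<i", rel32) + prologue[5:]


# Constructed "in-memory" copies: one export carries a hook, the rest are clean.
MEMORY_EXPORTS = dict(DISK_EXPORTS)
MEMORY_EXPORTS["ZwQueryAttributesFile"] = patch_with_jmp(
    DISK_EXPORTS["ZwQueryAttributesFile"], 0x1234
)


def describe_patch(mem: bytes, export_rva: int) -> str:
    """Classify an overwritten prologue. A near JMP (E9 rel32) yields the hook target."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack("<i", mem[1:5])[0]
        target = export_rva + 5 + rel  # rel32 is relative to the next instruction
        return f"JMP rel32 -> 0x{target:x}"
    return "unrecognised patch"


def find_inline_hooks(disk: dict, memory: dict, rvas: dict) -> list:
    """Return (export, description) for every export whose live prologue differs from disk."""
    hooks = []
    for name, clean in disk.items():
        live = memory.get(name)
        if live is None or live[:PROLOGUE_LEN] == clean[:PROLOGUE_LEN]:
            continue
        hooks.append((name, describe_patch(live, rvas.get(name, 0))))
    return hooks


# Constructed module-load events: (requested name, file exists on disk, load succeeded).
LOAD_EVENTS = [
    ("C:\\Windows\\System32\\kernel32.dll", True, True),
    ("C:\\Windows\\System32\\nonexistent.dll", False, False),  # normal failure
    ("KERNEL32.DLL.ASLR.0123456789abcdef", False, True),        # crafted name, yet it loaded
]


def suspicious_module_loads(events: list) -> list:
    """Names that loaded successfully even though no such file exists on disk."""
    return [name for name, exists, loaded in events if loaded and not exists]


if __name__ == "__main__":
    for export, what in find_inline_hooks(DISK_EXPORTS, MEMORY_EXPORTS, EXPORT_RVAS):
        print(f"hooked export: {export} ({what})")
    for name in suspicious_module_loads(LOAD_EVENTS):
        print(f"module loaded from non-existent path: {name}")
```

The prologue comparison only catches hooks placed at the start of an export; a hook deeper in the function or a modified import table needs a different check, so in practice this is one signal among several rather than a complete verdict.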
Stuxnet collects and stores the following information:
◦ Major OS version and minor OS version
◦ Flags used by Stuxnet
◦ Flag specifying if the computer is part of a workgroup or domain
◦ Time of infection
◦ IP address of the compromised computer
◦ File name of the infected project file
Windows versions: Win 2K, WinXP, Windows 200, Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2
Iran
◦ Iran blames Stuxnet worm on Western plot (Ministry of Foreign Affairs)
◦ "Western states are trying to stop Iran's (nuclear) activities by embarking on psychological warfare and aggrandizing, but Iran would by no means give up its rights by such measures,"
◦ "Nothing would cause a delay in Iran's nuclear activities"
◦ "enemy spy services" were responsible for Stuxnet (Minister of Intelligence)
Israel (DEBKAfile)
◦ An alarmed Iran asks for outside help to stop rampaging Stuxnet malworm
◦ Not only have their own attempts to defeat the invading worm failed, but they made matters worse: the malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.
◦ One expert said: "The Iranians have been forced to realize that they would be better off not irritating the invader because it hits back with a bigger punch."
◦ These statements were copied verbatim by mayor
Distribution of infections by country (as shown on the slide):
Iran            60%
Indonesia       18.22%
India           8.31%
Azerbaijan      2.57%
United States   1.56%
Pakistan        1.28%
Others          9.2%
Stuxnet represents the first of many milestones in malicious code history
◦ It is the first to exploit multiple 0-day vulnerabilities,
◦ Compromise two digital certificates,
◦ And inject code into industrial control systems
◦ And hide the code from the operator.
Stuxnet is of such great complexity
◦ Requiring significant resources to develop
◦ That few attackers will be capable of producing a similar threat
Stuxnet has highlighted that direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.