Inside Stuxnet: Researcher drops new clues about origin of worm
By Ryan Naraine | September 30, 2010, 6:12pm PDT
The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.
VANCOUVER — The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference here with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.
Symantec security researcher Liam O Murchu (photo above) says he found the “05091979″ date in the Stuxnet code, a possible link to the May 9, 1979 execution of Jewish Iranian businessman and philantropist Habib Elghanian.
Ever since the discovery of the worm, which Microsoft says dates back to January 2009, there has been incessant speculation that Stuxnet is a nation-state attack against Iranian nuclear plants. We’ve heard murmurings of biblical references and public confirmation that the Iran’s Buescher nuclear reactor was the main target.
Now comes O Murchu with this tittilating disclosure suggesting a direct link to Israel. However, security experts are cautioning against reading too much into anything deliberately left in the code by the Stuxnet authors because, at this level, there could be all kinds of decoys and misdirection.
O Murchu’s presentation, complete with a live demo of an attack against a Siemens PLC, provided the first detailed glimpse into the Stuxnet code. He explained that the malware targets only two models of the Siemens PLC (S7 300 and S7 400) and injects rootkit code based on very specific configurations.
The code is so narrowly targeted that it will not infect the PLC unless it finds a specific network card (CP 342-5), he added.
“Stuxnet uses ‘man-in-the-app’ attack,” O Murchu said. Once Stuxnet is on your computer, you have lost control of your PLC.”
“We know everything that Stuxnet does on an infected PLC but we’re just unsure of real world effects of this code. It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs [of the PLCs],” he added.
During the demonstration, O Murchu used proof-of-concept code (not based on Stuxnet’s) to infect a Siemens S7-300 PLC device connected to a humming air pump. Using just eight lines of code, he programmed the pump to run for a few seconds, inflating a red balloon.
Hethen modified the code slightly to run the pump for 140 seconds, again inflating the balloon until it popped with a loud bang.
“If this PLC was connected to an oil pipeline, you can see that the result would be much worse,” he declared to applause from the audience.
During a separate presentation, representatives from Kaspersky Lab (see disclosure), Symantec and Microsoft provided a discovery timeline and details on the four zero-day vulnerabilities used by Stuxnet.