STUXNET, a highly sophisticated computer virus, has created havoc in Iran since it attacked the nuclear plant there, leading to misoperation and finally a shutdown. This malware was meant to attack the SIEMENS systems that the nuclear plant used, and it attacked the PLC (Programmable Logic Controller) unit of the hardware.

Many believe that this virus was intentionally created by the USA and ISRAEL to attack IRAN’s nuclear power (it was reported that innovations in the nuclear domain showed a straight 60% increase in 2009 compared with the previous year). So these opposing countries wanted to attack the power of IRAN.

Discovered in June 2010, Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

History

The worm was at first identified by the security company VirusBlokAda in mid-June 2010. Journalist Brian Krebs’s 15 July 2010 blog posting was the first widely read report on the worm. Its name is derived from some keywords discovered in the software. The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update; this led to the worm spreading to an engineer’s computer that had been hooked up to the centrifuges, and then spread when said engineer returned home and hooked his computer up to the internet.

Kaspersky Lab experts at first estimated that Stuxnet started spreading around March or April 2010, but the first variant of the worm appeared in June 2009. On 15 July 2010, the day the worm’s existence became widely known, a distributed denial-of-service attack was made on the servers for two leading mailing lists on industrial-systems security. This attack, from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories.

The second variant, with substantial improvements, appeared in March 2010, apparently because its authors believed that Stuxnet was not spreading fast enough; a third, with minor improvements, appeared in April 2010. The worm contains a component with a build time-stamp from 3 February 2010. In the United Kingdom on 25 November 2010, Sky News reported that it had received information from an anonymous source at an unidentified IT security organization that Stuxnet, or a variation of the worm, had been traded on the black market. However, other security experts disagreed.

Countries affected by STUXNET

IRAN – 58.85%

Indonesia – 18.22%

India – 8.31%

etc.,

STUXNET Intensity

Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; “The attackers took great care to make sure that only their designated targets were hit…It was a marksman’s job.” While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.

For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior. Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:

  1. The Windows operating system,
  2. Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
  3. One or more Siemens S7 PLCs.

STUXNET Removal

Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft patches for security vulnerabilities and prohibiting the use of third-party USB flash drives. Siemens also advises immediately upgrading password access codes.

The worm’s ability to reprogram external PLCs may complicate the removal procedure. Symantec’s Liam O’Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs may be necessary. Despite speculation that incorrect removal of the worm could cause damage, Siemens reports that in the first four months since discovery, the malware was successfully removed from the systems of twenty-two customers without any adverse impact.
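The PLC audit mentioned above can be approached by comparing every program block read back from the controller with a trusted offline copy of the project. The following is an added example, not code from Siemens, Symantec or the original post; the block names, block contents and function names are constructed for illustration, and it assumes the read-back was taken from an engineering workstation known to be clean.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(blocks: dict) -> dict:
    """Digest every block in a trusted offline project backup."""
    return {name: sha256(code) for name, code in blocks.items()}


def audit_plc(baseline: dict, readback: dict) -> dict:
    """Compare blocks read back from the PLC with the trusted baseline."""
    findings = {"modified": [], "unexpected": [], "missing": []}
    for name, code in readback.items():
        if name not in baseline:
            findings["unexpected"].append(name)   # block not in the approved project
        elif sha256(code) != baseline[name]:
            findings["modified"].append(name)     # same name, different contents
    findings["missing"] = [n for n in baseline if n not in readback]
    return {kind: sorted(names) for kind, names in findings.items()}


def is_clean(findings: dict) -> bool:
    """True only when no block differs from the baseline in any way."""
    return not any(findings.values())


# Constructed sample data: block names follow the S7 naming style (OB/FC/DB),
# contents are placeholder bytes, not real PLC code.
TRUSTED_BACKUP = {
    "OB1": b"main cycle v1",
    "FC10": b"valve control v1",
    "DB5": b"setpoints v1",
}
PLC_READBACK = {
    "OB1": b"main cycle v1 + extra call",   # altered organization block
    "FC10": b"valve control v1",            # unchanged
    "FC99": b"unknown logic",               # block that was never approved
}

if __name__ == "__main__":
    result = audit_plc(build_baseline(TRUSTED_BACKUP), PLC_READBACK)
    for kind, names in result.items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
    print("clean" if is_clean(result) else "PLC program differs from baseline")
```

Any finding in the three categories means the controller's program no longer matches the approved project and should be investigated before the PLC is returned to service.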

The NATANZ and BUSHEHR nuclear plants in IRAN were affected by STUXNET.

Organizations worldwide are working to validate the source of the WORM and remove it.

Courtesy : http://www.wikipedia.org

Posted By

Mahesh.P
