Monday, October 4, 2010

Stuxnet- the missile worm

In the month of June, a deadly worm called as the Stuxnet was discovered and as experts began studying this worm, they realised that it had the capabilities of a missile which could destroy a factory or even a nuclear plant.

Following the detection of this super cyber worm, there is a rumour afloat that it may have already reached its target and that is the Bushehr nuclear power plant at Iran. Cyber crime experts in India although Iran has pointed a finger at India and the US saying that this worm has generated from here, we do not agree since several of our own establishments face this risk.There is a need to be on guard since worm is extremely complicated and very highly encrypted and hence controlling it could be a problem. The Stuxnet takes control of a system and like in the case of other worms or malware there is no action required for the user to be taken. This means that it could enter into your system without you having done anything. The worst part about this worm is that it has been developed to hit at a physical target.

David Hall, Senior Manager, Regional Product Marketing, Symantec, Asia Pacific explains to more about the Stuxnet worm. We’ve heard about the possibilities and it is like nothing we’ve seen before – both in what it does, and how it came to exist. Stuxnet is the first publicly known worm to target industrial control systems, often referred to as SCADA systems. W32.Stuxnet was first categorized in July of 2010. Stuxnet looks for industrial control systems and then changes the code in them to allow the attackers to take control of these systems without the operators knowing. Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm. Stuxnet uses two different and most importantly legitimate certificates signed by well-known companies to avoid detection by antivirus applications.

Stuxnet has been attacking industrial control systems across the globe. We’ve seen infections in 90 different countries with high numbers in Indonesia, Korea and India, apart from Iran where we saw 60 per cent of the infections. Like in other countries Stuxnet attacks in India target systems with SCADA software installed, mainly in factories and power plants.

This malicious threat is designed to allow hackers to manipulate real-world equipment, which makes it very dangerous. It is the first computer virus to be able to wreak havoc in the physical world. Stuxnet searches for industrial control systems and specifically targets systems with supervisory control and data acquisition (SCADA) software installed. If it finds these systems on the compromised computer, it attempts to steal code and design projects. It may also take advantage of the programming software interface to also upload its own code to the Programmable Logic Controllers (PLC), which are ‘mini-computers’, in an industrial control system that is typically monitored by SCADA systems. Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet. Moreover, Stuxnet uses stolen legitimate certificates, which makes it difficult to detect it.

Stuxnet is a complex and impactful threat that is trying to make groundbreaking changes, which is a matter of concern. Earlier, a threat such as this might have been speculation, now it’s a real threat.

What’s worrying is that Stuxnet is one of the most complex we’ve seen and one of the most impactful. A worm that is trying to make these types of changes is groundbreaking and very worrying. What is even more worrying is that this threat exploits four zero-day vulnerabilities. A zero-day is a bug within software that the attacker knows about, but no one else does. Stuxnet is designed to manipulate real-world equipment. This malicious worm is a strong example of how sophisticated and targeted threats are becoming, which makes it extremely dangerous. To give you perspective, we saw 12 zero-day vulnerabilities in total in 2009. This further emphasizes the high level of sophistication of Stuxnet.

This is the first publicly widespread threat that has shown a possibility of gaining control of industrial processes and placing that control in the wrong hands. It also shows that in this interconnected world, security solutions and technologies such as reputation are more important than ever.

A cyber crime official in New Delhi says that Iran had pointed a finger at India saying that it had generated over here. However our investigations show that this particular worm is government backed and could have generated out of Israel. While intelligence reports point towards that angle there is also this name 'Myrtus which is a referrence to a Hebrew word. However it is too early to come to any sort of conclusion. We have found during out investigations that some of our own systems have been affected, but no crucial installations have been targeted as yet.

This particular worm has been created and will be alternative for a full fledged war. There is a reason why they have targeted Iran since many countries feel that they are lying about their nuclear capabilities and hence they feel that this would be the best way to target them. He also points out that Iran has claimed that it has made a couple of arrests of nuclear spies who are responsible for infecting their systems. We are keeping a watch on the developments, but nothing really concrete has come out of this arrest as yet.

Moreover this is important to India since there has been talk that the same worm is what hit the Insat 4 B in the month of June, the same month this worm was discovered. This satellite which was responsible for the telecast of several channels shut down due to a power supply anomaly in one of the two solar panels that supplied power to the satellite. ISRO however says that they have not found any such traces to the worm and maintain that their ongoing investigation has not found anything in this regard as yet. Cyber security experts however maintain that this worm is perfectly capable of hitting even satellites and if not controlled it could erupt into a full fledged cyber war as has never been seen before. Although currently it continues to remain in the hands of government sponsored agencies, the worry will begin for India once the bad guys lay their hands on it which means it would be used to target defence installations and nuclear stations in India as well. We are in talks and also taking the assistance of various other experts in trying to ensure that our installations remain Stuxnet free

No comments: