Who Wrote the Nefarious Stuxnet Worm? And Why?

Imagine a nefarious computer virus, one some industry experts say may be the most sophisticated piece of malware ever written. Imagine this worm, loaded onto a Siemens Programmable Logic Controller (PLC), creating two hexadecimal words as its output: DEAD F007. Now imagine this piece of malware, Stuxnet -- or something like it -- coming to an industrial plant near you. [login] Let's start by dispelling one myth that seems to be growing up around this piece of PLC-controlling software: PLCs are not super-secret devices, but are standard bits of industrial control equipment that can cost as little as $200 (and, for really complicated ones, many thousands), and are available from industrial supply houses all over the world without any kind of security check. The software used to program PLCs is no more secret than the devices themselves. WinCC, the compromised program, may not be known to many programmers or sysadmins who work in offices, but it is a familiar tool for industrial plant people in many different fields.

Siemens, based in Germany is one of the biggest of multinational big dogs in the PLC field. They sell into the U.S., China, Brazil, India, and almost anywhere else there's any industry at all. Want to count cereal boxes on an assembly line and measure out the right amount of cereal for each one? You can program a Siemens PLC for that application, no problem. Want to spin your Uranium-enrichment centrifuges at just the right speed? Ditto. Or run track-mounted speed detectors and switch gear for your high-speed rail system or the moisture control on your Yankee dryer? No problem. If there isn't a PLC app for that already, writing one is no big deal. An early article about the Stuxnet infection in Iran claimed that it infected "millions" of industrial control computers there. This is unlikely. Indeed, it's unlikely that Iran has millions of industrial control computers, period. And Stuxnet is not -- at least in forms discovered so far -- an Internet-spread problem, but one that typically infects a computer network when someone plugs a USB stick containing the worm into a computer on that network.

Another article, on Forbes.com, postulated that the Stuxnet worm's purpose was to disable satellites run by the Indian Space Research Organization, which would mean more business and prestige for China's AsiaSat. And maybe some Siemens PLCs are not supposed to be going to Iran, after all. A New York Times story published on Sept. 29 said, "...last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program."

That same story mentions the Biblical-sounding connection of one of the worm's file names to the Book of Esther, "a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project." But it also says, "Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel." And then there's that DEAD F007 "leetspeak" PLC output. Eric Loyd, President of Bitnetix, says that no matter how juvenile DEAD F007 sounds, "Stuxnet is far from a kid-hacker attack." Indeed, Loyd is one of many IT experts who believes Stuxnet may be the most sophisticated piece of malware ever written, with its use of four seperate Windows zero-day attacks, not one but two genuine security certificates (now revoked), and it's ability to not only monitor but modify instructions for the targeted Siemens PLCs.

While PLCs may be a mystery to many -- even most -- programmers and syadmins, they are not complicated, nor do they take advanced degrees to figure out. In most of the industrial world, they are the responsibility of guys who wear their names on their shirts. Indeed, the whole point of SCADA is that it makes plant processes easy to visualize and control. So far there is no concrete evidence that Stuxnet-infected computers or PLCs have affected Iran's nuclear fuel enrichment program or delayed the startup of the country's one nuclear reactor. But there are suspicious coincidences that make it seems like Stuxnet might have done something to Iran's nuclear efforts, depending on which contradictory reports coming out of Iran you want to believe.

On one hand Iranian government sources say Stuxnet has not caused problems or delays to anything nuclear, and on the other they claim they have arrested "Nuclear Cyberspace Spies" and is "fully aware of the activities of 'enemies' spy services.'"

Stuxnet may not be the biggest problem

Whether Stuxnet is the work of Chinese or Israeli government cyberwarriors or a computer science student's prank that got out of hand, there are cures for it, and Microsoft is closing the four Windows zero-day vulnerabilities that allows the worm to do its mischief and to propagate laterally within a government or corporate computer network. And with the right malware protection, a Stuxnet infection can be detected immediately, says Kurt Bertone, Vice President of Strategic Alliances for Fidelity Security Systems, who says his company's XPS cyber defense products has no trouble dealing with Stuxnet. Other virus detection and malware control companies also now have a handle on Stuxnet, including Siemens, which offers complete Stuxnet detection and removal instructions.

But the problem now, Bertone warns, is not so much Stuxnet but other pieces of malware that are out there but may not have been discovered. He and Eric Loyd both worry that there may be some "Son of Stuxnet" worm out there, spread manually, like Stuxnet, or by some other vector, that will one day cause dangereous problems at nuclear plants, oil refineries or chemical plants or.... ...there are millions of critical points in our modern industrial infrastructure that use PLCs and other computer-based controls, some of which are carefully secured against malware infections -- and some of which are not secure at all but have not yet been attacked.