We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Why Stuxnet could be the best malware ever

Experts believe worm could be state-backed

The Stuxnet virus, which infiltrates the systems used to run factories, may have been discovered only in June this year but has been labelled by some researchers as a "groundbreaking" piece of malware. We look at why Stuxnet could be the 'best' malware ever.

With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantec went to work, digging deep into its code to learn how it ticked.

The two companies independently found attack code that targeted three more unpatched Windows bugs.

"Within a week or week and a half [of news of Stuxnet], we discovered the print spooler bug," said Schouwenberg. "Then we found one of the EoP [elevation of privilege] bugs." Microsoft researchers discovered a second EoP flaw, Schouwenberg said.

Working independently, Symantec researchers found the print spooler bug and two EoP vulnerabilities in August.

Both firms reported their findings to Microsoft, which patched the print spooler vulnerability this month. The company said it would address the less-dangerous EoP bugs in a future security update.

"Using four zero-days, that's really, really crazy," said Symantec's O Murchu. "We've never seen that before."

Neither has Kaspersky, said Schouwenberg.

But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in 2008 with Microsoft's MS08-067 update. That bug was the same vulnerability used to devastating effect by the notorious Conficker worm in late 2008 and early 2009 to infect millions of machines.

Once within a network - initially delivered via an infected USB device - Stuxnet used the EoP vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.

They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.

On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.

"The organisation and sophistication to execute the entire package is extremely impressive," said Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or companies they were targeting."

O Murchu seconded that.

"There are so many different types of execution needs that it's clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits," he said.

The malware, which weighed in a nearly half a megabyte - an astounding size according to Schouwenberg - was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.

"And from the SCADA side of things, which is a very specialised area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works," said O Murchu.

"Someone had to sit down and say, 'I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,'" O Murchu continued. "And then pull together all these resources. It was a big, big project."

NEXT PAGE: Minimising the risk

  1. Worm could be state-backed
  2. Never seen before
  3. Minimising the risk
  4. When did attacks begin?

IDG UK Sites

Android M Developer Preview announced at Google I/O: Android M UK release date and new features. Wh?......

IDG UK Sites

Why I think the Apple Watch sucks and you'd be mad to buy it

IDG UK Sites

Ben & Holly's Game of Thrones titles spoof is delightfully silly

IDG UK Sites

Mac OS X 10.11 release date rumours: all the new features expected in Yosemite successor