Stuxnet: Fact vs. theory

The Stuxnet worm has taken the computer security world by storm, inspiring talk of a top secret, government-sponsored cyberwar, and of a software program laden with obscure biblical references that call to mind not computer code, but "The Da Vinci Code."

Stuxnet, which first made headlines in July, (CNET FAQ here) is believed to be the first known malware that targets the controls at industrial facilities such as power plants. At the time of its discovery, the assumption was that espionage lay behind the effort, but subsequent analysis by Symantec uncovered the ability of the malware to control plant operations outright, as CNET first reported back in mid-August.

What's the real story on Stuxnet?

A German security researcher specializing in industrial-control systems suggested in mid-September that Stuxnet may have been created to sabotage a nuclear power plant in Iran. The hype and speculation have only grown from there.

Here's a breakdown of fact versus theory regarding this intriguing worm.

Theory: The malware was distributed by Israel or the United States in an attempt to interfere with Iran's nuclear program.

Fact: There's no hard evidence as to who is behind the malware or even what country or operation was the intended target, though it's clear most of the infections have been in Iran (about 60 percent, followed by Indonesia at about 18 percent and India at close to 10 percent, according to Symantec). Rather than establishing the target for Stuxnet, that statistic could merely indicate that Iran was less diligent about using security software to protect its systems, said Eric Chien, technical director of Symantec Security Response.

German researcher Ralph Langner speculates that the Bushehr nuclear plant in Iran could be a target because it is believed to run the Siemens software Stuxnet was written to target. Others suspect the target was actually the uranium centrifuges in Natanz, a theory that seems more plausible to Gary McGraw, chief technology officer of Cigital. "Everyone seems to agree that Iran is the target, and data regarding the geography of the infection lends credence to that notion," he writes.

In July 2009, Wikileaks posted a notice (formerly here, but unavailable at publication time) that said:

Two weeks ago, a source associated with Iran's nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran's nuclear enrichment program. WikiLeaks had reason to believe the source was credible, however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

On his blog, Frank Rieger, chief technology officer at security firm GSMK in Berlin, confirmed the resignation through official sources. He also noted that the number of operating centrifuges in Natanz shrank significantly around the time the accident mentioned by Wikileaks purportedly happened, based on data from Iran's Atom Energy Agency.

An Iranian intelligence official said this weekend that authorities had detained several "spies" connected to cyberattacks against its nuclear program. Iranian officials have said that 30,000 computers were affected in the country as part of "electronic warfare against Iran," according to The New York Times. Iran's Mehr news agency quoted a top official in the Ministry of Communications and Information Technology as saying that the effect of "this spy worm in government systems is not serious" and had been "more or less" halted, the Times report said. The project manager at the Bushehr nuclear plant said workers there were trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," according to an Associated Press report. Officials at Iran's Atomic Energy Organization said the Bushehr plant opening was delayed because of a "small leak" that had nothing to do with Stuxnet. Meanwhile, Iran's Intelligence Minister, commenting on the situation over the weekend, said a number of "nuclear spies" had been arrested, though he declined to provide further details, according to the Tehran Times.

Specialists have hypothesized that it would take the resources of a nation state to create the software. It uses two forged digital signatures to sneak software onto computers and exploits five different Windows vulnerabilities, four of which are zero-day (two have been patched by Microsoft). Stuxnet also hides code in a rootkit on the infected system and exploits knowledge of a database server password hardcoded into the Siemens software. And it propagates in a number of ways, including through the four Windows holes, peer-to-peer communications, network shares, and USB drives. Stuxnet involves inside knowledge of Siemens WinCC/Step 7 software as it fingerprints a specific industrial control system, uploads an encrypted program, and modifies the code on the Siemens programmable logic controllers (PLCs) that control the automation of industrial processes like pressure valves, water pumps, turbines, and nuclear centrifuges, according to various researchers.

Symantec has reverse engineered the Stuxnet code and uncovered some references that could bolster the argument that Israel was behind the malware, all presented in this report (PDF). But it's just as likely that the references are red herrings designed to divert attention away from the actual source. Stuxnet, for instance, will not infect a computer if "19790509" is in a registry key. Symantec noted that that could stand for the May 9, 1979 date of a famous execution of a prominent Iranian Jew in Tehran. But it's also the day a Northwestern University graduate student was injured by a bomb made by the Unabomber. The numbers could also represent a birthday, some other event, or be completely random. There are also references to two file directory names in the code that Symantec said could be Jewish biblical references: "guavas" and "myrtus." "Myrtus" is the Latin word for "Myrtle," which was another name for Esther, the Jewish queen who saved her people from death in Persia. But "myrtus" could also stand for "my remote terminal units," referring to a chip-controlled device that interfaces real-world objects to a distributed control system such as those used in critical infrastructure. "Symantec cautions readers on drawing any attribution conclusions," the Symantec report says. "Attackers would have the natural desire to implicate another party."

Theory: Stuxnet is designed to sabotage a plant, or blow something up.

Fact:Through its analysis of the code, Symantec has figured out the intricacies of files and instructions that Stuxnet injects into the programmable logic controller commands, but Symantec doesn't have the context involving what the software is intended to do, because the outcome depends on the operation and equipment infected. "We know that it says to set this address to this value, but we don't know what that translates to in the real world," Chien said. To map what the code does in different environments, Symantec is looking to work with experts who have experience in multiple critical infrastructure industries.

Symantec's report found the use of "0xDEADF007" to indicate when a process has reached its final state. The report suggests that it may refer to Dead Fool or Dead Foot, which refers to engine failure in an airplane. Even with those hints, it's unclear whether the suggested intention would be to blow a system up or merely halt its operation.

In a demonstration at the Virus Bulletin Conference in Vancouver late last week, Symantec researcher Liam O'Murchu showed the potential real world effects of Stuxnet. He used an S7-300 PLC device connected to an air pump to program the pump to run for three seconds. He then showed how a Stuxnet-infected PLC could change the operation so the pump ran for 140 seconds instead, which burst an attached balloon in a dramatic climax, according to Threat Post.

Theory: The malware has already done its damage.

Fact: That actually could be the case and whomever was targeted has simply not disclosed it publicly, experts said. But, again, there's no evidence of this. The software has definitely been around long enough for lots of things to have happened. Microsoft learned of the Stuxnet vulnerability in early July, but its research indicates that the worm was under development at least a year prior to that, said Jerry Bryant, group manager for Microsoft Response Communications. "However, according to an article that appeared last week in Hacking IT Security Magazine, the Windows Print Spooler vulnerability (MS10-061) was first made public in early 2009," he said. "This vulnerability was independently rediscovered during the investigation of the Stuxnet malware by Kaspersky Labs and reported to Microsoft in late July of 2010."

"They've been doing this for almost a year," Chien said. "It's possible they hit their target again and again."

Theory: The code will stop spreading on June 24, 2012.

Fact: There is a "kill date" encoded into the malware, and it is designed to stop spreading on June 24, 2012. However, infected computers will still be able to communicate via peer-to-peer connections, and machines that are configured with the wrong date and time will continue to spread the malware after that date, according to Chien.

Theory: Stuxnet caused or contributed to the Gulf of Mexico oil spill at Deepwater Horizon.

Fact: Unlikely, though Deepwater Horizon did have some Siemens PLC systems on it, according to F-Secure.

Theory: Stuxnet infects only critical infrastructure systems.

Fact: Stuxnet has infected hundreds of thousands of computers, mostly home or office PCs not connected to industrial control systems, and only about 14 such systems, a Siemens representative told IDG News Service.

And more theories and predictions abound.

F-Secure's blog discusses some theoretical possibilities for Stuxnet. "It could adjust motors, conveyor belts, pumps. It could stop a factory. With [the] right modifications, it could cause things to explode," in theory, the blog post says. Siemens, the F-Secure post continues, announced last year that the code that Stuxnet infects "can now also control alarm systems, access controls, and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and 'Mission Impossible.'"

Symantec's Murchu outlines a possible attack scenario on CNET sister site ZDNet.

And Rodney Joffe, senior technologist at Neustar, calls Stuxnet a "precision guided cybermunition" and predicts that criminals will try to use Stuxnet to infect ATMs run by PLCs to steal money from the machines.

"If you ever needed real world evidence that malware could spread that ultimately could have life or death ramifications in ways people just don't accept, this is your example," said Joffe.

Updated 4:40 p.m. PST with Iran officials saying Bushehr plant opening delay had nothing to do with Stuxnet and 3:50 p.m. PST to clarify that Wikileaks post was in 2009.