stuxnet


Stuxnet is a worm sometimes referred to as the first "cyber super weapon". It is both the first worm known to spy on industrial control systems and the first to reprogram them. The worm specifically targets industrial control systems of the kind found in nuclear facilities, among other plants. It was later widely reported to have been a weapon of the US and Israeli governments against Iranian nuclear facilities.

Stuxnet exploits a vulnerability in the Windows Print Spooler service (MS10-061) to spread over networked machines. It sends a specially crafted print request to a machine that shares a printer; because the spooler writes the request's data with SYSTEM privileges, the worm can drop files into the remote machine's system folder, and that is how its code comes to be executed on the remote system. It "prints" two files: winsta.exe, a dropper, into the system folder, and sysnullevnt.mof into the wbem\mof subdirectory of the system folder. Windows Management Instrumentation automatically compiles .mof files placed in that directory, and compiling the dropped file is what launches winsta.exe.

It also spreads over network shares, copying itself as a file named "DEFRAG(random number).tmp". The "random number" is the tick count, the number of milliseconds since the infecting system started, written in hexadecimal. Like the files it copies to removable drives, this is a .dll file. A scheduled job is created to run it with rundll32.exe the next day.

It keeps encrypted copies of its components in the inf subdirectory of the Windows folder, named oem6C.PNF, oem7A.PNF, mdmcpq3.PNF and mdmeric3.PNF. The mrxcls.sys driver in the drivers directory is the worm's load point: at every boot it decrypts the main module from these .PNF files and injects it into running processes, so deleting the visible components without also removing the driver and the .PNF files does not clean the system.
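The three paragraphs above name a concrete set of file artifacts (the print-spooler drop, the DEFRAG share copy, the encrypted .PNF components and the load-point driver). The script below is an added example, not code from the original post or from any Stuxnet analysis; it scans a file listing such as one exported from a disk image, matches those names in the directories the text describes, and decodes the hex tick count in the DEFRAG name. It assumes the page's "system folder" means Windows\System32, and the sample listing it runs on is constructed for the demo.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# File-name indicators taken from the write-up above. Each entry maps a
# lower-case file name to the directory it is expected in (a suffix of the
# normalised parent path) and a short description. The page's "system folder"
# is assumed to be Windows\System32 here.
FILE_IOCS: Dict[str, Tuple[str, str]] = {
    "winsta.exe": ("/system32", "print-spooler dropper in the system folder"),
    "sysnullevnt.mof": ("/system32/wbem/mof", "MOF file dropped via the print spooler"),
    "oem6c.pnf": ("/inf", "encrypted Stuxnet component"),
    "oem7a.pnf": ("/inf", "encrypted Stuxnet main module"),
    "mdmcpq3.pnf": ("/inf", "encrypted Stuxnet component"),
    "mdmeric3.pnf": ("/inf", "encrypted Stuxnet component"),
    "mrxcls.sys": ("/drivers", "load-point driver that decrypts the .PNF components"),
}

# Network-share copy: DEFRAG<tick count in hex>.tmp. GetTickCount is a 32-bit
# value, so the hex part is at most 8 digits; a name such as defrag_report.tmp
# with non-hex characters after "defrag" does not match.
DEFRAG_TMP_RE = re.compile(r"^defrag([0-9a-f]{1,8})\.tmp$", re.IGNORECASE)


def normalise(path: str) -> str:
    """Lower-case with forward slashes so drive, UNC and image paths compare alike."""
    return path.replace("\\", "/").lower()


def split_path(path: str) -> Tuple[str, str]:
    """Return (normalised parent directory, file name)."""
    parent, _, name = normalise(path).rpartition("/")
    return parent, name


def defrag_tick_count(name: str) -> Optional[int]:
    """Decode the hex tick count from a DEFRAGxxxxx.tmp name, or None if no match."""
    m = DEFRAG_TMP_RE.match(name)
    return int(m.group(1), 16) if m else None


def classify(path: str) -> Optional[str]:
    """Return a reason string if the path matches a Stuxnet file indicator, else None."""
    parent, name = split_path(path)
    if name in FILE_IOCS:
        expected_dir, description = FILE_IOCS[name]
        if parent.endswith(expected_dir):
            return description
        # Right name in the wrong place: a weaker lead, reported as such.
        return f"{description} (unexpected directory: {parent or '<none>'})"
    ticks = defrag_tick_count(name)
    if ticks is not None:
        # Tick count = milliseconds since the writing host booted; it wraps
        # after about 49.7 days, so treat the uptime as a lower bound.
        hours = ticks / 3_600_000
        return f"network-share copy, tick count {ticks} ms (about {hours:.2f} h uptime)"
    return None


def scan_listing(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan a file listing (e.g. exported from a disk image); return (path, reason) hits."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        reason = classify(p)
        if reason is not None:
            hits.append((p, reason))
    return hits


# Constructed sample listing for the demo; not a real evidence file.
SAMPLE_LISTING = [
    r"C:\Windows\System32\winsta.exe",
    r"C:\Windows\System32\wbem\mof\sysnullevnt.mof",
    r"C:\Windows\inf\oem7A.PNF",
    r"C:\Windows\inf\oem1.PNF",  # ordinary precompiled INF, not an indicator
    r"C:\Windows\System32\drivers\mrxcls.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Temp\mrxcls.sys",  # right name, wrong directory
    r"\\fileserver\share\DEFRAG0001d4c0.tmp",
    r"C:\Users\alice\Documents\defrag_report.tmp",
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_LISTING):
        print(f"{path}\n    {reason}")
```

A name match is a triage lead, not a verdict: oem*.PNF files are ordinary precompiled INF artifacts and only the four specific names above are tied to the worm, which is why the check also insists on the directory. Confirm any hit by hashing the file or inspecting it before calling the host infected.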

Stuxnet disables or bypasses system security to protect itself while performing its intended actions. It gets past host firewalls by injecting itself into the iexplore.exe process, which is normally allowed to make outbound connections. It also checks for the following 10 security-related processes and chooses how, or whether, to inject itself depending on which product is present:
  • avguard.exe
  • bdagent.exe
  • ccSvcHst.exe
  • ekrn.exe
  • fsdfwd.exe
  • Mcshield.exe
  • rtvscan.exe
  • tmpproxy.exe
  • UmxCfg.exe
  • vp.exe

Iran's Natanz enrichment facility was revealed to be the target of Stuxnet. Centrifuges there had to be replaced for defects far more often than normal. A little under 1,000 centrifuges were damaged by the worm according to some sources, while other reports put the number higher. Normally Iran has to replace about 10% of its 8,700 centrifuges every year for defects, but the International Atomic Energy Agency noted that over a few months (when Stuxnet would have been in the plant) around 1,000 to 2,000 centrifuges were replaced. One incident occurred in January 2010, just after the International Atomic Energy Agency had completed an inspection at the uranium enrichment plant: workers had to haul out several centrifuges as the inspectors were leaving.

In addition to Iran, Stuxnet infected systems in several other countries. By July 23, 2010, 60 percent of all infections were in Iran, but it had also spread to India and Indonesia. By the end of summer these three nations accounted for 80 percent of all Stuxnet infections. Other nations with notable shares of infections, from highest to lowest, were Pakistan, Uzbekistan, Russia, Kazakhstan, Belarus, Kyrgyzstan, Azerbaijan, the United States, Cuba, Tajikistan and Afghanistan. The rest of the world accounted for 4.6 percent of Stuxnet infections.

Early in the worm's run, Symantec estimated that between 15,000 and 20,000 systems were infected. Around 14,000 IP addresses tried to connect to the command and control servers; some of those addresses fronted more than one infected system, and some infected systems were never connected to the Internet at all, so the address count understates the total. Siemens counted 15 plants running its SCADA software with a Stuxnet infection; according to Siemens, none of them suffered damage or modification.

