STUXNET Worm:
Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes.
The idea that Israel might be waging cyberwar against Iran was first floated in a 2009 article by Dan Williams of Reuters. It is the first-ever computer worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure. Furthermore, the worm's probable target has been said to have been high-value infrastructure in Iran using Siemens control systems. According to news reports, the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start-up of Iran's Bushehr Nuclear Power Plant. Siemens has stated, however, that the worm has not in fact caused any damage.
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60 percent of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.
Speaking to TOI from Bangalore on Monday, Isro officials, requesting anonymity, said that the worm only strikes a satellite’s programme logic controller (PLC).
“We can confirm that Insat-4 B doesn’t have a PLC. So the chances of the Stuxnet worm attacking it appear remote. In PLC’s place, Insat-4 B had its own indigenously-designed software which controlled the logic of the spacecraft,” said a source.
PLC’s main function is to control the entire “logic of the spacecraft”. Other space experts described PLC as a digital computer used for automation of electro-mechanical processes.
Sources, however, said Isro is awaiting Jeffrey Carr’s forthcoming presentation in Abu Dhabi to learn the full details of the Stuxnet internet worm. In a blog published in Forbes recently, Carr suggested that the résumés of two former engineers at Isro’s Liquid Propulsion Systems Centre (LPSC) at Mahendra Giri in Tamil Nadu stated that the Siemens S7-400 PLC was used in Insat-4 B, which can trigger the Stuxnet worm.
An Isro announcement on July 9 said that “due to a power supply anomaly in one of its (Insat-4 B) two solar panels, there is a partial non-availability on India’s Insat-4 B communication satellite”. It said that the satellite has been in operation since March 2007 and the power supply glitch had led to the switching off of 50% of the transponder capacity.
The worm infects only computers equipped with certain Siemens software systems. Isro, however, reiterated that the Siemens software wasn’t used in Insat-4 B. The Stuxnet worm was first discovered in June, a month before Insat-4 B was crippled by power failure.
Carr’s blog says, “China and India are competing with each other to see who will be the first to land another astronaut on the Moon.”
Operation
Stuxnet attacks Windows systems using four zero-day attacks (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to command the software. Siemens, however, advises against changing the default passwords because it "could impact plant operations."
The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of zero-day Windows exploits used is also unusual: zero-day Windows exploits are valuable, and hackers do not normally expend four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size and is written in several programming languages (including C and C++), which is also irregular for malware. It is digitally signed with two authentic certificates stolen from two certification authorities (JMicron and Realtek), which helped it remain undetected for a relatively long period of time. It also has the capability to update itself via peer-to-peer communication, allowing it to be updated after the initial command-and-control server was disabled. These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
A Siemens spokesperson said that the worm was found on 15 systems, five of which were process manufacturing plants in Germany. Siemens claims that no active infections have been found and that there have been no reports of damage caused by the worm. Jeffrey Carr raised the possibility that Stuxnet took India’s INSAT-4B satellite out of action, leaving it effectively dead. However, ISRO has provisionally ruled out the possibility of a Stuxnet attack and awaits further details from Carr's presentation on the topic.
Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing the Microsoft patch for vulnerabilities and disallowing the use of third-party USB sticks.
The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. In addition, it has been speculated that incorrect removal of the worm could cause a significant amount of damage.
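As an added illustration of why the PLC audit has to be done out of band (example code written for this page, not Siemens' removal tool or anything from the original article): the check hashes each logic block as read directly from the controller and compares it both with a last-known-good baseline and with what the engineering workstation reports, so a view that has been doctored to hide changes shows up as a discrepancy rather than as a clean result. Block names and contents are constructed placeholders, not real Step 7 or S7-400 block data.

```python
import hashlib

# Constructed sample block dumps (name -> bytes). These are placeholders,
# not real Step 7 / S7-400 block contents.
BASELINE = {                      # last-known-good dump taken before the incident
    "OB1": b"OB1: CALL FC1; CALL FC2",
    "FC1": b"FC1: read sensors",
    "FC2": b"FC2: drive outputs",
    "DB8": b"DB8: setpoints",
}
# What the (possibly compromised) engineering workstation reports: identical
# to the baseline, because a PLC rootkit hides its modifications from that view.
REPORTED_VIEW = dict(BASELINE)
# What an independent read of the controller actually returns: OB1 was
# rewritten to call an injected block, and that block was added.
INDEPENDENT_READ = dict(BASELINE)
INDEPENDENT_READ["OB1"] = b"OB1: CALL FC_INJECTED; CALL FC1; CALL FC2"
INDEPENDENT_READ["FC_INJECTED"] = b"FC_INJECTED: tamper with FC2 outputs"


def fingerprint(blocks: dict) -> dict:
    """SHA-256 of every block, keyed by block name."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def audit_plc(baseline: dict, reported: dict, independent: dict) -> list:
    """Compare an out-of-band read of the PLC with the baseline and with the
    workstation's view. Returns sorted (finding, block) pairs; [] means clean."""
    base_fp, rep_fp, ind_fp = (fingerprint(b) for b in (baseline, reported, independent))
    findings = []
    for name, digest in ind_fp.items():
        if name not in base_fp:
            findings.append(("ADDED", name))       # block not in known-good program
        elif digest != base_fp[name]:
            findings.append(("MODIFIED", name))    # block differs from baseline
        if rep_fp.get(name) != digest:
            findings.append(("HIDDEN", name))      # workstation view disagrees with reality
    for name in base_fp:
        if name not in ind_fp:
            findings.append(("MISSING", name))     # baseline block removed from PLC
    return sorted(findings)


if __name__ == "__main__":
    for finding, block in audit_plc(BASELINE, REPORTED_VIEW, INDEPENDENT_READ):
        print(f"{finding:9} {block}")
```

A HIDDEN finding on a block is the signal that matters most here: it means the engineering station's picture of the controller cannot be trusted, so fixing Windows alone will not end the incident.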