“A piece of highly sophisticated malicious software that has infected an unknown number of power plants, pipelines and factories over the past year is the first program designed to cause serious damage in the physical world, security experts are warning,” Joseph Menn and Mary Watkins report for The Financial Times.
“The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes,” Menn and Watkins report. “Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do.”
Menn and Watkins report, “At a closed-door conference this week in Maryland, Ralph Langner, a German industrial controls safety expert, said Stuxnet might be targeting not a sector but perhaps only one plant, and he speculated that it could be a controversial nuclear facility in Iran. According to Symantec, which has been investigating the virus and plans to publish details of the rogue commands on Wednesday, Iran has had far more infections than any other country.”
“Experts say Stuxnet’s knowledge of Microsoft’s Windows operating system, the Siemens program and the associated hardware of the target industry make it the work of a well-financed, highly organised team,” Menn and Watkins report. “They suggest that it is most likely associated with a national government and that terrorism, ideological motivation or even extortion cannot be ruled out.”
Full article here.
John Markoff reports for The New York Times that Stuxnet “is continuing to spread through computer systems around the world through the Internet. It is also raising fear of dangerous proliferation. Stuxnet has laid bare significant vulnerabilities in industrial control systems. The program is being examined for clues not only by the world’s computer security companies, but also by intelligence agencies and countless hackers.”
Markoff reports, “‘Proliferation is a real problem, and no country is prepared to deal with it,’ said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: ‘All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it.’”
Full article here.
Nicolas Falliere reports for Symantec, “Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.”
“Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems,” Falliere reports. “In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”
“In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found,” Falliere reports. “This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.”
“Stuxnet contains 70 encrypted code blocks that appear to replace some ‘foundation routines’ that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC,” Falliere reports. “By writing code to the PLC, Stuxnet can potentially control or alter how the system operates.”
Read more in the full article here.
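The block-hiding behaviour Falliere describes above, modelled from the defender's side as an added Python example (this is not Symantec's analysis code and not Stuxnet's): a constructed toy PLC exposes the three operations the quote says were hooked (enumerate, read, write); a hooked view filters a set of block names so they are neither listed nor overwritable; and a cross-check compares an inventory taken over an independent path with what the suspect engineering workstation reports and with a golden baseline recorded at commissioning. All block names, code bytes and helper names (`Plc`, `HookedProgrammingSoftware`, `inventory`, `compare_inventories`) are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PlcBlock:
    name: str
    code: bytes


class Plc:
    """Constructed toy PLC: named code blocks behind the three operations
    the Symantec text says were hooked (enumerate, read, write)."""

    def __init__(self, blocks):
        self._blocks = {b.name: b.code for b in blocks}

    def enumerate(self):
        return sorted(self._blocks)

    def read(self, name):
        return self._blocks[name]

    def write(self, name, code):
        self._blocks[name] = code
        return True


class HookedProgrammingSoftware:
    """Models the engineering software after its enumerate/read/write calls
    have been hooked to filter a set of block names. Constructed to show the
    *effect* the quote describes (hidden blocks are not listed, cannot be
    read, and cannot be accidentally overwritten); it is not Stuxnet code."""

    def __init__(self, plc, hidden_names):
        self._plc = plc
        self._hidden = frozenset(hidden_names)

    def enumerate(self):
        return [n for n in self._plc.enumerate() if n not in self._hidden]

    def read(self, name):
        if name in self._hidden:
            raise KeyError(name)  # to the operator the block does not exist
        return self._plc.read(name)

    def write(self, name, code):
        if name in self._hidden:
            return False  # silently refused, so the hidden block survives
        return self._plc.write(name, code)


def inventory(view):
    """Snapshot of what `view` shows: block name -> SHA-256 of its code."""
    return {n: hashlib.sha256(view.read(n)).hexdigest() for n in view.enumerate()}


def compare_inventories(independent, workstation, baseline):
    """Defender's cross-check.

    `independent` is an inventory taken over a path that does not go through
    the suspect workstation; `workstation` is what that workstation reports;
    `baseline` is a golden inventory recorded at commissioning. Anything the
    independent view lists that the workstation omits is being hidden from
    the operator; anything absent from or differing against the baseline has
    been added or altered on the controller."""
    hidden = sorted(set(independent) - set(workstation))
    unexpected = sorted(set(independent) - set(baseline))
    modified = sorted(
        n for n in set(independent) & set(baseline) if independent[n] != baseline[n]
    )
    return {
        "hidden_from_workstation": hidden,
        "not_in_baseline": unexpected,
        "modified_since_baseline": modified,
    }


def demo():
    """Constructed scenario: record a baseline, then one foundation routine is
    replaced and one block is injected and hidden from the workstation."""
    plc = Plc([
        PlcBlock("OB1", b"main cycle"),
        PlcBlock("FC1", b"compare file times"),
        PlcBlock("DB1", b"process data"),
    ])
    baseline = inventory(plc)

    plc.write("FC1", b"replaced foundation routine")  # constructed change
    plc.write("FC_INJECTED", b"injected logic")       # constructed injection
    workstation = HookedProgrammingSoftware(plc, {"FC_INJECTED"})

    return compare_inventories(inventory(plc), inventory(workstation), baseline)


if __name__ == "__main__":
    print(demo())
```

The point of the cross-check is that a hooked workstation can only filter what passes through it: an inventory read over a second, known-clean path (an offline engineering laptop, a backup pulled before the suspect machine was connected, or a vendor tool run from clean media) plus a baseline of block hashes is what turns "the blocks are nowhere to be found" into a detectable discrepancy.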
MacDailyNews Take: The common denominator, as always, is Microsoft’s Windows.
[Thanks to MacDailyNews Reader “Patty D.” for the heads up.]