Security researchers at Symantec have uncovered details about the Stuxnet worm that indicate it was aimed at nuclear facilities in Iran. As the analysis of Stuxnet continues, the world's first worm for industrial systems clearly emerges one of the most complex malware programs ever devised. To that end, Symantec's rival, Trend Micro, has released a free tool that will help all Windows network users scan their PCs and servers for Stuxnet infections.
Symantec's conclusions are fascinating. As we learned earlier, "The ultimate goal of Stuxnet is to sabotage [the] facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries," the researchers explain.
Nuclear power plant in Germany
While they came short of outright declaring that nuclear facilities in Iran were the intended victims, the researchers' new discoveries detailed in a blog post and paper (PDF) made a pretty good circumstantial case. If Stuxnet was a defendant we bet that even Perry Mason couldn't get it acquitted. We'll summarize:
1. The worm requires frequency converter drives from one of two vendors, one headquartered in Finland and the other in Tehran, Iran.
2. Stuxnet will infect lots of machines, but only takes action on PLCs for frequency converters that operate between 807 Hz and 1210 Hz. A frequency converter drive converts AC power from the grid into fast oscillating frequencies that can be used for granular speed control of electric motors. Higher frequencies equal faster motors.
3) While there may be many uses for such "efficient low-harmonic frequency converter drives" Symantec notes that drives "that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment."
4) Some 60% of infected hosts were in Iran which lead researchers to conclude that Iran was the spot where the infection was initially seeded and hence the target.
Ergo nuclear power plants in Iran were the most likely target. We rest our case.
Most anti-malware companies say that their wares detect Stuxnet and the W32 worms it was based on. But during the year before Stuxnet was detected, it ran amuck. Malware vendors say they are finding it everywhere. It infects Windows clients and servers and can be spread by USB sticks or via file-sharing over the network.
Trend Micro released the free Stuxnet Scanner tool that tricks the worm into revealing itself. It sends spoofed Stuxnet packets so that infected servers will respond and a network administrator can identify them.
Since Stuxnet was discovered, Microsoft has issued patches for the three most critical Windows holes known to have played a part: a shortcut hole that let's a USB drive automatically load malware, a print spooler hole that lets malware spread via the LAN and a Windows Server hole that lets it spread through Window's file sharing protocol, SMB.
With these holes patched, W32 and Stuxnet infections should be harder to pull off. Time and antivirus software will tell.