
STUXNET: THE ERA OF CYBER WAR

Kunal Shah, Esha Shah

shahesha01@gmail.com

5/17, Malad Co-op. Hsg. Soc.,
Poddar Road, Malad (E),
Mumbai-400 097
Abstract:-

The era we live in has created a situation of cyber warfare, and cyber weapons are being
developed at a rapid rate. Stuxnet is a cyber weapon of high destructive value, built from some
very effective code. It is essentially a sophisticated worm designed specifically to attack the
Siemens PLCs of Iran's nuclear enrichment facilities. Stuxnet, as it came to be known, was
different from every virus or worm that came before it, and it has proved to be the first software
weapon used against a nation. In this paper we discuss its etiology, its working, and mitigation
techniques to counter this kind of threat in the cyber world. The first industrial-grade and most
sophisticated of all viruses is here to stay, yet the affected world at large refuses to accept its
existence. Stuxnet searches for industrial control systems, often known as SCADA systems, and
if it finds them on the compromised computer it attempts to attack. The Stuxnet team had experts
in both Windows and Siemens controller internals. According to some researchers, some of the
functions called by Stuxnet have still not been positively identified. This paper looks at the
worm's main purpose and also discusses the minimum changes we can make to overcome this
challenge. We list its interesting features and at the same time explore simple techniques that can
add some strength to countermeasures against attacks of this nature.

I. Introduction:-

Stuxnet is not only a piece of malware but also the beginning of a new era of cyber war. It was first detected on 17th June 2010, but had been affecting Iran's nuclear enrichment facilities before that. A 500-kilobyte computer worm, it has affected over 60,000 computers. The name was given by the "antivirus guys" (the people who studied and detected it) by combining two strings ("stub" and "xnet") found in the code. While the individual engineers behind Stuxnet have not been identified, we know that they were very skilled, and that there were a lot of them. Kaspersky Lab's Roel Schouwenberg estimated that it took a team of ten coders two to three years to create the worm in its final form.

The assassination of a nuclear scientist in Iran, together with details from the code, made it obvious that the worm was specifically targeting Iran's Natanz nuclear plant. The code repeatedly contained the number "164", an exact match for the number of centrifuges in each cascade of the Natanz enrichment facility. The cascades were arranged in 15 stages, which matched and explained further parts of the code. The code is dense and 20 times the size of an average malware codebase of the kind available on GitHub. The most striking feature of the code is that it does not contain any bugs. Almost every malware codebase contains bugs, but Stuxnet had its own ways of proving itself unique. Each line of code was written to perform a specific task, in exactly the order needed to conduct the attack. Unlike other malware, it contained no lines intended to draw the attention of testers. Most of the code was written in C, C++ and other object-oriented languages. It makes use of four zero-day vulnerabilities, which means that a large amount of money was spent on it; that in turn makes it clear that a nation was involved and that it is not the work of a small hacker team. While neither government has ever officially acknowledged developing Stuxnet, a 2011 video created to celebrate the retirement of Israeli Defense Forces head Gabi Ashkenazi listed Stuxnet as one of the successes under his watch. According to some researchers, the two nations most suspected of creating the worm are the USA and Israel, but there is no evidence beyond rumours. Israel is suspected because there are lines in the code that match the Hebrew Bible; the USA is suspected of performing the development and testing of the code. Neither nation has actually admitted it, but it is now widely accepted that the worm was created by the intelligence agencies of the United States and Israel. The CIA (Central Intelligence Agency), the civilian foreign intelligence service of the federal government of the United States, was deeply involved. Much of the code was written by the National Security Agency (NSA) of the United States and Unit 8200, its Israeli equivalent. The effort began under President George W. Bush and continued under President Obama. The United States Cyber Command was also involved, as it had the authority to carry out attacks. In short, all these agencies came together to build Stuxnet. The classified program to develop the worm was given the code name "Operation Olympic Games". Other countries where it was detected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland and Germany. Several other worms with infection capabilities similar to Stuxnet, including those dubbed Duqu and Flame, have been identified in the wild, although their purposes are quite different from Stuxnet's. Their similarity to Stuxnet leads experts to believe that they are products of the same development shop, which is apparently still active.

II. Working
accepted that it was created by the
It is established that Stuxnet targeted Iran's Natanz nuclear enrichment facility, and so it does no harm to an ordinary Windows machine, on which it remains dormant. It activates itself only once it finds the target PLCs. Its main purpose is to change the speed, pressure, frequency or other parameters of the centrifuges controlled by those PLCs. Stuxnet infects Windows systems using a variety of zero-day exploits and stolen certificates, and installs a Windows rootkit on compatible machines. The stolen certificates belonged to two large companies. It then attempts to bypass behaviour-blocking and host intrusion protection technologies that monitor LoadLibrary calls, by using special processes to load any required DLLs, including injection into pre-existing trusted processes. It typically infects by injecting the entire DLL into another process and only exports additional DLLs as needed. Before attempting to inject its initial payload it performs several checks: that its host is running a compatible version of Windows, whether the host is already infected, and which anti-virus products are installed. Spreading laterally through infected networks, using removable media, network connections and/or Step7 project files, it looks for target industrial systems (Siemens WinCC SCADA). When it finds one, it uses hard-coded SQL authentication within the system to inject code into the database, infecting the system in order to gain access to the target PLCs. It then injects code blocks into the target PLCs that can interrupt processes, inject traffic onto the Profibus and modify the PLC output bits, effectively establishing itself as a hidden rootkit that can inject commands into the target PLCs. It uses the infected PLCs to watch for specific behaviours by monitoring Profibus (the industrial network protocol used by Siemens). If certain frequency controller settings are found, Stuxnet throttles the frequency settings from 1410 Hz to 2 Hz, in a cycle. It includes the capabilities to remove itself from incompatible systems, lie dormant, reinfect cleaned systems, and communicate peer to peer in order to self-update within infected networks.

Fig 1: Working of Stuxnet
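The frequency manipulation described above (1410 Hz to 2 Hz, in a cycle) is visible to anyone who independently watches the commanded setpoint. The following is an added example, not code from the paper: a monitor that flags setpoint samples outside an assumed nominal band or with an implausible step change; the band, the step limit and the sample series are constructed.

```python
"""Out-of-band frequency setpoint monitor (added example, not from the paper).

An independent monitor that reads the commanded centrifuge frequency (for
example from a historian export or a passive Profibus tap) can flag every
sample that leaves the plant's nominal band or jumps by an implausibly large
step from the previous sample. The band, the step limit and the sample data
below are constructed assumptions, not values from the paper.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    t: int            # sample time in seconds (constructed)
    freq_hz: float    # commanded frequency observed at that time
    reason: str       # why the sample was flagged


def detect_setpoint_anomalies(samples: Iterable[Tuple[int, float]],
                              band: Tuple[float, float] = (900.0, 1100.0),
                              max_step_hz: float = 50.0) -> List[Alert]:
    """Return one Alert per sample outside `band`, or per in-band sample that
    moved more than `max_step_hz` since the previous sample (the second rule
    also catches the abrupt return to normal after an excursion). Both
    thresholds are assumptions; a real plant takes them from its process
    engineering, not from this example."""
    lo, hi = band
    alerts: List[Alert] = []
    prev: Optional[float] = None
    for t, f in samples:
        if f < lo or f > hi:
            alerts.append(Alert(t, f, "outside nominal band"))
        elif prev is not None and abs(f - prev) > max_step_hz:
            alerts.append(Alert(t, f, "step change too large"))
        prev = f
    return alerts


# Constructed sample: steady running, the 1410 Hz / 2 Hz cycle, then recovery
SAMPLES = [(0, 1000.0), (1, 1002.5), (2, 999.0), (3, 1001.0),
           (4, 1410.0), (5, 1410.0), (6, 2.0), (7, 2.0), (8, 1000.0)]

if __name__ == "__main__":
    for a in detect_setpoint_anomalies(SAMPLES):
        print(f"t={a.t:>3}s  {a.freq_hz:8.1f} Hz  {a.reason}")
```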
III. Dissemination Mechanisms:

The methods by which Stuxnet disseminates are listed below:-

USB flash drives: The ultimate goal of Stuxnet is to reach the computers that control the centrifuges. These are the PLCs (Programmable Logic Controllers), special-purpose computers used for controlling electronic devices or systems, such as industrial systems. The PLCs are connected to computers that control and monitor them, and typically none of these are connected to the Internet. Stuxnet therefore needs some other vector to reach those computers, and its capability of propagating via USB flash drives gives it one.

WinCC: Stuxnet searches for computers running Siemens WinCC, which is an interface to their SCADA systems. It connects to WinCC using a hardcoded password and attacks its database with SQL commands to upload and start a copy of itself on the WinCC computer.

Network shares: Stuxnet uses Windows shared folders to propagate itself over a local network. It places a dropper file in a folder shared by a remote computer and schedules a task to execute it. ESET says the task is scheduled to run the next day, whereas Symantec claims it is scheduled for two minutes after the file is shared.

The MS10-061 print spooler 0-day vulnerability: Stuxnet copies itself onto remote computers via this vulnerability and then executes the copy, thereby infecting the remote machines. In effect, Stuxnet "prints" itself into two files in the %system% directory of each target machine using this 0-day privilege escalation vulnerability, then executes the dropper file and infects the computer.

The MS08-067 SMB vulnerability: If a remote computer has this vulnerability, Stuxnet can send it a malformed path over SMB (a protocol for sharing files and other resources between computers); this allows it to execute arbitrary code on the remote machine in order to propagate itself to it.

Step7 projects: Stuxnet infects Siemens SIMATIC Step7 industrial control projects that are opened on an infected computer. It modifies DLLs (Windows Dynamic Link Libraries; libraries of shared objects: code, data and resources) and an .exe file in the WinCC SIMATIC Manager so that they execute Stuxnet code as well. The additional code is inserted by Stuxnet into the Step7 project directories.

Fig 2: Dissemination of Stuxnet

IV. Firewall for Stuxnet:-

This was thought to be the first time that malware had been used to attack industrial machinery. But in 2013 Symantec researchers said they had uncovered a version of Stuxnet that may have first been pushed out as early as 2005.

Iran's university scientists have developed a firewall for industrial automation systems to neutralize damage to industrial systems such as that caused by Stuxnet in power networks, and it was tested successfully. Iran has thus built a firewall against the Stuxnet worm, which created tension among nations such as the United States.

The other "firewalls" (antivirus detection names) used against Stuxnet are:-

F-Secure: Trojan-Dropper:W32/Stuxnet
Kaspersky: Rootkit.Win32.Stuxnet.b or Rootkit.Win32.Stuxnet.a
McAfee: Stuxnet
Norman: W32/Stuxnet.A
Sophos: Troj/Stuxnet-A or W32/Stuxnet-B
Symantec: W32.Temphid
TrendMicro: WORM_STUXNET.A

V. Mitigation techniques:-

Since Siemens software is what is compromised when a computer is infected with Stuxnet, it is important to contact Siemens if an infection is suspected.

Also run a full system scan with an antivirus program such as Avast or AVG, or an on-demand virus scanner such as Malwarebytes.
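The network-share mechanism in Section III (a dropper placed on a remote share, then a scheduled task to run it) leaves two host-side traces that the scanning advice in Section V does not rely on. As an added detection example, not code from the paper: the script below joins Windows Security event 5145 (share object accessed with WriteData) to event 4698 (scheduled task created) on the same host and file path. The 'ts key=value' log format, hosts, addresses and file names are constructed.

```python
"""Correlate a remote write to a share with a scheduled task that runs the
written file (added example; the 'ts key=value' format is constructed).

Joining on the task's creation time rather than its run time catches the pair
whether the task is set to fire two minutes later (Symantec) or the next day
(ESET). Event IDs 5145 and 4698 are real Windows Security events; everything
else in the sample is made up.
"""
from datetime import datetime, timedelta
from typing import Dict, List


def parse(line: str) -> Dict[str, str]:
    """Parse one constructed 'ts k=v k=v ...' line into a dict."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def correlate(lines: List[str], window_seconds: int = 600) -> List[str]:
    """Return one finding per 4698 whose command path was written over the
    network (5145 with WriteData) on the same host within the window before."""
    window = timedelta(seconds=window_seconds)
    writes = []      # (time, host, share-relative path, source address)
    findings = []
    for ev in map(parse, lines):
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev.get("event") == "5145" and "WriteData" in ev.get("access", ""):
            writes.append((t, ev["host"], ev["path"].lower(), ev["src"]))
        elif ev.get("event") == "4698":
            cmd = ev["command"].lower()
            for wt, host, path, src in writes:
                if host == ev["host"] and cmd.endswith(path) and timedelta(0) <= t - wt <= window:
                    findings.append(f"{host}: task {ev['task']} runs {ev['command']}, "
                                    f"written from {src} {int((t - wt).total_seconds())}s earlier")
    return findings


# Constructed sample events: hosts, addresses and file names are made up
SAMPLE_LOG = [
    "2010-06-17T09:58:00Z host=WS01 event=5145 src=10.0.0.5 share=\\\\WS01\\C$ path=windows\\temp\\update.exe access=WriteData",
    "2010-06-17T10:00:00Z host=WS01 event=4698 user=SYSTEM task=\\maint command=c:\\windows\\temp\\update.exe",
    "2010-06-17T10:05:00Z host=WS02 event=4698 user=admin task=\\backup command=c:\\tools\\backup.exe",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```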
It is also necessary to keep Windows updated, which can be done with Windows Update.

VI. Our Addition

Stuxnet has proved to be the most dangerous worm to date. It has various capabilities for hiding its existence from the user. After understanding the damage it caused and the ways in which it spreads, we can infer that the main threat to any industrial company is its physical security policy. To prevent such attacks one should follow a good security policy. Unauthorized people should not be given access to the PCs. Specific people should be assigned to specific tasks, and their head should monitor those tasks on a regular basis. Pen drives should always be scanned before use. The AutoRun feature should be disabled, as it is by default for non-optical removable drives in recent versions of Windows. The antivirus software and the firewall must be up to date and operational. Another important aspect to take care of is peer trust. As seen in the case of Iran, it was an insider who used a pen drive and allowed Stuxnet to carry out its destruction. Trusted authorities should also be monitored regularly and should be answerable for their tasks.

Conclusion:-

It is likely that Stuxnet would have caused greater damage had it not been noticed by security researchers, who subsequently published detailed reports on it. It delayed Iran's nuclear weapons program, but likely did not have as much impact as its creators had hoped for. It has also increased awareness of the vulnerabilities of industrial control systems, which have not been the target of many attacks yet. This should make industrial organizations more hardened against attack as time goes on, but that is balanced against the increased risk of such attacks. After understanding the working of the worm and its spreading techniques, one knows where a stronger security policy is needed. It is easy to conclude that security is the most important factor, whether physical or cyber.
