shahesha01@gmail.com
5/17, Malad Co-op. Hsg. Soc., Poddar Road, Malad (E), Mumbai 400 097
Abstract:-
The era we live in has created a situation of cyber warfare, and cyber weapons are growing at a rapid rate. Stuxnet is a cyber weapon of high destructive value, built from very effective code. It is essentially a sophisticated worm designed specifically to attack the Siemens programmable logic controllers (PLCs) of Iran's nuclear enrichment facilities. Stuxnet, as it came to be known, was different from every virus or worm that came before it: it has proved to be the first software weapon used against a nation. In this paper we discuss the etiology, working and mitigation techniques to counter this threat in the cyber world. The first industrial-grade and most sophisticated of all worms is here to stay, yet the affected world at large refuses to accept its existence. Stuxnet searches for industrial control systems, often known as SCADA systems, and if it finds them on the compromised computer it attempts an attack. The Stuxnet team had experts in both Windows and Siemens controller internals. According to some researchers, some functions called by Stuxnet have still not been positively identified. This paper looks at its main purpose of creation and also discusses the minimum changes we can make to overcome this challenge. We list its interesting features and at the same time explore simple techniques that can add some weight to countering attacks of this nature.
facilities since before. Being a 500-kilobyte computer worm, it has affected over 60,000 computers. The name was given by the antivirus researchers who studied and detected it, by combining strings found in the code ("stub" and "xnet", from the ".stub" section and the MrxNet driver). While the individual engineers behind Stuxnet have not been identified, we know that they were very skilled, and that there were a lot of them.

The concentration of the infections in Iran, together with details from the code, made it obvious that it was particularly targeting Iran's Natanz nuclear plant. The code repeatedly contained the number 164, which was an exact match for the number of centrifuges in each cascade of the Natanz enrichment facility. The cascades were arranged in 15 stages, which resembled and explained some more parts of the code.

The code is dense and roughly 20 times the size of an average piece of malware. Its most striking feature is its engineering quality: almost every malware sample contains sloppy bugs, but Stuxnet was unusually clean. Each line of code was written to perform a specific task, in the right order, to conduct the attack, and there was nothing in it written to draw the attention of analysts, unlike other malware. Most of the code was written in C and C++, with the PLC payload written in Siemens STL. It carries exploits for four zero-day vulnerabilities, which means that a large amount of money was spent on it and makes it clear that a nation state was involved rather than a small hacker team. While neither government has ever officially acknowledged developing Stuxnet, a 2011 video created to celebrate the retirement of Israel Defense Forces chief of staff Gabi Ashkenazi listed Stuxnet as one of the successes under his watch. According to some researchers the two nations suspected of creating the worm are the USA and Israel, though there is no evidence beyond rumors. Israel is suspected because of strings in the code (such as "myrtus", read by some as a reference to the Book of Esther in the Hebrew Bible); the USA is suspected of performing the development and testing of the code. Neither nation has actually accepted responsibility, but it is now widely accepted that it was created by the intelligence agencies of the United States and Israel. The CIA (Central Intelligence Agency), the civilian foreign intelligence service of the federal government of the United States, was deeply involved. Much of the code was written by the National Security Agency (NSA) and Unit 8200, its Israeli equivalent. The programme began under President George W. Bush and continued under President Obama. The United States Cyber Command was also involved, as it had the authority to perform attacks. All these agencies came together to build Stuxnet; the classified programme to develop the worm was given the code name "Operation Olympic Games". Other countries where it was detected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland and Germany. Several other worms with infection capabilities similar to Stuxnet, including those dubbed Duqu and Flame, have been identified in the wild, although their purposes are quite different from Stuxnet's. Their similarity to Stuxnet leads experts to believe that they are products of the same development shop, which is apparently still active.

II. Working
It is established that Stuxnet targeted Iran's Natanz nuclear enrichment facility, so it does not cause any harm to the Windows machines it passes through; it remains dormant and activates itself only once it finds the target PLCs. Its main purpose is to change the speed, pressure, frequency or other parameters of the centrifuges which are controlled by the respective PLCs.

Stuxnet infects Windows systems using a variety of zero-day exploits and stolen code-signing certificates, and installs a Windows rootkit on compatible machines. The stolen certificates belonged to two large hardware companies (Realtek and JMicron). It then attempts to bypass behaviour-blocking and host intrusion prevention technologies that monitor LoadLibrary calls, by using special processes to load any required DLLs, including injection into pre-existing trusted processes. It typically infects by injecting the entire DLL into another process and only exports additional DLLs as needed. It performs several checks to make sure that its host is running a compatible version of Windows, whether or not it is already infected, and which anti-virus products are installed, before attempting to inject its initial payload. Spreading laterally through infected networks, using removable media, network connections and/or Step7 project files, it looks for target industrial systems (Siemens WinCC SCADA and Step7 engineering stations). When found, it uses hard-coded credentials (the WinCC database password) to get into the system in order to gain access to the target PLCs. It then injects code blocks into the target PLCs that can interrupt processes, inject traffic onto the Profibus, and modify the PLC output bits, effectively establishing itself as a hidden rootkit on the PLC that can inject commands and hide the modified blocks from the engineering software. It makes use of the infected PLCs to watch for specific behaviours by monitoring Profibus (the industrial network protocol used by Siemens). If certain frequency-converter settings are found, Stuxnet throttles the drive frequency between 1410 Hz and 2 Hz in a cycle, far outside the normal operating band of the centrifuges. It includes the capabilities to remove itself from incompatible systems, lie dormant, reinfect cleaned systems, and communicate peer to peer in order to self-update within infected networks.

Fig 1: Working of Stuxnet
Stuxnet spreads by several routes:
USB flash drives: its ultimate targets, the computers that control and monitor the centrifuges, are not connected to the Internet, so removable media is the means of reaching them. Stuxnet copies itself to inserted drives and infects any machine the drive is plugged into, using a 0-day in the way Windows handles shortcut (.LNK) files.
Local network: it connects to other machines using a protocol for sharing files and printers (SMB) and, through a 0-day in the Windows Print Spooler, "prints" itself as two files onto the target machine; a task scheduled for two minutes after the print job then executes the dropper file. A second vulnerability allows it to execute arbitrary code on remote machines, and it also updates itself peer to peer over the local network.
WinCC database: it connects to the Siemens WinCC SCADA database and attacks it using SQL.
Step7 project files: it places a copy of itself in control projects, so that it is loaded on any machine on which the projects are opened.

Fig 2: Dissemination of Stuxnet

Anti-virus vendors detect Stuxnet under names including:
F-Secure: Trojan-Dropper:W32/Stuxnet
Kaspersky: Rootkit.Win32.Stuxnet.a or Rootkit.Win32.Stuxnet.b
McAfee: Stuxnet
Norman: W32/Stuxnet.A
Sophos: Troj/Stuxnet-A or W32/Stuxnet-B
Symantec: W32.Temphid
TrendMicro: WORM_STUXNET.A

IV. Firewall for Stuxnet:-
This was thought to be the first time that malware had been used to attack industrial machinery. But in 2013 Symantec researchers said they had uncovered a version of Stuxnet that may have first been pushed out as early as 2005.

V. Mitigation techniques:-
Since Siemens software is what is compromised when a computer is infected with Stuxnet, it is important to contact Siemens if an infection is suspected. Because the rootkit on the PLC hides its injected blocks from the engineering software and feeds the operators normal-looking values, a suspected infection should be confirmed with independent measurements of the process (drive frequencies, rotor speeds) rather than from the operator screens alone.
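The sabotage loop described in the Working section and the detection problem in the Mitigation section can be illustrated with a small simulation. The following Python is an added example written for this page; it is not Stuxnet's code and not the paper's. The target fingerprint (at least 33 frequency-converter drives from Vacon or Fararo Paya running between 807 Hz and 1210 Hz) and the two sabotage set points (1410 Hz and 2 Hz) are taken from Symantec's published analysis of the PLC payload; the first-order drive model, the compressed burst schedule, the 164-drive sample cascade and the replay of a steady-state reading to the HMI are assumptions made for the illustration.

```python
"""Toy cascade model: Stuxnet's target fingerprint, its 1410 Hz / 2 Hz sabotage
cycle hidden behind replayed PLC readings, and an out-of-band detector.

Added illustration only. Not Stuxnet code and not from the paper.
"""
from dataclasses import dataclass

# From Symantec's public analysis of the PLC payload: the converter band the
# worm waited for, its two sabotage set points, minimum drive count, vendors.
NORMAL_BAND_HZ = (807.0, 1210.0)
SABOTAGE_HIGH_HZ = 1410.0
SABOTAGE_LOW_HZ = 2.0
MIN_DRIVES = 33
TARGET_VENDORS = {"Vacon", "Fararo Paya"}


@dataclass
class Drive:
    """Assumed first-order model of a frequency-converter drive."""
    vendor: str
    actual_hz: float
    gain: float = 0.3  # fraction of the set-point error closed per tick (assumption)

    def step(self, setpoint_hz: float) -> float:
        self.actual_hz += self.gain * (setpoint_hz - self.actual_hz)
        return self.actual_hz


def make_cascade(n=164, vendor="Vacon", hz=1064.0):
    """Constructed sample cascade: 164 drives, as the paper's '164' suggests."""
    return [Drive(vendor, hz) for _ in range(n)]


def is_target_cascade(drives):
    """Fingerprint check: enough drives, from the expected vendors, in band."""
    lo, hi = NORMAL_BAND_HZ
    matching = [d for d in drives
                if d.vendor in TARGET_VENDORS and lo <= d.actual_hz <= hi]
    return len(matching) >= MIN_DRIVES


def sabotage_setpoint(tick, normal_hz):
    """Assumed compressed schedule: short bursts at 1410 Hz and 2 Hz, otherwise normal."""
    phase = tick % 40
    if 10 <= phase < 15:
        return SABOTAGE_HIGH_HZ
    if 25 <= phase < 30:
        return SABOTAGE_LOW_HZ
    return normal_hz


def run(drives, ticks=80, infected=True):
    """Return (reported, actual) per tick: PLC-reported vs true drive frequency.

    With the PLC rootkit active the HMI is fed a replay of healthy operation
    (modelled as the steady-state value) while the real set point is the
    sabotage one. Uninfected, the PLC reports what the drives actually do.
    """
    normal_hz = drives[0].actual_hz
    reported, actual = [], []
    for t in range(ticks):
        sp = sabotage_setpoint(t, normal_hz) if infected else normal_hz
        true_hz = max(d.step(sp) for d in drives)  # all drives identical here
        actual.append(true_hz)
        reported.append(normal_hz if infected else true_hz)
    return reported, actual


def out_of_band(samples, band=NORMAL_BAND_HZ):
    """Ticks at which a frequency sample lies outside the normal band."""
    lo, hi = band
    return [i for i, hz in enumerate(samples) if not lo <= hz <= hi]


def disagreement(reported, actual, tol_hz=20.0):
    """Ticks at which PLC-reported and independently measured values diverge."""
    return [i for i, (r, a) in enumerate(zip(reported, actual))
            if abs(r - a) > tol_hz]


if __name__ == "__main__":
    cascade = make_cascade()
    print("fingerprint matches:", is_target_cascade(cascade))
    rep, act = run(cascade)
    print("alerts from PLC-reported data:", len(out_of_band(rep)))
    print("alerts from independent telemetry:", len(out_of_band(act)))
    print("ticks where HMI and telemetry disagree:", len(disagreement(rep, act)))
```

Running the block shows the property that matters for mitigation: a detector fed from the PLC's own reported values raises no alert, because the rootkit on the PLC replays healthy operation to the HMI, while the same band check on telemetry that bypasses the PLC (a current clamp or vibration sensor on the drive, for example) catches every burst. Contacting Siemens, as the paper advises, remains the first step; the independent measurement is what you bring to that conversation.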