CSIA 301

09/21/2014

Research Paper

Stuxnet worm

The Stuxnet worm was first discovered in June 2010 and has since been labeled the most complex weapon in cyber warfare to this dayto date. Norton Symantec stated “It’s like nothing we’ve seen before – both in what it does, and how it came to exist. It is the first computer virus to be able to wreak havoc in the physical world CITATION The11 l 1033 (The Stuxnet Worm, 2011)” The Stuxnet worm is A form of malware, e or malicious software, that has over 1500 lines of code embedded in it, the Stuxnet. This worm can has the ability to infect computer systems that where with running a Microsoft Wwindows operating system,s and llyingay dormant without being undetected while itand replicatinges itself until it finds its true target. After the worm’s target is acquired it then makescauses the targeted equipment to raise its rate of rotation per minute at to a dangerously high speed and ultimatelyconsequently causinge the target to rip itself apart. Meanwhile As this is occurring, another poartion of the worm creates false positive readings to indicate showing the workers that the equipment is still working at the suggestive rate . The wormwhile simultaneously overr ridinges the manual kill switch thereby disabling any preventative or reactionary measuresso workers cannot stop this action from happening if they wanted toomight attempt.

The only known attack of the Stuxnet virus is the attack against the Iranian nuclear facilities. Although no country or group has come forward and confirmed that they initiated the cyber-attack on the Iranian nuclear facilities, due to the complexity of the worm and the amount of founding it must have taken to create it tthis cyber super weapon it is rumored that thehas led theorists to believe that the attack was carried out by the U.S. and Israeli governments for political reasons.gain. Kushner (2013) supportsSupports this belief and states that “Analysts then realized that financial gain had not been the objective. It was a politically motivated attack. Kushner (2013). CITATION Dav13 l 1033 (Kushner, 2013)” Whether staged for financial or political gain, tThe Stuxnet attack on the Iranian nuclear faculties was devastating to the whole of their nuclear program. The creator of the StuxnetWhen launched against the Iranian nuclear system, the Stuxnet worm exploited 4 different zero day vulnerabilities on Microsoft’s website. This was the first worm to exploit so many zero-days. This is howBy exploiting these vulnerabilities, the worm was able to infect it infected other computers that used the Microsoft operating system by. The worm was able to creatinge a false yet seemingly n authentic digital certificate that stated shows the update wasat it is coming from a trusted company. As a result of this seemingly authentic digital certificate, the patch was downloaded many times and traces of this worm have been tracked to personal computer systems in countries around the world. By far the most traces were found in computers in Iran and surrounding countries such as Indonesia and India. Though the impact has not been as severe or widespread, traces of the virus have even been found on some computers in the United States. When it wasThe download was just the beginning of the attack, however, and it was not until after the virus was downloaded into the systems, that the worm then replicatesbegan replicating itself and started searching fors to look for its target which is now known to be a specific Siemen software and hardware combination that runs on Microsoft operation systems. Specifically, The “Stuxnet is designed to attack the Siemens Simatic WinCC SCADA system. These SCADA systems are installed in big facilities to manage operations. CITATION Jan10 l 1033 (McEntegart, 2010) ” (McEntegart, 2010). To operate in such a way, But in order for the worm to find itself from the PC’s to the target the worm replicated itself and had to traveled on the drivers of removable USB drives. After the worm infected the drivers on the USB, it is said that an employee at the nuclear facility brought one of the infected USB’s to the nuclear facility and plugged it into a computer at theon site. Traces of this worm have been tracked to have infected personal computer systems in countries around the world. By far the most traces where found in computers in Iran and surrounding countries such as Indonesia, India and even some computers in the United states where infected by the Stuxnet virus. After the worm infected the drivers on the USB it is said that an employee at the nuclear facility brought one of the infected USB’s to the nuclear facility and plugged it into a computer at the site. After t Once the worm searched the new computer system and realized that the computerand realized it was on the same network that tas the target was ontarget, it went to work. The worm then travelbegan traveling though out the network, and found the particular targeted Siemens Simatic WinCC SCADA system, and as well as the software associated with the system, . The worm thenand raised the level of rotations per minute on the hardware on the Siemens Simatic WinCC SCADA system. The worm continues to raise the speed of rotations on the hardware,Then causing the rotors to spin extremely fast and causing eventually forcing the system to spiral out of control. As this was occurring, the worm began to complete the job it was designed to do by causing While the system was spinning out of control the worm also made the software checks to look as if the hardware was working properly . During this time the worm had alsoand takingen over the controls for the system kill switch. The workers at the facility had no way to ever prepare for a meltdown of this magnitude and. this silentThis was an attack twas one for whichhat no one was prepared. had any idea that anyone or group was capable of doing the attackers had all the angles covered besides destroy all the evidence. This attack was so deviously designed that it could have gone completely unnoticed had the designers taken the time to design a method by which all evidence would be destroyed after the attack, but they did not do so and their neglect in doing so raises questions of future motives. By not neglecting to destroying all the evidence, from the designers actually increase and enhance the effects and impact of Stuxnet. Kelley (2013) puts it this way,the attack greatly increased the effects and impact of the Stuxnet attack. “ThTat’s because the initial attack provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets, humans working as contractors. CITATION Mic13 l 1033 (Kelley, 2013)” The fact idea that the target now could be humansa human damages the confidentiality. In addition, Now the code that was used to create the Stuxnet worm is now openly available out on the World Wide Web and. tEven though the code is very extremely complicated, many hackers are tryingstill attempt to duplicate what it can do and while possible working on targeting other systems that will be able to cripple society as we know, such as it like electrical grids and water dams. This Stuxnet attack made the use of the nuclear facility power unavailable. If another attack was to happen to something like an electrical grid and shut down a cities electricity lives will be lost. Being that the virus was walked into the nuclear plant hurt the integrity of the system. Also the fact that the worm was able to make the software project false positives stating that the hardware was working correctly also messed up the integrity of the facility.Ways to protect computers from a Stuxnet attack. Due to the complexity of the Stuxnet worm, the most conventional ways of defending protecting computers systems are were not as affectiveineffective. This attack was totally unexpected. But since the attack patches and updates for Microsoft, have come out to fix the zero day vulnerabilities. Siemens has also put out a tool that will detect and remove the stuxnet worms from any infected system. Most anti-virus software have made changes to their software to look for the Stuxnet worm also. Now companies are coming up with ways to check a systems integrity. There is now a program called Hypercheck and “HyperCheck uses an out-of-band network card utilizing the CPU’s System Managed Mode (SMM) to check the integrity of core libraries on the target system, including hypervisor code and the host operating system kernel. CITATION Def10 l 1033 (Defending Against Stuxnet Type Threats, 2010)” If you uses While some basic core methods of protecting computers systems will improve detection of a possible Stuxnet invasion, they might may not aid in completely dhelp defending or protecting your computer or network against the Stuxnet virus.

The most important way to protect against any computer or network attack is to engage in cyber security educationbe educated and educate your employees. Everyone Every employee should have a basic understanding of computer security and . Everyone should have basic knowledge of what to look for as it pertains to computer security. Each All companiesy should have a cyber security personnel in charge aand nd also policies and procedures in place just in case there is an attack. The company should review its policies and procedures should be reviewed and modified annually and then the companies should hold mandatory annual training should be conducted for all employees and as well as introductory information security training for all new employees should be a part of the company’s practices.

The nuclear facility should put in place better physical security to check employees for things like USB drives, removable hard drives, CD and any type of equipment that data can be transferred from. Also the facility should have done more physical check of the systems and had manual ways to shut down the system before in destroyed itself. The Stuxnet worm was the first of its kind. It was malicious software that can do physical damage. It changed the way cyber war is fought it has truly raised the bar when it comes to malware or any cyber-attack. With a few copycat virus now showing up such as Duqu and Flame. The need for companies and governments to secure all systems and educate all personal are at an all-time high. Works Cited BIBLIOGRAPHY Defending Against Stuxnet Type Threats. (2010, OCT. 1). Retrieved from http://www.invincea.com: http://www.invincea.com/2010/10/defending-against-stuxnet-type-threats/

Kelley, M. B. (2013, Nov. 20). The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought. Retrieved from http://www.businessinsider.com: http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11

Kushner, D. (2013, Feb 26). The Real Story of the Stuxnet . Retrieved from http://spectrum.ieee.org: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

McEntegart, J. (2010, September 27). Stuxnet is World’s First Cyber Super Weapon. Retrieved from http://www.tomsguide.com: http://www.tomsguide.com/us/stuxnet-cyber-weapon-worm-trojan,news-8122.html

The Stuxnet Worm. (2011, Nov. 21). Retrieved from http://us.norton.com/: http://us.norton.com/stuxnet

To protect against the Stuxnet virus companies