An Analysis of the Stuxnet Malware Virus, Case Study Example

Pages: 4

Words: 993

Case Study

By definition, as one of the most complex and destructive types of malware, Stuxnet was designed as “a threat that was primarily written to target an industrial control system or set of similar systems” with the goal being to “reprogram industrial control systems by modifying code on programmable logic controllers.” The main focus of the attacker was to make the code operate in a particular way so as to disrupt the ICS while also hiding alterations to the code from the operator of the ICS and its users (Falliere, Murchu & Chien, 2011, p. 1).

In relation to the Stuxnet malware virus and the disruption of the computer system at the Natanz uranium enrichment plant in central Iran, the researchers from Symantec discovered that two domains were responsible for the infection–www.mypremierfutbol.com and www.todaysfutbol.com–which were based in host servers in Malaysia and Denmark. For the attackers, the command and control servers allowed them to “update Stuxnet on infected machines with new functionality or even install more malicious files.” Also, the DNS or Domain Name System providers had cleverly thought ahead by dead-lettering or delaying “incoming traffic to prevent it from reaching the attackers” (Mittal, 2011).

Thus, as a forensic technique, the Symantec researchers contacted the DNS providers and requested that they reroute all traffic to a sinkhole or a computer that “spoofs the authoritative DNS servers for malicious and unwanted hosts and domains” and returns false IP addresses which in effect “denies the client a connection to the target host” (Bruneau, 2010, p. 2). This computer sinkhole was of course under the control of the Symantec researchers and once reports from infected computers had been returned to them, they immediately began to share the information and data with other firms that specialize in computer security (Mittal, 2011). What the researchers found as a result of utilizing this sinkhole computer was that some 38,000 computers worldwide were infected with the Stuxnet malware virus. This number increased to more than 100,000 infected computers and efforts by antivirus companies to stop the spread of the virus via signatures failed to do so (Mittal, 2011).
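The sinkhole technique described above, as an added Python example that is not part of the original essay or of Symantec's tooling: it answers queries for the two domains named in the essay with a sinkhole address and counts the distinct clients that asked for them. The log format, sinkhole address, timestamps and client IPs are constructed for illustration.

```python
from collections import defaultdict

# Domains named in the case study as Stuxnet command-and-control hosts.
SINKHOLED = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}
SINKHOLE_IP = "192.0.2.53"  # assumption: documentation-range address

# Constructed sample log, format assumed: timestamp client_ip qtype qname
SAMPLE_LOG = [
    "2010-07-20T10:00:01Z 198.51.100.7 A www.mypremierfutbol.com.",
    "2010-07-20T10:00:05Z 198.51.100.7 A WWW.TODAYSFUTBOL.COM",
    "2010-07-20T10:00:09Z 203.0.113.21 A www.todaysfutbol.com",
    "2010-07-20T10:01:13Z 203.0.113.40 A www.example.org",
    "2010-07-20T10:02:00Z 203.0.113.21 A www.todaysfutbol.com",
    "truncated-line",
]


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def answer_for(qname):
    """Sinkhole address for a listed domain, else None (resolve normally)."""
    return SINKHOLE_IP if normalize(qname) in SINKHOLED else None


def tally_infected(lines):
    """Map each sinkholed domain to the distinct clients that queried it."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:  # skip malformed or truncated records
            continue
        _, client, qtype, qname = parts
        if qtype.upper() in ("A", "AAAA") and answer_for(qname):
            hits[normalize(qname)].add(client)
    return dict(hits)


def infected_clients(lines):
    """Distinct clients overall; a host that queried both domains counts once."""
    clients = set()
    for seen in tally_infected(lines).values():
        clients |= seen
    return clients


if __name__ == "__main__":
    print(len(infected_clients(SAMPLE_LOG)), "distinct clients hit the sinkhole")
```

Counting distinct clients rather than raw queries matters here because an infected host retries and may contact both domains.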

In addition, the researchers discovered through their analysis of the malware virus that along with infecting LNKs or computer file extensions, the virus had “exploited a print spooler vulnerability in Windows computers” which allowed the virus to infect shared printers. Also, the virus attacked several kinds of “vulnerabilities in a Windows keyboard file and task scheduler file” which gave the attackers free rein in regards to controlling computer functionality. The virus had also “exploited a static password that Siemens,” a German-based engineering and electronics company, had “hard-coded into its Step7 software.” Thus, the Stuxnet malware virus utilized this weakness to infect servers that hosted databases installed with Step7 software which allowed it to infect additional computers linked up with the server (Mittal, 2011).

As to Stuxnet’s DLL file, researchers from Symantec came to realize that if an infected computer system had been installed with the Siemens’ Step7 software, the Stuxnet malware virus was able to decrypt and load up a very malicious DLL file or a library of various computer functions. This DLL file “impersonated a legitimate DLL file” known as s7otbxdx.dll which “served as a common repository for functions used by different pieces of the Step7 software.” Another area of concern was that the malicious Stuxnet DLL file was capable of intercepting “commands going from the Step7 software to the PLC” or programmable logic controller and “replacing them with its own malicious commands.” Stuxnet was also capable of disabling automated alarms that would signal to the user that malicious commands were at work inside of the computer system. In addition, the malware virus “masked what was happening on the PLC by intercepting status reports sent from the PLC to the Step7 machine,” thus concealing all indications of the Stuxnet commands (Mittal, 2011).

As noted by Mittal, this type of malicious DLL file holds the potential to inflict serious harm on society. As an example, Mittal describes the 1982 CIA digital attack on a Siberian pipeline that “resulted in an explosion a fifth the size of the atomic bomb detonated over Hiroshima” Japan in 1945. What the CIA did was to insert a disruptive DLL file into the software that controlled the pumps and valves on a natural gas pipeline which caused it to malfunction, thus “creating a pressure buildup that exploded into a fireball so large it was captured by orbiting satellites” (2011). Imagine the consequences of such a malicious DLL file being inserted into the computer systems of America’s nuclear power plants. The results of this would certainly be catastrophic. Mittal also notes that critical computer systems are far more vulnerable to attack by malware viruses and malicious DLL files because of the existence of the Internet which allows computer systems to link up together as networks, thus providing the opportunity for malware viruses like Stuxnet to spread among the systems, much like an infectious disease spreading among an indigenous group of people (2011).

Lastly, it is obvious that the Stuxnet creators and attackers had deliberately targeted the Natanz uranium enrichment plant in Iran. This is due to three specific findings made by the Symantec researchers: (1) the attackers had “focused their attack on computers at five organizations in Iran that they believed would be gateways to the target they were seeking,” with the target being Natanz; (2) the “nominal frequency at which Natanz’s centrifuges operated was 1,064 Hz,” the same frequency Stuxnet “restored converters to after drastically increasing and decreasing it” during the initial attack; and (3) data in the Stuxnet malware virus “indicated that it was targeting devices configured in groups of 164,” matching Natanz’s cascades of 164 centrifuges (Mittal, 2011).

References

Bruneau, G. (2010). DNS sinkhole. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

Falliere, N., Murchu, L.O., and Chien, E. (2011). W32.Stuxnet dossier. Symantec Security Response. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Mittal, P. (2011). How digital detectives deciphered Stuxnet, the most menacing malware in history. Wired. Retrieved from http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/1
