Beware of the Stuxnet worm!

Stuxnet has wrecked havoc across the world. Last June, this deadly worm capable of destroying nuclear plants was discovered at the Bushehr nuclear power plant in Iran.

A study by Symantec now confirms that the Stuxnet worm can control high-speed motors.

Till September this year, 100,000 infected hosts and over 40,000 unique external IP addresses were affected.

Stuxnet has destroyed industrial control systems in as many as 155 countries, including India.

Stuxnet, the first computer worm to affect real-world equipment has impacted critical infrastructure such as nuclear power plants, dams, water treatment facilities and other factories.

While 60 per cent of the infections were observed in Iran, India had the third highest infection rate globally, just behind Indonesia. Nearly ten per cent of Stuxnet infections were observed in India.

Symantec observed that Stuxnet is sophisticated, well-funded, requires numerous experts in different fields, and is mostly bug-free, which is rare.

It would have taken a team of 5-10 people up to six months to write the Stuxnet code which leverages four zero-day vulnerabilities.

Symantec tracked 12 zero-day vulnerabilities in 2009.

Stuxnet can propagate through multiple infection vectors such as USB drives, to infect systems that are typically not connected to the internet for security purposes, and aims to identify those hosts which have Step7 a software used to program PLCs (Programmable Logic Controllers) installed.

After the threat has installed itself, dropped its files, and gathered some information about the system it contacts the command and control server and sends some basic information about the compromised computer to the attacker via http.

The two URLs above previously pointed to servers in Malaysia and Denmark; however they have since been redirected to prevent the attackers from controlling any compromised computers.

On seeking Industrial Control Systems, Stuxnet changes the code in them to allow attackers to surreptitiously take control of these systems.

From Symantec's analysis, it is evident that authors are capable of monitoring inputs and changing outputs, which could mean this malware could lead to system shut-downs, explosions or the inability to control important attributes like pressure and temperature.

how to control the missile worm

Identify critical infrastructure within your enterprise that may be at risk.

Many of today's threats are designed to steal information. Enterprises need to practice information intelligence and be able to guard against threats that get into an environment, as well as protect information from leaving the environment.

Enterprises should continually measure and assess their environments and understand the potential for infection/compromise within their systems and have a plan for remediation.

Organisations running industrial control systems consider protections against intellectual property theft on their corporate networks.

The adversaries behind this attack clearly had extensive knowledge of industrial control systems and their means of operation.

A likely prequel of attack against an industrial control system could be theft of key forms of intellectual property (design documents, vendor names and system configurations) from the corporate network, as a means of planning an attack against a company's critical infrastructure.

It is recommended that enterprises have a system in place to audit current controls and assess and prepare for any possible means of infection of critical systems.