Inside Stuxnet: Researcher drops new clues about origin of worm

Summary: The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.

VANCOUVER -- The mysterious Stuxnet worm took center stage at the Virus Bulletin 2010 conference here with a prominent security researcher dropping a raw hint that Israel may be behind the industrial-strength malware attack.

Symantec security researcher Liam O Murchu says he found the "05091979" date in the Stuxnet code, a possible link to the May 9, 1979 execution of Jewish Iranian businessman and philanthropist Habib Elghanian.

Ever since the discovery of the worm, which Microsoft says dates back to January 2009, there has been incessant speculation that Stuxnet is a nation-state attack against Iranian nuclear plants. We've heard murmurings of biblical references and public confirmation that Iran's Bushehr nuclear reactor was the main target.

Now comes O Murchu with this titillating disclosure suggesting a direct link to Israel. However, security experts are cautioning against reading too much into anything deliberately left in the code by the Stuxnet authors because, at this level, there could be all kinds of decoys and misdirection.

O Murchu's presentation, complete with a live demo of an attack against a Siemens PLC, provided the first detailed glimpse into the Stuxnet code. He explained that the malware targets only two models of the Siemens PLC (S7-300 and S7-400) and injects its rootkit code only when it finds very specific configurations.

The code is so narrowly targeted that it will not infect the PLC unless it also finds a specific Profibus communications processor (CP 342-5) attached to it, he added.

"Stuxnet uses a 'man-in-the-app' attack," O Murchu said. "Once Stuxnet is on your computer, you have lost control of your PLC."

"We know everything that Stuxnet does on an infected PLC but we're just unsure of real world effects of this code.  It is difficult to understand the real world actions without knowing what is connected on the inputs and outputs [of the PLCs]," he added.

During the demonstration, O Murchu used proof-of-concept code (not based on Stuxnet's own code) to infect a Siemens S7-300 PLC connected to a humming air pump. Using just eight lines of code, he programmed the pump to run for a few seconds, inflating a red balloon.

He then modified the code slightly to run the pump for 140 seconds, again inflating the balloon until it popped with a loud bang.

"If this PLC was connected to an oil pipeline, you can see that the result would be much worse," he declared to applause from the audience.
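To make concrete what "a few lines of PLC code" driving a pump for a fixed time looks like, here is an added illustration in Siemens STL (Statement List); it is not O Murchu's demo code and is not derived from Stuxnet. It assumes, hypothetically, that the pump relay is wired to digital output Q 0.0 and that a start condition arrives on input I 0.0; the only change between the short run and the 140-second run is the timer preset.

```stl
// Added illustration, not the conference demo code. Hypothetical I/O map:
// I 0.0 = start condition, Q 0.0 = pump relay, T 1 = S5 timer used as a pulse.
// SE starts T 1 as an "extended pulse": once I 0.0 has been seen high, the
// timer runs for the full preset and its output stays 1 for that whole period,
// even if I 0.0 drops again. Q 0.0 therefore follows the timer, not the input.
      A     I      0.0        // start condition (rising edge starts the timer)
      L     S5T#140S          // preset: 140 s, the run that popped the balloon
                              // (S5T#5S would reproduce the few-second first run)
      SE    T      1          // start T 1 as extended pulse (S_PEXT)
      A     T      1          // timer output is 1 while the preset is running
      =     Q      0.0        // drive the pump for exactly the preset time
```

The point of the demo is that nothing in this logic is malicious on its own: it is ordinary control code, and the only thing that makes it dangerous is that the value loaded into the timer preset, and the process wired to Q 0.0, are chosen by whoever controls the PLC rather than by the plant engineer.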

During a separate presentation, representatives from Kaspersky Lab (see disclosure), Symantec and Microsoft provided a discovery timeline and details on the four zero-day vulnerabilities used by Stuxnet.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
