Stuxnet In Pictures: The Cyber-Weapon Said to Target Iran's Nuclear Infrastructure

A programmable logic controller (PLC) is a specialized, self-contained computer system used in manufacturing and processing plants around the world.

Most PLCs utilize a diagrammatic programming language called "ladder logic", not dissimilar to traditional flow charts, to allow engineers to schedule activities, turn switches on and off, regulate work-in-process queues and perform many other functions using "code blocks".

For example, a refinery might employ a PLC to control the flow of oil and byproducts between multiple stages of the refining process. It would perform these tasks by opening and closing valves, reading level sensors, etc.

PLCs are often network-attached. The term SCADA (Supervisory Control and Data Acquisition) refers to a network of PLCs and related devices that are supervised by control systems.

With that as a bit of background, let's rewind to July 2010. That month security vendors began warning of a new type of malware identified as either "Tmphider" or "W32.Stuxnet". The malware used a zero-day Windows vulnerability (involving .lnk or .pif shortcut files) to install both kernel- and user-mode attack software.

Virtually every version of Windows was vulnerable. But, interestingly, the malware had first been spotted infesting Siemens WinCC SCADA systems. Siemens makes one of the world's most popular lines of PLCs and was, as of a few years ago, reported to have a third of the world's market share.

When Stuxnet infects a Windows machine, it reports back to a C&C (command and control) server the following information within an encrypted HTTP request.

• The Windows version information
• The computer name
• The network group name
• Flag for whether SCADA software was installed or not
• IP addresses of all network interfaces

Symantec reports that the malware has some amazing capabilities targeting SCADA directly: "Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC."

It appears that Stuxnet contains 70 or more hidden code blocks for PLC operations including some of the most basic operations. It can also customize the code blocks based upon PLC model and type. It is not yet clear, however, what the modified PLC code blocks are intended to do.

However, it is rather certain that the code is not intended to streamline processes and improve efficiencies:

A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Given the countries targeted -- Iran appears to be a primary 'beneficiary' of Stuxnet -- researchers speculate that the malware was designed to destroy the Islamic Republic's burgeoning nuclear infrastructure.

If that is the case, I have only one word for Stuxnet: Godspeed.


Update: The AP reports that 'Worm hits computers of staff at Iran nuclear plant.'