Wednesday, February 16, 2011

Anonymous Hackers Release Stuxnet Worm Online

The group of anonymous "hacktivists" that made headlines for online cyberattacks in December just released a bombshell online: a decrypted version of the same cyberworm that crippled Iran's nuclear power program.

The ones and zeroes that make up the code called the Stuxnet worm -- described as the most sophisticated cyberweapon ever created -- were reportedly found when the faceless group hacked into the computers of HBGary, a U.S. security company that the anonymous collective viewed as an enemy. And security experts said the leaked code was serious cause for concern.
"There is the real potential that others will build on what is being released," said Michael Gregg, chief operating officer of cybersecurity firm Superior Solutions. Gregg was quick to clarify that the group hasn't released the Stuxnet worm itself, but rather a decrypted version of it that HBGary had been studying -- which could act almost like a building block for cybercrooks.
"As an attacker you need to understand how something works. The better you understand how it works, the easier it is to build something similar that serves the same purpose," Gregg explained. The "decompiled" code the group made available is in that sense akin to a recipe book for disaster, he said.
"With the right tools -- and these guys have shown themselves more than once to be a fairly technical bunch of individuals -- then it gives others a cookbook to start modifying."

Careful examination of the Stuxnet worm by armies of security analysts has shown it to be a cybermissile designed to penetrate advanced security systems. It was equipped with a warhead that targeted and took over the controls of the centrifuge systems at Iran's uranium processing center in Natanz, and it had a second warhead that targeted the massive turbine at the nuclear reactor in Bushehr.
Stuxnet was designed specifically to take over those control systems and evade detection, and it apparently was very successful. But Dave Aitel, CEO of Immunity Inc., painted a firm line between the version of the worm that destroyed Iran's nuclear plant and the code released by Anonymous.
"What they've released is essentially incomprehensible," Aitel said, adding that what the group found was far removed from the raw worm that has been "travelling around Iran destroying nuclear things."
"This is essentially just a translation. HBGary took the worm in the wild and translated it into a slightly easier to read format," Aitel said. He notes that Stuxnet is still a threat, however, and the more dangerous raw version of the worm -- or the "binary" version -- is still easily accessible for those wishing to use it maliciously.
"The Stuxnet binary is widely available," Aitel said. "The people who would use the binary would know how to find it."
Orla Cox, a security operations manager at Symantec, told The Guardian that it was "very difficult to tell" how dangerous Anonymous' copy of Stuxnet is.
"It would be possible [for Anonymous to use Stuxnet in an attack]," Cox said. "But it would require a lot of work; it's certainly not trivial." A hacker would need to repurpose the single-minded code and retarget it, a likely challenge, experts said.
The Anonymous group released the Stuxnet code on February 13, after finding it in a database of e-mails it stole from HBGary. "First public Stuxnet decompile is to be found here," one representative of the group wrote over Twitter.
Anonymous claims the hacking was a response to HBGary's purported efforts to penetrate the group and identify its members. But the reasons for releasing the Stuxnet code are unclear, be they malicious or merely anarchist.
The ramifications, experts say, are far less obscure.
"Now that pieces of that code become available, it's not a far step to others developing their own attack kits," Gregg said. "Just because they don't have malicious intent with it doesn't mean others wouldn't."
"This won't lead to an immediate threat. But it could lead to something soon; in some weeks wouldn't surprise me."

France24 - Stuxnet computer worm

Stuxnet Computer Worm: Cyber Weapon Targets Power Plants, Factories - ABC News

What is the Stuxnet virus?

Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment.[1] While it is not the first time that hackers have targeted industrial systems,[2] it is the first discovered malware that spies on and subverts industrial systems,[3] and the first to include a programmable logic controller (PLC) rootkit.[4][5]
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.[6][7] Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.[8]
The probable target of Stuxnet is widely suspected to be uranium enrichment infrastructure in Iran;[9][10] Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran.[11] Although Siemens initially stated that the worm had not caused any damage,[12] on November 29, Iran confirmed that its nuclear program had indeed been damaged by Stuxnet.[13] The infestation by this worm may therefore have damaged Iran's nuclear facilities in Natanz[14][15] and eventually delayed the start-up of Iran's Bushehr Nuclear Power Plant.[16] Kaspersky Labs concluded that the sophisticated attack could only have been conducted "with nation-state support"[17] and it has been speculated that Israel may have been involved.[18]


The worm was first reported by the security company VirusBlokAda in mid-June 2010, and roots of it have been traced back to June 2009.[8] It contains a component with a build time stamp from 3 February 2010.[19] Kaspersky virus experts believe that Stuxnet started spreading around March or April 2010.[20] In the United Kingdom on 25 November 2010, Sky News reported that it had received information that the Stuxnet worm, or a variation of the virus, had been traded on the black market.[21] The name is derived from some keywords discovered in the software.[22]

Affected countries

A study of the spread of Stuxnet by Symantec showed that the main affected countries as of August 6, 2010 were:[23]
Country             Infected computers
Iran                            62,867
Indonesia                       13,336
India                            6,552
United States                    2,913
Australia                        2,436
United Kingdom                   1,038
Malaysia                         1,013
Pakistan                           993
Finland                              7[24]
Germany                              5[25] (September)


Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; "The attackers took great care to make sure that only their designated targets were hit ... It was a marksman's job."[26] The attack requires in-depth knowledge of industrial processes and an interest in attacking industrial infrastructure.[3][8] The worm contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior.[26] These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.[27]
The complexity of the software is very unusual for malware, and consists of a layered attack against three different systems:
  1. The Windows operating system,
  2. Step 7 industrial software application that runs on Windows and
  3. a Siemens PLC.

Windows infection

Stuxnet attacked Windows systems using four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm[28]). It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet.[27][29][30] The number of zero-day Windows exploits used is unusual, as zero-day Windows exploits are valued, and hackers do not normally waste the use of four different ones in the same worm.[9] Stuxnet is unusually large at half a megabyte in size,[27] and written in different programming languages (including C and C++) which is also irregular for malware.[3][8] The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.[31]
The malware has both user-mode and kernel-mode rootkit capability under Windows,[30] and its device drivers have been digitally signed with the private keys of two certificates that were stolen from separate companies, JMicron and Realtek, that are both located at Hsinchu Science Park in Taiwan.[27][31] The driver signing helped it install kernel-mode rootkit drivers successfully and therefore remain undetected for a relatively long period of time.[32] Both compromised certificates have been revoked by VeriSign.
Two websites were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.[30]

Step 7 software infection

Once installed on a Windows system, Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software[33] (Step 7), and subverts a key communication library of WinCC called s7otbxdx.dll. The purpose of this subversion is to intercept communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system.[30]
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.[34]

PLC infection

[Image: Siemens Simatic S7-300 PLC CPU with three I/O modules attached]
The entirety of the Stuxnet code has not yet been understood, but its payload targets only those SCADA configurations that meet criteria that it is programmed to identify. Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran.[35] Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or centrifuges.
Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[30] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[35] It also installs a rootkit—the first such documented case on this platform—that hides the malware on the system and masks the changes in rotational speed from monitoring systems.
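The targeting criteria and set-point sequence described above point to what a plant defender can actually check: drive frequency, read through a path the PLC rootkit cannot influence. The detection logic below is an added example, not code from the article, Siemens or Symantec; it assumes an independent out-of-band frequency sensor per drive (the drive names such as VFD-03 and the jitter tolerance are constructed) and runs over constructed readings.

```python
# Added example (not code from the page, Siemens or Symantec). Assumes an
# independent out-of-band frequency sensor per drive, because the PLC rootkit
# masks the speed change from the WinCC/Step 7 monitoring path. All readings
# below are constructed sample data.
from __future__ import annotations
from dataclasses import dataclass

NOMINAL_MIN_HZ, NOMINAL_MAX_HZ = 807.0, 1210.0   # band the payload looks for (from the text)
STUXNET_SEQUENCE_HZ = (1410.0, 2.0, 1064.0)      # set-points the payload writes (from the text)
MATCH_TOLERANCE_HZ = 5.0                         # constructed allowance for sensor jitter


@dataclass(frozen=True)
class Reading:
    t: int        # seconds since start of trace (constructed clock)
    drive: str    # drive identifier such as "VFD-03" (constructed)
    hz: float     # measured output frequency


@dataclass(frozen=True)
class Alert:
    drive: str
    t: int
    kind: str     # "out_of_band", "stuxnet_pattern" or "hmi_divergence"
    detail: str


def _near(hz: float, target: float) -> bool:
    return abs(hz - target) <= MATCH_TOLERANCE_HZ


def out_of_band(readings: list[Reading]) -> list[Alert]:
    """Flag every reading outside the 807-1210 Hz band the targeted drives run in."""
    return [Alert(r.drive, r.t, "out_of_band",
                  f"{r.hz:.1f} Hz outside {NOMINAL_MIN_HZ:.0f}-{NOMINAL_MAX_HZ:.0f} Hz")
            for r in readings if not NOMINAL_MIN_HZ <= r.hz <= NOMINAL_MAX_HZ]


def stuxnet_pattern(readings: list[Reading]) -> list[Alert]:
    """Flag a drive that visits 1410 Hz, then 2 Hz, then 1064 Hz, in that order.

    Readings in between do not reset progress: the manipulation is spread out in time.
    """
    alerts: list[Alert] = []
    progress: dict[str, int] = {}  # drive -> index of the next expected set-point
    for r in sorted(readings, key=lambda x: (x.drive, x.t)):
        i = progress.get(r.drive, 0)
        if _near(r.hz, STUXNET_SEQUENCE_HZ[i]):
            i += 1
            if i == len(STUXNET_SEQUENCE_HZ):
                alerts.append(Alert(r.drive, r.t, "stuxnet_pattern",
                                    "1410 -> 2 -> 1064 Hz set-point sequence observed"))
                i = 0
        progress[r.drive] = i
    return alerts


def hmi_divergence(hmi: list[Reading], sensor: list[Reading]) -> list[Alert]:
    """Flag samples where the HMI-reported speed disagrees with the independent sensor.

    Trusting the HMI value alone is exactly what the rootkit's masking defeats.
    """
    hmi_by_key = {(r.drive, r.t): r.hz for r in hmi}
    alerts: list[Alert] = []
    for s in sensor:
        h = hmi_by_key.get((s.drive, s.t))
        if h is not None and abs(h - s.hz) > MATCH_TOLERANCE_HZ:
            alerts.append(Alert(s.drive, s.t, "hmi_divergence",
                                f"HMI reports {h:.1f} Hz, sensor measures {s.hz:.1f} Hz"))
    return alerts


# Constructed traces: the sensor sees the manipulation on VFD-03; the HMI shows 1064 Hz throughout.
SENSOR_TRACE = [
    Reading(0, "VFD-03", 1064.0), Reading(10, "VFD-03", 1064.2),
    Reading(20, "VFD-03", 1410.1), Reading(30, "VFD-03", 1409.8),
    Reading(40, "VFD-03", 2.3), Reading(50, "VFD-03", 1064.0),
    Reading(0, "VFD-04", 1064.0), Reading(10, "VFD-04", 1063.7),
    Reading(20, "VFD-04", 1064.1), Reading(30, "VFD-04", 1064.0),
]
HMI_TRACE = [Reading(r.t, r.drive, 1064.0) for r in SENSOR_TRACE]

if __name__ == "__main__":
    found = out_of_band(SENSOR_TRACE) + stuxnet_pattern(SENSOR_TRACE)
    for a in found + hmi_divergence(HMI_TRACE, SENSOR_TRACE):
        print(f"[{a.kind}] {a.drive} t={a.t}s: {a.detail}")
```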


Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft patches for security vulnerabilities and prohibiting the use of third-party USB flash drives.[36] Siemens also advises immediately upgrading password access codes.[37]
The worm's ability to reprogram external PLCs may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs may be necessary. Despite speculation that incorrect removal of the worm could cause damage,[38] Siemens reports that in the first four months since discovery, the malware was successfully removed from the systems of twenty-two customers without any adverse impact.[25][36]

Speculations about the target and origin

Symantec estimates that the group developing Stuxnet would have been well-funded, consisting of five to ten people, and would have taken six months to prepare.[47] The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it.[9][47][48]
Israel, perhaps through Unit 8200,[49] has been speculated to be the country behind Stuxnet in many media reports[47][50][51] and by experts such as Richard Falkenrath, former Senior Director for Policy and Plans within the United States Department of Homeland Security.[52][48] Yossi Melman, who covers intelligence for the Israeli daily newspaper Haaretz and is writing a book about Israeli intelligence, also suspected that Israel was involved, noting that Meir Dagan, the former (2011) head of the national intelligence agency Mossad, had his term extended in 2009 because he was said to be involved in important projects. Additionally, Israel now expects that Iran will have a nuclear weapon in 2014 or 2015—at least three years later than earlier estimates—without the need for an Israeli military attack on Iranian nuclear facilities; "They seem to know something, that they have more time than originally thought”, he added.[14][26] Israel has not publicly commented on the Stuxnet attack but confirmed that cyberwarfare is now among the pillars of its defense doctrine, with a military intelligence unit set up to pursue both defensive and offensive options.[53][54] When questioned whether Israel was behind the virus in the fall of 2010, some Israeli officials broke into "wide smiles", fueling speculation that the government of Israel was involved with its genesis.[55] American presidential advisor Gary Samore also smiled when Stuxnet was mentioned,[26] although American officials have indicated that the virus originated abroad.[55]
In 2009, a year before Stuxnet was discovered, Scott Borg of the United States Cyber-Consequences Unit (US-CCU) suggested that Israel might prefer to mount a cyber-attack rather than a military strike on Iran's nuclear facilities.[56] According to Borg this kind of attack could involve disrupting sensitive equipment such as centrifuges using malware introduced via infected memory sticks: "Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed ... Israel certainly has the ability to create Stuxnet and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is Israel's obvious weapon of choice."[22] Iran uses P-1 centrifuges at Natanz, the design for which A. Q. Khan stole in 1976 and took to Pakistan. His black market nuclear-proliferation network sold P-1s to, among other customers, Iran. Experts believe that Israel also somehow acquired P-1s and tested Stuxnet on the centrifuges, installed at the Dimona facility that is part of its own nuclear program.[26] The equipment may be from the United States, which received P-1s from Libya's former nuclear program.[57][26]
There has also been speculation on the involvement of NATO, the United States and other Western nations.[58] It has been reported that the United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration, has sought to destroy Iran's nuclear program by novel methods such as undermining Iranian computer systems. A diplomatic cable obtained by WikiLeaks showed how the United States was advised to target Iran's nuclear capabilities through 'covert sabotage'.[59]
Some have also referred to several clues in the code such as a concealed reference to the word "MYRTUS", believed to refer to the Myrtle tree, or Hadassah in Hebrew. Hadassah was the birth name of the former Jewish queen of Persia, Queen Esther.[60][61] However, it may be that the "MYRTUS" reference is simply a misinterpreted reference to SCADA components known as RTUs (Remote Terminal Units) and that this reference is actually "My RTUs"–a management feature of SCADA.[62] Also, the number 19790509 appears once in the code and might refer to the date "1979 May 09", the day Habib Elghanian, a Persian Jew, was executed in Tehran.[30][63][64] This data is not conclusive, since, as written by Symantec, "Attackers would have the natural desire to implicate another party."[30]
Ralph Langner, a German cyber-security researcher, called the malware "a one-shot weapon" and said that the intended target was probably hit,[65] although he admitted this was speculation.[27] Langner also speculated that the infection may have spread from USB drives belonging to Russian contractors.[66]
Kevin Hogan, Senior Director of Security Response at Symantec, has reported that the majority of infected systems were in Iran (about 60%),[67] which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran[9] including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility.[27][68][69]
Bruce Schneier, a computer security expert, condemned the news coverage of Stuxnet as hype, stating that it is almost entirely based on speculation.[70] Additionally, an analysis made by the Federation of American Scientists concluded that Iran's enrichment program had actually progressed in the last year, contrary to claims that it had been damaged by the worm.[71]


  1. ^ "Israel tests on worm called crucial in Iran nuclear delay". 
  2. ^ "Building a Cyber Secure Plant". Siemens. 30 September 2010. Retrieved 5 December 2010. 
  3. ^ a b c Robert McMillan (16 September 2010). "Siemens: Stuxnet worm hit industrial systems". Computerworld. Retrieved 16 September 2010. 
  4. ^ "Last-minute paper: An indepth look into Stuxnet". Virus Bulletin. 
  5. ^ "Stuxnet worm hits Iran nuclear plant staff computers". BBC News. 26 September 2010. 
  6. ^ Nicolas Falliere (6 August 2010). "Stuxnet Introduces the First Known Rootkit for Industrial Control Systems". Symantec. 
  7. ^ a b "Iran's Nuclear Agency Trying to Stop Computer Worm". Tehran: Associated Press. 25 September 2010. Archived from the original on 25 September 2010. Retrieved 25 September 2010. 
  8. ^ a b c d Gregg Keizer (16 September 2010). "Is Stuxnet the 'best' malware ever?". Infoworld. Retrieved 16 September 2010. 
  9. ^ a b c d Fildes, Jonathan (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 23 September 2010. 
  10. ^ Beaumont, Claudine (23 September 2010). "Stuxnet virus: worm 'could be aimed at high-profile Iranian targets'". London: The Daily Telegraph. Retrieved 28 September 2010. 
  11. ^ MacLean, William (24 September 2010). "UPDATE 2-Cyber attack appears to target Iran-tech firms". Reuters. 
  12. ^ ComputerWorld (September 14, 2010). "Siemens: Stuxnet worm hit industrial systems". Computerworld. Retrieved 3 October 2010. 
  13. ^ "Iran Confirms Stuxnet Worm Halted Centrifuges". CBS News. 29 November 2010. 
  14. ^ a b Ethan Bronner & William J. Broad: In a Computer Worm, a Possible Biblical Clue. In: NYTimes. 29 September 2010. Retrieved on 2 October 2010. (en)
  15. ^ a b "Iran Confirms Stuxnet Damage to Nuclear Facilities". Tikun Olam. 25 September 2010. Retrieved 28 September 2010. 
  16. ^ "Software smart bomb fired at Iranian nuclear plant: Experts". 24 September 2010. Retrieved 28 September 2010. 
  17. ^
  18. ^ Markoff, John, "Malware Aimed at Iran Hit Five Sites, Report Says", New York Times, 13 February 2011, p. 15.
  19. ^ Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho. "Stuxnet under the microscope" (PDF). Retrieved 24 September 2010. 
  20. ^ Alexander Gostev (26 September 2010). "Myrtus and Guava: the epidemic, the trends, the numbers". Retrieved 22 January 2011. 
  21. ^ Sam Kiley. "Super Virus A Target For Cyber Terrorists". Retrieved 25 November 2010. 
  22. ^ a b "A worm in the centrifuge: An unusually sophisticated cyber-weapon is mysterious but important". The Economist. 30 September 2010. 
  23. ^ "Factbox: What is Stuxnet?". Reuters. 24 September 2010. Retrieved 30 September 2010. 
  24. ^ cert-fi (1 October 2010). "Stuxnetista havaintoja myös suomalaisissa verkoissa" (in Finnish). CERT-FI. Retrieved 14 October 2010. 
  25. ^ a b crve (17 September 2010). "Stuxnet also found at industrial plants in Germany". The H. Retrieved 18 September 2010. 
  26. ^ a b c d e f g Broad, William J., John Markoff, and David E. Sanger (2011-01-15). "Israel Tests on Worm Called Crucial in Iran Nuclear Delay". New York Times. Retrieved 2011-01-16. 
  27. ^ a b c d e f Kim Zetter (23 September 2010). "Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target". Wired. Retrieved 24 September 2010. 
  28. ^ "Conficker Worm: Help Protect Windows from Conficker". Microsoft. 10 April 2009. Retrieved 6 December 2010. 
  29. ^ Liam O Murchu (17 September 2010). "Stuxnet P2P component". Symantec. Retrieved 24 September 2010. 
  30. ^ a b c d e f g h "W32.Stuxnet Dossier". Symantec Corporation. 
  31. ^ a b (PDF) Stuxnet Under the Microscope. ESET. 2 November 2010. Retrieved 7 December 2010. 
  32. ^ "Kaspersky Lab provides its insights on Stuxnet worm". Kaspersky Lab. 24 September 2010. Retrieved 27 September 2010. 
  33. ^ Nicolas Falliere (26 September 2010). "Stuxnet Infection of Step 7 Projects". Symantec. 
  34. ^ "Vulnerability Summary for CVE-2010-2772". National Vulnerability Database. 22 July 2010. Retrieved 7 December 2010. 
  35. ^ a b Eric Chien (12 November 2010). "Stuxnet: A Breakthrough". Symantec. Retrieved 14 November 2010. 
  36. ^ a b "SIMATIC WinCC / SIMATIC PCS 7: Information concerning Malware / Virus / Trojan". Siemens. Retrieved 24 September 2010. 
  37. ^ Tom Espiner (20 July 2010). "Siemens warns Stuxnet targets of password risk". cnet. Retrieved 17 September 2010. 
  38. ^ "Siemens: Stuxnet Worm Hit Industrial Systems". IDG News. 
  39. ^ "Repository of Industrial Security Incidents". Security Incidents Organization. Retrieved 14 October 2010. 
  40. ^ "DHS National Cyber Security Division's CSSP". DHS. Retrieved 14 October 2010. 
  41. ^ "ISA99, Industrial Automation and Control System Security". ISA. Retrieved 14 October 2010. 
  42. ^ "Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program". IEC. Retrieved 14 October 2010. 
  43. ^ "Chemical Sector Cyber Security Program". ACC ChemITC. Retrieved 14 October 2010. 
  44. ^ "Pipeline SCADA Security Standard". API. Retrieved 19 November 2010. 
  45. ^ Marty Edwards (Idaho National Laboratory) & Todd Stauffer (Siemens). "2008 Automation Summit: A User's Conference". United States Department of Homeland Security. p. 35. 
  46. ^ "The Can of Worms Is Open-Now What?". ControlGlobal. Retrieved 14 October 2010. 
  47. ^ a b c Halliday, Josh (24 September 2010). "Stuxnet worm is the 'work of a national government agency'". London: The Guardian. Retrieved 27 September 2010. 
  48. ^ a b c Markoff, John (26 September 2010). "A Silent Attack, but Not a Subtle One". New York Times. Retrieved 27 September 2010. 
  49. ^ "Stuxnet worm heralds new era of global cyberwar". 30 September 2010. 
  50. ^ Hounshell, Blake (27 September 2010). "6 mysteries about Stuxnet". Foreign Policy. Retrieved 28 September 2010. 
  51. ^ a b "The Stuxnet worm: A cyber-missile aimed at Iran?". The Economist. 24 September 2010. Retrieved 28 September 2010. 
  52. ^ "Falkenrath Says Stuxnet Virus May Have Origin in Israel: Video. Bloomberg Television". 24 September 2010. 
  53. ^ Dan Williams. "Cyber takes centre stage in Israel's war strategy". Reuters, September 28, 2010. 
  54. ^ Antonin Gregoire. "Stuxnet, the real face of cyber warfare". November 25, 2010. 
  55. ^ a b Broad, William J.; Sanger, David E. (18 November 2010). "Worm in Iran Can Wreck Nuclear Centrifuges". The New York Times. 
  56. ^ Heller, Jeffrey; Mark Trevelyan (7 July 2009). "Analysis: Wary of naked force, Israelis eye cyberwar on Iran". Reuters. Retrieved 19 November 2010. 
  57. ^ David Sanger (25 September 2010). "Iran Fights Malware Attacking Computers". New York Times. Retrieved 28 September 2010. 
  58. ^ Reals, Tucker (24 September 2010). "Stuxnet Worm a U.S. Cyber-Attack on Iran Nukes?". CBS News. 
  59. ^ Halliday, Josh (18 January 2011). "WikiLeaks: US advised to sabotage Iran nuclear sites by German thinktank". The Guardian (London). Retrieved 19 January 2011. 
  60. ^ "Iran/Critical National Infrastructure: Cyber Security Experts See The Hand Of Israel's Signals Intelligence Service In The "Stuxnet" Virus Which Has Infected Iranian Nuclear Facilities". 01 September 2010. 
  61. ^ Riddle, Warren (1 October 2010). "Mysterious 'Myrtus' Biblical Reference Spotted in Stuxnet Code". SWITCHED. Retrieved 6 October 2010. 
  62. ^ "SCADA Systems Whitepaper". Motorola. 
  63. ^ "Symantec Puts 'Stuxnet' Malware Under the Knife". PC Magazine. 
  64. ^ "New Clues Point to Israel as Author of Blockbuster Worm, Or Not". Wired. 
  65. ^ Clayton, Mark (21 September 2010). "Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?". Christian Science Monitor. Retrieved 23 September 2010. 
  66. ^ Clayton, Mark (24 September 2010). "Stuxnet worm mystery: What's the cyber weapon after?". Christian Science Monitor. Retrieved 21 January 2011. 
  67. ^ Robert McMillan (23 July 2010). "Iran was prime target of SCADA worm". Computerworld. Retrieved 17 September 2010. 
  68. ^ Paul Woodward (22 September 2010). "Iran confirms Stuxnet found at Bushehr nuclear power plant". Retrieved 28 September 2010. 
  69. ^ "6 mysteries about Stuxnet". Retrieved 28 September 2010. 
  70. ^ Bruce Schneier. "The Story Behind The Stuxnet Virus". 
  71. ^ "Using Enrichment Capacity to Estimate Iran's Breakout Potential". 


  1. hello we are anonymous we did not do that right?
