Here are some very interesting facts about the worm of the decade:
“The Stuxnet Worm”
- In June 2009 Stuxnet came into existence, and it was first discovered in June 2012. It was named after keywords that security researchers found in the worm's code. Its driver was signed with a valid certificate from Realtek Semiconductor Corp. and JMicron Technology Corporation. Later, VeriSign revoked the Realtek Semiconductor Corp. certificate.
- Stuxnet is able to inject and hide code on a PLC (Programmable Logic Controller). PLCs are small embedded industrial control systems that run automated processes on factory floors and in chemical and nuclear plants, oil refineries, etc. It is also reported to be able to self-replicate through removable USB and other drives, which it did by exploiting a vulnerability that allowed auto-execution of the program.
- It spreads across a LAN through a vulnerability in the Windows Print Spooler. It uses the same vulnerability to copy and execute itself on remote computers through network shares and on remote computers running a WinCC database server.
- It updates itself using a peer-to-peer mechanism within the LAN. In total it exploited four different zero-day Microsoft Windows vulnerabilities.
- It is able to contact and be controlled by a server that is responsible for downloading and executing code. To make matters worse, it contains a Windows rootkit, which makes its binaries invisible.
- It can bypass any security product easily. VirusBlokAda reported W32.Stuxnet under the name RootkitTmphider, and Symantec added detection known as W32.Temphid. All efforts were in vain, as its ability to change its code made it undetectable again.
- The author of this worm is yet to be discovered, but it is said that it was developed by the USA and Israel to attack Iran's nuclear program. On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama. Iran is the country most affected by the Stuxnet worm. The worm led to delays in Iran's nuclear project at Bushehr.
- Some of its achievements: it was the first to exploit four zero-day vulnerabilities in Microsoft Windows, and it also compromised two digital certificates. Most programmers consider Stuxnet the most complex virus ever created in the history of cyber security.
- A study by Symantec showed that Stuxnet affected 58.85% of computers in Iran, 18.22% of computers in Indonesia, and 8.31% of computers in India. Sky News reported that it had obtained information from an anonymous source that a worm similar to Stuxnet had been heavily traded on the black market.
- Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft patches for security vulnerabilities and prohibiting the use of third-party USB flash drives.