VANCOUVER – A Symantec researcher filled in more critical details about the Stuxnet worm here, demonstrating the worm’s ability to take control of Siemens programmable logic controllers (PLCs) and disable machinery connected to them.
Liam O’Murchu of Symantec, speaking at the Virus Bulletin Conference here, provided the first detailed public analysis of the worm’s inner workings to an audience of some of the world’s top computer virus experts. O’Murchu described a sophisticated and highly targeted piece of malware and demonstrated a proof-of-concept exploit showing how the worm could cause machinery controlled by infected PLCs to run out of control.
O’Murchu said that Symantec analysts were able to reverse engineer the virus’s code and now understand exactly what Stuxnet does. However, without understanding what types of machinery the targeted logic controllers were connected to, it is impossible to know what harm the worm caused on infected industrial control systems – if any.
“We know what Stuxnet does on PLCs, but not the real-world effects of this code,” he said.
The worm used a novel method to compromise the PLCs, with the first known rootkit designed to control PLCs. O’Murchu told attendees that Stuxnet was highly targeted, looking for systems using a specific type of Profibus communications processor card and connected to specific models of programmable logic controllers in the Siemens S7-300 and S7-400 families. The worm also compromised Step 7, the Siemens software used to program the PLC, replacing a communication library so that it could intercept and modify the code blocks sent to and read back from the PLC.
The result for victims would be secretly reprogrammed PLCs, with their owners denied the ability to know what code was really running inside the devices, he said. To demonstrate the real-world impact of that loss of control, O’Murchu demonstrated the infection of an S7-300 PLC connected to an air pump. Using the Step 7 software, he programmed the pump to run for three seconds, gently inflating a balloon attached to the pump. O’Murchu then demonstrated how a Stuxnet-infected PLC would instead instruct the pump to run for 140 seconds, quickly bursting the balloon.
“If this PLC was connected to an oil pipeline, you can see that the result would be much worse,” he said.
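The mechanism behind that demonstration, the hooked communication path between the engineering station and the controller, can be sketched in a short simulation. The code below is an added example written for this page, not Symantec’s analysis, Siemens software, or any part of Stuxnet: the block names, the three-line “instruction set”, the 3-second and 140-second timers and the injected block name are all constructed for illustration. It shows why the engineer’s view and the controller’s behaviour diverge, and why an audit that goes through the same compromised library cannot detect the change.

```python
"""Toy model of a PLC rootkit sitting between Step 7 and the controller.

Constructed for this example: the PLC runs a tiny instruction set,
the "library" classes stand in for the communication layer that the
engineering software uses to download and upload code blocks.  Nothing
here is a real Siemens protocol or real Stuxnet code.
"""
import hashlib


class PLC:
    """A controller holding named code blocks; OB1 is the cyclic entry point."""

    def __init__(self):
        self.blocks = {}

    def write_block(self, name, code):
        self.blocks[name] = code

    def read_block(self, name):
        return self.blocks.get(name)

    def pump_seconds(self):
        """Execute OB1 and return the last RUN_PUMP value the scan sets."""
        seconds = 0

        def execute(name):
            nonlocal seconds
            for line in self.blocks.get(name, "").splitlines():
                op, _, arg = line.partition(" ")
                if op == "RUN_PUMP":
                    seconds = int(arg)
                elif op == "CALL":  # call another block, as OB1 calls subroutines
                    execute(arg)

        execute("OB1")
        return seconds


class HonestLink:
    """Unmodified communication library: reads and writes pass straight through."""

    def __init__(self, plc):
        self.plc = plc

    def write(self, name, code):
        self.plc.write_block(name, code)

    def read(self, name):
        return self.plc.read_block(name)

    def list_blocks(self):
        return sorted(self.plc.blocks)


class RootkitLink(HonestLink):
    """Hooked library: injects code on download, hides it on upload."""

    INJECTED = {"FC_INJECTED": "RUN_PUMP 140"}  # constructed payload block

    def __init__(self, plc):
        super().__init__(plc)
        self.shadow = {}  # the program the engineer believes is on the PLC

    def write(self, name, code):
        self.shadow[name] = code
        if name == "OB1":
            # Patch the cyclic block to call the payload and install the payload.
            code = code + "\nCALL FC_INJECTED"
            for inj_name, inj_code in self.INJECTED.items():
                self.plc.write_block(inj_name, inj_code)
        self.plc.write_block(name, code)

    def read(self, name):
        if name in self.INJECTED:
            return None  # the injected block is invisible to the engineer
        return self.shadow.get(name, self.plc.read_block(name))

    def list_blocks(self):
        return sorted(b for b in self.plc.blocks if b not in self.INJECTED)


def fingerprint(blocks):
    """Stable hash of a set of blocks, for comparing two views of a program."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(f"{name}:{blocks[name]}\n".encode())
    return h.hexdigest()


def audit(link, plc):
    """True if the program seen through `link` matches what the PLC holds.

    `plc.blocks` stands in for an independent view (a clean engineering
    station or an out-of-band read).  Auditing only through `link` would
    compare the shadow copy with itself and always pass.
    """
    via_link = {n: link.read(n) for n in link.list_blocks()}
    return fingerprint(via_link) == fingerprint(plc.blocks)


def program_and_inspect(link_cls):
    """Download a 3-second pump program, then report both views of the result."""
    plc = PLC()
    link = link_cls(plc)
    link.write("OB1", "RUN_PUMP 3")  # engineer: inflate the balloon for 3 s
    return {
        "engineer_sees": link.read("OB1"),
        "engineer_block_list": link.list_blocks(),
        "pump_runs_for": plc.pump_seconds(),
        "audit_passes": audit(link, plc),
    }


if __name__ == "__main__":
    for cls in (HonestLink, RootkitLink):
        print(cls.__name__, program_and_inspect(cls))
```

Through the honest library the engineer reads back `RUN_PUMP 3`, the controller runs for 3 seconds and the audit passes. Through the hooked library the engineer still reads back `RUN_PUMP 3` and sees only `OB1`, but the controller runs for 140 seconds, and the audit fails only because it has an independent view of the controller’s memory; any check that relies on the compromised host’s own library has nothing to compare against.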
Speculation about the Stuxnet worm has grown rampant in the last week, as everyone from computer security experts to political scientists to divinity experts has weighed in on details of the worm, which was first identified in July. The story burst into the popular media after security and industrial control experts – looking at the capabilities and infection statistics of the Stuxnet worm – suggested that it may have been a targeted attack aimed at Iran’s nuclear enrichment facilities, and each day has brought new revelations about the impact of the worm and its possible origins.
Recent discussions have focused on Israel as a possible source of the worm, given its sophistication, Israel’s stated interest in disrupting Iran’s development of a nuclear weapon, and clues in the malware itself, including a file path containing the word “Myrtus,” which some have read as an allusion to the Book of Esther (Hadassah, Esther’s Hebrew name, means myrtle).
Though most of the conversation about Stuxnet is still based on conjecture, O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on Siemens industrial control systems is consistent with both the speculation that Iran was the intended target and that Israel was the possible source of the worm. As for Iran, O’Murchu merely pointed to Symantec data showing that the country accounted for the largest share of Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.
As for suggestions that Israeli intelligence may have authored the worm, O’Murchu noted that researchers had uncovered a reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which Habib Elghanian, a prominent Iranian Jew, was executed by the new Islamic government shortly after the revolution.
Antivirus experts said O’Murchu’s hypothesis about the origins of the worm was plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention.
“It should have been more successful and stayed off the radar,” one of them said. The worm is a “game changing event” for the anti-malware industry, he said, expanding the scope of virus analysis into the political realm and beyond the purview of systems running the Windows operating system.