rediff.com
News APP

NewsApp (Free)

Read news as it happens
Download NewsApp

Available on  gplay

Rediff.com  » News » The cyber worm that can destroy N-plants
This article was first published 13 years ago

The cyber worm that can destroy N-plants

Last updated on: October 5, 2010 07:51 IST

Image: A general view of the Bushehr main nuclear reactor in Iran
Photographs: Raheb Homavandi/Reuters

Vicky Nanjappa

In June, a deadly cyber worm called the 'Stuxnet' was discovered in Belarus, and experts worldwide realised that it had the capabilities of a missile, which could destroy a factory or even a nuclear plant.

Following the detection of this super cyber worm, there is a rumour afloat that it may have already reached its target -- the Bushehr nuclear power plant in Iran.

Cyber crime experts in India say that they do not agree to Iran and US' apprehensions that the worm was generated from India, saying, 'our own establishments face this risk.'

There is a need to be on guard against Stuxnet, since the worm is extremely complicated, highly encrypted and controlling it could be a major problem.

The Stuxnet takes control of a system and like in the case of other worms or malware, there is no action required for the user to be taken. This means that it could enter into your system without you having done anything. The worst part about this worm is that it has been developed to hit at a physical target.

..

 

How Stuxnet hijacks systems

Image: Participants compete in an international open-air hacker conference in Germany
Photographs: Hannibal Hanschke/Reuters

David Hall, senior manager, Symantec (a US company that makes anti-virus software), explains to rediff.com more about the Stuxnet worm.

"We've heard about the possibilities and it is like nothing we've seen before -- both in what it does, and how it came to exist," Hall said.

Stuxnet is the first publicly known worm to target industrial control systems, often referred to as supervisory control and data acquisition (SCADA) systems. W32.Stuxnet was first categorised in July, 2010. Stuxnet looks for industrial control systems and then changes the code in them to allow the attackers to take control of these systems without the operators knowing, he added.

Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm.

Stuxnet uses two different and most importantly legitimate certificates signed by well-known companies to avoid detection by anti-virus applications, Hall also noted.

Stuxnet has been attacking industrial control systems across the globe. "We've seen infections in 90 different countries with high numbers in Indonesia, Korea and India, apart from Iran where we saw 60 per cent of the infections," Hall said.

'The most complex, impactful worm'

Image: Researchers at Symantec Corp Anti-Virus Research Center study a code
Photographs: Reuters

Like in other countries, Stuxnet attacks in India target systems with SCADA software installed, mainly in factories and power plants, he said.

This malicious threat is designed to allow hackers to manipulate real-world equipment, which makes it very dangerous. It is the first computer virus to be able to wreak havoc in the physical world.

Stuxnet searches for industrial control systems and specifically targets systems with SCADA software installed. If it finds these systems on the compromised computer, it attempts to steal code and design projects. It may also take advantage of the programming software interface upload its own code to the Programmable Logic Controllers, which are 'mini-computers', in an industrial control system that is typically monitored by SCADA systems, Hall said.

Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet. Moreover, Stuxnet uses stolen legitimate certificates, which makes it difficult to detect it, he added.

Stuxnet is a complex and impactful threat that is trying to make groundbreaking changes, which is a matter of concern. Earlier, a threat such as this might have been speculation, now it's a real threat, he said.

What's worrying is that Stuxnet is one of the most complex worm we've seen and one of the most impactful. A worm that is trying to make these types of changes is groundbreaking and very worrying. What is even more worrying is that this threat exploits four zero-day vulnerabilities.

A zero-day is a bug within software that the attacker knows about, but no one else does. Stuxnet is designed to manipulate real-world equipment. This malicious worm is a strong example of how sophisticated and targeted threats are becoming, which makes it extremely dangerous. To give you perspective, we saw 12 zero-day vulnerabilities in total in 2009.  This further emphasises the high level of sophistication of Stuxnet, Hall noted.

This is the first publicly widespread threat that has shown a possibility of gaining control of industrial processes and placing that control in the wrong hands.  It also shows that in this interconnected world, security solutions and technologies are more important than ever.

'This worm will be alternative to a full-fledged war'


Photographs: Lee Jae-Wo/Reuters

A cyber crime official in New Delhi said that Iran had pointed a finger at India saying that the worm had been generated in India. "However, our investigations show that this particular worm is 'government backed' and could have been generated out of Israel," the official said.

While intelligence reports point towards the angle that there is also this name 'Myrtus' which has a referrence to a Hebrew word. "However, it is too early to come to any sort of conclusion. We have found during out investigations that some of our systems have been affected, but no crucial installations have been targeted as yet," he added.

"This particular worm has been created and will be alternative for a full-fledged war. There is a reason why they have targeted Iran since many countries feel that Iran is lying about their nuclear capabilities and hence they feel that this would be the best way to target them," he said.

Stuxnet responsible for Indian satellite's shut down?

Image: The Insat 4B satellite

He also pointed out that Iran has claimed that it has made a couple of arrests of nuclear spies who are responsible for infecting their systems. "We are keeping a watch on the developments, but nothing really concrete has come out of this arrest as yet," he added.

Moreover this is important to India since there has been a talk that the same worm may have hit the Insat 4 B satellite in June, the same month when this worm was discovered, he noted.

This satellite, which was responsible for the telecast of several channels, shut down due to a power supply anomaly in one of the two solar panels that supplied power to the satellite.

The Indian Space Research Organisation, however, said that they have not found any such traces to the worm and maintain that their ongoing investigation has not found anything in this regard as yet.

Cyber security experts, meanwhile, maintain that this worm is perfectly capable of hitting even satellites.

Although currently it continues to remain in the hands of government sponsored agencies, the worry will begin for India once the bad guys lay their hands on it, which means it would be used to target defence installations and nuclear stations in India as well.

"We are in talks and also taking the assistance of various other experts in trying to ensure that our installations remain Stuxnet-free," the security official added.