Thursday, May 19, 2011

What is Stuxnet?

Stuxnet made big news about a year ago, in summer 2010, when it was discovered installed on many Windows systems that were controlling Siemens SCADA systems. It made news because it was the most sophisticated malware seen to date. The intent of Stuxnet seems to have been industrial espionage, and given the complexity of its code, it is thought to have been written by an organization with the resources to design and test such complex code. Some noteworthy aspects of Stuxnet:
  1. It exploited 4 different "0-day" Windows vulnerabilities. This is unheard of, given the difficulty of finding even 1 exploitable vulnerability in Windows, and it suggests that the organization that sponsored Stuxnet's development had a lot of resources.
  2. Stuxnet exploited Siemens software and the centrifuges used for uranium purification. As with any software development effort, resources must be allocated to testing. In this case, testing would involve using the code to run real centrifuges, which requires a lot of money.
  3. Pure code complexity: Stuxnet's code was relatively large compared to that of other existing malware. Additionally, Stuxnet was a Windows rootkit (kernel-mode malware). Unlike userland malware, kernel-mode malware requires special skill to write, because kernel programming is usually more difficult than userland programming: it is very easy to crash the system, and it requires intricate knowledge of operating system internals (the Windows kernel in this specific case).
A sample of Stuxnet comes as 3 files:

[Image: Stuxnet files]

The shortcut file is interesting. When opened in a hex editor, one can see the following text:
This implies that the exploit takes advantage of the specific device name that is registered with Windows when the drive is mounted (Kingston DataTraveler). Due to its complexity and the resources its development is estimated to have required, it is hypothesized that a nation's government was behind the development of Stuxnet. Stuxnet is known as the turning point in the world of cyberwarfare, as one of the first pieces of malware of this complexity to attack another nation's infrastructure. According to multiple sources on the internet, Stuxnet is believed to have set Iran's nuclear program back by about 2 years, approximately as effective as a physical military attack.


  1. Very interesting Neil...

    So if Stuxnet is so complex that it could only have been sponsored by some Govt/Country willing to put in the resources, have we established which country is behind Stuxnet? If Stuxnet has put Iran's nuclear capability behind by 2 years, then clearly Iran is not the country writing this malware. Who else could it be?

    And my other question has to do with this Hex editor... does this editor translate the malware code into English, so one can understand what the code is doing, or trying to do?

    Good stuff... enjoyed reading your blog very much!

  2. I have been reading that this was a collaboration between Israel and USA, but neither has taken responsibility for it. I was reading that some US officer alluded to it or something, but it might just have been someone misinterpreting his words. If you search for it, you might find more clues about it. Whoever did this though, is obviously _REALLY_ good.

    Interesting question. There are 2 types of digital information:
    1) executable code: this is also referred to as software/programs; it is all the ".exe" files that you run. This is what programmers write, and it is instructions that are understood by the computer processor hardware and control a computer's operation.
    2) data: this is regular data (like a jpg picture file or a text file). Data is read, interpreted and understood by a program (see above) which can understand its format. For example, you cannot open an mp3 audio file with a picture viewer, because the picture viewer software does not understand the mp3 file format. You can only open an mp3 audio file with a program that understands the mp3 file format (like iTunes). This type of digital information is not executable, but rather meant to be interpreted by programs.

    NOTE: a major source of security flaws and hacking is when data is interpreted as executable code.

    At the end of the day, _ALL_ digital information (both types above) is nothing but 0's and 1's. A well known mathematical fact is that 0's and 1's can be interpreted in many different number systems like binary (0/1), octal (01234567), decimal (0123456789) and hexadecimal (0123456789abcdef).

    In the case of the shortcut file above, I opened it with a hex editor (just another program) rather than with the program that reads shortcut files. A hex editor is just a program that interprets the 0's and 1's of the file and displays those 0's and 1's in the hexadecimal numbering system.

    Since I said _ALL_ digital information is 0's and 1's, this also includes text like a letter, an email, or even the contents of this blog post. Behind the scenes, these words that you are reading are stored on a computer hard disk somewhere as 0's and 1's. Each letter has a different numerical value ( The fact that we can convert 0's and 1's to letters via that table means that the hex editor can also display the value of whatever file you open as letters via a chart similar to the one in the link posted above (the sequence of characters might not always be human readable depending on the content that you open in the hex editor).

    That's a hex editor.

    As far as translating executable code to English goes, that's a process called "decompiling". You give a decompiler the executable code, and it translates it from 0's and 1's to something more understandable (like a programming language such as C or Java). There is still a gap between the English language and computer languages. The best result of a decompiler will be programming language source code that only a programmer can read.

    I'm glad and honored that you enjoy reading my posts :)
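As an added illustration (not code from the post or from Stuxnet itself), the following Python renders a constructed buffer laid out like a Windows shortcut the way a hex editor would, and runs a strings-style scan in narrow and wide mode. It ties together the hex-editor observation in the post and the explanation of hex editors in the reply above: Windows stores the device name as UTF-16LE, so it appears in the ASCII column as "K.i.n.g.s.t.o.n." and an ASCII-only scan misses it entirely. The sample bytes (other than the quoted device name) and the function names are mine.

```python
import string

# Constructed sample buffer (NOT real Stuxnet bytes), laid out like a Windows
# shortcut (.lnk): Windows stores device names and paths as UTF-16LE, so each
# ASCII letter is followed by 0x00. Only the device name quoted in the post is
# meaningful; the surrounding bytes are made-up filler.
SAMPLE = (
    b"\x4c\x00\x00\x00\x01\x14\x02\x00"   # 0x4C = LNK HeaderSize; rest is filler
    + b"\x00" * 8
    + "Kingston DataTraveler".encode("utf-16-le")
    + b"\x00\x00"                          # UTF-16 terminator
    + b"\xde\xad\xbe\xef"                  # trailing filler
)
# Bytes a hex editor shows in its ASCII column: letters, digits, punctuation, space.
PRINTABLE = set(string.printable[:95].encode())

def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes the way a hex editor does: offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asciipart}|")
    return lines

def find_strings(data: bytes, wide: bool = False, min_len: int = 4) -> list[str]:
    """'strings'-style scan. wide=False: runs of printable bytes (misses UTF-16LE
    text); wide=True: runs of (printable, 0x00) pairs as Windows stores them."""
    found, cur, i = [], [], 0
    step = 2 if wide else 1
    while i + step <= len(data):
        ok = data[i] in PRINTABLE and (not wide or data[i + 1] == 0)
        if ok:
            cur.append(chr(data[i]))
            i += step
            continue
        if len(cur) >= min_len:
            found.append("".join(cur))
        cur, i = [], i + 1          # run ended: flush it and resync by one byte
    if len(cur) >= min_len:
        found.append("".join(cur))
    return found

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("narrow strings:", find_strings(SAMPLE))
    print("wide strings:  ", find_strings(SAMPLE, wide=True))
```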