Iran Admits Stuxnet Affected Their Nuclear Program
plover writes "According to this article in the Guardian, 'Ahmadinejad admitted the [Stuxnet] worm had affected Iran's uranium enrichment. "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," the president said. "They did a bad thing. Fortunately our experts discovered that, and today they are not able [to do that] anymore."'"
Their PM accidentally admitted, back in 2006, that they did have nuclear weapons.
Just disconnect any sensitive nuclear facility from the freaking Internet. Are they so stupid?
No, they're not stupid. Of course the nuclear plant's control network is isolated from other networks. You just don't understand how this worm works.
Using one of four different previously unknown (0-day) Windows exploits, it finds its way onto new machines. Two of the exploits are network attacks (one print spooler, one RPC). One of the exploits strikes using a bug in how Windows reads the AUTORUN.INF file, and will install the virus whenever infected removable media is inserted, such as USB sticks or CD-ROM discs. Stuxnet is written to all removable media on an infected machine. AUTORUN can be disabled, but the bug is such that it doesn't matter -- simply inserting the infected media spreads the infection.
It's stealthy, and hides itself using Windows rootkit methodology. It looks for specific 32-bit Windows operating systems and which antivirus software packages are installed, and will either fail to install if the antivirus can't be worked around, or it uses different exploits to elevate privileges depending on the security environment of the machine.
It contacts a set of command and control servers (that were taken offline) to download updates to the virus. The virus-infected machines periodically check in to those servers to see if there's new payload or software, update themselves, then spread it around to the other infected machines.
Once it finds its way onto a machine running "Step 7", a programming environment for programming Siemens industrial control systems, it modifies the code that is compiled for the control system. It uses another kind of hiding technology that acts like a rootkit here, telling the engineer that the deployed code is OK.
The engineers do their work on an infected machine connected to the regular networks. They then have to transfer their newly compiled control program data onto the isolated control network. They typically do so using USB sticks or CD-ROMs, which then infect the machine that is transmitting the code to the industrial control network.
The modifications to the data sent to the control network are subtle. Stuxnet has two payloads. The first tries to figure out that it's in an environment that matches the target by comparing frequency controller IDs with those of specific Iranian-made controllers, looks for an array of more than 32 of them, and then watches to see if they run at high speeds for a couple of weeks. If so, it'll switch to a damage cycle where it over-revs the centrifuge motors, then suddenly slows them, then suddenly speeds them up again. It repeats this hour-long cycle once every 27 days or so. Even if the over-revving doesn't damage the centrifuges, the sudden slowdowns and speed-ups mix the uranium up again, rendering the purity of the uranium inexplicably unrefined.
The other payload appears to be intended to cause more damage. It's believed to be designed to attack the control systems at the Bushehr nuclear reactor, opening and closing steam valves in order to over-stress the turbine, with the intent of destroying the 150-foot-long shaft and its enclosure. It also pretends to be the reactor's environmental sensors, and reports false data back to the controller; all of this faked data makes the turbine look like everything's operating normally, but in reality a hellstorm is going on inside the turbine enclosure.
It's quite a sophisticated worm.
John
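The two payload descriptions in the comment above share one defensive lesson: once the engineering station and HMI can be lied to, the only trustworthy signal is a measurement taken outside that chain and compared against what the operator actually commanded. The following is an added example, written for this page and not code from the thread, from Siemens, or from any Stuxnet analysis. It models a small independent process monitor that cross-checks three values per sample: the commanded setpoint, the value the HMI displays, and an out-of-band sensor reading (assumed to be wired around the controlled network). The tolerances, the sensor names and every frequency value are constructed assumptions for illustration, not real plant limits or real centrifuge figures.

```python
"""Independent process-monitoring cross-check (added illustrative example).

Assumptions (not from the page): an out-of-band sensor path exists that the
engineering station cannot influence, and the thresholds below are plausible
but invented.  All sample data is constructed.
"""
from dataclasses import dataclass
from collections import Counter


@dataclass
class Sample:
    t_s: int               # seconds since monitoring started (constructed)
    commanded_hz: float    # setpoint sent from the HMI / engineering station
    hmi_reported_hz: float # what the HMI displays; could be spoofed by a rootkit
    independent_hz: float  # out-of-band sensor reading; assumed trustworthy


# Illustrative tolerances, chosen for the example rather than taken from any plant.
REPORT_MISMATCH_HZ = 5.0      # HMI display vs. independent sensor
SETPOINT_DEVIATION_HZ = 5.0   # independent sensor vs. commanded setpoint
MAX_RATE_HZ_PER_S = 2.0       # slew rate above which a change counts as "sudden"


def check_samples(samples):
    """Return a list of (timestamp, alert_kind) tuples for a telemetry run.

    Three independent checks, each answering a question the HMI alone cannot:
      hmi_mismatch        the display disagrees with physical reality
      setpoint_deviation  the drive is doing something nobody commanded
      rapid_change        speed is swinging faster than normal operation allows
    """
    alerts = []
    prev = None
    for s in samples:
        if abs(s.hmi_reported_hz - s.independent_hz) > REPORT_MISMATCH_HZ:
            alerts.append((s.t_s, "hmi_mismatch"))
        if abs(s.independent_hz - s.commanded_hz) > SETPOINT_DEVIATION_HZ:
            alerts.append((s.t_s, "setpoint_deviation"))
        if prev is not None:
            dt = s.t_s - prev.t_s
            if dt > 0 and abs(s.independent_hz - prev.independent_hz) / dt > MAX_RATE_HZ_PER_S:
                alerts.append((s.t_s, "rapid_change"))
        prev = s
    return alerts


def summarize(alerts):
    """Count alerts by kind, so an operator sees the pattern rather than a flood."""
    return dict(Counter(kind for _, kind in alerts))


# Constructed telemetry: a normal run with a small operator-commanded ramp.
NORMAL_RUN = [
    Sample(0, 900.0, 900.0, 900.0),
    Sample(10, 900.0, 900.5, 899.8),
    Sample(20, 905.0, 904.9, 904.6),   # ramp was commanded, so it is not an alert
]

# Constructed telemetry: HMI keeps showing the setpoint while the drive is
# pushed far above it and then abruptly slowed, the pattern described above.
SPOOFED_RUN = [
    Sample(0, 900.0, 900.0, 900.0),
    Sample(10, 900.0, 900.0, 901.0),
    Sample(20, 900.0, 900.0, 1100.0),  # over-speed; display still says nominal
    Sample(30, 900.0, 900.0, 1100.0),
    Sample(40, 900.0, 900.0, 300.0),   # sudden slowdown; display still says nominal
]


if __name__ == "__main__":
    print("normal run alerts:", check_samples(NORMAL_RUN))
    print("spoofed run summary:", summarize(check_samples(SPOOFED_RUN)))
```

The value of the check is entirely in where the third column comes from: if the "independent" sensor is read through the same engineering station or the same PLC that the worm controls, the monitor inherits the same lies. The thresholds also have to be tuned to the real process, since a legitimate ramp (as in `NORMAL_RUN`) must pass while the uncommanded swings in `SPOOFED_RUN` do not.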