New concerning clues in the “Stuxnet” case

November 18th, 2010 by Agent Smith, in Malware Infections
New and concerning discoveries have surfaced in the Stuxnet case. According to Symantec, the worm is apparently designed to sabotage specific types of facilities, like nuclear plants and other key locations. It employs a subtle sabotage technique that is meant to overload physical machinery by briefly speeding it up over a span of weeks.

Discovered this year in June in Iran, Stuxnet has already infected more than 100,000 computer systems worldwide and is not, as it first seemed, a sophisticated Windows virus designed to steal data. It apparently contains code targeting Siemens Simatic WinCC SCADA systems, which are control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment. Despite these discoveries, the specific sabotage function has not yet been discovered.

Symantec researchers have also uncovered the fact that Stuxnet targets specific frequency-converter drives, which are basically power supplies used to control the speed of a physical device, such as a motor. The malware replaces commands intercepted from SCADA systems with its own malicious routines.

However, Stuxnet does not target just any frequency converter, but specific ones, such as those made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said Liam O Murchu, researcher with Symantec Security Response. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

Stuxnet was publicly exposed in Belarus, the country where the most infections occurred, by VirusBlokAda, an obscure security company.

“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”

Stuxnet’s internal security systems hide it even from system administrators, and many such infections would have been passed over if official information about it had not been published in July.
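Because the malware replaces drive commands and hides from administrators, one defensive check is to compare the setpoint the operator commanded with the drive output frequency measured independently. The following is an added example, not code from Symantec or from this post: the function names, the 5 Hz tolerance and the telemetry are constructed, only the 1410 Hz, 2 Hz and 1064 Hz values come from the quote above, and the measurements are assumed to come from a sensor that does not pass through the controller or HMI.

```python
from dataclasses import dataclass


@dataclass
class Excursion:
    start: int           # timestamp of the first deviating sample
    end: int             # timestamp of the last deviating sample
    commanded_hz: float  # setpoint the operator asked for
    peak_dev_hz: float   # largest |measured - commanded| in the run
    measured_hz: float   # measured value at that peak


def find_excursions(samples, tolerance_hz=5.0):
    """Group consecutive samples whose measured output frequency differs
    from the commanded setpoint by more than tolerance_hz (assumed value).

    samples: iterable of (timestamp, commanded_hz, measured_hz).
    """
    excursions, current = [], None
    for ts, commanded, measured in samples:
        dev = abs(measured - commanded)
        if dev <= tolerance_hz:
            if current:              # run ended, record it
                excursions.append(current)
                current = None
        elif current is None:        # run starts here
            current = Excursion(ts, ts, commanded, dev, measured)
        else:                        # run continues
            current.end = ts
            if dev > current.peak_dev_hz:
                current.peak_dev_hz, current.measured_hz = dev, measured
    if current:
        excursions.append(current)
    return excursions


def build_sample_telemetry():
    """Constructed data: one sample per minute for a day, setpoint 1064 Hz,
    with two brief excursions whose timing and length are invented."""
    rows = []
    for minute in range(1440):
        measured = 1064.0 + (minute % 3 - 1) * 0.5   # small sensor jitter
        if 300 <= minute < 310:
            measured = 1410.0
        elif 900 <= minute < 930:
            measured = 2.0
        rows.append((minute, 1064.0, measured))
    return rows


if __name__ == "__main__":
    for e in find_excursions(build_sample_telemetry()):
        print(f"minutes {e.start}-{e.end}: commanded {e.commanded_hz} Hz, "
              f"measured {e.measured_hz} Hz")
```

Each run is reported with its start and end so that brief excursions spread over weeks can be correlated across drives instead of being dismissed as isolated glitches.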

To prevent Stuxnet infections, follow this simple four-step guide.
