Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

by Kim Zetter

Information about VirusBlokAda’s encounter with the malware comes from interviews with Sergey Ulasen and Oleg Kupreev, as well as from an account published by Kaspersky Lab in 2011, after the Russian antivirus firm hired Ulasen away from VirusBlokAda. That interview, “The Man Who Found Stuxnet—Sergey Ulasen in the Spotlight,” was published November 2, 2011, at eugene.​kaspersky.​com/​2011/​11/​02/​the-​man-​who-​found-​stuxnet-​sergey-​ulasen-​in-​the-​spotlight.

Nicolas Falliere, Liam O’Murchu, and Eric Chien, “W32.Stuxnet Dossier” (report, February 2011), 13–15, available at symantec.​com/​content/​en/​us/​enterprise/​media/​security_response/​whitepapers/​w32_stuxnet_dossier.​pdf. Symantec’s extensive dossier describes in detail Stuxnet’s technical specs and what each function in the code is designed to do.

Alex Gostev, chief malware expert at Kaspersky Lab in Russia, found that Stuxnet sent to the command servers a file—named Oem6c.pnf—that identified not only which Siemens program was installed on the computer (the Siemens Step 7 programming software or the WinCC program, which operators use to monitor conditions on their PLCs) but also included a list of any Step 7 project files on the machine and the path string that showed where on the computer the files were located. The Step 7 project files contain the programming commands for PLCs. Gostev suspects that anytime the attackers found project files on a machine, they may have sent a separate tool to the computer to steal the files and examine them for configuration data to determine if Stuxnet had found the systems it was seeking.

the IP address 127.0.01, which is commonly used to return traffic to the sender’s machine.

Centrifuges are metal cylinders with rotors inside that can spin at speeds in excess of 100,000 revolutions per minute to enrich uranium hexafluoride gas, produced from uranium ore found in earth and seawater. The hexafluoride gas is piped into “cascades” of centrifuges—groups of centrifuges connected by pipes and valves. And as the rotors inside them spin, the centrifugal force separates the slightly lighter U-235 isotopes in the gas—the fissile isotopes needed for atomic energy—from the heavier U-238 isotopes, in a process likened to panning for gold.23 Gas containing the heavier isotopes gets pushed to the outer wall, while gas containing lighter isotopes gathers closer to the center. Coils wrapped around the outside of the centrifuge that are filled with heated water create a varying temperature that sets the gas in vertical motion, in an oval pattern along the wall of the centrifuge, to further separate the isotopes. Scoops divert the gas containing the concentration of lighter isotopes into other centrifuges at a “higher” stage in the cascade, where further separation occurs, while the heavier gas, the depleted uranium, is diverted into a second set of centrifuges in a lower stage of the cascade for further separation. When additional U-235 isotopes are separated from this gas, it gets fed back into the higher stages to be recombined with the other U-235 isotopes while the depleted gas is sent to “waste”—that is, the tail end of the cascade, where it gets discarded. ...

Khan later secretly gave Iran components for five hundred P-1 centrifuges, as well as instructions for setting up a quality-assurance program for making and testing the centrifuges. The latter was badly needed because Iran was having trouble with the centrifuges it had created from Pakistan’s prototypes. Sometimes they spun out of control and crashed; other times they didn’t work at all.29 By 1994, Iran had succeeded in operating only one centrifuge successfully at “nearly full speed.”30 As a result, the Iranians accused Khan of selling them a bill of goods. So in 1996, he handed over drawings for Pakistan’s P-2 centrifuge, a more advanced centrifuge based on another design stolen from Urenco.31 The P-2 was much more efficient than the IR-1 and could enrich about two and a half times the amount of uranium in the same amount of time. It also used a rotor made from maraging steel—a more resilient material than the breakage-prone aluminum rotors in the IR-1.

The Melissa virus in 1999

the Love Letter worm

the Code Red worm—hit

One of the first things Stuxnet did was determine if the computer was a 32-bit or 64-bit Windows machine; Stuxnet only worked with 32-bit Windows machines.

It also determined if the machine was already infected with Stuxnet. If it was, Stuxnet made sure the resident malware was up to date and simply swapped out any old files for the latest ones.

Despite the fact that Conficker spread so rapidly and so successfully, it never really did anything to most of the machines it infected, leaving an enduring mystery about the motives for creating and unleashing it. Some thought the attackers were trying to create a giant botnet of infected machines to distribute spam or conduct denial-of-service (DoS) attacks against websites—a later variant of Conficker was used to scare some users into downloading a rogue antivirus program. Others feared it might install a “logic bomb” on infected systems that would cause data to self-destruct at a future date. But when none of these scenarios materialized, some thought Conficker might have been unleashed as a test

What’s more, the first version of Conficker avoided infecting any machines in Ukraine, suggesting this may have been its country of origin.

Although many of Stuxnet’s methods were entirely modern and unique, it owes its roots to the Morris worm and shares some characteristics with it. Morris unleashed his worm in 1988 on the ARPAnet, a communications network built by the Defense Department’s Advanced Research Projects Agency in the late 1960s, which was the precursor to the internet. Like Stuxnet, the worm did a number of things to hide itself, such as placing its files in memory and deleting parts of itself once they were no longer needed to reduce its footprint on a machine.

he had the worm infect every seventh machine it encountered anyway. He forgot to take into account the interconnectedness of the ARPAnet, however, and the worm made repeated rounds to the same machines, reinfecting some of them hundreds of times until they collapsed under the weight of multiple versions of the worm running on them at once. Machines at the University of Pennsylvania, for example, were attacked 210 times in twelve hours.

One method for doing this, as Nate Lawson points out in his blog post, is to take detailed configuration data on the targeted machine and use it to derive a cryptographic hash for a key that unlocks the payload. The key is useless unless the malware encounters a machine with the exact configuration or someone is able to brute-force the key by reproducing all known combinations of configuration data until it achieves the correct one. But the latter can be thwarted by deriving the hash from an extensive selection of configuration data that makes this unfeasible. Stuxnet did a low-rent version of the technique Lawson describes. It used basic configuration data about the hardware it was seeking to trigger a key to unlock its payload, but the key itself wasn’t derived from the configuration data and was independent of it. So once the researchers located the key, they could simply unlock the payload with the key without needing to know the actual configuration. Researchers at Kaspersky Lab did, however, later encounter a piece of malware that used the more sophisticated technique to lock its payload. That payload has never been deciphered as a result.

Uranium in its natural state contains less than 1 percent of U-235, the isotope needed for reactors and bombs. Most nuclear reactors need uranium enriched to just 3 to 5 percent. Highly enriched uranium is enriched to 20 percent or more. Although 20 percent enrichment can be used for crude nuclear devices, in addition to some types of nuclear reactors, weapons-grade uranium is enriched to 90 percent or above.

Miller caused an uproar in 2007 when he published a paper about the zero-day market and admitted publicly that he sold exploits to the government.

VUPEN’s founder and CEO, Chaouki Bekrar,

Timothy McVeigh blew up a federal building in Oklahoma City in 1995

Vitek Boden,

One of the main problems security researchers have found with the system is that smart meters have a remote-disconnect feature that allows utility companies to initiate or cut off power to a building without having to send a technician. But by using this feature an attacker could seize control of the meters to disconnect power to thousands of customers in a way that would not be easily recoverable. In 2009, a researcher named Mike Davis developed a worm that did just this.