STUXNET, a malicious software program also known as W32.Stuxnet, is a zero-day exploit that was used for monitoring and destroying programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. At its peak, it was discovered to have impacted computers across a number of countries, including Iran, Indonesia, India and the United States. Taking its name from the Mac OS Stub library (.stub) extension and the mrxnet.sys driver, which is widely considered to be harmful to Windows environments, the Stuxnet worm is known for its marksmanship: it spreads indiscriminately but inflicts damage only upon systems with specific configurations.
While it is believed that the very first version of Stuxnet came into view around June 2009, its official discovery is attributed to anti-malware expert Sergey Ulasen, who, in 2010, was briefed about a client experiencing reboots and blue screens of death (BSOD). The company he worked for at the time, VirusBlokAda, a small but leading antivirus developer in the Belarusian market, would eventually classify these glitches as the results of a malware infection.
The Stuxnet worm would also undergo several name changes during its early days of propagation—from Rootkit.Tmphider to W32.Temphid, to its final incarnation of W32.Stuxnet. Enhanced versions of the worm were also appearing: one in March 2010 and another in April. By mid-2010 the Stuxnet worm was in full effect and responsible for an array of exploits. The most notable of these was a distributed denial of service (DDoS) attack that was orchestrated against an industrial system in July of that year, disabling its leading mailing list while obscuring its origin and whereabouts.
The Role of Stuxnet in Cyber Warfare
In a controversial turn of events, it was reported that the Stuxnet suite of tools was a sophisticated weapon of cyber disruption, jointly developed by the Israeli and United States governments. Believed to be a prominent, though unconfirmed, part of their joint covert campaign known as “Operation Olympic Games”, the Stuxnet worm was used to help compromise Iran’s nuclear program. It specifically attacked the country’s uranium enrichment facility in November 2017, thereby subverting nearly one-fifth of its nuclear centrifuges. The worm has since infected over 200,000 computer systems in assembly lines and power plants around the world and has caused thousands of systems to physically deteriorate. It should be noted that 60% of these computer systems were in Iran.
How it Works
As previously described, the Stuxnet worm typically operates by exploiting zero-day flaws. It specifically targets computers running Microsoft Windows operating systems with unique configurations. It is commonly spread by USB flash drives and other removable devices which carry (and ultimately deploy) its remote executable programs.
Once the worm takes root, it is capable of spreading across networks and infecting the systems, nodes and other endpoints that are connected to them. It scans for files belonging to the Siemens WinCC/PCS 7 SCADA control software suite in order to disrupt the s7otbxdx.dll file, a key communication library. While doing so, it works to hide from the control software’s attempts to read infected blocks of memory from within the PLC system.
The Stuxnet worm propagates fast and randomly regardless of what computer system it invades, but systems and networks which do not meet the worm’s target configuration are left virtually unscathed. In both cases, however, the Stuxnet worm cannot be considered benign, as it installs rootkits onto every system it is present on. The rootkits enable it to launch man-in-the-middle (MITM) attacks while masking its identity.
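Because the worm's effect on the engineering station is to tamper with the s7otbxdx.dll communication library and to drop the mrxnet.sys driver, a defender's first check is file integrity against a baseline recorded from a known-clean install. The following is an added example, not code from the original article; the directory layout, file contents and hashes are constructed placeholders, and the check must be run from a trusted environment (for example, offline against the disk), since a rootkit on the live host can lie about what is on it.

```python
import hashlib
import tempfile
from pathlib import Path

# Names the article associates with the worm: the Step 7 communication library it
# disrupts and the kernel driver it installs. Any file with the driver name is flagged.
SUSPECT_DRIVER = "mrxnet.sys"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root (run on a clean system)."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the current tree with the baseline; return human-readable findings."""
    current = build_baseline(root)
    findings = [f"MISSING {rel}" for rel in baseline if rel not in current]
    findings += [f"MODIFIED {rel}" for rel, h in current.items()
                 if rel in baseline and baseline[rel] != h]
    findings += [f"NEW {rel}" for rel in current if rel not in baseline]
    findings += [f"SUSPECT_DRIVER {rel}" for rel in current
                 if Path(rel).name.lower() == SUSPECT_DRIVER]
    return findings


def demo() -> list:
    """Constructed scenario: clean baseline, then a replaced DLL and a dropped driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        step7 = root / "Siemens" / "Step7"
        step7.mkdir(parents=True)
        dll = step7 / "s7otbxdx.dll"
        dll.write_bytes(b"original communication library (constructed)")
        baseline = build_baseline(root)  # taken while the install is known-clean
        dll.write_bytes(b"replacement library (constructed)")  # simulated tampering
        (root / "drivers").mkdir()
        (root / "drivers" / SUSPECT_DRIVER).write_bytes(b"dropped driver (constructed)")
        return check_integrity(root, baseline)
```

In production the baseline would be stored off-host and signed, and the comparison would cover the whole WinCC/PCS 7 installation rather than a single file.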
Removing W32.Stuxnet and Preventing Infection
Regardless of your choice of antivirus (AV), you should begin with a full system scan if you think your device might be infected with the Stuxnet worm. In some cases, you might even need to reinstall from a Windows installation CD or executable file if your system files have been corrupted or removed altogether. Monitoring the peripheral and removable devices you plug into your system, as well as regularly using a reputable antivirus (AV) product, reduces the likelihood of future infections by the Stuxnet worm.