Stuxnet Analysis

These are the detailed technical comments on Stuxnet, together with the Agency recommendation. They are a subset of the Agency press release of 07/10/2010 on this topic and should be read in conjunction with that press release.

1. Technical analysis of the problem

Stuxnet is a specialised malware targeting SCADA systems running Siemens SIMATIC® WinCC or SIMATIC® Siemens STEP 7 software for process visualisation and system control. SCADA in general refers to computer systems that monitor and control industrial processes, such as those in nuclear power plants or in facilities for water treatment.
This highly sophisticated malware uses several vulnerabilities in the underlying Windows® operating system for infection and propagation. Infection works via USB drives or open network shares. A rootkit component hides the content of the malware on infected WinCC systems. An infected system can usually be controlled remotely by the attacker. In the end, this means that the attacker has full control of the respective facility.


2. Detection and mitigation
It is highly recommended that users of the above-mentioned systems check them for infection. Siemens has published a tool and a manual on how to proceed. The respective security bulletins issued by Microsoft should also be studied and followed (which is true for any user of Windows® operating systems). Please refer to the list of links at the end of this text.

 

Further sample links for updated information:

• Siemens tool & procedures for removal
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view
• Symantec ongoing analysis of Stuxnet
http://www.symantec.com/business/theme.jsp?themeid=stuxnet&inid=us_ghp_banner1_stuxnet
o Stuxnet White Paper
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
o Ongoing Stuxnet Response Blog
http://www.symantec.com/connect/blogs/w32stuxnet-dossier
• ENISA country reports, which give an overview of national actors who may provide updated information in your own language:
http://www.enisa.europa.eu/act/sr/country-reports

 

See Agency press release on Stuxnet.