Why did Stuxnet worm spread?

Propagation hints that first attack failed, say researchers

Stuxnet's inability to stay stealthy may be fall-out from a failure to hit its intended targets last year, security researchers said today.

The worm, which was designed to infiltrate heavy-duty industrial control programs that monitor and manage factories, oil pipelines, power plants and other critical installations, only popped onto researchers' radars this summer, nearly a year after it was likely first launched.

"Obviously, it spread beyond its intended target or targets," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, one of the two security companies that has spent the most time analyzing Stuxnet.

Most researchers have agreed that Stuxnet's sophistication -- they've called it "groundbreaking" -- means that it was almost certainly built by a well-financed, high-powered team backed by a government. The worm's probable target was Iran, possibly the systems in its budding nuclear power program.

Earlier this week, Iranian officials acknowledged that tens of thousands of Windows PCs had been infected with Stuxnet, including some in place at a nuclear power plant in southwestern Iran. They have denied that the attack had damaged any facilities, however, or that Stuxnet contributed to well-known delays in the reactor's construction.

But if Stuxnet was aimed at a specific target list, why has it spread to thousands of PCs outside Iran, in countries as far flung as China and Germany, Kazakhstan and Indonesia?

"That's something we find puzzling," said Liam O Murchu, operations manager with Symantec's security response, and a co-author of a paper that analyzed the worm's code.

Even though the Stuxnet makers obviously included measures to limit its spread, something went amiss, O Murchu said.

The original infection method, which relied on infected USB drives, included a counter that limited the spread to just three PCs, said O Murchu. "It's clear that the attackers did not want Stuxnet to spread very far," he said. "They wanted it to remain close to the original infection point."

O Murchu's research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.

Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?

Kaspersky's Schouwenberg believes it's because the initial attack, which relied on infected USB drives, failed to do what Stuxnet's makers wanted.

"My guess is that the first variant didn't achieve its target," said Schouwenberg, referring to the worm's 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. "So they went on to create a more sophisticated version to reach their target."

That more complex edition, which O Murchu said was developed in March of this year, was the one that "got all the attention," according to Schouwenberg. But the earlier edition had already been at work for months by then -- and even longer before a little-known antivirus vendor from Belarus first found it in June. "The first version didn't spread enough, and so Stuxnet's creators took a gamble, and abandoned the idea of making it stealthy," said Schouwenberg.

In Schouwenberg's theory, Stuxnet's developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.

"They spent a lot of time and money on Stuxnet," Schouwenberg said. "They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm."

O Murchu agreed that it was possible the worm's creators had failed to infect, and thus gain control, of the industrial systems running at their objective(s), but said the code itself didn't provide clear clues.

What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLCs (programming logic control) hardware to hijack. "It's possible that [the attackers] didn't manage to get to all of their targets [with the earlier version]," O Murchu said. "The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target."

With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm's developers gladly took.

And that risk may have been quite small. "Perhaps they knew that their own critical infrastructure wouldn't be affected by Stuxnet because it's not using Siemens PLCs," Schouwenberg said.

Stuxnet only tried to grab control of PLCs manufactured by German electronics giant Siemens, which has supplied large amounts of industrial control hardware and software to Iran.

O Murchu's research seemed to back up Schouwenberg's speculation. "Stuxnet looks to see that a specific type of PLCs are present," he said today. "Those are quite popular models, but it does show that they knew what hardware was being used at the target or targets." Additionally, the code only infected PLCs that used a specific model of network card.

The identity of Stuxnet's makers may never be known, both Schouwenberg and O Murchu said. However, some clues in the code point to Israel , or at least the hackers wanted everyone to think Israel was behind the cyber attack against Iran.

"But as long as no one takes responsibility for the attack, the authors really had nothing to lose by letting the worm spread," said Schouwenberg.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityWindowssoftwareMalware and Vulnerabilitiesoperating systemskaspersky lab

More about etworkKasperskyKasperskySiemensSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts