5) Stuxnet Worm

= What is Stuxnet? =
 * Stuxnet is a computer worm that targets the types of industrial control systems (ICS) commonly used in infrastructure facilities (e.g. power plants, water treatment plants, gas pipelines). It spreads not only via USB sticks but via anything that can be mounted as a drive, such as a USB hard drive, mobile phone, digital picture frame and so on. Once inside an organization, it can also spread by copying itself to network shares that are protected by weak passwords or otherwise misconfigured.

= History =
 * Stuxnet, or W32.Stuxnet, is one of the most destructive computer worms ever found; it was discovered in June 2010. It is believed that the worm was created by the USA and Israel to attack Iran's nuclear facilities, but some researchers believe that Iran was infected through a Russian laptop. There is still no proof either way. The worm spreads quickly via Microsoft Windows operating systems and then targets Siemens software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

= What Does Stuxnet Do? =
 * It infects the system, hides itself with a rootkit and checks whether the infected computer is connected to a Siemens SIMATIC (Step7) factory system. Stuxnet is designed to programmatically alter the programmable logic controllers (PLCs) used in those facilities. In an ICS environment, the PLCs automate industrial tasks such as regulating flow rate to maintain pressure and temperature. Stuxnet modifies the commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If that environment is not found, it does nothing; if it is found, Stuxnet makes complex modifications to the system. The effects of those modifications are hard to detect and vary with the actual environment. In theory, it could adjust motors, conveyor belts and pumps. It could stop a factory. With the right modifications, it could cause things to explode!

= Why Stuxnet is Difficult to Detect? =
 * Mainly, it is so complex: it uses multiple vulnerabilities and drops its own driver onto the system. Although drivers must be signed in order to load on Windows, the Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp. The stolen certificate was revoked on 16th of July, but a modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July!


 * The latest version of Stuxnet is not as destructive to files as the previous one, but it is more difficult to detect and remove from the system: this newer version can attach itself to any trusted program installed on the system, which makes it hard for anti-virus software to catch it. However, anti-virus software can detect it when the computer is running in safe mode.


 * Stuxnet can spread stealthily between computers running Windows, even those not connected to the Internet. If a worker plugs a USB stick into an infected machine, Stuxnet copies itself to the USB drive.

= What Vulnerabilities Does Stuxnet Exploit? =
 * 1) LNK (MS10-046).
 * 2) Print Spooler (MS10-061).
 * 3) Server Service (MS08-067).
 * 4) Privilege escalation via keyboard layout file.
 * 5) Privilege escalation via Task Scheduler.
 * The two privilege escalations (points 4 and 5) have not yet been patched by Microsoft.

= Why Stuxnet is Different? =
 * Let's start with an example: break into an employee's home, find his USB sticks and infect them. Then wait for the employee to take the sticks to work and infect his work computer. The infection then spreads further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it continues to spread elsewhere as well. This is why Stuxnet has spread worldwide.


 * What is unique about Stuxnet is that it uses a new method of propagation. Specifically, it takes advantage of specially crafted shortcut files (.lnk files) placed on USB drives to execute malware automatically as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable drive with an application that displays shortcut icons (such as Windows Explorer) runs the malware without any further user interaction. Stuxnet infects any USB drive attached to the system and, for this reason, the malware is classified as a worm.


 * For more information about the vulnerability ([]).


 * Two variants are identified by anti-virus signatures:
 * Worm:Win32/Stuxnet.A alias Stuxnet (McAfee), W32/Stuxnet.A.worm (Panda)
 * Worm:Win32/Stuxnet.B alias Stuxnet (McAfee), W32/Stuxnet.B.worm (Panda)


 * The most dangerous part of Stuxnet is that it automatically installs a driver signed by a well-known hardware manufacturer, Realtek Semiconductor Corp. Because the driver carries a signature from a source Windows trusts, it is installed without any prompt to the user. This driver is a rootkit that hides Stuxnet from any application, even the user's anti-virus. The worm then also copies itself onto any USB device plugged into the infected workstation, risking further propagation.


 * Also, it takes a lot of effort to analyze Stuxnet. It is unusually complex and unusually big (Stuxnet is over 1.5 MB in size).

= What is Stuxnet's Architecture? =

= How Does it Spread via USB? =
 * Stuxnet can propagate via the AutoRun feature, as well as via malformed .LNK files that exploit a vulnerability in the Windows shell. This lets Stuxnet spread easily across networked machines and, more importantly, piggy-back from machine to machine via removable drives such as USB thumb drives.
 * Disabling AutoRun in Windows will NOT stop USB worms by itself. USB worms use several other spreading mechanisms; the LNK vulnerability used by Stuxnet would infect you even with AutoRun and AutoPlay disabled. It is still worth guarding against this type of spread by applying the patch described in Microsoft Security Bulletin MS10-046 and disabling AutoRun on your computer.
 * Stuxnet can also propagate by exploiting a vulnerability in the Windows Print Spooler service. To guard against this type of spread, apply the patch described in Microsoft Security Bulletin MS10-061.
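The following PowerShell script is an added example, not part of the original page or of any Stuxnet analysis: it audits, read-only, the three mitigations this section and the driver-signing passage above describe, namely whether the MS08-067, MS10-046 and MS10-061 patches are installed, whether AutoRun is disabled for all drive types, and which kernel drivers carry an invalid or missing signature or a signature from the Realtek or JMicron subjects named on this page. The KB numbers mapped to the bulletins are the example's own assumption and should be confirmed against the Microsoft bulletin pages; the function names are hypothetical.

```powershell
# Added example (not from the original page): read-only audit of the
# Stuxnet-era mitigations described on this page. Run in an elevated
# Windows PowerShell session.

# Bulletin -> KB mapping is an ASSUMPTION of this example; verify it against
# the Microsoft Security Bulletin pages before relying on it.
$bulletins = @{
    'MS08-067 (Server Service)' = 'KB958644'
    'MS10-046 (LNK)'            = 'KB2286198'
    'MS10-061 (Print Spooler)'  = 'KB2347290'
}

# Report whether each bulletin's hotfix appears in the installed-hotfix list.
function Test-StuxnetPatches {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($entry in $bulletins.GetEnumerator()) {
        [pscustomobject]@{
            Bulletin  = $entry.Key
            KB        = $entry.Value
            Installed = ($installed -contains $entry.Value)
        }
    }
}

# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
# The page notes this does NOT stop the LNK vector; the patch check above
# covers that part.
function Test-AutoRunDisabled {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive     = $p
            Value    = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f $v }
            Disabled = (($v -band 0xFF) -eq 0xFF)
        }
    }
}

# Signature report for kernel drivers. Drivers whose signature is not Valid,
# or whose signer subject matches a vendor the page says was abused, are
# marked Review = $true for manual follow-up; this is a triage hint, not a
# verdict, since genuine Realtek/JMicron drivers are common.
function Get-DriverSignatureReport {
    $watch = @('Realtek', 'JMicron')
    Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $vendorHit = @($watch | Where-Object { $subject -match $_ }).Count -gt 0
        [pscustomobject]@{
            Driver = $_.Name
            Status = $sig.Status
            Signer = $subject
            Review = (($sig.Status -ne 'Valid') -or $vendorHit)
        }
    }
}

Test-StuxnetPatches       | Format-Table -AutoSize
Test-AutoRunDisabled      | Format-Table -AutoSize
Get-DriverSignatureReport | Where-Object Review | Format-Table -AutoSize
```

On Windows versions released after 2010 these fixes ship inside cumulative updates rather than as separately listed hotfixes, so an "Installed = False" result there means only that the KB is not listed, not that the fix is absent; the AutoRun and driver-signature checks remain meaningful on current systems.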

= ** How Does Stuxnet Reach the PLCs? ** =

media type="youtube" key="cf0jlzVCyOI" width="616" height="346" align="center"


 * For security reasons, many of the hardware devices used in industrial control systems (ICS) are not connected to the Internet (and often not networked at all). To get around this, the Stuxnet worm incorporates several sophisticated means of propagation, with the goal of eventually reaching and infecting the STEP 7 project files used to program the PLC devices.
 * For initial propagation, the worm targets computers running Windows operating systems. The PLC itself, however, is not a Windows-based system but a proprietary machine-language device.
 * To reprogram the PLC, the Stuxnet worm seeks out and infects STEP 7 project files. STEP 7 project files are used by Siemens SIMATIC WinCC, a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system used to program the PLCs.
 * Stuxnet contains various routines to identify the specific PLC model. This model check is necessary because machine-level instructions differ between PLC devices. Once the target device has been identified and infected, Stuxnet gains the ability to intercept all data flowing into or out of the PLC, including the ability to tamper with that data.

= So, What is its Mechanism? =
 * Once activated on your computer, it worms its way into the operating system. It is able to burrow deep into the system, corrupt system files and reprogram some aspects of the computer's capabilities. It can enable terrorists or cyber criminals to gain remote access to your network or system, allowing them to shut it down or issue new instructions to computers within the system.

 * Want to remove Stuxnet from your system? Read the document below:
 * Want to know more technical details about Stuxnet and Siemens? Read the document below:
 * For more information about Stuxnet, please check:
 * Stuxnet: Anatomy of a Computer Virus
 * Stuxnet 0.5: The Missing Link