
The Stuxnet worm not just malware, but possibly part of a Black operation?

3 replies to this topic

#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA
  • Local time:07:32 PM

Posted 22 September 2010 - 08:06 PM

Security researcher Ralph Langner has stated that, after thorough analysis, the Stuxnet worm was designed to attack a specific target. This target is possibly Iran's Bushehr nuclear plant. The Stuxnet malware is a worm that was created to target industrial control systems in order to take control of industrial facilities, such as power plants. Ralph states that analysis of the malware shows that it does not target all industrial control systems but rather a very specific installation, and does not perform any actions until certain criteria are met. Once those criteria are met, it has the ability to reprogram the control system so that it literally takes control over the facility. Ralph states in his analysis:
Interpretation: Stuxnet manipulates a fast running process. Based on process conditions, the original code that controls this fast running process will no longer be executed. (Some people will now want to have their process engineers explain what the DEADF could mean.) After the original code is no longer executed, we can expect that something will blow up soon. Something big.
Ralph also theorizes that the target may have been Iran's Bushehr nuclear plant due to the fact that 58% of the infections were located in Iran. He states:
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half years before the scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells. Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc.? Strange for such a directed attack. Then, on the other hand, probably not. Check who commissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company too doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (http://www.atomstroyexport.com/index-e.htm) that tries to download stuff from a malware site that had been shut down more than two years ago (www.bubamubaches.info). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.
I could give some other hints that have a smell for me but I think other researchers may be able to do a much better job on checking the validity of all this completely non-technical stuff. The one last bit of information that makes some sense for me is the clue that the attackers left in the code, as the fellows from Symantec pointed out -- use your own imagination because you will think I'm completely nuts when I tell you my idea.
Ralph also feels that the sophistication of this malware points to a team of expert coders and security professionals with specific skills and expertise rather than a malware developer working alone. The scary thought is that this type of malware represents a new facet of cyberwarfare and should be viewed not only as malware, but as a piece of a bigger operation that targets a specific physical device or location.

There is a lot of very interesting information at all of the sites listed below for those who are looking for more information.



#2 Andrew


    Bleepin' Night Watchman

  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:04:32 PM

Posted 23 September 2010 - 01:58 PM

As an interesting addendum: it seems that the vulnerability in the Windows print spooler, which is one of the vulnerabilities that Stuxnet exploits, was not a zero-day exploit, since it had been discovered and published a full year and a half before Stuxnet emerged and Microsoft patched the service.


#3 aureagle


  • Members
  • 1 posts
  • Local time:04:32 AM

Posted 23 September 2010 - 03:52 PM

Stuxnet sounds like a cool but dangerous piece of software, but if you ask me, I think that the possibilities about this software are just mere guesses and not realities... maybe it's what they're saying, but maybe it's nothing... we don't know for sure. And the media mostly try to frighten people just to increase the ratings!!!

#4 Casey_boy


    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:11:32 PM

Posted 27 September 2010 - 03:52 AM

The BBC are reporting, today, that PCs of some staff at the Bushehr nuclear plant have indeed been infected with the Stuxnet worm. No reports, yet, that it has actually hit any control systems.

A complex computer worm has infected the personal computers of staff at Iran's first nuclear power station, the official IRNA news agency reported.



Edited by Casey_boy, 27 September 2010 - 03:55 AM.
