Federal experts on the trail of the Stuxnet virus

By Max Cacas
Federal News Radio

The Homeland Security Department has been tracking one of the most dangerous computer malware attacks since it emerged in July.

And so far, Stuxnet hasn’t had any malicious effect on industrial systems and networks in the United States, but DHS knows the potential harm to industrial systems it could cause and that makes it worth watching and tracking very, very closely.

Sean McGurk, director of the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), in a briefing with reporters Friday waved a USB thumb drive hanging from a lanyard around his neck, declaring, “This is actually Stuxnet.”

Experts believe Stuxnet is being spread from computer to computer using widely available portable memory devices, and McGurk said he has a copy of the virus on his thumb drive for testing and monitoring purposes.

“Stuxnet is going in and manipulating devices in native code, and by that I mean it actually lets you take control of systems, but more importantly, from an intellectual property standpoint, what Stuxnet enables you to do is let you read at the manufacturing level how things are made,” he said.

McGurk likened the abilities of the Stuxnet virus to being able to determine how Coca-Cola is made, not by reading the formula for mixing the product, but by reading the operating system of the machine that mixes the ingredients together.

Cybersecurity experts at Symantec say that 60 percent of the computers worldwide affected by the Stuxnet virus are in Iran, and suggest that industrial plants in that country were the targets, according to a report by Reuters.

Experts have been able to locate the IP addresses of the infected systems, and thus are able to track the spread of the virus on more than 62,000 systems in Iran alone.

Reuters also reports that the virus has been found on systems in Indonesia, India, Australia, Britain, Malaysia, Pakistan — and the United States.

McGurk said of particular concern is that the virus targets the operating system of a specific company’s products, which are used in a wide variety of applications.

“The payload, or the malcode, focuses on a Siemens platform,” he said. “It runs in a Windows environment. It’s Siemens software, and the hardware is also Siemens. It’s used in several industries around the world. It’s not just power facilities. It’s used in the United States in pharmaceutical companies, it’s used in water purification companies, and it’s used in chemical manufacturing facilities.”

McGurk says he has had people carefully studying and examining the Stuxnet virus in DHS’s malware laboratories here in the States. So far, this is what they know about how it does what it does.

“It takes advantage of a vulnerability in an operating system in the Windows operating platform, and loads a series of files, which then loads another series of files. And it starts spreading through the network, like a virus that you would identify. It looks for a particular combination of a software code, and an application, and a platform. If it finds something, it starts manipulating some of the settings. If it doesn’t see anything, it remains dormant and it sits there.”

Symantec said a snippet of computer code known as a rootkit makes it possible for the virus to hide itself on a system. McGurk said Stuxnet also focuses on hardware known as programmable logic controllers.

McGurk added that both Microsoft and Symantec have created patches to handle the vulnerability that the Stuxnet virus exploits. So far, DHS and companies are keeping an eye on the potential malicious capabilities of this piece of malware.

“So far, we haven’t seen any impacts or effects of what it does,” McGurk said. “We know it has the capability of physically addressing a component, but so far, we haven’t seen it do anything.”

McGurk said the DHS Malware lab has been working with the Stuxnet virus.

“In our malware lab, we actually have this hardware and software, and I’ve let this run wild to see what it would do, and so far, we haven’t seen a lot of smoke coming out,” he said.

McGurk refused to speculate on who might have created the Stuxnet virus, but many in the cybersecurity community believe that only a nation state would have the resources to create a piece of malware with the powerful feature set of Stuxnet.

German cyber expert Ralph Langner wrote in a blog post last week that Iran’s Bushehr nuclear power plant may have been the target of the Stuxnet malware, attempting to exploit the fact that parts of the plant were built with the help of Siemens almost 30 years ago, and that the nuclear plant’s systems use unlicensed copies of the Windows operating system.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)