How digital detectives deciphered Stuxnet, the most menacing malware in history

July 16, 2011

(If you read just one thing this weekend, let this be it.)

If you guys haven't been following this story, then you've been missing out on what no doubt is the wildest and scariest better-than-fiction cyber-drama ever to be set in motion. I just can't get enough of it, and I feel like new information keeps emerging.

Let's see if these choice bits can entice you into spending an hour with this 10,000-word(!) article, which is by far the most informative and engaging I've seen on the subject. (Be warned: Once you start reading it you won't be able to stop.)

What most stood out, though, was the way the malware hid those functions. Normally, Windows functions are loaded as needed from a DLL file stored on the hard drive. Doing the same with malicious files, however, would be a giveaway to antivirus software. Instead, Stuxnet stored its decrypted malicious DLL file only in memory as a kind of virtual file with a specially crafted name.

It then reprogrammed the Windows API -- the interface between the operating system and the programs that run on top of it -- so that every time a program tried to load a function from a library with that specially crafted name, it would pull it from memory instead of the hard drive. Stuxnet was essentially creating an entirely new breed of ghost file that would not be stored on the hard drive at all, and hence would be almost impossible to find. […]
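A defender-side check for the "ghost file" trick just described, as an added example that is not from the article or the original post: given a loaded-module listing, flag modules whose reported path has no file behind it on disk or could not be a file name at all. The record layout, process names and module paths are constructed for the example.

```python
import os
import re
from typing import Callable, Dict, Iterable, List

# Characters that cannot occur in a Windows file name; a colon is legal only
# as the drive separator. A reported module path containing them cannot be a
# real file on disk, so the module was loaded from somewhere else (memory).
_ILLEGAL = re.compile(r'[<>"|?*:]')

def is_plausible_file_path(path: str) -> bool:
    """True if `path` could be a real on-disk module path."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # drop 'C:'
    return bool(body) and not _ILLEGAL.search(body)

def find_ghost_modules(records: Iterable[Dict[str, str]],
                       exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Flag loaded modules with no backing file on disk.

    `records` are dicts with 'pid', 'process' and 'module' (the path the
    loader reports). `exists` is injectable so the logic can run against a
    constructed picture of the disk instead of the live file system.
    """
    return [r for r in records
            if not is_plausible_file_path(r["module"]) or not exists(r["module"])]

# Constructed sample of a loaded-module listing (hypothetical names; none are
# taken from a real Stuxnet sample). The last two entries are the kind of
# memory-only module the text describes: one with an ordinary-looking name that
# simply has no file behind it, one with a name no real file could have.
SAMPLE_RECORDS = [
    {"pid": "1204", "process": "lsass.exe", "module": r"C:\Windows\System32\kernel32.dll"},
    {"pid": "1204", "process": "lsass.exe", "module": r"C:\Windows\System32\ntdll.dll"},
    {"pid": "1204", "process": "lsass.exe", "module": r"C:\Windows\System32\kern3l32x.dll"},
    {"pid": "2288", "process": "explorer.exe", "module": r"C:\Windows\System32\ghost?module.dll"},
]

# Constructed view of what is actually present on disk for the sample above.
_FAKE_DISK = {SAMPLE_RECORDS[0]["module"], SAMPLE_RECORDS[1]["module"]}

def demo() -> List[str]:
    """Run the check over the constructed sample; returns flagged module paths."""
    return [r["module"] for r in find_ghost_modules(SAMPLE_RECORDS, exists=_FAKE_DISK.__contains__)]

if __name__ == "__main__":
    for m in demo():
        print("module with no file on disk:", m)
```

On a live Windows host the same `find_ghost_modules` can be fed the output of a module enumerator with the default `os.path.exists`, which is the check that a memory-only module fails.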

The sophistication of the code, plus the fraudulent certificates, and now Iran at the center of the fallout made it look like Stuxnet could be the work of a government cyberarmy -- maybe even a United States cyberarmy. […]

Whether the "bad guy" was the United States or one of its allies, the attack was causing collateral damage to thousands of systems, and Symantec felt no patriotic duty to preserve its activity. "We're not beholden to a nation," Chien said. "We're a multinational, private company protecting customers." […]

It appeared the attackers were targeting systems they knew were not connected to the internet. And given that they were using four zero-days to do it, the targets had to be high-value. […]

Falliere determined that Stuxnet had three main parts and 15 components, all wrapped together in layers of encryption like Russian nesting dolls. Stuxnet decrypted and extracted each component as needed, depending on the conditions it found on an infected machine. […]

The fact that Stuxnet was injecting commands into the PLC and masking that it was doing so was evidence that it was designed, not for espionage as everyone had believed, but for physical sabotage. The researchers were stunned. It was the first time anyone had seen digital code in the wild being used to physically destroy something in the real world. […]

Murchu began noticing weird clicking noises on his phone, and one Friday told Chien and Falliere, "If I turn up dead and I committed suicide on Monday, I just want to tell you guys, I'm not suicidal."
