What the Stuxnet virus is and why it was so successful


I mean Worm not Virus


Stuxnet was a virus probably designed by the CIA and/or Mossad. It had one goal and one goal only: to fuck up the centrifuges Iran used to enrich uranium, and it was successful. It successfully delayed Iranian efforts to build nuclear weapons, it fucked up the equipment Iran used, and only recently was Iran caught having enriched uranium to 85-ish%.

That said, Stuxnet was a delay tactic. It was never meant to prevent Iran from developing nuclear weapons; it was meant to delay Iran's ability to develop nukes. If you want to go into conspiracy territory, you need only look at the map of that part of the world in the early 2000s. The US had invaded Afghanistan in 2001 and Iraq in 2003, and smack dab in the middle, right between the two, was Iran. It's easy to speculate that maybe, just maybe, the US was thinking of invading Iran too at the time.

The other commenter has already answered what it was.

Why was it so successful?

1. It was probably developed by one of the best cyber security agencies in the world (Mossad / Israel) in partnership with a country with really, really deep pockets and a huge intelligence industry (the USA).

2. It was orders of magnitude more complex and involved than any other malware before it, using 4 different 0-day exploits (exploits in software that aren't known to the vendor/public). Pretty much every piece of malware uses no 0-days, with the best ones using one or two. To give you a sense of scale, these 0-day exploits are valued in the hundreds of thousands to millions of euros.

3. It was, IIRC, the first time a country used malware to attack another country (that the public knows of), so it was pretty much unexpected.

4. The attackers were lucky that such a complicated piece of malware worked.

It was successful because it was a relatively novel approach: exploiting a very common vulnerability in colossal quantities in the hope that if it infected enough Windows machines, some of them would be the ones in contact with the PLCs of the centrifuges used in uranium depletion, or enrichment, or whatever they were using to develop their nuclear weaponry.

It's said that at one point over half of all Iranian Windows machines were infected. The worm would then keep infecting all flash drives the computer interfaced with, hoping to get transported to a matching PLC, where it would lie in wait for a scheduled, delayed execution.

That is its last "advantage": since it didn't mess up the centrifuges as soon as it infected them, it was much harder to spot. It's almost certain that if it had taken them out one by one, they would have stopped the spread much sooner.

So, there are lots of explanations of what Stuxnet was, who likely made it, and what it was for. But for an explanation of how it worked:

Stuxnet was a computer worm, which is a particular kind of virus. You might have heard the term before, but it's fairly rare because worms are much harder to create than other viruses. The defining feature of a worm is that worms can spread on their own, with no outside assistance. Most viruses require you to do something like download a shady infected file, or run an infected program, or otherwise do something to "activate" the virus. Worms, however, can run *themselves*, and usually in a way that the user doesn't even notice.

This worm would install itself on any kind of portable storage, such as a flash drive, that was plugged into an infected computer. Once the drive was infected, it would automatically run an infection script to install Stuxnet on any computer that it was plugged into, allowing it to silently spread.

Once Stuxnet was installed onto a machine, it would install a rootkit to ensure it was difficult to remove. Rootkits are another class of virus that are more difficult to create than usual — they are capable of taking complete control of the target machine (in other words, they are a kit to gain “root” access). Once they have root control, they are able to hijack and fool any other software on the machine, including things like antivirus that would otherwise be able to detect and remove the virus.

The final part of Stuxnet was the payload, which is the actual malicious software that it was trying to execute. For Stuxnet, the purpose of the payload was incredibly specialized — it attempted to infect a very specific kind of computer that was used in industrial settings, most notably in Iran’s uranium centrifuges. These machines were not directly connected to the internet, which is why the worm was designed to spread via flash drives. Once Stuxnet detected that it was plugged into one of these target machines, it would deploy its malware payload that would do several things:

1. It would install another rootkit specifically designed to infiltrate a particular model of Siemens industrial equipment connected to a particular kind of industrial motor running at a frequency that pretty much only uranium gas centrifuges operate at.
2. The rootkit would take over control of the motor, while sending fake signals to the control computer to make it look like they were running normally, so that the operators didn't notice anything wrong with them.
3. The rootkit would then modify the maximum speed of the uranium centrifuges to far, far past the safe limit for 15 minutes, before returning to normal speed. This put stress on the centrifuges and warped them.
4. It would then lie dormant for 27 days, to make detection more difficult.
5. Finally, it would suddenly slow the centrifuges down to much, much lower speeds than they were meant to handle. Combined with the warping caused by the earlier overspeed, this was intended to cause them to catastrophically fail and destroy themselves.

Finally, if Stuxnet did *not* detect any industrial centrifuge equipment, it was designed to silently self-delete on June 24, 2012.

Stuxnet's design was incredibly complex, used a number of so-called "0-day exploits" (security holes that are not yet known to security researchers, ensuring that no patches for them exist), and was remarkably gentle to all the computers it installed itself on except the targeted industrial centrifuges, causing no lasting harm and eventually deleting itself. All of these factors made it very clear to security researchers that this was almost certainly a virus designed by a nation-state actor specifically to disrupt Iranian uranium processing while causing minimal collateral damage. (It's generally believed to have come from a joint US-Israeli team of hackers.)
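The comment above describes a pattern that is worth seeing in running code: the payload drives the motor off-nominal on a schedule (15 minutes over, 27 days quiet, then under) while the operator's screen is fed replayed recordings of normal telemetry. The model below is an added example written for this page, not Stuxnet's code or anything from the original commenter. It simulates a single drive, a telemetry spoofer that records a benign window and replays it, and the one defensive check that actually catches this class of attack: an independent measurement compared against what the HMI is shown. All frequencies, timings and the `run`/`attacker_setpoint` helpers are constructed for illustration and are not real plant parameters.

```python
"""Toy model of telemetry replay during an off-nominal drive command.

Constructed example: the numbers are illustrative, not Stuxnet's or any plant's.
Ticks are minutes. The attacker records one hour of benign readings, then
replays them to the HMI for the rest of the run while commanding the drive
through the schedule the comment describes.
"""
from dataclasses import dataclass

NOMINAL_HZ = 1064.0     # assumed nominal drive frequency (illustrative)
SAFE_MAX_HZ = 1200.0    # assumed safe ceiling (illustrative)
SAFE_MIN_HZ = 900.0     # assumed safe floor (illustrative)

MIN = 1
HOUR = 60 * MIN
DAY = 24 * HOUR

RECORD_LEN = 1 * HOUR                  # benign window the spoofer captures first
OVERSPEED_HZ, OVERSPEED_LEN = 1410.0, 15 * MIN
DORMANT_LEN = 27 * DAY                 # drive runs normally, nothing to see
UNDERSPEED_HZ, UNDERSPEED_LEN = 2.0, 50 * MIN


@dataclass
class Drive:
    """Frequency converter: holds the frequency it is actually commanded to."""
    actual_hz: float = NOMINAL_HZ


class ReplaySpoofer:
    """Sits between the drive and the HMI. Records benign telemetry, then
    loops that recording back to the operator regardless of the real value."""

    def __init__(self):
        self.recorded = []
        self.i = 0

    def record(self, hz):
        self.recorded.append(hz)

    def replay(self):
        hz = self.recorded[self.i % len(self.recorded)]
        self.i += 1
        return hz


def attacker_setpoint(t):
    """Setpoint the payload forces at tick t, or None to leave the drive alone."""
    t -= RECORD_LEN
    if t < 0:
        return None                      # still recording, behave normally
    if t < OVERSPEED_LEN:
        return OVERSPEED_HZ              # 15 minutes far above the safe limit
    t -= OVERSPEED_LEN
    if t < DORMANT_LEN:
        return None                      # 27 days of normal operation
    t -= DORMANT_LEN
    if t < UNDERSPEED_LEN:
        return UNDERSPEED_HZ             # sudden crawl, well below the safe floor
    return None


def benign_reading(t):
    """Normal telemetry with a little deterministic jitter (constructed)."""
    return NOMINAL_HZ + ((t * 7) % 5) * 0.1


def run(independent_sensor=True, tolerance_hz=5.0):
    """Simulate the whole schedule. Returns what the HMI saw, what the drive
    really did, and the first tick at which an out-of-band check fired."""
    drive, spoof = Drive(), ReplaySpoofer()
    total = RECORD_LEN + OVERSPEED_LEN + DORMANT_LEN + UNDERSPEED_LEN + HOUR
    hmi_max = hmi_min = actual_max = actual_min = NOMINAL_HZ
    first_alert = None
    for t in range(total):
        sp = attacker_setpoint(t)
        drive.actual_hz = sp if sp is not None else benign_reading(t)
        if t < RECORD_LEN:
            spoof.record(drive.actual_hz)
            shown = drive.actual_hz      # honest telemetry while recording
        else:
            shown = spoof.replay()       # HMI only ever sees the benign loop
        hmi_max, hmi_min = max(hmi_max, shown), min(hmi_min, shown)
        actual_max, actual_min = max(actual_max, drive.actual_hz), min(actual_min, drive.actual_hz)
        # The check: a sensor the compromised path cannot touch (e.g. a power
        # meter or vibration probe feeding a separate logger) disagrees with
        # the reported value by more than normal jitter allows.
        if independent_sensor and first_alert is None \
                and abs(drive.actual_hz - shown) > tolerance_hz:
            first_alert = t
    return {"hmi_max": hmi_max, "hmi_min": hmi_min,
            "actual_max": actual_max, "actual_min": actual_min,
            "first_alert": first_alert}


if __name__ == "__main__":
    for label, kw in (("HMI only", {"independent_sensor": False}),
                      ("HMI + independent sensor", {})):
        print(label, run(**kw))
```

With only the HMI, the operator's view never leaves the 1064 Hz band while the drive actually hits 1410 Hz and 2 Hz; with an independent measurement the discrepancy fires at the first overspeed minute, which is exactly why out-of-band sensing (or at least cross-checking two independent paths) is the standard recommendation for safety-critical drives.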

Stuxnet was a 0-day exploit, meaning the centrifuges' controlling systems in the plant were infected with the original software release for the centrifuges. Siemens, the manufacturer of the equipment and software, released the exploit with its production installations. The worm was given to five different companies who were working with Siemens. The worm was introduced into these subcontractors via thumb drives that were plugged into desktops by employees of the subcontractors, and Siemens' internal systems were infected by interfacing with these subcontractors. Stuxnet was successful because it didn't cripple the machines quickly: by regulating the centrifuge speed it would cause physical failures in the equipment, and because the failures were mechanical they didn't look for software exploits for a long time. The exploit was specifically targeted at unique machines used in this plant.