Symantec Research into Stuxnet Unravels its Payload

Paul Mah

New research from Symantec has unveiled another piece of the puzzle relating to the elusive and troublesome Stuxnet malware. It's already known that the malware targets systems that control the PLC, or Programmable Logic Controller, which is a programmable microprocessor-based device typically used to control production machinery on an assembly line.


While researchers have ascertained that Stuxnet comes with a payload that will quietly modify selective bits of PLC code sent out from a controlling workstation, the very specialized nature of the changes has kept them from determining its exact purpose.


The Stuxnet Conspiracy


According to Symantec, however, the final piece of the mystery is now in place. The key clue appears to be the confirmation that Stuxnet requires the industrial control system to include a component known as a "frequency converter drive," a device used to control the speed of a motor. The malware only attempts to meddle with frequency converter drives that operate at very high speeds.


A Wired article puts it this way:

It [Stuxnet] inventories a plant's network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon ... Stuxnet targets only frequency drives from these two companies that are running at high speeds: between 807 Hz and 1210 Hz. Such high speeds are used only for select applications.

While Symantec was careful not to claim that Stuxnet was designed to target a nuclear facility, the security company did note in the same blog that

... efficient low-harmonic frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.

That's not all. The output frequency is modified only for short periods at a time, which sabotages whatever automation is in place while making detection even more difficult. To be clear: the fact that Stuxnet intercepts the commands between workstation and PLC without corrupting or replacing other software already makes it extremely difficult to detect in the first place.
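The detection difficulty described above comes from two things: the workstation's own view of what it commanded cannot be trusted once the command path is intercepted, and the tampering is brief. The monitoring sketch below is an added example, not code from the article or from Symantec; it assumes an out-of-band sensor reading the drive's actual output frequency, compares it against the setpoint the workstation reports, and groups every out-of-tolerance sample into an excursion. The telemetry, the 1064 Hz setpoint and the injected excursions are all constructed, not Stuxnet's real values.

```python
"""Added example (not from the article or Symantec): compare an independently
measured drive output frequency against the setpoint the workstation believes
it sent, and report every excursion, however short.  All telemetry below is
constructed; the frequencies are not Stuxnet's actual values."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    t: float            # seconds since the start of the monitoring window
    setpoint_hz: float  # frequency the workstation reports it commanded
    measured_hz: float  # frequency read by an out-of-band sensor at the drive


@dataclass
class Excursion:
    start: float
    end: float
    peak_delta_hz: float


def find_excursions(samples: List[Sample], tolerance_hz: float = 5.0) -> List[Excursion]:
    """Group consecutive samples whose measured frequency departs from the
    reported setpoint by more than `tolerance_hz` into excursions."""
    excursions: List[Excursion] = []
    current: Optional[Excursion] = None
    for s in samples:
        delta = abs(s.measured_hz - s.setpoint_hz)
        if delta > tolerance_hz:
            if current is None:
                current = Excursion(start=s.t, end=s.t, peak_delta_hz=delta)
            else:
                current.end = s.t
                current.peak_delta_hz = max(current.peak_delta_hz, delta)
        elif current is not None:
            excursions.append(current)
            current = None
    if current is not None:          # excursion still open at end of window
        excursions.append(current)
    return excursions


def polled_view_sees_deviation(samples: List[Sample], period_s: float,
                               tolerance_hz: float = 5.0) -> bool:
    """Emulate a check that only inspects the drive every `period_s` seconds.
    Short excursions that fall between polls are never seen."""
    return any(abs(s.measured_hz - s.setpoint_hz) > tolerance_hz
               for s in samples if s.t % period_s == 0)


def constructed_telemetry() -> List[Sample]:
    """One minute of 1 Hz samples. Constructed: a steady 1064 Hz setpoint with
    two brief injected excursions standing in for a tampered command stream."""
    samples = []
    for t in range(60):
        measured = 1064.0
        if 20 <= t <= 24:
            measured = 1300.0   # five-second excursion upward
        elif 40 <= t <= 41:
            measured = 900.0    # two-second excursion downward
        samples.append(Sample(t=float(t), setpoint_hz=1064.0, measured_hz=measured))
    return samples


if __name__ == "__main__":
    data = constructed_telemetry()
    for e in find_excursions(data):
        print(f"excursion {e.start:.0f}s-{e.end:.0f}s, peak deviation {e.peak_delta_hz:.0f} Hz")
    print("30 s polling noticed anything:", polled_view_sees_deviation(data, 30))
    print("1 s continuous monitoring noticed anything:", polled_view_sees_deviation(data, 1))
```

The design point is that the comparison baseline must come from outside the workstation-to-PLC path; a check that asks the workstation whether its own commands look right learns nothing once that path is intercepted, and a check that polls infrequently misses excursions shorter than its period.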


The Chilling Possibilities


Whether it's government-level action or industrial espionage, the entire incident highlights highly uncomfortable facts on the computer security front. For one, it has proven that the advanced state of IT integration today means that remote cyber attacks can result in "real world" damage. Rather than the unrealistic portrayal of hacking seen in some movies of yesteryear, the sombre details of Stuxnet show that such attacks can be pulled off with just a smattering of zero-day exploits and mundane ways of delivering them. My point? It is entirely possible to target an entity or corporation in a cyber attack and cause damage.


So what does this have to do with the small and mid-sized business? SMBs need to know that security lapses are no longer limited to the mid- and long-term problems that typically follow a simple data leak. Today, it is altogether possible for bank accounts to be emptied or "live" production systems to be sabotaged. While I've often belabored that security is for everyone, including SMBs, it is a topic I cannot emphasize enough. And yes, hackers are already increasingly targeting mid-sized organizations, too.
