Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

W32.Stuxnet Dossier

Created: 01 Oct 2010 06:50:21 GMT • Updated: 23 Jan 2014 18:24:41 GMT • Translations available: 日本語
Eric Chien's picture
+3 3 Votes
Login to vote

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. On top of finding elements we described in the ongoing Stuxnet summer blog series, you will find all technical details about the threat’s components and data structures, as well as high level information, including:

  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector

The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded here.

Our investigations into Stuxnet started on July 13 of this year when the Symantec Security Response team began a journey full of surprises, wrong turns, frustrating moments, and moments of validation. Virusblokada, a security company in Belarus, announced they found a new interesting malware sample using an unpatched vulnerability to spread to removable drives and much of the media focused on the zero-day vulnerability. However, there was much more. Soon people began describing a threat now known as Stuxnet as a tool for cyber espionage stealing design data for industrial control systems, such as gas pipelines and power plants.

Stuxnet then had difficulty shedding those initial reports with most only noting its use of a zero-day exploit and its ability to potentially steal design documents. Only more recently did the general public realize Stuxnet’s ultimate goal was to sabotage an industrial control system.

Analyzing Stuxnet has been one of the most challenging issues we have worked on. The code is sophisticated, incredibly large, required numerous experts in different fields, and mostly bug-free, which is rare for your average piece of malware. Stuxnet is clearly not average. We estimate the core team was five to ten people and they developed Stuxnet over six months. The development was in all likelihood highly organized and thus this estimate doesn’t include the quality assurance and management resources needed to organize the development as well as a probable host of other resources required, such as people to setup test systems to mirror the target environment and maintain the command and control server.

When looking through our archive, we were able to find a sample from June 2009. Therefore the attackers had been active for at least a year. We would not be surprised if they started even prior to that.

Typical threats attack virtual or individual assets like credit card numbers. The real-world implications of Stuxnet are beyond any threat we have seen in the past and despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.

In addition, we want to acknowledge the entire Symantec Security Response Team. Analyzing Stuxnet was a huge effort that involved many individuals who worked tirelessly to uncover Stuxnet’s ultimate motivation. Without each individual’s contribution, our exclusive analysis would have not been possible.

Finally, while we believe we have uncovered all the major and even minor details of Stuxnet, the ultimate target of Stuxnet remains unknown. We have reversed and extracted all the STL code used, but the STL code does not provide any context of what it is controlling in the real world. For those that aren’t familiar with ICS systems, essentially the STL code will set a certain address to a number. But what is behind that address – a pump, a centrifuge, a conveyor belt – cannot be seen from the code. However, we suspect there might be some common constructs, such as certain values you’d only see when activating a centrifuge versus a pump used in STL coding that might give more clues to the target. Therefore if you are a verifiable expert in STL coding that has worked in multiple critical infrastructure industries and coded large STL programs for large industrial control systems in those multiple industries and wish to help, please contact me. You can click on my name at the top to send me a private message.  

Here is the link again to our comprehensive paper: W32.Stuxnet Dossier.