Stuxnet: Propagation


What is Stuxnet?

Stuxnet is a computer worm named for .stub and mrxnet.sys, two keywords in its source code. As malware on an infected USB flash drive, it could spread to a Windows computer through zero-day exploits and then to any other flash drives subsequently connected to that computer [1]. Stuxnet could also spread over network connections, but it was the worm's ability to infect USB flash drives that let it infiltrate industrial networks not connected to the Internet.

Once the worm had infected a computer, it ran with high-level permissions and could impair other programs' functionality. Stuxnet is infamous for attacking computers in an Iranian uranium enrichment facility and causing the machinery they controlled to break down, but it actually infected computers in 155 countries, including the United States [2]. Although the worm was probably introduced at multiple source locations by its creators, the sheer number of countries it reached is a testament to its ability to propagate and proliferate.

[Figure: Diagram of Stuxnet's spread. How Stuxnet infiltrated the Natanz enrichment facility and spread within the network [3]]

How did Stuxnet get into Iran's enrichment facility?

The networks of many industrial facilities (especially top-secret nuclear facilities) are not connected to the Internet, making it much harder to introduce malware into the system. Stuxnet was physically brought to the uranium enrichment facility in Natanz, Iran, by a person carrying an infected USB stick.

We do not know for sure who this person was or whether they intended to infect the facility. Stuxnet log files [4] indicate that the worm first targeted other companies associated with Iran's nuclear program and with the Natanz facility. These companies could have been independently targeted, but Stuxnet's creators likely hoped that their employees would visit Natanz and bring the worm with them. Additionally, according to an Industrial Safety and Security Source report [5], anonymous US intelligence sources have suggested that a double agent employed at the Natanz facility deliberately introduced Stuxnet to the system with an infected USB stick.

How did Stuxnet get from device to device?

Once installed on a computer, Stuxnet could use remote procedure calls to spread to other computers on shared local networks [6]. There is controversy [7] about whether Stuxnet was capable of spreading across Internet connections. The most important way Stuxnet spread was through USB flash drives, which let it penetrate industrial systems that were disconnected from the Internet and thought to be safe from malware.

Stuxnet spread from USB flash drives to Windows computers by exploiting a vulnerability in Windows autorun and shortcut handling. It could spread even if users never intentionally executed a program on a flash drive [8]. Early versions of the worm used an autorun file on infected USB drives to execute the malware automatically when the drive was plugged into a computer.

Later versions of Stuxnet relied on malicious "shortcut" files to spread. An infected flash drive contained both the worm itself and a malicious shortcut file pointing to it. If a user merely viewed the icons of the drive's contents in a program such as Windows Explorer, the shortcut was processed and the malware executed, spreading the worm to the computer.

Similarly, once Stuxnet had infected a computer, the worm could copy itself to any flash drive subsequently connected to that computer and then spread from that drive to other computers.
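The autorun and shortcut vectors described above are something a defender can look for before a removable drive is trusted. The script below is an added example (not code from the original page or from any published Stuxnet analysis): it walks a mounted drive, reports any autorun.inf, and parses each .lnk file far enough (the fixed Shell Link header plus the StringData strings) to flag shortcuts whose icon or target path refers to a DLL or CPL stored on the removable drive itself. The drive contents, file names, and the E: drive letter are constructed for the demo; the "library on the removable drive" heuristic is an assumption of this example, not a statement about how Stuxnet's shortcut files were built.

```python
"""Removable-media triage for autorun files and suspicious shortcuts (added example)."""
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the MS-SHLLINK format
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LIBRARY_EXTENSIONS = (".dll", ".cpl")   # files Explorer would load as code, not data


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; IDList and LinkInfo are skipped by size."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]     # LinkFlags follow HeaderSize + CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                   # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                             # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for flag, name in STRING_FIELDS:                      # CountCharacters, then the characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += 2 + count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def refers_to_drive(path: str, drive_letter: str) -> bool:
    """True if a shortcut path resolves onto the scanned drive (its letter, or relative)."""
    lower = path.lower().strip()
    if lower.startswith("%"):                  # environment-relative, e.g. %SystemRoot%\...
        return False
    if ":" in lower:
        return lower.startswith(drive_letter.lower() + ":")
    return True                                # bare or .\ path: relative to the .lnk itself


def assess_shortcut(fields: dict, drive_letter: str) -> list:
    """Heuristic findings for one parsed shortcut (assumption: libraries on the stick are suspect)."""
    findings = []
    for key in ("icon_location", "relative_path"):
        value = fields.get(key, "")
        if value and value.lower().endswith(LIBRARY_EXTENSIONS) and refers_to_drive(value, drive_letter):
            findings.append(f"{key} loads a library from the removable drive: {value}")
    return findings


def scan_drive(root: str, drive_letter: str) -> list:
    """Walk the drive; return sorted (relative file name, finding) pairs."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, rel = os.path.join(dirpath, name), os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() == "autorun.inf":
                results.append((rel, "autorun.inf present: AutoRun could launch a program on insertion"))
            elif name.lower().endswith(".lnk"):
                try:
                    with open(path, "rb") as fh:
                        results += [(rel, f) for f in assess_shortcut(parse_lnk(fh.read()), drive_letter)]
                except ValueError as exc:
                    results.append((rel, f"unparseable shortcut: {exc}"))
    return sorted(results)


def build_demo_lnk(relative_path: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and ICON_LOCATION (demo data)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, IS_UNICODE | HAS_RELATIVE_PATH | HAS_ICON_LOCATION)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    body = b""
    for text in (relative_path, icon_location):           # spec order: RELATIVE_PATH before ICON_LOCATION
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def demo() -> list:
    """Build a constructed 'drive' in a temp dir and scan it as if it were E:."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:          # constructed
            fh.write("[autorun]\nopen=setup_demo.exe\n")
        with open(os.path.join(root, "readme.lnk"), "wb") as fh:         # benign: system icon, text target
            fh.write(build_demo_lnk("docs\\readme.txt", "%SystemRoot%\\system32\\shell32.dll"))
        with open(os.path.join(root, "photos.lnk"), "wb") as fh:         # icon pulled from a DLL on the stick
            fh.write(build_demo_lnk("docs\\photos.txt", ".\\icons_demo.dll"))
        return scan_drive(root, "E")


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Run against a real drive with `scan_drive("/media/usb", "E")`; the parser deliberately stops after StringData, so shortcuts with unusual extra data blocks still parse, and any file that fails the header check is reported rather than skipped.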

How did Stuxnet spread without being detected?

Stuxnet was designed to limit the acceleration of its spread by infecting at most three computers from a single flash drive, and it was coded to stop spreading to other devices by June 2012 [9]. Additionally, Stuxnet was very good at hiding on systems. It covered its tracks by using stolen digital certificates to trick the operating system into letting it install a rootkit [10]. A rootkit is software that gains root access to a machine and then shows the human administrator only what the software wants them to see [11]. Because the malware had root access, it could disguise malicious activity as normal system activity and keep anti-malware tools from functioning normally.

Stuxnet was also extremely targeted in its actual attacks. If the worm had wreaked havoc on any old computer it encountered, like typical malware, people would have noticed the havoc and investigated the problem. Instead, while the worm could replicate and spread to many computers, it remained dormant and didn't do anything else to a computer it had infected unless certain conditions were met.

Stuxnet was designed to look for computers on the same industrial SCADA network as PLCs with particular configurations, effectively targeting computers in Iran's uranium enrichment facility. The constraints were that the PLC had to be attached to a variable-frequency drive (a device that controls motor speeds) from one of two specific vendors known to be used in Iranian nuclear facilities, and that the machine attached to the PLC had to contain a motor that normally spins between 807 and 1210 Hz [12], matching the nuclear centrifuges Iran used.
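The operating band quoted above (807 to 1210 Hz) is the kind of process invariant a plant can monitor independently of the PLC. The script below is an added example, not code from the original page: it parses drive telemetry lines and raises one alert per sustained excursion outside the band, ignoring single transient readings and malformed lines. The log format, the PLC and drive names, the sample values, and the two-reading persistence threshold are all assumptions constructed for the example.

```python
"""Operating-band monitor for variable-frequency-drive telemetry (added example)."""
import re
from collections import defaultdict

NORMAL_BAND_HZ = (807.0, 1210.0)   # band stated on the page for the targeted centrifuge motors

# Constructed telemetry format: <timestamp> plc=<name> drive=<id> freq_hz=<value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+plc=(?P<plc>\S+)\s+drive=(?P<drive>\S+)\s+freq_hz=(?P<hz>-?\d+(?:\.\d+)?)$")

# Constructed sample: vfd-2 dips below the band once, vfd-1 climbs above it and stays there
SAMPLE_LOG = """\
2010-06-01T08:00:00Z plc=cascade-01 drive=vfd-1 freq_hz=1064
2010-06-01T08:00:00Z plc=cascade-01 drive=vfd-2 freq_hz=1063
2010-06-01T08:00:10Z plc=cascade-01 drive=vfd-1 freq_hz=1065
2010-06-01T08:00:10Z plc=cascade-01 drive=vfd-2 freq_hz=798
2010-06-01T08:00:20Z plc=cascade-01 drive=vfd-1 freq_hz=1298
2010-06-01T08:00:20Z plc=cascade-01 drive=vfd-2 freq_hz=1062
2010-06-01T08:00:30Z plc=cascade-01 drive=vfd-1 freq_hz=1305
this line is not telemetry
2010-06-01T08:00:40Z plc=cascade-01 drive=vfd-1 freq_hz=1310
"""


def parse_line(line: str):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "plc": m["plc"], "drive": m["drive"], "hz": float(m["hz"])}


def in_band(hz: float, band=NORMAL_BAND_HZ) -> bool:
    """True when the commanded frequency lies inside the normal operating band."""
    return band[0] <= hz <= band[1]


def detect_excursions(lines, band=NORMAL_BAND_HZ, min_consecutive=2):
    """Return (alerts, skipped_lines). One alert per run of >= min_consecutive
    out-of-band readings on the same PLC/drive; the run resets when a reading is back in band."""
    runs = defaultdict(list)      # (plc, drive) -> consecutive out-of-band readings
    alerted = set()               # keys whose current run has already produced an alert
    alerts, skipped = [], 0
    for line in lines:
        reading = parse_line(line)
        if reading is None:       # count malformed input instead of crashing on it
            skipped += 1
            continue
        key = (reading["plc"], reading["drive"])
        if in_band(reading["hz"], band):
            runs[key].clear()
            alerted.discard(key)
            continue
        runs[key].append(reading)
        if len(runs[key]) >= min_consecutive and key not in alerted:
            alerted.add(key)
            alerts.append({"plc": reading["plc"], "drive": reading["drive"],
                           "first_ts": runs[key][0]["ts"],
                           "hz": [r["hz"] for r in runs[key]]})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_excursions(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['plc']}/{a['drive']} left {NORMAL_BAND_HZ} at {a['first_ts']}: {a['hz']}")
    print(f"{bad} malformed line(s) skipped")
```

Feed it `sys.stdin` or a file object instead of `SAMPLE_LOG.splitlines()` for real telemetry; the persistence threshold trades a little latency for fewer alerts on single-sample glitches, and lowering it to 1 turns the monitor into a plain band check.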

  1. Terdiman, Daniel.
  2. Falliere, Nicholas, Liam Murchu, and Eric Chien.
  3. Diagram created by Anne Grosse.
  4. Zetter, Kim.
  5. Sale, Richard.
  6. Stevenson, Alastair.
  7. Leyden, John.
  8. Mueller, Paul and Babak Yadegari.
  9. Mueller and Yadegari.
  10. "Kaspersky Lab provides its insights on Stuxnet worm"
  11. "Rootkits, Part 1 of 3: The Growing Threat"
  12. Chien, Eric.