A different kind of worm

Stuxnet virus makes industrial processes go haywire, and it is feared that some government or organisation may have created it

October 23, 2010 05:14 pm | Updated November 28, 2021 09:37 pm IST

A securityman stands next to journalists outside the reactor building at the Russian-built Bushehr nuclear power plant in Iran. Some experts believe the Stuxnet worm targeted the plant.

A computer virus of a different kind has been making waves in recent months. Stuxnet is different in that it does not launch a malicious attack that targets standalone computer systems used by individuals. Nor does it target enterprise-wide systems. Instead, it exploits multiple vulnerabilities in Windows-based computers that provide an interface to industrial control systems (ICS) that run industrial processes.

This results in industrial processes going haywire, which can be potentially devastating. Significantly, the worm targeted only a particular kind of programmable logic controller (PLC) developed by Siemens.

These small embedded industrial control systems run various automated processes in a range of industries – from large scale power plants and refineries to small and medium-sized auto component manufacturers and pharmaceutical companies.

The interface to these PLCs is usually through computers — often Windows-based systems. And, Stuxnet is essentially looking for a particular target — the Siemens SIMATIC WinCC/Step 7 controller software.

Stuxnet was discovered in June 2010 by a security firm based in Belarus. The attacks soon acquired a mystique usually associated with international spy thrillers. The worm's sophisticated design — and unusual method of targeting — led to speculation that a government (or governments acting in unison) had designed and propagated it. Specifically, the fact that one of the first targets was the Bushehr nuclear power plant in Iran strengthened apprehensions based on this line of reasoning.

Main targets

Symantec's latest security report on the worm, released earlier this month, observed: “Approximately 60 per cent of infected hosts are in Iran.” According to the report, Indonesia ranks second, accounting for about 15 per cent of the infections. Significantly, India accounts for about 10 per cent of the 40,000 “unique external IP addresses, from over 155 countries,” that Symantec observed.

Speaking to The Hindu, Sanjay Katkar, Chief Technology Officer at Pune-based Quick Heal Technologies, said the worm has “exploited at least four zero-day vulnerabilities in the system.”

A zero-day attack exploits a security hole in software before the developer (or others) has even identified the hole or the threat it poses.

Sophisticated worm

The sophisticated worm typically uses the ubiquitous USB drive to gain entry into the victim's system, says Mr. Katkar. Unlike most other viruses, which require the hapless user to invoke the virus by executing an action (such as opening an attachment or visiting a website), Stuxnet requires no such initiation to gain entry and start working. The worm also installs drivers, using legitimate digital certificates obtained from two Taiwanese companies, Realtek Semiconductor Corporation and Jmicron Technology Corporation.

Speculation on the Net focused on the Stuxnet virus as being responsible for the failure of India's INSAT-4B satellite in July, which affected the operations of several Direct to Home (DTH) TV broadcasts.

Mr. Katkar said the Stuxnet threat has been particularly difficult to address because most security labs in India do not have access to the environment in which the virus grows. Although the threat has abated significantly in the last few weeks, particularly after Microsoft plugged the holes by releasing a security patch, there have been some indications that the virus may have mutated. Although Siemens, a leading PLC supplier, has upgraded its software, two new variants of the virus emerged in July and September, Mr. Katkar said.

Strong backing

“The complexity of the virus”, Mr. Katkar said, “makes me believe that the virus originated with strong organisational backing.” “It would have required well-motivated research and development and a team, which is not normally seen in hackers of security systems,” he remarked. “It has certainly not been unleashed by an individual,” he asserted.

Quick Heal, which has offered solutions to the problem in India, reported about 16,000 infections per day in September.

Mr. Katkar said the number has been “declining by the day since then.” The company has provided solutions to address the virus threat in small and medium units that manufacture telecommunications equipment, pharmaceuticals, automobiles and auto components and several other industries.

“The Stuxnet threat may have abated, but it is still spreading, although at a slower rate,” Mr. Katkar remarked.
