Updated W32.Stuxnet Dossier is Available

When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu, and Eric Chien in September, we mentioned we’d likely continue to make revisions.

We have two major updates to the paper and some other minor changes throughout. A summary of these updates follows and more detailed information can be found in the paper. Please note that these new details are included in version 1.4 or higher.

First, in September, we mentioned that Stuxnet records a timestamp along with other system information within itself each time a new infection occurs. However, at the time, this information was largely useless as we did not have enough samples to draw any meaningful conclusions. Over the last few months, we’ve continued to gather samples, and in addition, samples were provided by our friends at ESET, F-Secure, Kaspersky Labs, Microsoft, McAfee, and Trend. We have a total of 3,280 unique samples representing approximately 12,000 infections. While this is only a fraction of all known infections, we were able to learn some interesting aspects of how Stuxnet spread and where it was targeted.

• Stuxnet was a targeted attack on five different organizations.
• 12,000 infections can be traced back to these five organizations.
• Three organizations were targeted once, one was targeted twice, and another was targeted three times.
• Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010.
• All targeted organizations have a presence in Iran.
• Three variants exist (Jun 2009, Apr 2010, Mar 2010) and a fourth variant likely exists but has never been recovered.

Here is a graph of the clusters of infections. More information on interpreting this graph and other interesting statistical information of the spread and infections of Stuxnet can be found in the paper.
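As an added illustration (not code from the Symantec paper, and not Stuxnet's real on-disk record layout): a small Python model of how the infection history each sample carries can be clustered by its first entry to recover the initial targets, and how overlapping histories reveal more infections than there are recovered samples. The record layout, hostnames, organisation naming and dates are constructed assumptions.

```python
"""Cluster infection histories carried inside samples back to their initial targets."""
from collections import defaultdict

# Constructed sample data (assumption, not the real format): each recovered
# sample carries the history recorded at every hop, oldest entry first, as
# (timestamp, hostname) pairs.
SAMPLES = [
    [("2009-06-22 16:31", "ORG-A-PC01")],
    [("2009-06-22 16:31", "ORG-A-PC01"), ("2009-06-23 09:02", "ORG-A-PC07"),
     ("2009-07-01 11:45", "LAPTOP-X")],
    [("2009-07-07 08:10", "ORG-B-ENG02")],
    [("2009-07-07 08:10", "ORG-B-ENG02"), ("2009-07-09 13:20", "ORG-B-ENG05")],
    [("2010-03-23 10:00", "ORG-A-PC13")],  # org A targeted a second time
]


def org_of(hostname):
    """Map a hostname to its organisation: the prefix before the last dash (assumption)."""
    return hostname.rsplit("-", 1)[0]


def cluster_by_root(samples):
    """Group samples by the first entry of their history, i.e. the initial infection.

    Returns {(timestamp, organisation): number_of_samples_in_that_cluster}.
    """
    clusters = defaultdict(int)
    for history in samples:
        ts, host = history[0]
        clusters[(ts, org_of(host))] += 1
    return dict(clusters)


def targeting_events(samples):
    """Per organisation, the sorted distinct dates on which a fresh chain began."""
    events = defaultdict(set)
    for ts, org in cluster_by_root(samples):
        events[org].add(ts[:10])
    return {org: sorted(dates) for org, dates in events.items()}


def count_infections(samples):
    """Distinct hops seen across all histories: infections known even without a sample."""
    return len({entry for history in samples for entry in history})
```

With the constructed data, five samples yield six known infections and two organisations, one of them targeted on two separate dates.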

Secondly, we published that Stuxnet had two sabotage strategies (often referred to as the 315 code and the 417 code), but that the 417 code was disabled. Because the code is disabled, we did not publicly document its intended behavior. However, due to recent renewed interest, we’ve documented the intended behavior of the 417 code in this latest paper update. Since the code is not complete and has been disabled, we cannot definitively state its exact behavior or intended purpose. However, the code is clearly a second, independent attack strategy.

• The code expects six groups of 164 peripherals.
• The cumulative activity across all groups must reach 297 days, or a single group must exceed 35 days, before the sabotage routine begins.
• A semi-random 110 out of 164 peripherals will be sabotaged.
• The sabotage routine lasts for approximately seven minutes.

However, it’s worth restating that this code has been disabled.

You can download the latest version of the paper here.