Stuxnet Redux: Questions and Answers – F-Secure Weblog : News from the Lab

December 14, 2010

There is a lot of research going into the Stuxnet worm that infiltrated sensitive uranium enrichment plants in Iran. This worm was developed for a very specific purpose, not to steal money or information but to CREATE HAVOC IN THE URANIUM ENRICHMENT PROCESS.

Virus researchers figure that the worm has been in the wild for about a year and a half, uses 4 zero-day exploits (at a cost of $50,000 to $500,000 per exploit) and cost a total of about 10 man-years worth of work to develop. This was NOT the result of script kiddies working in Mom’s basement.

Here are some of the questions asked and answered:

Q: Would the Stuxnet code cause centrifuges to disintegrate into projectiles traveling at around Mach 2?
A: It’s more likely the modifications would cause the centrifuges to produce bad-quality uranium. The changes could go undetected for extended periods of time.

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn’t drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: How do you steal a certificate?
A: Maybe with malware looking for certificate files and using a keylogger to collect the passphrase when it’s typed in. Or breaking in and stealing the signing gear, then brute-forcing the passphrase.

Q: Has the stolen certificate been revoked?
A: Yes. VeriSign revoked it on July 16th. A modified variant signed with a certificate stolen from JMicron Technology Corp was found on July 17th.
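As an added example (not part of the F-Secure post or this blog), here is the kind of check a Windows administrator can run against the scenario above: it lists kernel driver files whose Authenticode signature is not valid, whose signer certificate fails an online revocation check, or whose signer subject matches a watch-list. The watch-list entries, the driver directory and the function name are assumptions made for this example.

```powershell
# Added example, not code from the post. Flags drivers in System32\drivers
# that are unsigned, fail signature validation, fail an online revocation
# check, or are signed by a watch-listed subject (names from the post).
$watchList = @('Realtek Semiconductor Corp', 'JMicron Technology Corp')   # assumed watch-list
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'                 # assumed location

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File         = $Path
        Status       = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer       = $null
        RevocationOk = $null
        ChainStatus  = ''
        OnWatchList  = $false
    }

    if ($null -ne $sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Re-build the signer chain as of "now" with online revocation checking.
        # Get-AuthenticodeSignature honours the signature timestamp, so a signature
        # made before the revocation date can still report Valid; this chain build
        # asks the CRL/OCSP responders whether the certificate is revoked today.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.RevocationOk = $chain.Build($sig.SignerCertificate)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $result.OnWatchList = @($watchList | Where-Object { $result.Signer -like "*$_*" }).Count -gt 0
    }

    [pscustomobject]$result
}

# Report only the drivers that need a second look.
Get-ChildItem -Path $driverDir -Filter '*.sys' |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.RevocationOk -eq $false -or $_.OnWatchList } |
    Format-Table File, Status, Signer, RevocationOk, ChainStatus, OnWatchList -AutoSize
```

A hit on the watch-list is not proof of compromise by itself, since both vendors ship legitimately signed drivers; the ChainStatus column (for example Revoked or NotTimeValid) is what separates a stolen, revoked certificate from a valid one.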

Q: What’s the relation between Realtek and JMicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan… which is weird.

Fascinating read. Read more at:

Stuxnet Redux: Questions and Answers – F-Secure Weblog : News from the Lab.