Last-minute paper: An indepth look into Stuxnet
Liam O'Murchu Symantec
download slides (PDF)
Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA
systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like programming language, which
is used to control industrial control systems, it included the first ever PLC (programmable logic controller) rootkit
hiding the STL code. It also included a zero-day vulnerability to spread via USB drives, a Windows rootkit to hide its
Windows binary components, and it signed its files with certificates stolen from other unrelated third-party companies.
All of these characteristics are noteworthy in their own right, however when they all converge within one threat it is
clear that there is a special force at work. Any threat that is capable of taking control of a real-life physical system
is worthy of a closer look, and here we present our analysis of such a threat.
We will report on the conclusions from our extensive analysis of the Stuxnet threat including outlining the functionality
of the vast array of components used by the threat and illuminating how each component is used. The analysis exposes the
true intention of the creators to takeover industrial control systems (ICS) and details exactly how this is performed. The
threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date and is the
aspect of the threat that we find most concerning.
In addition to analysis of the code we also examine the data we received from compromised systems via the command and
control servers. Using this data allows us to draw conclusions about who was the target of this threat and who may have
been responsible for creating the threat.
During the presentation we will also show the code used and give demonstrations on the more malevolent and intriguing
parts of the threat, namely the PLC/STL rootkit and the ability to control real-life physical systems. With this threat,
the attackers are capable of injecting code into industrial control systems and hiding that code from the designers and
operators of the ICS giving the attackers full control over the day-to-day functionality of the physical system under
Many aspects of the threat have not been reported widely in public, but we believe they have significant repercussions
within the security industry and they will no doubt become more commonplace in the future threat landscape.