Friday, September 24

Stuxnet

Stuxnet discovered
Stuxnet is a computer worm first discovered in June 2010 by a security firm based in Belarus. It is notable because it is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack SCADA systems, which are used to control and monitor industrial processes. Stuxnet includes the capability to reprogram programmable logic controllers (PLCs) and hide the changes. It was first reported by the security company VirusBlokAda in mid-June 2010, and its roots have been traced back to June 2009. It attacks Windows systems using four zero-day exploits (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems running Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to commandeer the software. Siemens, however, advises against changing the default passwords because it "could impact plant operations".
The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of zero-day Windows exploits used is also unusual: undiscovered zero-day Windows exploits are valuable, and attackers do not normally expend four different ones on the same worm. Stuxnet is unusually large at half a megabyte in size, and is written in several programming languages (including C and C++), which is also irregular for malware. It is digitally signed with two authentic certificates that were stolen from two certification authorities. It also has the capability to upgrade via peer-to-peer communication, allowing it to be updated after the initial command and control server was disabled. These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
A Siemens spokesperson said that the worm was found on 15 systems, with five of the infected systems being process manufacturing plants in Germany. Siemens claims that no active infections have been found and that there were no reports of damage caused by the worm. Symantec claims that the majority of infected systems were in Iran, which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran, including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Ralph Langner, a German cyber-security researcher, called the malware "a one-shot weapon" and said that the intended target was probably hit, although he admitted this was speculation. Bruce Schneier described this theory as interesting, but pointed out that there was little evidence to support it.

(source:wikipedia)
