It injects hidden rogue code in critical systems

Aug 7, 2010 09:59 GMT  ·  By

It seems that the recently discovered Stuxnet rootkit, which shocked the security industry through its sophistication, hides even more secrets. According to Symantec, an in-depth analysis revealed that in addition to stealing trade secrets, the malware can also inject rogue code into SCADA systems, which are used to control critical infrastructure worldwide.

Stuxnet is the name given by the antivirus industry to a highly sophisticated rootkit found last month in the wild. The threat is unusual in several ways. For one, at the time of its discovery it exploited a previously unknown critical vulnerability affecting all Windows systems in order to spread. Secondly, its rootkit components were signed using digital certificates stolen from legitimate hardware manufacturers.

And finally, the characteristic that earned it the reputation of industrial espionage malware is its ability to access and steal data from databases used by Supervisory Control and Data Acquisition (SCADA) systems. These systems control and monitor industrial processes used in manufacturing, oil and gas extraction and refining, electrical power generation and transmission, water treatment and distribution, waste collection and even civil defense and communications.

"Previously, we reported that Stuxnet can steal SCADA code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own SCADA code to the PLC [Programmable Logic Controllers]," security researchers from Symantec warn. "These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory," they explain.

So, not only does Stuxnet allow hackers to steal trade secrets, it can also be used to sabotage critical equipment, possibly in order to cause damage. Symantec gives one example, unrelated to this malware, where rogue SCADA code was used to cause a three kiloton explosion by increasing the pressure in a pipeline beyond acceptable levels.

What's even worse is that Stuxnet can also hide the rogue code it injects in PLCs, making the whole attack transparent to the engineers overseeing the SCADA systems. "In addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their SCADA devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world SCADA systems," the Symantec researchers conclude.
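The audit Symantec recommends is easier to reason about with a concrete check. The script below is an added example, not code from the article or from Symantec: it keeps a trusted baseline inventory of PLC code blocks (name plus SHA-256 of the block contents), compares it against what the engineering workstation's programming software reports, and separately against an independent read of the controller. Because the article says the malware hides its injected code from the programming software, the important signal is a disagreement between those two views, not just a diff against the baseline. All block names, block contents, and the "workstation view" versus "controller view" data are constructed for the example; how blocks are actually pulled from a given controller is outside its scope.

```python
import hashlib
from typing import Dict, List

# Constructed sample data. In practice BASELINE would be captured at
# commissioning, WORKSTATION_VIEW would come from the programming software
# on the engineering PC, and CONTROLLER_VIEW from a read performed
# independently of that PC (the article does not describe a specific tool).


def block_hash(code: bytes) -> str:
    """Fingerprint a code block so we compare contents, not just names."""
    return hashlib.sha256(code).hexdigest()


def inventory(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Turn {block name: block bytes} into {block name: fingerprint}."""
    return {name: block_hash(code) for name, code in blocks.items()}


# Trusted baseline: the project as it was last approved (constructed).
BASELINE = inventory({
    "MAIN": b"CALL PUMP_CTRL; CALL VALVE_CTRL;",
    "PUMP_CTRL": b"IF level > 80 THEN pump := 0;",
    "VALVE_CTRL": b"valve := setpoint;",
})

# What the (possibly compromised) engineering workstation shows: identical
# to the baseline, because the rogue code is being hidden from it.
WORKSTATION_VIEW = inventory({
    "MAIN": b"CALL PUMP_CTRL; CALL VALVE_CTRL;",
    "PUMP_CTRL": b"IF level > 80 THEN pump := 0;",
    "VALVE_CTRL": b"valve := setpoint;",
})

# What is actually running on the controller: MAIN was altered to call an
# extra block, and that extra block exists only on the device.
CONTROLLER_VIEW = inventory({
    "MAIN": b"CALL PUMP_CTRL; CALL VALVE_CTRL; CALL ROGUE;",
    "PUMP_CTRL": b"IF level > 80 THEN pump := 0;",
    "VALVE_CTRL": b"valve := setpoint;",
    "ROGUE": b"pressure_limit := 999;",
})


def audit(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report blocks added, missing, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline
        if name in current and baseline[name] != current[name]
    )
    return {"added": added, "missing": missing, "modified": modified}


def view_discrepancies(workstation: Dict[str, str], controller: Dict[str, str]) -> List[str]:
    """Blocks where the programming software and the controller disagree.

    A block present on the controller but absent or different in the
    workstation's view is exactly the hiding behaviour the article describes.
    """
    names = set(workstation) | set(controller)
    return sorted(
        name for name in names
        if workstation.get(name) != controller.get(name)
    )


if __name__ == "__main__":
    print("workstation vs baseline:", audit(BASELINE, WORKSTATION_VIEW))
    print("controller  vs baseline:", audit(BASELINE, CONTROLLER_VIEW))
    print("hidden from workstation:", view_discrepancies(WORKSTATION_VIEW, CONTROLLER_VIEW))
```

Run against the constructed data, the workstation view audits clean, the controller view shows MAIN modified and ROGUE added, and the two views disagree on exactly those blocks. The design point is that the baseline diff alone would have passed if only the workstation had been consulted; the independent read of the device is what exposes the hidden code.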

You can follow the editor on Twitter @lconstantin