Code clues point to Stuxnet maker

By Mark Ward, Technology correspondent, BBC News

Published 19 November 2010

[Image caption: Stuxnet seems to have been designed to target uranium enrichment systems]

Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.

The sophisticated malware is among the first to target the industrial equipment used in power plants and other large scale installations.

New research suggests it was designed to disrupt centrifuges often used to enrich uranium.

Detailed analysis of the worm has revealed more about the team behind it and what it was supposed to do.

Code secrets

The close look at the code inside Stuxnet was carried out by Tom Parker from security firm Securicon who specialises in picking out the digital fingerprints hackers leave behind in malware.

His analysis of Stuxnet shows it is made of several distinct blocks. One part targets industrial control systems, another handles the worm's methods of spreading itself and another concerns the way its creators planned to communicate with and control it.

The most sophisticated part of Stuxnet targeted the Programmable Logic Controllers used in industrial plants to automate the operation of components such as motors or pumps.

Subverting PLCs required detailed knowledge of one manufacturer's product line, the programming language written for it and insight into how it could be subverted. That meant, said Mr Parker, the list of suspects was pretty short.

"I do believe the PLC components were written in the West," he said. "It's western companies that are investing most heavily in automation of industrial processes, whether it's putting coke in cans or nuclear enrichment."

"However, the bits that drop it into a system and the command and control parts are not that advanced at all," said Mr Parker.

[Image caption: Iran has the highest number of machines infected with Stuxnet]

"I've compared this less advanced code to other malware and it does not score very highly," he said.

Dedicated hi-tech criminals would not have used such crude methods of distribution and control, he said, suggesting that it was put together by a nation rather than organised crime.

What this implies, he said, is that whichever country put Stuxnet together commissioned the creation of the PLC part from a Western nation, then added its own distribution and control code to it.

The analysis suggests that a team of 6-10 people were behind Stuxnet and were involved with it for some time. Whoever wrote it would also need information about and access to industrial plants in Iran if that was the actual target, said Mr Parker.

Motor control

More information has also emerged about how Stuxnet disrupts the industrial control systems it managed to compromise.

Research by security firm Symantec has shown that the likely targets were frequency controllers, which many PLCs are hooked up to in order to regulate a motor.

In particular, said Symantec, Stuxnet targeted those operating at frequencies between 807 and 1210Hz.

"There's a limited amount of equipment operating at that speed," said Orla Cox, security operations manager at Symantec. "It knew exactly what it was going after."

"Those operating at 600Hz or above are regulated for export by the US because they can be used to control centrifuges for uranium enrichment," she said.

If Stuxnet did manage to infect a PLC connected to a centrifuge, it would seriously disrupt its working, said Ms Cox.

What is not clear, said Ms Cox, is whether Stuxnet hit its target. If it did not, she said, then the fact that the command and control system has been taken over by security firms has ended any chance of it being used again.

"Our expectation is that the attack is done at this point," she said. "We've not seen any more variants out there and I don't suspect we will."

Mr Parker said that whoever did write it failed in one respect because Stuxnet has not stayed live for as long as its creators hoped.

The control system set-up would have needed to stay in place for years to have a seriously disruptive effect on its intended targets, he said.