Security researchers have uncovered some unexpected behaviors in a piece of malware called Stuxnet. The worm exploits several zero-day vulnerabilities to spread across Windows networks and removable media, but its real target is industrial control software from Siemens and the programmable logic controllers (PLCs) that software programs in factory equipment. A worm with that kind of reach could be used to disrupt factories and other industrial environments.

Researchers have found that the highest concentration of Stuxnet infections is in Iran. That discovery, coupled with the very high level of sophistication exhibited by the malware, has led some researchers to speculate that it was crafted by a major government body with the aim of disabling Iran's nuclear power plant.

Reports indicate that the worm can exploit four separate zero-day vulnerabilities in Windows, giving it far more ways to spread than typical malware. According to Symantec researcher Liam O. Murchu, who has been analyzing the worm, it relied on command and control servers located in Malaysia and Denmark. Those servers have been disabled, but the worm has a peer-to-peer update mechanism that lets the attacker push changes and new control server addresses from one infected host to others, so taking down the servers does not cut the operators off from infected machines. That update feature will make it more difficult to centrally disable the malware.

Symantec believes that Stuxnet has been under development since June 2009 and that it has been updated periodically as the developers rolled out new capabilities and exploits. One of the vulnerabilities it exploits in order to propagate is a flaw in the way Windows Explorer renders the icons of shortcut (LNK) files: a specially crafted shortcut on a removable storage device causes arbitrary code to be loaded as soon as the drive's contents are displayed, without the user opening anything. That flaw lets the worm copy itself to USB thumb drives, for example, and then infect any Windows computer where the thumb drive is subsequently plugged in and browsed.
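As an added illustration (not code from the original article, from Symantec, or from any Stuxnet analysis), the following Python script parses the shell link (LNK) binary header and its target item list and flags shortcuts whose target references a .dll or .cpl, something a user-made shortcut on a thumb drive rarely does. The header layout and the LinkFlags bit come from the published Shell Link binary format specification; the "suspicious extension" heuristic, the sample shortcuts, and the path strings embedded in them are my own constructed assumptions, not Stuxnet indicators.

```python
import os
import re
import struct
from typing import Dict, List, Tuple

# Layout constants from the Shell Link binary format specification (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_LINK_TARGET_ID_LIST = 0x00000001

# Heuristic (my assumption, not a Stuxnet signature): a shortcut sitting on
# removable media should not normally reference a loadable module.
SUSPICIOUS_EXTENSIONS = (".dll", ".cpl")


def parse_id_list(data: bytes, offset: int) -> List[bytes]:
    """Return the payload of each ItemID in the LinkTargetIDList at `offset`.

    Layout: IDListSize (uint16), then ItemIDs (uint16 size that includes the
    size field itself, followed by data), closed by a 0x0000 TerminalID.
    """
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos = offset + 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items: List[bytes] = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Pull printable ASCII and UTF-16LE runs out of an opaque ItemID payload."""
    ascii_runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([m.group().decode("ascii") for m in ascii_runs]
            + [m.group().decode("utf-16-le") for m in wide_runs])


def inspect_lnk(data: bytes) -> Dict[str, object]:
    """Validate the shell link header and report target strings that look like a module load."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)  # LinkFlags follows HeaderSize + LinkCLSID
    strings: List[str] = []
    if flags & FLAG_HAS_LINK_TARGET_ID_LIST:
        for item in parse_id_list(data, LNK_HEADER_SIZE):
            strings.extend(extract_strings(item))
    suspicious = [s for s in strings
                  if any(ext in s.lower() for ext in SUSPICIOUS_EXTENSIONS)]
    return {"has_id_list": bool(flags & FLAG_HAS_LINK_TARGET_ID_LIST),
            "strings": strings, "suspicious": suspicious}


def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted drive or folder; return (path, suspicious strings) for flagged .lnk files."""
    flagged: List[Tuple[str, List[str]]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report = inspect_lnk(fh.read())
            except (OSError, ValueError):
                continue  # unreadable, or not really a shell link despite the extension
            if report["suspicious"]:
                flagged.append((path, report["suspicious"]))
    return flagged


def build_sample_lnk(item_payloads: List[bytes]) -> bytes:
    """Constructed sample: a minimal shell link carrying only a LinkTargetIDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID,
                         FLAG_HAS_LINK_TARGET_ID_LIST).ljust(LNK_HEADER_SIZE, b"\x00")
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: the shell's "My Computer" root ItemID followed by an opaque path item.
ROOT_ITEM = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
BENIGN_LNK = build_sample_lnk([ROOT_ITEM, "C:\\Tools\\editor.exe".encode("utf-16-le")])
SUSPECT_LNK = build_sample_lnk([ROOT_ITEM, "E:\\~loader.dll".encode("utf-16-le")])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]):
            print(f"{path}: {hits}")
    else:
        print("benign :", inspect_lnk(BENIGN_LNK)["suspicious"])
        print("suspect:", inspect_lnk(SUSPECT_LNK)["suspicious"])
```

Run it with a mount point as the argument to sweep a drive; with no argument it checks the two constructed samples. One caveat that follows directly from the vulnerability described above: because the flaw fires when Explorer renders the shortcut's icon, a scan like this only helps if it runs before the drive is browsed in Explorer, for example from a non-Windows host or a command-line session, and the parser deliberately rejects anything without the shell link magic rather than guessing at its contents.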

In an analysis of the worm, independent security researcher Ralph Langner contends that the design of the malware leaves no doubt that its function is sabotage, and that it is a highly targeted attack developed with insider knowledge by a skilled group of attackers. Because of the way it targets programmable logic controllers in industrial equipment, he says, it is unlikely that the equipment itself can be modified to deflect such an attack.