What Is the Stuxnet Worm?


Stuxnet is a computer worm that targets the industrial control systems (ICS) commonly used in critical infrastructure, such as power plants, water treatment facilities, and gas pipelines.

The worm is often said to have been first discovered in 2009 or 2010. It was publicly identified in June 2010, but later analysis traced early versions of it attacking Iran's nuclear program to as early as 2007. At the time of its discovery, Iran, Indonesia, and India together accounted for over 85% of all known infections.

Since then, the worm has been found on thousands of computers in many countries. At its intended target it caused physical damage, destroying a large portion of the centrifuges in Iran's uranium-enrichment program.

What Does Stuxnet Do?

Stuxnet is designed to reprogram the Programmable Logic Controllers (PLCs) used in those facilities. In an ICS environment, PLCs automate industrial tasks such as regulating flow rates, pressures, temperatures, and motor speeds.

It limits its own spread: each infected removable drive will infect at most three computers. Each of those computers, however, infects any removable drive plugged into it, and that drive can infect three more, which is how the worm propagates without flooding the machines it touches.

Another characteristic is that it spreads across a local network even when that network is not connected to the internet. For example, it might arrive on one computer via USB and then move to other machines behind the same router that are not set up to reach outside networks (among other routes, over Windows network shares), so that intranet devices end up infecting each other.

Initially, Stuxnet's kernel-mode device drivers were digitally signed with code-signing certificates stolen from two legitimate hardware vendors, Realtek and JMicron, which allowed the drivers to install without any suspicious prompt to the user. VeriSign has since revoked both certificates.
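The stolen-certificate trick above is the reason a driver audit should check revocation, not just whether a signature verifies. The following PowerShell script is an added example (not code from the original article): it walks the Windows driver directory, reads each file's Authenticode signature, and rebuilds the signer's certificate chain with online revocation checking so that a revoked or expired signing certificate is reported. It assumes an elevated session on Windows with network access for the CRL/OCSP lookups.

```powershell
# Added example (not code from the original article): audit the Authenticode
# signatures of files in the Windows driver directory and check whether each
# signer's certificate has been revoked or has expired.
# Assumptions: elevated PowerShell on Windows, with network access so that the
# CRL/OCSP lookups in the chain build can actually run.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File       = Split-Path -Path $Path -Leaf
        Status     = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $null
        Revoked    = $false
        Expired    = $false
        Unverified = $false                   # revocation status could not be obtained
    }
    if ($null -ne $sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Get-AuthenticodeSignature reports Valid for a well-formed signature; it does
        # not by itself tell you the certificate has since been revoked, so rebuild the
        # chain with online revocation checking enabled and inspect the status flags.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($sig.SignerCertificate)
        foreach ($entry in $chain.ChainStatus) {
            if ($entry.Status.HasFlag($flags::Revoked))                 { $result.Revoked    = $true }
            if ($entry.Status.HasFlag($flags::NotTimeValid))            { $result.Expired    = $true }
            if ($entry.Status.HasFlag($flags::RevocationStatusUnknown)) { $result.Unverified = $true }
        }
        $chain.Reset()
    }
    [pscustomobject]$result
}

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object { Test-DriverSignature -Path $_.FullName }

# Anything unsigned, tampered with, or signed under a revoked certificate deserves
# a look. A Realtek or JMicron subject on its own is not evidence: both vendors
# ship legitimate drivers, and only the stolen certificates were abused.
$report | Where-Object { $_.Revoked -or $_.Status -ne 'Valid' } |
    Sort-Object -Property Revoked -Descending |
    Format-Table -Property File, Status, Revoked, Expired, Unverified, Signer -AutoSize
```

One caveat worth knowing: certificate authorities drop expired certificates from their CRLs, so a stolen certificate that has long since expired may come back as Expired rather than Revoked, which is why the script reports both flags instead of relying on Revoked alone.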

If the worm lands on a computer that doesn't have the relevant Siemens software installed, its sabotage payload stays dormant, although the worm keeps spreading. This is a major difference between Stuxnet and most other malware: it was built for an extremely specific purpose and does nothing destructive on other machines.

How Does Stuxnet Reach PLCs?

For security reasons, many of the hardware devices used in industrial control systems are not internet-connected (and often not connected to any local network at all). To get around this, the Stuxnet worm incorporates several sophisticated means of propagation, with the goal of eventually reaching and infecting the STEP 7 project files used to program the PLCs.

For initial propagation, the worm targets computers running Windows and usually arrives on a flash drive; it exploited a flaw in how Windows handled shortcut (.LNK) files (CVE-2010-2568), so simply viewing the drive's contents in Explorer was enough to infect the machine. The PLC itself, however, is not a Windows system: it runs its own firmware and executes code compiled by the Siemens programming software. Stuxnet therefore traverses Windows computers only to reach the engineering workstations that program the PLCs, and it is there that it delivers its payload.

To reprogram the PLC, the Stuxnet worm seeks out and infects STEP 7 project files, which belong to Siemens SIMATIC STEP 7, the software used to program the PLCs. STEP 7 is typically installed alongside Siemens SIMATIC WinCC, a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system, which Stuxnet also targets. On the engineering workstation it replaces the STEP 7 communications library (s7otbxdx.dll) with its own wrapper, so that every exchange between the engineering software and the PLC passes through the worm's code.

Stuxnet contains various routines to identify the specific PLC model; its sabotage code targets the Siemens S7-315 and S7-417 CPUs. This model check is necessary because machine-level instructions vary between PLC devices. Once the target device has been identified and infected, Stuxnet can intercept all data flowing into or out of the PLC, including tampering with that data, and its hooked library hides the injected code blocks from the engineer, so the PLC program looks unchanged when viewed from STEP 7.
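Because the interception described above works by swapping out one library on the engineering workstation, that library is the thing to check. The PowerShell function below is an added example (not code from the original article or from Siemens): it looks in the STEP 7 binary directory for the renamed genuine library, compares the loaded s7otbxdx.dll against a trusted hash, and records the file's signature state. The install path and the known-good hash are assumptions supplied by the person running it; the default path is a typical one, not one the article gives.

```powershell
# Added example (not code from the original article or from Siemens): check a
# SIMATIC STEP 7 installation for the library swap Stuxnet performs. The worm
# replaces the STEP 7 communications library s7otbxdx.dll with its own wrapper
# and keeps the genuine file beside it as s7otbxsx.dll; the wrapper forwards
# most calls but hooks the block read/write routines so it can inject code into
# the PLC and hide those blocks from the engineer.
# Assumptions: $Step7Bin is the STEP 7 binary directory on this host (the default
# below is a typical install path, not one the article gives), and
# $KnownGoodSha256 is the SHA-256 of s7otbxdx.dll taken from trusted install media.

function Test-Step7CommsLibrary {
    param(
        [string]$Step7Bin = 'C:\Program Files (x86)\Siemens\Step7\S7BIN',
        [string]$KnownGoodSha256 = ''   # empty skips the hash comparison
    )

    $dll      = Join-Path $Step7Bin 's7otbxdx.dll'
    $renamed  = Join-Path $Step7Bin 's7otbxsx.dll'
    $findings = @()

    if (-not (Test-Path -Path $dll)) {
        return [pscustomobject]@{
            Path = $dll; Present = $false; Suspicious = $false
            Findings = @('s7otbxdx.dll not found; is STEP 7 installed here?')
        }
    }

    # 1. The renamed original is the clearest sign the wrapper is in place: a clean
    #    installation has no s7otbxsx.dll at all.
    if (Test-Path -Path $renamed) {
        $findings += 's7otbxsx.dll present: genuine library has been renamed aside'
    }

    # 2. Compare the file being loaded against a trusted copy, if a hash was supplied.
    $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    if ($KnownGoodSha256 -and ($hash -ne $KnownGoodSha256.ToUpper())) {
        $findings += "SHA-256 $hash differs from the known-good copy"
    }

    # 3. Record the signature state. Older STEP 7 releases may not have shipped a
    #    signed library, so treat an unsigned file as context rather than proof;
    #    a valid signature from a non-Siemens subject on this file is a finding.
    $sig    = Get-AuthenticodeSignature -FilePath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -eq 'Valid' -and $signer -notmatch 'Siemens') {
        $findings += "s7otbxdx.dll is signed by '$signer' rather than Siemens"
    }

    [pscustomobject]@{
        Path            = $dll
        Present         = $true
        Sha256          = $hash
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        Findings        = $findings
        Suspicious      = ($findings.Count -gt 0)
    }
}

Test-Step7CommsLibrary | Format-List
```

The hash comparison is the decisive check; the renamed-file test is cheap and specific to this particular wrapper technique, and the signature state is recorded so the result can be interpreted without re-running anything.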

Names Stuxnet Goes By

Following are some ways your antivirus program might identify the Stuxnet worm:

  • F-Secure: Trojan-Dropper:W32/Stuxnet
  • Kaspersky: Rootkit.Win32.Stuxnet.b or Rootkit.Win32.Stuxnet.a
  • McAfee: Stuxnet
  • Norman: W32/Stuxnet.A
  • Sophos: Troj/Stuxnet-A or W32/Stuxnet-B
  • Symantec: W32.Temphid
  • Trend Micro: WORM_STUXNET.A

Stuxnet also has "relatives": later malware families such as Duqu and Flame share code or components with it.

How to Remove Stuxnet

Since the Siemens software is what Stuxnet compromises, it's important to contact Siemens if an infection is suspected; Siemens has published guidance for affected SIMATIC installations.

Also run a full system scan with an antivirus program such as Avast or AVG, or an on-demand scanner such as Malwarebytes; all major vendors detect Stuxnet under the names listed above.

It's also necessary to keep Windows updated through Windows Update. The Windows vulnerabilities Stuxnet exploited to spread have long since been patched, so a fully patched machine closes off those routes, though a worm that also spreads through network shares and project files still calls for the antivirus scan above.
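Before the full antivirus scan, a practitioner usually wants a quick answer to "is this host one of the infected ones?" The PowerShell function below is an added example (not from the original article): it checks for the two kernel drivers Stuxnet registers as services, MRxCls and MRxNet, and for the fake precompiled INF (.PNF) files under %SystemRoot%\inf in which the worm stores its payload and configuration. With -Disarm it stops and disables the driver services while leaving the files in place for the scan and for forensic collection. It assumes an elevated session.

```powershell
# Added example (not from the original article): triage a Windows host for the
# components Stuxnet installs and, with -Disarm, stop and disable them ahead of
# the full antivirus scan. The worm registers two kernel drivers as services,
# MRxCls (its loader) and MRxNet (the rootkit that hides its files), and stores
# its payload and configuration as fake precompiled INF (.PNF) files under
# %SystemRoot%\inf.
# Assumption: run in an elevated session; -Disarm leaves the files in place so
# that the antivirus scan and any forensic collection still see them.

function Find-StuxnetArtifacts {
    param([switch]$Disarm)

    $driverNames = 'MRxCls', 'MRxNet'
    $paths = @(
        'System32\drivers\mrxcls.sys', 'System32\drivers\mrxnet.sys',
        'inf\oem7A.PNF', 'inf\oem6C.PNF', 'inf\mdmcpq3.PNF', 'inf\mdmeric3.PNF'
    ) | ForEach-Object { Join-Path $env:SystemRoot $_ }

    $hits = @()

    # Kernel driver services do not appear in Get-Service; query them through CIM.
    foreach ($name in $driverNames) {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if ($drv) {
            $hits += [pscustomobject]@{
                Type   = 'Driver'
                Name   = $name
                Detail = "$($drv.State), start=$($drv.StartMode), $($drv.PathName)"
            }
            if ($Disarm) {
                # sc.exe handles driver services; disabling takes full effect after a reboot.
                & sc.exe stop $name | Out-Null
                & sc.exe config $name start= disabled | Out-Null
            }
        }
    }

    # -Force so that hidden or system attributes do not mask the files.
    foreach ($p in $paths) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hits += [pscustomobject]@{
                Type   = 'File'
                Name   = $item.Name
                Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)"
            }
        }
    }

    $hits
}

$found = Find-StuxnetArtifacts
if ($found) { $found | Format-Table -AutoSize }
else        { 'No known Stuxnet driver or file artifacts found.' }
```

A clean result here does not rule out an infection (the worm has other files and registry entries), but any hit on this list is a strong signal, and the names are the same ones the antivirus engines in the previous section report on.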