The document discusses the Stuxnet computer worm that targeted Iran's nuclear facilities. It describes how Stuxnet infected industrial sites in Iran starting in 2009, including a uranium enrichment plant. It spread through computer networks and used several zero-day exploits to infect systems and remain undetected. Stuxnet is believed to have been created by the United States and Israel to sabotage Iran's nuclear program.

2. Your computer is not
handled by you.
You have loss your
data.
You do not know what
your computer do.

3. Presentation By :
Atif Hasnain Zaidi

4.  Basically Stuxnet is a Computer
worm.
 It is discovered in June 2010.
 It is believed that STUXNET created
by the United States and Israel to
attack Iran's nuclear facilities.
 Roel Schouwenberg spends his days
(and many nights) to creating the
STUXNET.

5.  A 500-kilobyte computer worm that
infected the software of at least 14
industrial sites in Iran, including a
uranium-enrichment plant.
 A computer virus relies on an
unwitting victim to install it,
a worm spreads on its own, often
over a computer network.
 This worm was an unprecedentedly
masterful and malicious piece of
code that attacked in three phases.

6.  2009 June: Earliest Stuxnet seen
◦ Does not use MS10-046
◦ Does not have signed drivers
 2010 Jan: Stuxnet driver signed
◦ With a valid certificate belonging to Realtek
Semiconductors
 2010 June: Virusblokada reports W32.Stuxnet
◦ Stuxnet use MS10-46
◦ Verisign revokes Realtek certificate
 2010 July: Eset identify new Stuxnet driver
◦ With a valid certificate belonging to JMicron
Technology Corp
 2010 July: Siemens report they are investigating
malware SCADA systems
◦ Verisign revokes JMicron certificate

7.  2010 Aug: Microsoft issues MS10-046
◦ Patches windows shell shortcut vulnerability
 2010 Sept: Microsoft issues MS10-061
◦ Patches Printer Spooler Vulnerability
 2010 Sept: Iran nuclear plant hit by delay
◦ Warm weather blamed
◦ Measured temperatures were at historical averages
 2010 Oct: Iran arrest “spies”
◦ Spies who attempted to sabotage the country's
nuclear programme
◦ Russian nuclear nuclear experts flee Iran

8.  Organization
◦ Stuxnet consists of a large .dll file
◦ 32 Exports (Function goals)
◦ 15 Resources (Function methods)
 Stuxnet calls LoadLibrary
◦ With a specially crafted file name that does not
exist
◦ Which causes LoadLibrary to fail.
 However, W32.Stuxnet has hooked Ntdll.dll
◦ To monitor for requests to load specially crafted
file names.
◦ These specially crafted filenames are mapped to
another location instead
◦ A location specified by W32.Stuxnet.
◦ Where a .dll file has been decrypted and stored
by the Stuxnet previously.

9.  Stuxnet collects and store the following information:
◦ Major OS Version and Minor OS Version
◦ Flags used by Stuxnet
◦ Flag specifying if the computer is part of a
workgroup or domain
◦ Time of infection
◦ IP address of the compromised computer
◦ file name of infected project file
 Win 2K
 WinXP
 Windows 200
 Vista
 Windows Server 2008
 Windows 7
 Windows Server 2008 R2

11.  Iran
◦ Iran blames Stuxnet worm on Western plot (Ministry
of Foreign Affairs)
◦ "Western states are trying to stop Iran's (nuclear)
activities by embarking on psychological warfare
and aggrandizing, but Iran would by no means give
up its rights by such measures,“
◦ "Nothing would cause a delay in Iran's nuclear
activities“
◦ "enemy spy services" were responsible for Stuxnet
(Minister of intelligence)

12.  Israel (DEBKA file)
◦ An alarmed Iran asks for outside help to stop
rampaging Stuxnet malworm
◦ Not only have their own attempts to defeat the
invading worm failed, but they made matters
worse:
 The malworm became more aggressive and returned to
the attack on parts of the systems damaged in the
initial attack.
◦ One expert said: "The Iranians have been forced
to realize that they would be better off not
'irritating' the invader because it hits back with a
bigger punch.“
◦ These statements were copied verbatim by mayor

13.  India 8.31%
 Azerbaijan 2.57%
 United States 1.56%
 Pakistan 1.28%
 Others 9.2%
 Iran 60%
 Indonesia 18.22%

14.  Stuxnet represents the first of many milestones in
malicious code history
◦ It is the first to exploit multiple 0-day
vulnerabilities,
◦ Compromise two digital certificates,
◦ And inject code into industrial control systems
◦ and hide the code from the operator.
 Stuxnet is of such great complexity
◦ Requiring significant resources to develop
◦ That few attackers will be capable of producing a
similar threat
 Stuxnet has highlighted direct-attack attempts on
critical infrastructure are possible and not just
theory or movie plotlines.