
Report: Stuxnet Worm Attacks Iran, Who is Behind It?

Chloe Albanesius, Executive Editor, News


The Stuxnet worm has already infected 30,000 IP addresses in Iran and is still mutating, according to Monday press reports.

"The attack is still ongoing and new versions of this virus are spreading," Hamid Alipour, deputy head of Iran's Information Technology Company, was quoted as saying by IRNA, Iran's official news agency, AFP reported.

Stuxnet was created for Siemens supervisory control and data acquisition (SCADA) systems, which control water supplies, oil rigs, power plants, and other industrial facilities.

It also affected India, Indonesia, and Pakistan, but Iran appears to be affected most. Iranian authorities have denied that the country's Bushehr nuclear plant was targeted, AFP said, though Computerworld reported that while some computers at the facility were infected, none of them ran critical control systems.

Stuxnet appears to be more than just another malware attack or another targeted attack. Many believe that it is a government-sponsored attack against Iran's nuclear facilities.

Stuxnet first came to our attention as the first attack to use the Microsoft Windows shortcut ('LNK/PIF') vulnerability, which was first described by the Belarusian security firm VirusBlokAda.

The worm drops a copy of itself on the system and adds a shortcut pointing to that copy on any removable drive it finds. Opening that drive on another system triggers the LNK vulnerability, which loads the malware automatically on that system.

This was impressive enough when it came to light, but in fact Stuxnet uses three other zero-day vulnerabilities to spread under various circumstances. To make its programs look legitimate, the malicious code was signed with at least two compromised code-signing certificates belonging to legitimate companies, perhaps letting it slip through other defenses.

Together, all this sets a new record of Bob Beamon caliber and definitely merits further scrutiny.

Another aspect of Stuxnet that stood out early on was that the actual purpose behind all the sophisticated penetration is to locate and take control of SCADA systems. If it finds such systems, it attempts to steal code and design projects. But wait, there's more.

Stuxnet also looks for a programming interface to PLCs (programmable logic controllers) so that it can inject its own code into the PLC. It also monitors access to the PLCs so that when someone attempts to view the code on them, the injected code is hidden from view. This makes Stuxnet a new kind of rootkit.

All this and more produces a certain amount of admiration for Stuxnet's authors. They're very good at their work and brought their A game to this one. This is why German security firm Langner called it the "hack of the century." Roel Schouwenberg of Kaspersky also said it was groundbreaking.

Finally, it was also noticed by many that Stuxnet has an unusual geographical distribution. How would a high-quality attack such as this become so prevalent in Iran? Liam O Murchu, manager of operations with Symantec's security response team, told Computerworld that "[t]his threat was specifically targeting Iran."

"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," he continued.

Experts disagree over when the attacks began, as it seems that they may have been ongoing for some time before they were discovered. Consider this report of a "serious nuclear accident" in Iran on Wikileaks from July 2009.

But even the Iranians are admitting that their nuclear agency has a computer worm problem. All manner of industrial facilities could be the target, but the most frequently mentioned are the Bushehr nuclear reactor and the uranium centrifuge facility at Natanz.

Who has a high level of computer security sophistication and an interest in attacking Iranian industrial control systems? Some speculate it's the U.S., but others say Israel. Look for more research about Stuxnet to emerge this week at the Virus Bulletin Conference in Vancouver.

Originally posted on PCMag's Security Watch blog.
