Posted by: Harold Ennulat | October 18, 2010

Stuxnet Virus Attacks PLCs

Stuxnet is the first publicly known worm to target industrial control systems

As of September 2010, there have already been thousands of attacks on PCs and Siemens S7 PLCs around the world by the “Stuxnet” virus (or worm). This is apparently in spite of Microsoft’s patch for PCs that should have eliminated its spread. It may be that PCs on industrial networks are not getting Microsoft updates automatically.
While this virus is considered fairly benign, if disconcerting, the concern is with the sophistication of the virus and its specific targeting of industrial control systems. There are special concerns that this may well be a forerunner of more viruses of this type.
Originally it was reported to have attacked only WinCC HMIs. Now the same virus has been found to attack S7 PLCs in a very sophisticated and targeted way. For background on this virus see this author’s earlier blog article at
An article by Symantec on what they know about the virus has been reprinted below with highlighting added for emphasis:
Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like programming language, which is used to control industrial control systems, it included the first ever PLC (programmable logic controller) rootkit hiding the STL code. It also included a zero-day vulnerability to spread via USB drives, a Windows rootkit to hide its Windows binary components, and it signed its files with certificates stolen from other unrelated third-party companies. All of these characteristics are noteworthy in their own right, however when they all converge within one threat it is clear that there is a special force at work. Any threat that is capable of taking control of a real-life physical system is worthy of a closer look, and here we present our analysis of such a threat.

We will report on the conclusions from our extensive analysis of the Stuxnet threat including outlining the functionality of the vast array of components used by the threat and illuminating how each component is used. The analysis exposes the true intention of the creators to take over industrial control systems (ICS) and details exactly how this is performed. The threat’s ability to control physical machinery is what sets it apart from any other threat we have seen to date and is the aspect of the threat that we find most concerning.

In addition to analysis of the code we also examine the data we received from compromised systems via the command and control servers. Using this data allows us to draw conclusions about who was the target of this threat and who may have been responsible for creating the threat.

Figure: How Stuxnet infects PLCs

During the presentation we will also show the code used and give demonstrations on the more malevolent and intriguing parts of the threat, namely the PLC/STL rootkit and the ability to control real-life physical systems. With this threat, the attackers are capable of injecting code into industrial control systems and hiding that code from the designers and operators of the ICS giving the attackers full control over the day-to-day functionality of the physical system under attack.

Many aspects of the threat have not been reported widely in public, but we believe they have significant repercussions within the security industry and they will no doubt become more commonplace in the future threat landscape.


Here is the link to the article by Symantec on what they know about the virus.
There is a PDF slide show located at the Symantec link that provides additional detail as to how this virus attacks the S7 PLC by intercepting all internal PLC operating system communications and even changing certain PLC code.

Updated: January 3rd, 9:56 pm CST | Published October 18th, 2010 10:01 pm CST
