Iran’s nuclear program remains in chaos, despite claims from Iran that it has eradicated the Stuxnet computer worm.
One of the leading experts on the Stuxnet worm says it has likely penetrated just about every computer in Iran’s nuclear program and cannot be purged without throwing out all of Iran’s computers and starting from scratch.
A number of American and European security websites that deal with Stuxnet continue to be swamped with traffic from Tehran and other places in the Islamic Republic, an indication that the worm continues to infect computers there.
The Stuxnet worm, named after keywords found in its code, is generally rated the most sophisticated cyberweapon yet created. Examination of the worm shows it was a “cybermissile” designed to penetrate only a very narrow range of industrial control systems. It was equipped with a warhead that appears to have taken over the controls of the centrifuge systems at Iran’s uranium enrichment center in Natanz.
President Ahmadi-nejad, after months of denials, recently admitted that the worm had penetrated Iran’s nuclear sites, but he insisted it had been detected and removed without doing any harm.
The second part of that claim, the experts say, doesn’t ring true.
Eric Byres, a computer expert who has studied the Stuxnet worm, said his site was still being hit with a surge in traffic from Iran, meaning that efforts to get things functioning normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware.
“The effort has been stunning,” Byres told Fox News. “Two years ago American users on my site outnumbered Iranians by 100 to 1. Today, we are close to a majority of Iranian users.”
He said that while there may be some individual computer owners from Iran looking for information about the virus, it was unlikely that they were responsible for the vast majority of the inquiries because the worm targeted only a handful of computers and did no damage to the thousands of other computers it infiltrated.
Stuxnet was designed to attack only computers connected to a very narrow range of specific industrial components. On a computer without those components the worm still spreads, but its payload does nothing.
At another large American website offering advice on how to eliminate the worm, traffic from Iran has overtaken that of its largest user base, the United States.
“Our traffic from Iran has really spiked,” said a corporate officer who asked that neither he nor his company be named. “Iran now represents 14.9 percent of total traffic, surpassing the United States with a total of 12.1 percent. Given the different population sizes, that is a significant number.”
Ron Southworth, who runs the SCADA (Supervisory Control and Data Acquisition, the type of industrial control system the worm targets) list server, said that until two years ago he had clearly identified users from Iran, “but they all unsubscribed at about the same time.”
Since the announcement of the Stuxnet malware, he said, he has seen a jump in users, but few openly from Iran. He suspects there is a cat-and-mouse game going on that involves hiding the e-mail addresses, but he said it was clear his site was being searched by a number of users who have gone to a great deal of effort to hide their country of origin.
Byres said there are a growing number of impostors signing on to Stuxnet security sites. “I had one guy sign up who I knew and called him. He said it wasn’t his account. In another case a guy saying he was Israeli tried to sign up. He wasn’t.” The implication, he says, is that an effort on this scale is a coordinated one.
Ralph Langner, the German expert who was among the first to study and raise alarms about Stuxnet, said he was not surprised by the development.
“The Iranians don’t have the depth of knowledge to handle the worm or understand its complexity,” he said, raising the possibility that they may never succeed in eliminating it.
“Here is their problem,” he said. “They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that.” Those personal computers lack the control-system software that Stuxnet’s payload seeks out, so the worm does them no harm; but it still resides on them and, like Typhoid Mary, can re-infect the control-system machines long after Iran believes it has purged Stuxnet from them.
Moreover, said Langner, the Iranians “are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,” he explained. As a result, “They will just continually re-infect themselves.”
“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.
And Iran’s anti-worm effort may have had another setback when Majid Shahriari was assassinated by a motorcyclist carrying a bomb last month. Fox News says it was told Shahriari was in charge of dealing with the Stuxnet virus at the nuclear plants.
Most Western news reports talk about Stuxnet attacking the Bushehr nuclear power plant. But many specialists say it was probably targeted only at Iran’s centrifuge program, which is based at Natanz.
Liam O Murchu, manager of operations with Symantec’s security response team, told Computerworld that Stuxnet’s target may never be known with certainty, but the evidence points to Natanz.
“Stuxnet targeted PLCs,” O Murchu said, referring to the “programmable logic controllers” that the worm modified. “It targeted drive converters at the frequencies used for [uranium] enrichment. There really aren’t a lot of options left other than uranium enrichment.”
O Murchu and fellow Symantec security researchers Eric Chien and Nicolas Falliere have spent months analyzing Stuxnet. Last month, the three said clues in the worm’s code indicated that Stuxnet targeted industrial systems that control high-speed electrical motors, like those used to spin gas centrifuges.
According to O Murchu, Chien and Falliere, Stuxnet looked specifically for devices called “frequency converter drives.” Such drives take electrical current from a power grid, then change the output to a much higher frequency, typically 600 Hz or higher.
When the worm found converter drives operating between 807 Hz and 1210 Hz, Stuxnet reset the frequency to 1410 Hz, then after 27 days, dropped the frequency to just 2 Hz and later bumped it up to 1064 Hz. It then repeated the process.
After Symantec released its latest findings, experts said the 807-1210 Hz range was consistent with drive converters used to power gas centrifuges, and that the changes Stuxnet ordered could hamper enrichment efforts or cause the high-speed rotors inside the centrifuges to fly apart.
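As an added illustration (this is not code from the article or from Symantec’s analysis), the following Python models the two pieces of behaviour described in the preceding paragraphs: the test for drives running in the 807–1210 Hz band, and the 1410 Hz → 2 Hz → 1064 Hz setpoint sequence. It also shows one way a plant monitoring team could flag that pattern in a stream of drive setpoint writes. The record layout (timestamp, drive id, setpoint) and the sample writes are constructed for the example and are not taken from any real plant.

```python
"""Model of the Stuxnet frequency-converter logic described above, plus a
monitoring check for it. Added example; the telemetry format and the
sample data below are constructed, not real plant records."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Operating band the worm looked for, and the setpoints it commanded
# (both taken from the text above; repeated in a loop).
TARGET_BAND_HZ = (807.0, 1210.0)
ATTACK_SEQUENCE_HZ = (1410.0, 2.0, 1064.0)


def is_targeted(setpoint_hz: float) -> bool:
    """True if a drive at this output frequency matches the worm's trigger band."""
    lo, hi = TARGET_BAND_HZ
    return lo <= setpoint_hz <= hi


def attack_sequence(current_hz: float, cycles: int = 1) -> List[float]:
    """Setpoints a drive would be driven to if the payload fired.

    Drives outside the trigger band are left alone, which is why the worm
    could sit on thousands of machines without doing visible damage."""
    if not is_targeted(current_hz):
        return []
    return list(ATTACK_SEQUENCE_HZ) * cycles


@dataclass(frozen=True)
class SetpointWrite:
    t: int            # seconds since start of the (constructed) log
    drive_id: str     # assumed identifier of the frequency converter
    setpoint_hz: float


def flag_out_of_band(writes: List[SetpointWrite],
                     band: Tuple[float, float] = TARGET_BAND_HZ) -> List[SetpointWrite]:
    """Return every write that pushes a drive outside its normal band."""
    lo, hi = band
    return [w for w in writes if not (lo <= w.setpoint_hz <= hi)]


def find_attack_pattern(writes: List[SetpointWrite],
                        band: Tuple[float, float] = TARGET_BAND_HZ) -> List[Tuple[str, int]]:
    """Find the overspeed / near-stop / back-to-band triple per drive.

    Returns (drive_id, time of the overspeed write) for each match. Matching
    the ordered triple, rather than single outliers, keeps ordinary ramp-ups
    and planned stops from firing the alert."""
    lo, hi = band
    by_drive: Dict[str, List[SetpointWrite]] = {}
    for w in sorted(writes, key=lambda w: w.t):
        by_drive.setdefault(w.drive_id, []).append(w)

    hits: List[Tuple[str, int]] = []
    for drive_id, seq in by_drive.items():
        for a, b, c in zip(seq, seq[1:], seq[2:]):
            if a.setpoint_hz > hi and b.setpoint_hz < lo and lo <= c.setpoint_hz <= hi:
                hits.append((drive_id, a.t))
    return hits


# Constructed sample telemetry: drive-01 receives the attack sequence,
# drive-02 stays within its normal band throughout.
SAMPLE_WRITES = [
    SetpointWrite(0,   "drive-01", 1000.0),
    SetpointWrite(60,  "drive-01", 1064.0),
    SetpointWrite(120, "drive-01", 1410.0),
    SetpointWrite(180, "drive-02", 900.0),
    SetpointWrite(240, "drive-01", 2.0),
    SetpointWrite(300, "drive-01", 1064.0),
]

if __name__ == "__main__":
    print("payload would command:", attack_sequence(1000.0))
    for w in flag_out_of_band(SAMPLE_WRITES):
        print(f"out of band: t={w.t}s {w.drive_id} -> {w.setpoint_hz} Hz")
    for drive_id, t in find_attack_pattern(SAMPLE_WRITES):
        print(f"attack pattern on {drive_id} starting at t={t}s")
```

One caveat for anyone adapting this check: feed it from an independent measurement of what the drives are actually doing (for example, drive output or rotor speed read through a separate path), not from values reported back by the same controller the worm has rewritten, since a payload that can change the setpoints can also change what the controller reports.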