Stuxnet was designed by the Israeli and US intelligence forces to shut down the Iranian nuclear weapons programme. It did its job rather well and even took down a few Middle Eastern businesses too.
Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Dubbed IRONGATE the code replaces certain types of files, and was seemingly written to target a specific control system configuration.
Security outfit Fireeye says that it is may not be a government which has released IRONGATE but whoever did it was clearly inspired by Stuxnet.
He said that the code is a blend of techniques written by someone who understands Stuxnet really well.
IRONGATE attacks, a Siemens testing environment called PLCSIM. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own.
It records five seconds of traffic from the Siemens’ system to the user interface, and replays it over again, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.
It was so good that when FireEye tested it no anti-virus vendors thought the files were malicious.
“Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that IRONGATE is not viable against operational Siemens control systems and determined that IRONGATE does not exploit any vulnerabilities in Siemens products,” FireEye’s report reads.
But IRONGATE differs from Stuxnet in the way it avoids detection. IRONGATE will sense if it’s within a VMware virtual machine or a Cuckoo Sandbox environment. Stuxnet only looked for various antivirus programs on the target system, FireEye note.
FireEye team does not think that IRONGATE is the work of Stuxnet’s authors. For a start it is much older and its history only stretches back to 2012. IRONGATE lacks the sophistication you would expect from a nation state.