To begin with, Stuxnet was incredibly complicated and sophisticated, beyond the cutting edge. It had been out in the wild for a year without drawing anyone's attention, and seemed to spread by way of USB thumb drives, not over the Internet. O Murchu's job was to try to unlock its secrets and assess the threat for Symantec's clients by figuring out what the malicious software was engineered to do and who was behind it.
Steve Kroft: How long was the Stuxnet code?
O Murchu: You're talking tens of thousands of lines of code, a very, very long project, very well written, very professionally written and very difficult to analyze.
Unlike the millions of worms and viruses that turn up on the Internet every year, this one was not trying to steal passwords, identities or money. Stuxnet appeared to be crawling around the world, computer by computer, looking for some sort of industrial operation that was using a specific piece of equipment, a Siemens S7-300 programmable logic controller.
O Murchu: This gray box here is essentially what runs factory floors. And you program this box to control your equipment. And you say, turn on the conveyor belt. Turn on the heater, turn on the cooler, shut the plant down. It's all contained in that box. And that's what Stuxnet was looking for. It wanted to get its malicious code onto that box.
The programmable logic controller, or PLC, is one of the most critical pieces of technology you've never heard of. They contain circuitry and software essential for modern life and control the machines that run traffic lights, assembly lines, oil and gas pipelines, not to mention water treatment facilities, electric companies and nuclear power plants.
O Murchu: And that was very worrying to us because we thought it could've been a water treatment facility here in the U.S. or it could've been trying to take down electricity plants here in the U.S.
The first breakthrough came when O Murchu and his five-man team discovered that Stuxnet was programmed to collect information every time it infected a computer and to send it on to two websites, one in Denmark and one in Malaysia. Both had been registered with a stolen credit card, and the operators were nowhere to be found. But O Murchu was able to monitor the communications.
O Murchu: Well the first thing we did is we looked at where the infections were occurring in the world and we mapped them out. And that's what we see here. We saw that 70% of the infections occur in Iran and that's very unusual for malware that we see. We don't normally see high infections in Iran.
Two months later, Ralph Langner, a German expert on industrial control systems, added another piece of important information: Stuxnet didn't attack every computer it infected.
Langner: This whole virus is designed only to hit one specific target in the world.
Kroft: How could you tell that?
Langner: It goes through a sequence of checks to actually determine if this is the right target. It's kind of a fingerprinting process, a process of probing if this is the target I'm looking for, and if not, it just leaves the controller alone.
Stuxnet wasn't just looking for a Siemens controller that ran a factory floor; it was looking for a specific factory floor, with a specific type and configuration of equipment, including Iranian components that weren't used anywhere else in the world, and variable-speed motors that might be used to regulate spinning centrifuges, fragile pieces of equipment essential to the enrichment of uranium. And Langner speculated publicly that Stuxnet was out to sabotage Iran's nuclear program.