Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes.
It is the first-ever computer worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure.Furthermore, the worm's probable target has been said[by whom?] to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start up of Iran's Bushehr Nuclear Power Plant.
European digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60 percent of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.
Operation
Stuxnet attacks Windows systems using four zero-day attacks (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to command the software. Siemens, however, advises against changing the default passwords because it "could impact plant operations."
The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of used zero-day Windows exploits is also unusual, as zero-day Windows exploits are valued, and crackers do not normally waste the use of four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware. It is digitally signed with two authentic certificates which were stolen from two certification authorities (JMicron and Realtek) which helped it remain undetected for a relatively long period of time. It also has the capability to upgrade via peer to peer, allowing it to be updated after the initial command and control server was disabled. These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
A Siemens spokesperson said that the worm was found on 15 systems with five of the infected systems being process manufacturing plants in Germany. Siemens claims that no active infections have been found and there were no reports of damages caused by the worm.
 Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing the Microsoft patch for vulnerabilities and disallowing the use of third-party USB sticks.
The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. In addition, it has been speculated that incorrect removal of the worm could cause a significant amount of damage.
 Speculations about the target and origin
Alan Bentley of security firm Lumension has said that Stuxnet is "the most refined piece of malware ever discovered ... mischief or financial reward wasn’t its purpose, it was aimed right at the heart of a critical infrastructure". Symantec estimates that the group developing Stuxnet would have been well-funded, consisting of five to ten people, and would have taken six months to prepare.
The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it. Israel, perhaps through Unit 8200, has been speculated to be the country behind Stuxnet in many of the media reports and by experts such as Richard Falkenrath, former Senior Director for Policy and Plans within the Office of Homeland Security. There has also been speculation on the involvement of NATO, the United States and other Western nations.
Symantec claims that the majority of infected systems were in Iran (about 60%), which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Ralph Langner, a German cyber-security researcher, called the malware "a one-shot weapon" and said that the intended target was probably hit, although he admitted this was speculation.
There are reports that Iran's uranium enrichment facility at the Natanz facility was the target of Stuxnet and the site sustained damage because of it causing a sudden 15% reduction in its production capabilities. There was also a previous report by wikileaks disclosing a "serious nuclear accident" at the said site in 2009. According to statistics published by the Federation of American Scientists (FAS) the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.
The name is derived some keywords discovered in the software.  Since the whole Stuxnet code has not yet been decrypted, its intent remains unknown. Among its peculiar capabilities is a fingerprinting technology which allows it to precisely identify the systems it infects. It appears to be looking for a particular system to destroy at a specific time and place. Once it has infected a system it performs a check every 5 seconds to determine if its parameters for launching an attack are met. The exact way through which Stuxnet destroys its target is still a mystery but it is thought[by whom?] that it may be programmed to cause a catastrophic physical failure by, for example, overriding turbine RPM limits, shutting down lubrication or cooling systems, or sabotaging the high-speed spinning process of centrifuge arrays at Iran's Natanz nuclear facility. Since the complex code of Stuxnet looks for a very particular type of system and controller, it has been theorized that the target is of a high importance for the attacker.