Win32 Virus Removal

Iran announced Saturday it had detained multiple individuals accused of pursuing computer-based assaults on the nation's nuclear program, Agence France-Presse reported (see GSN, Oct. 1; Agence France-Presse I/Yahoo!News, Oct. 2).

(Oct. 4) - The reactor building at Iran's Bushehr nuclear power plant, shown in August. Days after a computer worm was said to have infected the Bushehr plant, Tehran announced arrests over alleged efforts to launch computer-based attacks on its atomic work (Atta Kenare/Getty Images).

The announcement followed statements by Iranian officials that "Stuxnet," a computer worm designed to target industrial control systems, had infected personal computers but not critical systems at the country's Bushehr nuclear power plant, Reuters reported. Washington and other governments suspect the Middle Eastern nation's nuclear program is geared toward bomb development, a contention Tehran has consistently denied (Robin Pomeroy, Reuters, Oct. 4).

Iran has "prevented the enemies' destructive activity," state media quoted Iranian Intelligence Minister Heydar Moslehi as saying.

Iranian intelligence officials have learned of "destructive activities of the arrogance (Western powers) in cyberspace, and different ways to confront them have been designed and implemented," Moslehi said. "I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country's nuclear activities."

The Intelligence Ministry identified actions being carried out by "enemies' spy services," the official stressed.

"We have always faced the destructive action of these (spy) services and a number of nuclear spies have been arrested," Moslehi said (AFP I).

Security analysts have suggested the worm could be the work of a government, with Israel and the United States as the leading candidates, Reuters reported. Western powers as well as Israel considered clandestine interference to be an option for undermining Iran's atomic advancement, diplomats and security specialists said.

Still, Tehran asserted the worm had no role in postponing the Bushehr plant's opening until 2011, instead blaming escaped material for the delay.

"A small leak was observed in a pool next to the reactor and was curbed," Iranian Atomic Energy Organization head Ali Akbar Salehi said today, according to state media. "This leak caused the activities to be delayed for a few days. The leak has been fixed and the core of the reactor is working properly."

Salehi could have been describing a leak in a cooling pond for holding the site's spent nuclear fuel, an issue that would not be "very serious," former State Department nonproliferation analyst Mark Fitzpatrick said.

"Typically Iran exaggerates everything about their nuclear program in a positive way," he said. "It could be more serious trouble than he has stated" (Pomeroy, Reuters).

The Iranian intelligence minister on Saturday said his nation had devised a means of countering the Stuxnet worm, the Associated Press reported (Associated Press/Globe and Mail, Oct. 3). On Sunday, another official reported wiping the worm from Iranian systems, AFP reported.

"The industrial computers infected by the Stuxnet virus have been cleaned," state media quoted Iranian Deputy Industry Minister Mohsen Hatam as saying. "All platforms have been cleaned and delivered to the industrial units."

"The virus infected these computers because they lacked high security firewalls," he said, adding that the worm had been "designed and dispatched about a year ago to gather information from industrial computers" (Agence France-Presse II/Spacewar.com, Oct. 3).

Some experts suggested the United States could be intentionally limiting its efforts to counter the worm, the Christian Science Monitor reported.

Technical assessments of the malicious software by the U.S. Industrial Control Systems Cyber Emergency Response Team have generally only recounted findings by independent security firms days after the information's release, according to industrial security system security specialists.

“Name me one new or helpful piece of information that ICS-CERT provided to the community on Stuxnet? Or any other helpful contribution on the biggest control system security event to date,” Dale Peterson, head of the control systems security company Digital Bond, wrote in a blog post. “It seems to me to have been a delayed clipping service.”

“They had the expertise, the relationship with vendors, the equipment in their labs and the ability to analyze Stuxnet,” Peterson told the Monitor. “But those bulletins they put out were missing key data or late. Getting this information out quickly was their sole mission, and they failed.”

"We took a broad all-hazards approach to the (Stuxnet) malcode,” countered Sean McGurk, head of the Homeland Security Department's Control System Security Program. “We immediately began to analyze it and produce information to get into the hands of the community so they could begin taking protective measures."

“We were able to reverse engineer the (Stuxnet) code and monitor how it works,” McGurk said. “There have been individuals speculating on attribution and intent. ... Our main focus has been on understanding the malware and putting mitigation in place -- how to prevent the spread and how to protect the physical infrastructure.”

One computer security specialist, though, speculated the United States was withholding information on the worm to hinder its removal from Iranian systems.

“Did the U.S. government know Stuxnet’s target and say, ‘No, no, no -- we don’t want this information (about how to defang Stuxnet) out there. It’s highly plausible that people knew Iran was the target and didn’t want all the details about how to fix Stuxnet to get out right away,” the expert said.

Still, the difficulty of tracing such software to its author makes it difficult to assert the worm was specifically aimed at Iran, said Scott Borg, head of the independent U.S. Cyber Consequences Unit (Mark Clayton, Christian Science Monitor, Oct. 3).

Meanwhile, Indonesia on Friday reaffirmed its backing of Iran's civilian nuclear efforts, the Jakarta Post reported.

“Iran believes Indonesia has a very independent view on Iran’s nuclear issue, and expects that the latest developments will encourage Indonesia to keep playing a constructive role,” Indonesian Foreign Minister Marty Natalegawa said following talks between Indonesian President Susilo Bambang Yudhoyono and Alaeddin Boroujerdi, chairman of the Iranian parliament's national security and foreign policy committee.

The Indonesian president "has affirmed that the Indonesian government will always be ready to contribute to the settlement of the issue,” Natalegawa said, referring to the dispute over Iran's nuclear program. “The president also said Iran and Indonesia were opposed to the proliferation of nuclear weapons,” he said (Erwida Maulia, Jakarta Post, Oct. 2).