Stuxnet still has active infections in Iran, we observe

As discussed in the last post we see worldwide virus activity. As the only company in the world we are also able to see the still active Stuxnet infections. Why? Because we own part of the Stuxnet command & control (C&C) infrastructure. If we were evil (which we are not) we could send them updates and commands. How did we acquire the Stuxnet C&C infrastructure? Company secret.

General virus activity in Iran

For December 2013 (until today) we have 1.274.013 infection records (with 417.206 unique Iranian IPs). Among the infected organizations are many many universities and research organizations. We cannot quickly say about how many virus infections appear at the Iranian government as we would have to find some sources regarding their used IP ranges.

We have seen 20.000 unique infections per day max, with ZeroAccess being with 64% the biggest threat there:

Iran December 2013 Graph

Iran December 2013

Stuxnet Active Infections

Yes, there are still computers in Iran infected with Stuxnet. We still observe internationally multiple active Stuxnet infections. Below are all infections still active in Iran.

Iran Stuxnet Infections

Worldwide Stuxnet activity monitored on our servers (infected machines connecting to the command & control infrastructure):

Stuxnet All

Stuxnet sends some information in the GET request. An example request (made by the “Pars Online” infection) is “/index.php?data=66a96e28270b6b4b93c9e63cf84b1307da7c7a046e50a46acba7b1f643e03f9a5390d546f2a7645fa21d659d3fb4a857946291a6f89da476b4b6e3842e0cac56dc8427bdea6c5b62b58c9d3fb5a877a54fa391baa9e54283”.