News Analysis: The Israeli-produced worm that devastated Iran's nuclear production propagates in many ways, but the primary way is by USB memory sticks.
This story starts at the Washington,
D.C., Auto Show, which is held at the end
of January each year. While I was at the show, one of the people at the Land
Rover display handed me a USB memory stick.
I assumed that it contained a brochure or something similar, so I put it into
my pocket and took it home. There, I promptly forgot about it.
Fast forward a few days and the device appeared on my
desk, so I did what you're not supposed to do, and plugged it into my USB
port, assuming that Norton would block any bad stuff. Apparently there wasn't
any bad stuff, but what alarmed me was that this USB
memory didn't appear on my desktop as a removable drive-it simply launched a
video showing me a new model of the Range Rover. I couldn't detect the device
as a removable drive, so I couldn't reformat it for some other use. Instead, I
tossed it into the trash before the video got going.
The reason this alarmed me is that it demonstrated how
easy it is to insert and execute software, good or bad, without the user
knowing. Had this same USB memory module contained
Stuxnet, my computer might have been infected. This is exactly what
happened a couple of years ago in Iran
when the Israeli Defense Forces quietly planted some USB
memory sticks in places frequented by Iranian nuclear engineers. Like everyone
else, they popped the devices into their computers and the rest is
Apparently the insertion of the USB
device into the respective computers worked much like the one that showed me
the Land Rover video. As soon as the device detected the insertion, it went to
work and never waited for permission or a mouse click or whatever. Unlike the
video, this worm never gave any indication that it was setting itself up and
running. Instead, the software quietly installed itself and then took over the
control computers for Iran's
uranium centrifuges. It caused the centrifuges to overspeed until they were
destroyed, while reporting to the operators that everything was normal.
While virtually every computer infected by Stuxnet is in Iran,
or belongs to a company with a presence in Iran,
that doesn't mean that you're in the clear. Now that Stuxnet has been out for a
while, it's only a matter of time before malware producers use the delivery
mechanism to attack other targets.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.