Stuxnet: Hunting for the Malware's Origins
by Brian Prince
When VirusBlokAda first discovered the worm in June 2010, Stuxnet had already been active for at least a year. The older versions of the worm spread using an AutoRun trick; security researchers said the first version of Stuxnet was relatively rudimentary in its propagation methods, relying on abuse of the AutoRun feature of the computers it infected.
U.S. and Israeli Origins?
Much speculation has centered on who may have created Stuxnet. A recent story in The New York Times reported that the worm had been tested at a facility in Israel, and hinted at a combined effort between the United States and Israel. However, definitive evidence remains elusive, and many question why intelligence agencies would launch a targeted attack yet fail to use measures to keep it from spreading around the world and drawing as much attention as it did.
How Sophisticated was Stuxnet?
Stuxnet has been described as a game-changer and a highly sophisticated piece of malware. However, evidence has surfaced that some aspects of the worm were more sophisticated than others; the most advanced were its ability to manipulate programmable-logic controllers and its use of four zero-day vulnerabilities targeting Windows.
Less Sophisticated Pieces
On the other hand, the worm's authors failed to encrypt communications with the command-and-control server. The worm also called back to only two domains, whereas other pieces of malware build in more redundancy to thwart takedown efforts, Securicon security consultant Tom Parker said at the Black Hat DC conference.
Clues in the Code?
Some say clues to the worm's creation can be found in the code, though others dispute the notion. One of these supposed clues is a file directory inside Stuxnet called "Myrtus," considered by some to be an allusion to the Old Testament Book of Esther.
Though the worm spread to computers worldwide, many of the infections were in Iran. Symantec's analysis of the worm's functionality found that it targets frequency converter drives that control motor speeds. The worm looks for converter drives operating at the very high frequencies associated with centrifuges. A December 2010 report from the Institute for Science and International Security called Stuxnet "a reasonable explanation" for the destruction of 1,000 centrifuges at Iran's uranium-enrichment plant at Natanz, but said the evidence is not definitive.
Impact on the Cyber Arms Race
To some, Stuxnet serves as a symbol of a new type of cyber-war, one where the goal is not only to disable Websites and Internet communications, but also to directly cause damage in the physical world. In the wake of recent events, Iran revealed it is establishing cyber-security squads. In the United States, Stuxnet has been used to call attention to the importance of defending the country's critical infrastructure.