Is Stuxnet the 'best' malware ever?
'Groundbreaking' worm points to a state-backed effort, say experts
Computerworld - The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and those of dozens of other major companies, were child's play.
O Murchu and Schouwenberg should know: They work for the two security companies that discovered that Stuxnet exploited not just one zero-day Windows bug but four -- an unprecedented number for a single piece of malware.
Stuxnet, which was first reported in mid-June by VirusBlokAda, a little-known security firm based in Belarus, gained notoriety a month later when Microsoft confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms.
Those control systems are often referred to using the acronym SCADA, for "supervisory control and data acquisition." They run everything from power plants and factory machinery to oil pipelines and military installations.
At the time it was first publicly identified in June, researchers believed that Stuxnet -- whose roots were later traced as far back as June 2009 -- exploited just one unpatched, or "zero-day," vulnerability in Windows and spread through infected USB flash drives.
Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly 60% of all infected PCs were located in that country.
On Aug. 2, Microsoft issued an emergency update to patch the bug that Stuxnet was then known to exploit in Windows shortcuts.
But unbeknownst to Microsoft, Stuxnet could actually use four zero-day vulnerabilities to gain access to corporate networks. Once it had access to a network, it would seek out and infect the specific machines that managed SCADA systems controlled by software from German electronics giant Siemens.
With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantec went to work, digging deep into its code to learn how it ticked.
The two companies independently found attack code that targeted three more unpatched Windows bugs.
"Within a week or week and a half [of news of Stuxnet], we discovered the print spooler bug," said Schouwenberg. "Then we found one of the EoP [elevation of privilege] bugs." Microsoft researchers discovered a second EoP flaw, Schouwenberg said.
Working independently, Symantec researchers found the print spooler bug and two EoP vulnerabilities in August.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!