Is Stuxnet the 'best' malware ever?
Both firms reported their findings to Microsoft, which patched the print spooler vulnerability on Tuesday and said it would address the less-dangerous EoP bugs in a future security update.
"Using four zero-days, that's really, really crazy," said Symantec's O Murchu. "We've never seen that before."
Neither has Kaspersky, said Schouwenberg.
But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in 2008 with Microsoft's MS08-067 update. That bug was the same vulnerability used to devastating effect by the notorious Conficker worm in late 2008 and early 2009 to infect millions of machines.
Once within a network -- initially delivered via an infected USB device -- Stuxnet used the EoP vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.
"The organization and sophistication to execute the entire package is extremely impressive," said Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or companies they were targeting."
O Murchu seconded that. "There are so many different types of execution needs that it's clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits," he said.
The malware, which weighed in a nearly half a megabyte -- an astounding size, said Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.
"And from the SCADA side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works," said O Murchu.
"Someone had to sit down and say, 'I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,'" O Murchu continued. "And then pull together all these resources. It was a big, big project."
One way that the attackers minimized the risk of discovery was to put a counter in the infected USB that allowed it to spread to no more than three PCs. "They wanted to try to limit the spread of this threat so that it would stay within the targeted facility." O Murchu said.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts