Is Stuxnet the 'best' malware ever?
Both firms reported their findings to Microsoft, which patched the print spooler vulnerability on Tuesday and said it would address the less-dangerous EoP bugs in a future security update.
"Using four zero-days, that's really, really crazy," said Symantec's O Murchu. "We've never seen that before."
Neither has Kaspersky, said Schouwenberg.
But the Stuxnet wonders didn't stop there. The worm also exploited a Windows bug patched in 2008 with Microsoft's MS08-067 update. That bug was the same vulnerability used to devastating effect by the notorious Conficker worm in late 2008 and early 2009 to infect millions of machines.
Once within a network -- initially delivered via an infected USB device -- Stuxnet used the EoP vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.
"The organization and sophistication to execute the entire package is extremely impressive," said Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or companies they were targeting."
O Murchu seconded that. "There are so many different types of execution needs that it's clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits," he said.
The malware, which weighed in a nearly half a megabyte -- an astounding size, said Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.
"And from the SCADA side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works," said O Murchu.
"Someone had to sit down and say, 'I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,'" O Murchu continued. "And then pull together all these resources. It was a big, big project."
One way that the attackers minimized the risk of discovery was to put a counter in the infected USB that allowed it to spread to no more than three PCs. "They wanted to try to limit the spread of this threat so that it would stay within the targeted facility." O Murchu said.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts