Skip the navigation

Is Stuxnet the 'best' malware ever?

September 16, 2010 06:47 AM ET

And they were clever, said Schouwenberg.

Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA network. "There's no logging in most SCADA networks, and they have limited security and very, very slow patch cycles," Schouwenberg explained, making the long-patched MS08-067 exploit perfect for the job.

Put all that together, and the picture is "scary," said O Murchu.

So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu or Schouwenberg believe it couldn't be the work of even an advanced cybercrime gang.

"I don't think it was a private group," said O Murchu. "They weren't just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage."

The necessary resources, and the money to finance the attack, puts it out the realm of a private hacking team, O Murchu said.

"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control machinery in the real world."

"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the No. 1 target is telling.

"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation-state-backed."

"This was a very important project to whoever was behind it," said O Murchu. "But when an oil pipeline or a power plant is involved, the stakes are very high."

And although Siemens maintains that the 14 plants it found with infected SCADA systems were not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.

Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that the worm went undetected for months.

"We don't know if they succeeded or not, but I imagine that they got to the targets that they wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.

"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said Schouwenberg. "I think they were convinced that they would be able to do what they wanted before they were detected."

O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers from Microsoft and Kaspersky will present a separate paper at the same conference.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter@gkeizer, or subscribe to Gregg's RSS feed Keizer RSS. His e-mail address is gkeizer@ix.netcom.com.

Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.



Our Commenting Policies