Win32/Stuxnet: more news and resources

Perhaps you're getting as tired of this thing as I am (though with the information still coming in, I'm not going to be finished with this issue for a good while, I suspect).  But without wishing to hype, I figeseture it's worth adding links to some further resources.

There's a very useful comment by Jake Brodsky to my previous post at https://www.welivesecurity.com/2010/07/20/theres-passwording-and-theres-security, which explains very clearly the difficulties that Siemens ineptitude has imposed on people working in the SCADA space. As he rightly says, that's not an area in which I have first-hand experience, but I am aware of those difficulties (and sympathetic to them, having worked at a level of responsibility within other areas of a critical national infrastructure). I am certainly not suggesting that they can be overcome "on a whim".

The ICS-CERT advisory at http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf suggests that ICS CERT and Siemens CERT are working together on some aspects of the problem, and hopefully this will lead to a more realistic approach to resolving the SCADA aspects of the problem. (D

SC Magazine's Dan Raywood has picked up on some more issues, including the SCADA issue and the Microsoft interim fix at http://support.microsoft.com/kb/2286198#FixItForMe (see also Heise's story at http://www.h-online.com/security/news/item/lnk-vulnerability-Microsoft-fix-causes-icon-chaos-1042888.html).

Chet Wisniewski and Sean Sullivan, on the other hand, have explored the digital certificate issue that Pierre-Marc blogged on two days ago, and Paul Ducklin stresses the privacy and encryption issues.

The Irish Software Developers Network focuses on some of the figures originally blogged here and mentioned in a press release here. In case there's any confusion, perhaps it's worth stressing a few points.

• The percentages quoted refer to the tens of thousands of reported Stuxnet infection: they don't express a percentage of the totality of malware flagged on ThreatSense.net(r), let alone all malware.
• While the high volumes reported for the US and Iran are interesting, they don't represent an authoritative statistic applicable universally: as I pointed out here, other sources show significant differences in distribution for some regions.
• While SCADA targeting malware is a major concern at the moment (and poses a very major problem to sites using certain Siemens control software), the distribution of the malware is certainly not restricted to such sites.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow