Win32/Stuxnet: more news and resources

Perhaps you're getting as tired of this thing as I am (though with the information still coming in, I'm not going to be finished with this issue for a good while, I suspect).  But without wishing to hype, I figure it's worth adding links to some further resources.

There's a very useful comment by Jake Brodsky to my previous post at http://blog.eset.com/2010/07/20/theres-passwording-and-theres-security, which explains very clearly the difficulties that Siemens ineptitude has imposed on people working in the SCADA space. As he rightly says, that's not an area in which I have first-hand experience, but I am aware of those difficulties (and sympathetic to them, having worked at a level of responsibility within other areas of a critical national infrastructure). I am certainly not suggesting that they can be overcome "on a whim".

The ICS-CERT advisory at http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf suggests that ICS CERT and Siemens CERT are working together on some aspects of the problem, and hopefully this will lead to a more realistic approach to resolving the SCADA aspects of the problem. (D

SC Magazine's Dan Raywood has picked up on some more issues, including the SCADA issue and the Microsoft interim fix at http://support.microsoft.com/kb/2286198#FixItForMe (see also Heise's story at http://www.h-online.com/security/news/item/lnk-vulnerability-Microsoft-fix-causes-icon-chaos-1042888.html).

Chet Wisniewski and Sean Sullivan, on the other hand, have explored the digital certificate issue that Pierre-Marc blogged on two days ago, and Paul Ducklin stresses the privacy and encryption issues.

The Irish Software Developers Network focuses on some of the figures originally blogged here and mentioned in a press release here. In case there's any confusion, perhaps it's worth stressing a few points.

  • The percentages quoted refer to the tens of thousands of reported Stuxnet infection: they don't express a percentage of the totality of malware flagged on ThreatSense.net(r), let alone all malware.
  • While the high volumes reported for the US and Iran are interesting, they don't represent an authoritative statistic applicable universally: as I pointed out here, other sources show significant differences in distribution for some regions.
  • While SCADA targeting malware is a major concern at the moment (and poses a very major problem to sites using certain Siemens control software), the distribution of the malware is certainly not restricted to such sites.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Eric Byres

    "Chester Wisniewski suggests deploying a GPO (Group Policy Object) to prevent users from executing programs except from drive C: this won’t suit everyone, but certainly offers a viable alternative, especially in corporate environments."

    Some bad news – several other people also suggested this work around and it doesn't appear to be effective - the vulnerability is executed when the Icon is rendered and thus is not seen by the OS as running from the drive. Thus you still get infected. Still this would limit other variations from executing further activities from the drive.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

23 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.