In the months since Stuxnet first hit our radar, I’ve wiped a lot of brickdust off my forehead. Mostly as a result of banging my head against the wall in the hope of distraction from yet another infuriating, unsubstantiated speculation about who wrote it, what it was for, and who was the target, repeated as if it was proven fact.
(By the way, my apologies to David J. Evans of the Information Commissioner’s Office, who gave an excellent presentation on data protection and privacy at yesterday’s very enjoyable Virus Bulletin seminar in London: I hope he wasn’t distracted by my sitting a row or two back staring at the Sky story on my Blackberry and silently mouthing “Whaaaaaattttttt!!!!!?????”)
The hook on which this sorry dishrag of a story hangs is the claim that the “super virus” (sigh…) is being traded on the black market and “could be used by terrorists”. That would be the bad guys as opposed to the saintly individuals who originally put it together, very possibly to attack nuclear facilities, I suppose.
So which market is the black market? Probably Billingsgate, since this story seems to have attracted more than its fair share of red herrings and fisherman’s tales. I don’t imagine that Stuxnet samples have much market value, though. There are an awful lot of them around these days. Or are we talking about (tartare) source code? Well, if someone is really hawking the original code, that’s very interesting, and it would be nice to know if it tells us any more about its origins (interesting and unsensational article on that by the BBC here, by the way). But given the amount of detailed analysis that’s already available (and I mean substantial blocks of reverse-engineered code, not high-level analysis and code snippets and descriptions), I’m not sure that anyone with malicious intent and a smidgen of technical skill would need the original code.
But let’s get on to the interesting Chicken Licken stuff about the Sky falling, appropriate dismissed by Steward Meagher at thinq.co.uk as “a load of old cock.” (Nice bit of debunking…)
Let’s say for the sake of argument that equipment used for uranium enrichment in Iranian nuclear facilities was the target: there’s certainly substantial supporting (if unconclusive) evidence of that. One Will Gilpin, apparently an IT security consultant to the UK government, is quoted as suggesting that possession of “the virus” in whatever form has alarming potential:
“You could shut down the police 999 system.”
Really? The emergency services switchboard (999 is the UK equivalent of 911) is pump-driven? Sportswear sponsorship is everywhere nowadays.
“You could shut down hospital systems and equipment.”
At a (biiiiiiiig) stretch, perhaps. Some systems, maybe. In the unlikely event that they use equipment supplied from Tehran or Finland in certain therapeutic contexts.
“You could shut down power stations, you could shut down the transport network across the United Kingdom.”
Ah yes, I saw that movie. Michael Caine robbing a bank in Turin by screwing with the traffic lights. They use high-speed frequency converter drives for traffic control too, do they? Well, I never….
I’m not sure what sort of consultancy Will Gilpin provides to the government. If he was quoted correctly, I’d guess it’s probably something to do with justifying draconian anti-terrorist measures. If HMG is expecting quality intelligence on malware, it might want to ask for its money back.
I have a theory. (No, not the flippant suggestion of a few days back regarding the involvement of Finnish eco-terrorists.)
One webDEViL (need to get that shiftlock key fixed, buddy…) has published Proof of Concept code to make use of the (as yet unpatched) Task Scheduler vulnerability, and while plenty of other relevant code and reverse-engineering analysis has already been published in various dark corners, this one caught the attention of the media.
(My colleague Josep Albors also reported it a few days ago. Sorry, it’s in Spanish, and I haven’t had time to do a translated blog.)
I wonder if the Sky News story is based on a garbled, superhyped interpretation of that story, with a leavening of “we know something you don’t know” from various mouthpieces eager to prove that government agencies are ahead of the curve?
As I was writing this, I came across a nice bit of myth-busting from Paul Ducklin, who evidently finds this hypefest as irritating as I do.
[Update: hat tip to Rob Rosenberger for drawing my attention to another sane-and-sensible blog on the same topic from Roger Thompson.]
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security