Stuxnet Information and Resources (3)

This is the 3rd volume of an ongoing Stuxnet resources blog article, supplementing our paper "Stuxnet Under the Microscope". Volume 1 is at /2011/01/03/stuxnet-information-and-resources/, and volume 2 is at /2011/01/20/stuxnet-information-and-resources-2/.  

Added 30th March 2011

Nice article by Mark Russinovich on Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1. Though I don't think Stuxnet is universally acknowledged as the most sophisticated malware ever. See, for instance, http://gcn.com/articles/2011/01/18/black-hat-stuxnet-not-superworm.aspx.

Eugene Kaspersky suggests that it's easy for blackhats to repurpose Stuxnet's code to attack other systems, and brings in some tenuously related earlier problems (power failures on the US East Coast in 2003, the Spanish air-crash in 2008). I'm not convinced… http://computerworld.co.nz/news.nsf/news/cut-price-stuxnet-successors-possible-kaspersky

Ralph Langner's TED talk is online: http://on.ted.com/Stuxnet

(ISC)2 Government Advisory Board Executive Writers Bureau, not altogether accurately, on some of the technical points, on How Stuxnet changed the security game.

Added 8th March 2011

Kelly Jackson Higgins in a Dark Reading article tells us that Malware Attacks Decline In SCADA, Industrial Control Systems, quoting a report published by the Security Incidents Organization drawing on its Repository of Industrial Security Incidents (RISI) database.

One aspect that's attracted attention on specialist lists is the mention of a large US power company (unnamed) that experienced infections of 43 operator and programming stations.

Added 5th March 2011

• Myriam Dunn Cavelty at Parliamentary Brief Online (29 October 2010): The real cyberwar is about beating the crooks and the spooks
• Myriam Dunn Cavelty and Oliver Rolofs for Munich Security Conference: MSC Booklet Paper: From Cyberwar to Cybersecurity: Proportionality of Fear and Countermeasures

Added 4th March 2011:

Ralph Langner at the TED Conference, as summarized by the BBC: US and Israel were behind Stuxnet claims researcher.

Added 3rd March:

• J. Oquendo takes a cold, clear look on Infosec Island at some of the hype that surrounds the Stuxnet story: Cyberterrorism – As Seen On TV
• While Visible Risk, while by no means entirely negative about the Vanity Fair Stuxnet story (see http://blog.eset.com/2011/03/02/more-on-stuxnet), makes an entirely reasonable point about Irresponsible Sensationalism. I have to agree: comparing Stuxnet to Hiroshima is way, way, way over the top.

Added 2nd March:

• Michael Joseph Gross on A Declaration of Cyber War in Vanity Fair. Despite a somewhat breathless tone in the introduction – "the world’s top software-security experts were panicked by the discovery of a drone-like computer virus" (where's my Valium?!) – actually a comprehensive and largely accurate account. It even mentions ESET's research, though if you blink while you read through you'll miss it. ;-) 
• A video interview with Ralph Langner on the Silver Bullet Podcast: http://www.cigital.com/silverbullet/show-059/
• I just spotted an article series based on the paper by Eric Byres, Andrew Ginter and Joel Langill previously flagged here: Stuxnet Report: A System Attack.
• And I'm talking about Stuxnet and SCADA at Infosecurity Europe on the 19th April. Suitably breathless summary here.

Added 24th February:

• Eric Byres, Andrew Ginter, Joel Langill: How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems. I haven't read this yet, as it requires registration and approval which hasn't yet come through, but it looks likely to be worth the wait (confirmed: I'm not registered and have downloaded the paper, which looks well worth reading, in my copious free time..). Joel Langill also maintains a list of links at http://www.stuxnetcure.com.
• Tofino Security also has a revised document by Eric Byres and Scott Howard on "Analysis of the Siemens WinCC / PCS 7 “Stuxnet” Malware for Industrial Control System Professionals". Again, you'll need to register before you can read it: www.tofinosecurity.com/stuxnet-central.
• Lee at Security FAQs on With Worms Such As Stuxnet Are We In For A New Level Of Cyber Warfare? (Reasonable high-level summary: I don't altogether agree that the malware didn't affect computers other than those it directly targeted though.)

14th February

• Kim Zetter, in Wired's "Threat Level" column Report: Stuxnet Hit 5 Gateway Targets on Its Way to Iranian Plant, summarizes the latest update to Symantec's Threat Dossier. Symantec researchers now believe that Stuxnet targeted five organizations in Iran as staging posts in the attack of their final target in that country.
• Chris Barth writes for Forbes about the claim by the Anonymous group that it is in possession of the Stuxnet code. Decompiled Stuxnet code is certainly around here and there, but reversed code is one thing: whether Anonymous can make effective re-use of a threat that's already been under microscopes of anti-malware laboraties for many months is a different question. Anonymous Claims Possession Of Insidious Stuxnet Virus.

7th February update to entry for 6th February 2011: The Reuters article refers to a statement by the Russian ambassador to NATO claiming that Stuxnet could have caused "another Chernobyl": more info at http://www.csoonline.com/article/659165/stuxnet-could-have-caused-new-chernobyl-russian-ambassador-says?source=rss_data_protection. Hat tip to @FSecure. 

7th February 2011: Tip of the hat to Gary Mauvais for alerting me to an article by Nima Bagheri, CEO of U0vd: The Art of Deception for Stuxnet in Iran.  While the article doesn't read like the "authoritative" view from Iran, it makes some useful, sensible points and doesn't push an overt political agenda, though the conclusion does support what does appear to be the official Iranian line that this was an attack against Iranian nuclear operations, but that it wasn't successful.

6th February 2011: Iran says Stuxnet claims need investigating, while still maintaining that reports of major damage to the Bushehr plant were a malicious campaign by countries hostile to Tehran's nuclear program, and despite previous claims of no direct damage to its nuclear programme. (Reuters)

1st February 2011: an article by William Gibson (yes, that William Gibson) draws a connection between Brain (a 25-year-old PC virus) and Stuxnet. 25 Years of Digital Vandalism. He doesn't seem to think much of Stuxnet, drawing a much-to-the-point riposte from Bob McMillan: http://twitter.com/#!/bobmcmillan/status/30533396702699520.

23rd January 2011: a major addition to the speculative material available on Stuxnet, plus a couple of cynical asides from the Twitterverse. (I can't believe I said "Twitterverse"…)

• Tom Parker's hefty presentation "Stuxnet Redux: Malware Attribution & Lessons Learned" for Blackhat is now available (having seen that, I wish I could have been at the presentation myself…) Interestingly, it mentions a Greenpeace theory which seems to have slipped under my radar. I hope it's nothing to do with my tongue-in-cheek blog about Finnish anti-nuclear activists. ;-)
• @Cyber_Adam_SRA also flagged the Parker presentation and the Greenpeace theory, and advanced his own theory that "Stuxnet was developed by IT Security journalist": that actually makes more sense than some of the speculation around. ;-)
• Meanwhile, @imaguid countered an observation by @DaveMarcus that "malware is as effective as it needs to be" (commenting on the recent rash of OTT "#stuxnet was so embarrassing and lame" writeups) with the observation that  "malware updated twice after its so-called success doesn't sound like it was effective as it needed to be." I kind of agree with both of them: the earlier wave of "invincible superbug" suggestions were generally pretty silly: on the other hand, some of the Stuxnet implementation is pretty sharp…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow