I just came across a post from The H telling us that US government warns of potential Stuxnet variants. Of course, concern about the availability and possible portability of the code is hardly a new concern, but it turns out the article refers to a "Statement for the Record" to the (deep breath) United States House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations, by Roberta Stempfley and Sean P. McGurk of the Department of Homeland Security (Gasps for breath).
In fact, the real interest of the document lies in the extensive overview (12 closely-typed pages without graphics and such) of the DHS view of its own cybersecurity mission, pointing out how the services we rely on in our daily life (water, power, healthcare,transportation, and finance) rely on America's IT and communications infrastructure. (Of course, the same is increasingly true of many other nations.)
However, since The H has chosen to focus on the issue of Stuxnet variants, let's look at that issue of potential variants. Obviously, I can't say that the people behind Stuxnet will never modify the code to generate further variants for whatever purpose. And it's true that Stuxnet code is fairly freely available, though I believe that to be disassembly, not commented source code. But the payload is highly specialized, both in what it does and in terms of the control language it's written in (which is why it took so long to work out what was happening). There is no point in panicking about possible variants, which would need a new set of zero-days to be really effective. (Yes, I've pretty much said this before...)
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
