The Stuxnet saga rolls on. And while a lot of talented people have been poring over the code for a while, some questions are still unresolved at this time, despite all the coverage. This report provides an analysis of the notorious Stuxnet worm (Win32/Stuxnet) that attracted the attention of virus researchers recently. It is primarily
ESET researchers have been analyzing samples of dangerous malware – detected by ESET as Win32/Industroyer – which is capable of performing an attack on power supply infrastructure. Robert Lipovsky, a researcher at ESET, tells us more.
Seven years after Stuxnet first came to light, industrial systems security once again in the spotlight, reports ESET's Robert Lipovsky.
ESET has analyzed a sophisticated and extremely dangerous malware, known as Industroyer, which is designed to disrupt critical industrial processes.
An Iranian news agency has said that “malware worse than Stuxnet” may soon be unleashed, to “spy on and destroy the software structure of Iran’s nuclear program".
Version 1.31 of a comprehensive analysis of the Stuxnet phenomenon, updated to add pointers to additional resources. This is probably the last update of the document, but further relevant resources will be added to a list here.
Last week, reports of a new malware named Gauss emerged, a complex threat that has attracted a lot of media attention due to its links to Stuxnet and Flame and its geographical distribution. Since ESET has added detection for this threat, we are seeing geographical distribution of detection reports similar to those detailed by Kaspersky.
Analysis of the Flame worm (Win32/Flamer) reveals some interesting facts about the internal structure of its main module.
The slow drip of revelations about Flame have kept this piece of malware in the news for more than two weeks so it is worth reminding people that most antivirus programs now protect against Flame (ESET products detect it as Win32/Flamer.A). The coverage of Flame was boosted last week by a conveniently-timed assist from leaks
A week ago the big malware news was the code known as Flame, Flamer, or sKyWIper (detected by ESET as Win32/Flamer.A), then on June 1, this news broke: "A damaging cyberattack against Iran’s nuclear program was the work of U.S. and Israeli experts and proceeded under the secret orders of President Obama." (Washington Post) Clearly,
I notice there's a flurry of articles around the "Stuxnet anniversary" and "After Stuxnet" themes...
In fact, the real interest of the document lies in the extensive overview (12 closely-typed pages without graphics and such) of the DHS view of its own cybersecurity mission.
Or so the latest report from DEBKAfile states, claiming the Stuxnet worm broke numerous Iranian centrifuges by forcing them to overspeed, causing damage and prompting the replacement of some 5,000-6,000 units. They cite “intelligence sources” as the source of information. Whether or not this will be confirmed, it seems malware authors clearly are targeting political
I've stopped maintaining Stuxnet resource pages recently, but occasionally I come across an article that adds something useful to the mix, or simply summarizes aspects of the Stuxnet story neatly and accurately. Besides, its authors must be feeling a little left out with all that fuss about TDL4. ;-) A recent report in Wired gives
...the 'next Stuxnet' probably won't be any such thing, whatever we may choose to call it...
… albeit more slowly than previously. Added to the resources page at https://www.welivesecurity.com/2011/01/23/stuxnet-information-and-resources-3 today: A nice article by Mark Russinovich on Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1. Though I don't think Stuxnet is universally acknowledged as the most sophisticated malware ever. See, for instance, http://gcn.com/articles/2011/01/18/black-hat-stuxnet-not-superworm.aspx. (Hat tip to Security Garden for the pointer.)
Kelly Jackson Higgins in a Dark Reading article tells us that Malware Attacks Decline In SCADA, Industrial Control Systems, quoting a report published by the Security Incidents Organization drawing on its Repository of Industrial Security Incidents (RISI) database. One aspect that’s attracted attention on specialist lists is the mention of a large US power company
Added 5th March 2011 to the Stuxnet resources page at http://blog.eset.com/?p=5945...
Added to the Stuxnet resources page at https://www.welivesecurity.com/2011/01/23/stuxnet-information-and-resources-3 on 4th March 2011: Ralph Langner at the TED Conference, as summarized by the BBC: US and Israel were behind Stuxnet claims researcher. As previously mentioned at https://www.welivesecurity.com/2011/03/03/nice-stuxnet-commentary-and-hype-deflation. (Hat tip to Mikko Hypponen. Again!) David Harley CITP FBCS CISSP ESET Senior Research Fellow
Some extra resources: J. Oquendo takes a cold, clear look on Infosec Island at some of the hype that surrounds the Stuxnet story: Cyberterrorism – As Seen On TV While Visible Risk, while by no means entirely negative about the Vanity Fair Stuxnet story (see https://www.welivesecurity.com/2011/03/02/more-on-stuxnet), makes an entirely reasonable point about Irresponsible Sensationalism. I
