O Murchu's research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.
Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?
Kaspersky's [Roel] Schouwenberg [a senior antivirus researcher] believes it's because the initial attack, which relied on infected USB drives, failed to do what Stuxnet's makers wanted.
"My guess is that the first variant didn't achieve its target," said Schouwenberg, referring to the worm's 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. "So they went on to create a more sophisticated version to reach their target."
That more complex edition, which O Murchu said was developed in March of this year, was the one that "got all the attention," according to Schouwenberg. But the earlier edition had already been at work for months by then -- and even longer before a little-known antivirus vendor from Belarus first found it in June. "The first version didn't spread enough, and so Stuxnet's creators took a gamble, and abandoned the idea of making it stealthy," said Schouwenberg.
In Schouwenberg's theory, Stuxnet's developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.
"They spent a lot of time and money on Stuxnet," Schouwenberg said. "They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm."
O Murchu agreed that it was possible the worm's creators had failed to infect, and thus gain control of, the industrial systems running at their objective(s), but said the code itself didn't provide clear clues.
What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLC (programmable logic controller) hardware to hijack. "It's possible that [the attackers] didn't manage to get to all of their targets [with the earlier version]," O Murchu said. "The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target."
With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm's developers gladly took.
And that risk may have been quite small. "Perhaps they knew that their own critical infrastructure wouldn't be affected by Stuxnet because it's not using Siemens PLCs," Schouwenberg said.
The danger now posed by Stuxnet is not simply through its direct proliferation but by virtue of the fact that it provides a blueprint that can be adapted by other parties who would otherwise lack the resources to create malware this sophisticated from scratch.
What might have been conceived as a tool to prevent the creation of a weapon of mass destruction could itself be turned into a WMD.
The Washington Post reports:
"Stuxnet opened Pandora's box," said Ralph Langner, a German researcher whose early analysis of the worm's ability to target control systems raised public awareness of the threat. "We don't need to be concerned about Stuxnet, but about the next-generation malware we will see after Stuxnet."
Sean McGurk, director of the U.S. National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said that the department posted its first report to industry recommending steps to mitigate the effects of Stuxnet on July 15. But "not even two days later," he said, a hacker Web site posted the code so that others could use it to exploit the vulnerabilities in Microsoft.