Platt Perspective on Business and Technology

Stuxnet – a more detailed analysis of its code and update on this still unfolding story

Posted in book recommendations, business and convergent technologies, in the News by Timothy Platt on August 13, 2011

This is my 15th installment in an occasional series on international cyber-security, and the changing nature of threats faced and responses offered (see Ubiquitous Computing and Communications, postings 58-60, 62-65, 67, 68, 70, 73-75 and 92 for parts 1-14.) I decided to share another follow-up posting to this story as detailed analysis of the Stuxnet code has yielded some very provocative and even surprising findings.

• Stuxnet was designed and built to spread primarily through local networks and through removable media such as USB flash drives, not across the internet. In other words, this particular malware package was built to propagate within the targeted facilities' networks, including ones cut off from the internet, rather than to spread far and wide to any and all computer systems.
• That was in fact suspected before it was proven through detailed code analysis and tests on laboratory hardware. But how this code was built turned out to involve some much less expected features. In particular, Stuxnet exploited four distinct zero-day vulnerabilities in Windows:
• One in the print spooler service, which let it reach other machines on networks that use shared printers,
• One in the handling of shortcut (.lnk) files, which let it run from an infected USB drive as soon as the drive's contents were displayed, with no AutoRun needed,
• One that escalated its privileges to full system-level control on older Windows versions, and
• One more that did the same on newer Windows versions, so that it gained complete control of any computer it was introduced into, regardless of the rights of the logged-in user.
• Stuxnet also included code designed to evade detection by standard anti-malware software, including rootkit components that hid its files on infected machines, and a payload built to specifically target and sabotage one particular type of industrial control system (discussed in greater detail in earlier postings in this series).
• Here, it should be explicitly noted that a zero-day vulnerability is one that is unknown to the software's vendor, and therefore unpatched, at the time it is first exploited; the vendor has had zero days to fix it. Attacks that rely on true zero-days are rare, accounting for only a tiny fraction of all malware activity; the great majority of malware exploits vulnerabilities that are already public and for which patches already exist.
• I will add that Stuxnet also carried two distinct code-signing certificates, stolen from legitimate hardware vendors, and used them to sign its kernel-mode drivers. Windows and anti-malware software treat validly signed drivers as trusted vendor software, so the stolen certificates let Stuxnet install its drivers without raising warnings; the certificates were only revoked after the malware had been discovered.
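The practical lesson of those stolen certificates is that a valid signature is not the same as a trustworthy signer. The Go program below is an added example, not code from the original posting or from any published Stuxnet analysis. It mints a self-signed code-signing certificate for a hypothetical hardware vendor (an assumption: it stands in for a certificate issued by a public CA), signs a constructed driver image with the vendor's key, and then shows that a loader which checks only the signature and the trust chain accepts a malicious driver signed with that same stolen key. The driver is rejected only once the certificate's thumbprint appears on a revocation list (here a map, standing in for a CRL or OCSP lookup). The vendor name, the attacker's certificate and the sample driver payloads are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable here because every input is constructed below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewVendorSigner mints a self-signed code-signing key and certificate for a
// hypothetical vendor (assumption: it stands in for a cert issued by a public CA).
func NewVendorSigner(commonName string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// SignDriver returns an RSA PKCS#1 v1.5 signature over SHA-256(driver), the primitive
// under an Authenticode signature. Whoever holds the key, thief included, can produce it.
func SignDriver(key *rsa.PrivateKey, driver []byte) []byte {
	digest := sha256.Sum256(driver)
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
}

// Fingerprint is the SHA-256 thumbprint that a revocation or deny list keys on.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// Policy is the loader's trust policy: trusted roots plus revoked thumbprints
// (assumption: the map stands in for a CRL or OCSP lookup).
type Policy struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

var ErrBadSignature = errors.New("signature does not verify")
var ErrUntrusted = errors.New("certificate does not chain to a trusted root")
var ErrRevoked = errors.New("signing certificate has been revoked")

// VerifyDriver checks the signature, then the chain and key usage, then revocation.
// A driver signed with a stolen key passes the first two checks; only revocation stops it.
func VerifyDriver(p Policy, driver, sig []byte, cert *x509.Certificate) error {
	if cert.CheckSignature(x509.SHA256WithRSA, driver, sig) != nil {
		return ErrBadSignature
	}
	opts := x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return ErrUntrusted
	}
	if p.Revoked[Fingerprint(cert)] {
		return ErrRevoked
	}
	return nil
}

// Scenario replays the situation with constructed inputs: a genuine vendor driver, a malicious
// driver signed with the stolen vendor key before and after revocation, and an attacker-made cert.
func Scenario() (genuine, stolen, stolenRevoked, selfSigned error) {
	vendorKey, vendorCert := NewVendorSigner("Hypothetical Hardware Vendor")
	attackerKey, attackerCert := NewVendorSigner("Attacker Self-Signed")
	policy := Policy{Roots: x509.NewCertPool(), Revoked: map[string]bool{}}
	policy.Roots.AddCert(vendorCert)
	legit := []byte("constructed: legitimate vendor driver image")
	rootkit := []byte("constructed: malicious kernel-mode driver image")
	genuine = VerifyDriver(policy, legit, SignDriver(vendorKey, legit), vendorCert)
	stolenSig := SignDriver(vendorKey, rootkit) // the attacker holds the stolen key
	stolen = VerifyDriver(policy, rootkit, stolenSig, vendorCert)
	policy.Revoked[Fingerprint(vendorCert)] = true // theft discovered, cert revoked
	stolenRevoked = VerifyDriver(policy, rootkit, stolenSig, vendorCert)
	selfSigned = VerifyDriver(policy, rootkit, SignDriver(attackerKey, rootkit), attackerCert)
	return
}

func main() {
	fmt.Println(Scenario()) // <nil> <nil> ErrRevoked ErrUntrusted, in that order
}
```

The order of checks in VerifyDriver is the point. Signature and chain validation answer the question "was this signed by a key that chains to a root I trust", and a stolen key answers it exactly as the real vendor would; only the revocation check asks whether that key is still trusted, and it can only say no after the theft has been discovered and reported. That gap is what stolen certificates bought Stuxnet.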

That makes this one of the most complex and carefully constructed examples of malware ever discovered in the wild. I note in this regard that, in general, fewer than a dozen malware attacks are found per year that include even one previously unknown zero-day exploit. Four in one malware payload set a new record.

In a sense this is an old story now, but it is more important to view Stuxnet as a harbinger of things to come: this is tomorrow's front page news as well. The level of complexity and sophistication of this cyber-weapon may be novel as of now, but that simply means that Stuxnet has redefined what can and will be done against both government and private sector networks and information systems, and what our critical infrastructure systems have to be protected from.

I finish this posting by sharing a link to a news story that appeared in the July, 2011 issue of Wired: “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History” by Kim Zetter. This is a magazine article rather than a book, but to make it easier to find I include this posting in my Book Recommendations category as well as in Ubiquitous Computing and Communications.

I fully expect to come back to this story again in future postings, and to find myself discussing next generation spin-offs of Stuxnet as well.
