The Stuxnet Trojan remains a danger to a small minority of firms that run specialized control equipment, but security experts say it could serve as a guide for copycat malware writers, who can reproduce parts of its processes and take better aim at other companies.
it opens a whole new avenue in the research community and new level of vigilance for highly sophisticated threats to come in the future.
anti-malcode managerICSA Labs
"How do you know that the software you are using to support sophisticated manufacturing processes, ranging from uranium centrifuges to automobiles, is not being targeted by some cyberweapon, throwing off your tolerances and measurements?" asked Paul B. Kurtz, managing partner at Arlington, Va.-based GoodHarbor Consulting LLC. "It's something that can be very costly to private industry and ultimately very disruptive to economies."
The worm surfaced in July when it was discovered exploiting a Microsoft Windows file sharing zero-day vulnerability, spreading using the AutoPlay feature for USB sticks and other removable drives. Microsoft issued an emergency update to close the hole, but researchers discovered several other methods used by Stuxnet, including a printer sharing vulnerability, which was patched this month by Microsoft.
Stuxnet was unique in that it contains code that could identify Siemens' Supervisory Control and Data Acquisition (SCADA) software and then inject itself into programmable logic controllers, which automate the most critical parts of an industrial facility's processes -- temperature, pressure and the flow of water, chemicals and gasses. Kurtz, who served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Bill Clinton and George W. Bush, is convinced that the Trojan's end game is to wreak havoc or even destroy critical infrastructure facilities by altering their vital processes.
"When you get into some of the other manufacturing processes today, the fault tolerance is so miniscule that it doesn't take much for a targeted piece of malware to cause problems," Kurtz said. "They can produce products that are inherently flawed and that can have disastrous effects."
Dave Marcus, director of security research at McAfee Avert Labs, draws parallels to the Google Aurora attacks, which surfaced in January. Like the Aurora attacks, which exploited a zero-day vulnerability in Internet Explorer to infiltrate Google and dozens of other firms, the cybercriminals behind Stuxnet had specific knowledge of their target environment, Marcus said. Those behind both attacks had a level of financing that enabled intelligence gathering prior to the attacks.
"We'll probably never see the same code used over again, but someone could certainly apply many of the same techniques," Marcus said. "Just because you are not using the system this piece of malware targeted, doesn't mean you're in the clear. You should use this as a wake-up call to evaluate your security posture."
Some of Stuxnet's technical features are relatively old-school, but the code has such a large footprint -- more than 500 MB -- that security researchers are still reverse-engineering the malware, revealing new features, said Andy Hayter, antimalcode manager at ICSA Labs, a vendor-neutral testing and certification firm.
"Some of the thought is that it required a development team, a QA team and a level of expertise of not only procuring zero-day vulnerabilities and obtaining signed certificates, but procuring the knowledge to also infect PLCs," Hayter said. "They had to have a testing environment to find out if it worked."
Like the Conficker/Downadup worm, it initially infected victim's machines by spreading via removable devices, such as USB sticks. But unlike Conficker and other malware, Stuxnet used a batch of four previously unknown Microsoft zero-day flaws (Microsoft patched two of the vulnerabilities) to gain access to laptops and other machines with the goal of getting on the network. Like the Zeus banking Trojan, the malware used stolen digital certificates (from JMicron and Realtek) to make it seem legitimate, avoiding detection by traditional security technologies.
"This is not developed by a hacker sitting in his basement," Hayter said. "It's a well thought out project that was developed and managed; it opens a whole new avenue in the research community and new level of vigilance for highly sophisticated threats to come in the future."
Stuxnet itself is benign to most enterprises, but IT pros at manufacturing facilities may need to rethink their security processes, said Mohan Ramanathan, a solutions architect for critical infrastructure at Portsmouth, N.H.-based SIEM vendor, NitroSecurity Inc. Industrial control facilities are designed with a hardened exterior surrounding a small footprint that consists of the programmable logic controllers – the central core that up until now people thought didn't need security, Ramanathan said. Some facilities are now indirectly connected to the Internet and other devices that could be used as a stepping stone to gain access, he said.
"There's very little security that happens inside of control systems networks," Ramanathan said. "It was thought that keeping the total profile of the system small would keep it out of danger."
But Stuxnet's ability to get into the network, circumvent traditional security parameters and reprogram devices is what could be used by future cybercriminals, Ramanathan said. The same level of expertise could be used in the corporate world to target firms running enterprise resource planning (ERP) software, such as German-based SAP or software developed by Oracle Corp., Ramanathan said.
"If there are other things you are doing, like trying to contain the usual rash of viruses, outbreaks and data leakage, this isn't currently going to appear at the top of your list," Ramanathan said. "But we're actually seeing a revolutionary leap. It is potentially the next wave of malware that can be used to wipe out data at one of your competitors."