Greg's Bite: Stuxnet's New Trick?
Posted by Greg Mills
Much has been written about the Stuxnet worm that invaded Iranian Windows PCs and hijacked the industrial controllers running equipment in the country's rogue nuclear weapons program. Its sophistication was unlike anything software security experts had seen before. The worm spread far and wide, yet it only did damage to uranium enrichment centrifuges in Iran (reports that it also affected an Iranian nuclear reactor were never confirmed). According to experts, the attack set Iran's nuclear weapon development back by as much as three years. The original Stuxnet payload reprogrammed the programmable logic controllers (PLCs) connected to the infected PCs.
The fear among those same security experts is that Stuxnet, which exploited four previously unknown Windows vulnerabilities (zero-days) and was engineered with unusual care, was the forerunner of other malicious code that could create havoc in power plants and critical infrastructure around the world. That has not happened yet, but it remains a threat. Others argue that the Stuxnet team is too advanced to reuse its old code, since shared code is exactly what makes a new Trojan easy to spot once the old one is known. See: http://www.eweek.com/c/a/Security/Duqu-Stuxnet-Worms-May-Come-from-Diffe...
Recently Symantec's research labs reported a new piece of malware, dubbed Duqu, with sophistication similar to Stuxnet's. Unlike Stuxnet it does not sabotage equipment; instead it installs a back door that gives its operators remote access to infected Windows PCs at a future time of their choosing. It also logs keystrokes to harvest passwords that can later be used to get past security controls. Duqu is set to remove itself after 36 days, which is long enough to capture two passwords if a password is changed once a month.
The new code is designed to learn about its targets: the manufacturer of the control devices in use, the security measures in place, and other information that would make a future Stuxnet-style attack more likely to succeed. It gathers this intelligence and forwards it to a remote command-and-control server that appeared to still be in operation when the findings were published. See: http://www.foxnews.com/scitech/2011/10/18/stuxnet-clone-found-possibly-p...
While the authors of the original Stuxnet seem to be on the right side politically, the research and tools they are producing can only endanger the rest of the world's infrastructure should the code be reverse engineered and turned against us. The code of Stuxnet and the code of the "Duqu" malware are similar enough to imply they were written by the same team, or at least by a team with access to Stuxnet's source. The hacker collective "Anonymous", which attacked Monsanto, has also threatened to unleash malware to bring down industrial controllers, so it is possible a different team is at work.
As far as anyone has publicly admitted, the source code for Stuxnet and Duqu is still not available for new malware to be written using the same tricks the Stuxnet authors used in the first attack, although the binaries themselves have been widely circulated and dissected. Hopefully, the industrial controllers found to be vulnerable have since been hardened. Iran also has its own hackers, one of whom reportedly stole digital certificates from a certificate authority, and that could mean trouble in the form of payback from Iran. The Iranians were understandably angry about the attack on their nuclear program and would like to get even.
The fear now is that Israel will soon go ahead with a conventional military strike on Iran's nuclear program, since the time Stuxnet bought has begun to run out. The danger of a nuclear-armed Iran can't be overstated, and the alleged Iranian plot to kill Saudi Arabia's ambassador to the US gives the US an excuse to wink at an Israeli attack limited to Iran's nuclear program. Keep your gas tanks full; war in the Middle East will cause at least a brief spike in fuel prices. That is Greg's Bite on the situation.