I've been in this business too long to be easily riled by hoaxes and semi-hoaxes, electronic Pearl Harbours, rumours and gossip.
But after enforced immersion into various aspects of the Win32/Stuxnet issue (from remediation-related discussion with SCADA sites to code analysis, to data mining from distribution data), I've become more than usually frustrated with articles and discussion threads adding two and two to make infinity.
Here, briefly, is what we know.
- Stuxnet used an unusually rich selection of 0-day attacks, exploiting the LNK and print spooler vulnerabilities recently patched by Microsoft and a couple of Elevation of Privilege issues that haven't been patched yet.
- It seems to be looking for a very specific control system, and its payload draws on some pretty esoteric SCADA-related information, even if we don't know exactly what system or type of system it's looking for.
- There has been a high volume of detections in Asia, and Iran (52.2%), Indonesia (17.4%) and India (11.3%) seem to have been particularly hard hit, compared to, say, the USA (0.6%), ranked 11th in our statistics.
Those figures are drawn from ESET's telemetry over a period from July to late September. They tell us where the most infections seem to be, but they tell us nothing about the targeting of the malware, because although the payload is targeted, the distribution mechanisms aren't. (At least, not in ways that we can measure retrospectively. There might have been some targeting at the initial point of release, but the promiscuous nature of the distribution makes that point of release impossible to determine.) There are lots of factors that govern where self-replicating malware gets to, and targeting may or may not be one of them.
That's about it. We can speculate that because the coding suggests a multi-disciplinary "tiger team", that team might be more formally state funded than the hackers for hire we've seen at work in some targeted attacks, but I wouldn't stake my life on it, let alone claim to know which state or states might be involved.
This week, some of the big names in malware research will be at the Virus Bulletin conference in Vancouver, and some presentations on Stuxnet are scheduled (and guaranteed to attract lively interest). ESET has just published a report that is more technical analysis (67 pages' worth!) than speculation. As few people are going to read through all that analysis looking for the Big Picture, I've summarized some of the issues I've mentioned here in an article at Security Week (due out today, I believe) and in a longer (and decidedly irritable) post on the ESET blog.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow