I've been in this business too long to be easily riled by hoaxes and semi-hoaxes, electronic Pearl Harbours, rumours and gossip.
But after enforced immersion into various aspects of the Win32/Stuxnet issue (from remediation-related discussion with SCADA sites to code analysis, to data mining from distribution data), I've become more than usually frustrated with articles and discussion threads adding two and two to make infinity.
Here, briefly, is what we know.
- Stuxnet used an unusually rich selection of 0-day attacks, exploiting the LNK and print spooler vulnerabilities recently patched by Microsoft and a couple of Elevation of Privilege issues that haven't been patched yet.
- It seems to be looking for a very specific control system, and its payload draws on some pretty esoteric SCADA-related information, even if we don't know exactly what system or type of system it's looking for.
- There has been a high volume of detections in Asia, and Iran (52.2%), Indonesia (17.4%) and India (11.3%) seem to have been particularly hard hit, compared to, say, the USA (0.6%), ranked 11th in our statistics.
Those figures are drawn from ESET's telemetry over a period from July to late September. They tell us where the most infections seem to be, but they tell us nothing about the targeting of the malware, because although the payload is targeted, the distribution mechanisms aren't. (At least, not in ways that we can measure retrospectively. There might have been some targeting at the initial point of release, but the promiscuous nature of the distribution makes that point of release impossible to determine.) There are lots of factors that govern where self-replicative malware gets to, and targeting may or may not be one of them.
That's about it. We can speculate that because the coding suggests a multi-disciplinary "tiger team", that team might be more formally state funded than the hackers for hire we've seen at work in some targeted attacks, but I wouldn't stake my life on it, let alone claim to know which state or states might be involved.
This week, some of the big names in malware research will be at the Virus Bulletin conference in Vancouver, and some presentations on Stuxnet are scheduled (and guaranteed lively interest). ESET just published a report that's more technical analysis (67 pages worth!) than speculation here. As few people are going to read through all that analysis looking for the Big Picture, I've summarized some of the issues I've mentioned here in an article at Security Week (due out today, I believe) and a longer (and decidedly irritable) post on the ESET blog.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
This may be a bit of a rant, but, now that the dust has settled a bit, it probably would be a good idea to assess what Stuxnet means going forward for us in the Security community. While it is not the end of the world it definitely made cyber warfare or just plain physical sabotage using software a lot more realistic.
Just my two cents about this: this comes pretty close to the scenario from an old Tom Clancy Ops-Room novel. Those of us who have been involved in risk assessments have often been accused by management of telling nightmare stories. How many times have you heard, "This is a secure network so we don't need to implement x, y or z"? That is bad enough when they claim the firewalls are good enough to justify weak passwords, but when the network was physically isolated you tended to let them have their way.
The main lesson I am taking from this is that the simple controls that we have all forced on our networked colleagues are now strongly recommended for "secure networks" too. I mean things like strong passwords, changing the vendor default passwords and keeping your OSes up to date. Someone reintroduced virus distribution through sneakerware.
I like to say "know who your enemies are," but this time it really has demonstrated how vulnerable we are with so many uncontrolled devices out there, and I really mean embedded OSes on devices that never were meant to be updated or to have security built in: factory robots, SCADAs, DCMs. It is not the end of the world, and I suppose we should be thankful for the work, but it seems like a Sisyphus parody.
Stuxnet is a game changer just like Nimda and Slammer were, but it is a bit worse because the playing field is not just the Internet and corporate intranets, it really is everywhere now. It makes my head hurt just to think of it.
Posted by: Thomas Coats | 06 October 2010 at 11:32 AM