
Sunday, September 26, 2010

US Official does not know source or reason for Stuxnet?

Really? "Because they can." It's simple, really. This is a proof-of-concept worm that tested multiple concepts, one of which is that it did not morph its filenames, so the authors did not seem to care whether they were detected. This worm was unique in that it had several first-time-ever items...
1. It utilized four 0-day exploits, not one, but four!!!! Talk about proof that you can't patch or react to an exploit for which there is no patch, thus testing or proving that Incident Response sucks.
2. It did not use tricky tactics to avoid detection. This was not a Zeus-level worm; it used basic techniques for spreading and was thus easy to eradicate.
3. It used USB/thumb drives to spread, presumably so it could breach the gap between SCADA and core network systems. Again, this shows how poor the detection of this worm was, and how poorly the staff responded.
4. It was intelligent enough to distinguish the corporate network from the SCADA nets, and did not launch its Win Server 2008 exploits on the corporate network, only on the SCADA net. This shows they tried to avoid corporate infection (and possibly detection) and focused on the Siemens PLC systems, installing a rootkit in the PLC controllers.
5. If it were a targeted attack, it would have been hidden better and would only have gone after the networks of that nation or language. This worm hit everyone equally if they were vulnerable.
6. Symantec's analysis of the code, O Murchu said, shows that nearly 60 percent of the computers infected with Stuxnet are in Iran. An additional 18 percent are in Indonesia. Less than 2 percent are in the U.S.

It is not rocket science, and I think Occam's razor applies to this worm: "the simplest explanation is usually the correct one".

If this worm had been intended to wipe out SCADA PLCs, then it could have and would have. It could easily have gone undetected if the authors had intended it to. The fact that it did not hide itself well, and that Symantec was able to gain control over it quickly, shows that it was a simple "Look what I did and how far I got"... We have a name for this kind of result... PWNED and OWNED.

Remember Defense in Depth and Time Based Security: your defenses must hold out longer than it takes you to detect and respond.
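As an added illustration (not part of the original post), Time Based Security, as Winn Schwartau formulates it, expresses that rule as an inequality between protection time $P$ and the sum of detection time $D$ and reaction time $R$:

$$P > D + R$$

When the inequality fails, the window of exposure is

$$E = (D + R) - P, \qquad D + R > P$$

Against an unpatched 0-day the protection time for that exploit is effectively $P = 0$, so the exposure collapses to the full $D + R$: detection and response speed are all that is left, which is exactly the point of item 1 above.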

Clearly Stuxnet proved that critical infrastructure systems were not able to detect and respond quickly enough to stop what could have been a terrible cyber event in our and other nations' nuclear plants.

This was, simply put, a proof-of-concept worm meant to send us all a message: to show how incredibly weak the systems that control nuke plants, and other systems relying on older technology, really are.


I recommend readers listen to PaulDotCom's podcast where they discussed this event: Link to PaulDotCom article