Why Stuxnet Is a Really Bad Weapon

The world of malware has, over the last couple of decades, morphed to become not just a mechanism with which to subvert people's computers and steal money, but also a way for corporations and sovereign states to conduct cyber espionage.

An example of malware being used for industrial cyber espionage emerged two months ago with a worm, which had previously been quite rare, breaking out suddenly in Peru and neighboring countries.

This worm, specific to the electronic drafting software AutoCAD, is called ACAD/Medre.A and is written in AutoLISP, the language used to script operations in AutoCAD. ACAD/Medre.A has a very devious agenda: it emails copies of the drawings the user opens to over 40 mailboxes hosted at two different Chinese ISPs.

The antivirus firm ESET in San Diego was the first to detect the outbreak in Peru and noted that they could "see detections at specific URLs, which made it clear that a specific website supplied [an infected] AutoCAD template that appears to be the basis for this localized spike ... If it is assumed that companies which want to do business with [the company at the URL] have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then [infect] their own environment."

In other words, someone or some organization -- not necessarily in China -- planted the infected template. As a result they were able to swipe the drawings of all of the companies competing for some project, presumably to gain an edge in securing business.

ESET estimates that something like 100,000 drawings were stolen before ESET, with the help of Autodesk, the Chinese National Computer Virus Emergency Response Center, and the Chinese ISPs involved, was able to contain the problem. For a detailed look at the technology behind the attack, see the posting "ACAD/Medre.A Technical Analysis" in the ESET Threat Blog.

ESET now offers a free, stand-alone cleaner which will search for and remove ACAD/Medre.A infections.

So industrial cyber espionage is a big deal, but even more impressive and much more worrying is military cyber espionage because the stakes and consequences are much higher.

And there's a serious problem with military cyber espionage: In the real world if someone attacks you with something like a cruise missile, once it's landed you won't be able to put the missile back together and lob it back at whoever sent it. That's the nature of real-world armaments. You can build really smart and deadly devices and, even if they malfunction, the enemy will very, very rarely be able to turn your technology against you.

Not so with software armaments. Consider the much discussed Stuxnet, the computer worm that first appeared about two years ago. Stuxnet targets Siemens industrial control systems and is said to be responsible for damaging equipment used by the Iranian nuclear program.

The Stuxnet worm is an impressive example of sophisticated software engineering relying, as it did, on four new zero-day attacks along with several known vulnerability exploits used by other malware.

On top of that, Stuxnet is very complex. According to an article in Vanity Fair, "In terms of functionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware's previous heavyweight champion, the Conficker worm, was only one-twentieth the size of this new threat.)"

When the worm was discovered and publicized in June 2010, there was an immediate denial-of-service attack on two mail lists that concern industrial systems security which, it could be assumed, was intended to slow down dissemination of the news to the worm's targets. You can see that contingent damage was involved in supporting the original attack -- a consequence that will become more commonplace in future where military cyber espionage is involved.

Since the first discovery of Stuxnet there have been at least two more variants identified, each incorporating "improvements" that were designed to do things such as increase the infection rate of the malware.

So, who was responsible for this stupendous feat of coding? The Russian mafia? Chinese hackers? Nope, just a few weeks ago it was revealed that Stuxnet was created by a joint U.S. and Israeli intelligence operation called "Operation Olympic Games" which was started under the Bush administration and expanded under the Obama administration!

Apparently Stuxnet did its job: it is estimated that some 1,000 centrifuges used by the Iranians to purify nuclear material, all of them controlled by Siemens systems, were damaged during the period Stuxnet was active.

Whether this was all that was intended is unknown, and a report by the Institute for Science and International Security says: "If Stuxnet's goal was the destruction of all the centrifuges in the [Fuel Enrichment Plant (FEP) at Natanz], Stuxnet failed. But if its goal was to destroy a more limited number of centrifuges and set back Iran's progress in operating FEP while making detection of the malware difficult, it may have succeeded, at least for a while."

Interestingly, a worm considered a descendant of Stuxnet, Duqu, currently appears to be designed to steal information, but its modular architecture suggests that it could be tasked with other goals in future versions.

Even more intriguingly, Duqu appears to have been coded in an odd programming language which researchers have called "the Duqu Framework". This framework has since been identified by Kaspersky Lab as a custom dialect of C, dubbed Object Oriented C, compiled with the Microsoft Visual Studio compiler.

I'd suggest that Stuxnet and Duqu as military cyber espionage weapons were actually failures, not because they probably only caused limited damage, but because we launched a weapon that can, and will, be turned against us.

Why? Because code is code. It's a set of ideas frozen into binary, and when you execute that code -- when you make the ideas actually do something -- the bits don't vanish and the ideas don't get mangled. They're still there. No matter how much you encrypt, hide, and obfuscate your code and your ideas, there's always someone, somewhere who can decrypt, find, and unobfuscate all of it.

Even when the malware is military grade, it would be foolish to assume that the enemy can't profit from our research and development, because when we attack they get a clean copy of the weapon we attack them with. And there are lots of really clever people out there, clever people who don't live in the U.S. and who don't have our best interests at heart. They have access to powerful computers and software just like we do and they are more than capable of decoding what we've sent out and turning our ideas against us.

So, my friends, we're on the verge of a new world of hurt for the enterprise. Cyber espionage, both industrial and military, is coming of age, and in our efforts to compromise the plans and programs of other nations and enterprises, we're also spreading what are, in effect, the prototypes for sophisticated advanced software weapons that will eventually be available for anyone with the need, the opportunity, and the guts to use them. You think computer security is tough today? Just wait ...

Gibbs is insecure in Ventura, Calif. Your threat assessment to gearhead@gibbs.com and follow him on Twitter (@quistuipater) and on Facebook (quistuipater).
