The Stuxnet Trojan remains a danger to a small minority of firms that run specialized control equipment, but security experts say it could serve as a guide for copycat malware writers, who can reproduce parts of its processes and take better aim at other companies.
"How do you know that the software you are using to support sophisticated manufacturing processes, ranging from uranium centrifuges to automobiles, is not being targeted by some cyberweapon, throwing off your tolerances and measurements?" asked Paul B. Kurtz, managing partner at Arlington, Va.-based GoodHarbor Consulting LLC. "It's something that can be very costly to private industry and ultimately very disruptive to economies."
The worm surfaced in July when it was discovered exploiting a zero-day vulnerability in Microsoft Windows file sharing and spreading via the AutoPlay feature for USB sticks and other removable drives. Microsoft issued an emergency update to close the hole, but researchers discovered several other methods used by Stuxnet, including a printer sharing vulnerability, which Microsoft patched this month.
Stuxnet was unique in that it contained code that could identify Siemens' Supervisory Control and Data Acquisition (SCADA) software and then inject itself into programmable logic controllers, which automate the most critical parts of an industrial facility's processes -- temperature, pressure and the flow of water, chemicals and gases. Kurtz, who served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Bill Clinton and George W. Bush, is convinced that the Trojan's end game is to wreak havoc on or even destroy critical infrastructure facilities by altering their vital processes.
"When you get into some of the other manufacturing processes today, the fault tolerance is so minuscule that it doesn't take much for a targeted piece of malware to cause problems," Kurtz said. "They can produce products that are inherently flawed and that can have disastrous effects."
Dave Marcus, director of security research at McAfee Avert Labs, draws parallels to the Google Aurora attacks, which surfaced in January. Like the Aurora attacks, which exploited a zero-day vulnerability in Internet Explorer to infiltrate Google and dozens of other firms, the cybercriminals behind Stuxnet had specific knowledge of their target environment, Marcus said. Those behind both attacks had a level of financing that enabled intelligence gathering prior to the attacks.