»Why don’t you write about Stuxnet?« – »Stuxnet is a must in an automation blog!«
Well… sometimes even I should take advice from readers. In this case, however, I’m not sure if I really should, at least not at the moment. Why?
The most important reason is: As for now, nobody knows what Stuxnet really is about, and »blog« doesn’t automatically mean »spreading speculation«, not always anyway. So what seem to be the facts?
The computer worm attacks Windows systems by way of four zero-day exploits, all of which have been patched by Microsoft (the last one on 2 August 2010). From this it is obvious that at least every infection that occurred after the first August patchday is a case of »sack the system administrator«.
At least, sack someone. Many companies do have strict update policies which don’t even allow for important security updates to be installed, so the sysadmin may be excused.
So what happens when a system is infected? The malware looks for SCADA systems (Supervisory Control And Data Acquisition), especially »Simatic WinCC« from Siemens. This unusually large worm contains a PLC rootkit which seems to be able to rewrite PLC instructions. Not always, that is. Stuxnet seems to look for very specific combinations of input and output configurations. There are two really interesting aspects about it: The focus on highly specialised industrial control systems and the fact that it is digitally signed with two authentic certificates from JMicron and Realtek. Both led to speculations about cyber-warfare, fuelled by Symantec – a provider of anti-virus software notorious for blowing every newly detected vulnerability out of proportion in order to promote their products. They wrongly claimed that most infections happened in Iran, which is not even supported by their own data. That led many conspiracy theorists to believe that the state of Israel is in some way connected to Stuxnet. The actual spread numbers don’t support that, but facts tend never to impress Believers.
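The signing detail above has a practical consequence for anyone running Windows machines next to SCADA equipment: a driver signed with a genuine vendor certificate passes Authenticode verification until that certificate is revoked, so a signature check is only as good as the revocation status and any local block list behind it. The following PowerShell snippet is an added example, not code from the blog post or from Siemens; it inventories the kernel drivers on a machine, records what Authenticode reports for each, and flags anything that does not verify or whose signer thumbprint appears on a locally maintained block list. The thumbprints in the list are placeholders, not real values.

```powershell
# Added example: report the Authenticode status of installed kernel drivers.
# The block list below holds PLACEHOLDER thumbprints; replace them with values
# you have verified yourself (e.g. certificates a vendor has publicly revoked).
$BlockedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

function Get-DriverSignatureReport {
    param(
        [string]$DriverPath = "$env:SystemRoot\System32\drivers"
    )
    Get-ChildItem -Path $DriverPath -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }
            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status        # Valid, NotSigned, NotTrusted, HashMismatch, ...
                Signer     = if ($cert) { $cert.Subject } else { '' }
                Thumbprint = $thumb
                # Anything that is not cleanly Valid, or that is signed with a blocked
                # certificate, deserves a second look.
                Suspicious = ($sig.Status -ne 'Valid') -or
                             ($thumb -and ($BlockedThumbprints -contains $thumb))
                Reason     = $sig.StatusMessage
            }
        }
}

# Usage: list only the drivers worth investigating.
Get-DriverSignatureReport | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats follow directly from the post: a signature made with a stolen certificate that has not yet been revoked will still report `Valid`, which is precisely the problem the worm exploited, so the check catches it only once the certificate is revoked or added to the block list; and revocation checking needs the machine to reach the issuer's CRL or OCSP endpoint, which isolated automation networks often cannot do.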
Certainly Stuxnet is a rather impressive piece of malware. After it has been analysed for two months by leading experts, it still isn’t clear what it does under which circumstances – it hasn’t even been disassembled completely. It can be removed from infected systems, but even that is not as easy as it reads. Siemens has published information and tools to deal with the worm. Probably every IT professional or programmer in this world would like to be able to write code like that, malware or not. Apart from that, everything is speculation.