Why Stuxnet Is a really bad weapon

The world of malware has, over the last couple of decades, morphed to become not just a mechanism with which to subvert people's computers and steal money, but also a way for corporations and sovereign states to conduct cyber espionage.

An example of malware being used for industrial cyber espionage emerged two months ago with a worm, which had previously been quite rare, breaking out suddenly in Peru and neighboring countries.

This worm, specific to the electronic drafting software AutoCAD, is called ACAD/Medre.A and is written in AutoLISP, the language that is used to script operations in AutoCAD.  ACAD/Medre.A has a very devious agenda: It emails copies of the drawings the user opens to over 40 mail boxes hosted at two different Chinese ISPs.

The antivirus firm ESET in San Diego was the first to detect the outbreak in Peru and noted that they could "see detections at specific URLs, which made it clear that a specific website supplied [an infected] AutoCAD template that appears to be the basis for this localized spike ... If it is assumed that companies which want to do business with [the company at the URL] have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then [infect] their own environment."

In other words, someone or some organization -- not necessarily in China -- planted the infected template. As a result they were able to swipe the drawings of all of the companies competing for some project, presumably to gain an edge in securing business.

ESET estimates that something like 100,000 drawings were stolen before ESET, with the help of Autodesk, the Chinese National Computer Virus Emergency Response Center, and the Chinese ISPs involved, were able to contain the problem. For a detailed look at the technology behind the attack, see the posting "ACAD/Medre.A Technical Analysis" in the ESET Threat Blog.

ESET now offers a free, stand-alone cleaner which will search for and remove ACAD/Medre.A infections.

So industrial cyber espionage is a big deal, but even more impressive and much more worrying is military cyber espionage because the stakes and consequences are much higher.

And there's a serious problem with military cyber espionage: In the real world if someone attacks you with something like a cruise missile, once it's landed you won't be able to put the missile back together and lob it back at whoever sent it. That's the nature of real-world armaments. You can build really smart and deadly devices and, even if they malfunction, the enemy will very, very rarely be able to turn your technology against you.

Not so with software armaments. Consider the much discussed Stuxnet, the computer worm that first appeared about two years ago. Stuxnet targets Siemens industrial control systems and is said to be responsible for damaging equipment used by the Iranian nuclear program.

The Stuxnet worm is an impressive example of sophisticated software engineering relying, as it did, on four new zero-day attacks along with several known vulnerability exploits used by other malware.

On top of that, Stuxnet it is very complex. According to an article in Vanity Fair,  "In terms of functionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware’s previous heavyweight champion, the Conficker worm, was only one-twentieth the size of this new threat.)"

When the worm was discovered and publicized in June 2010, there was an immediate denial-of-service attack on two mail lists that concern industrial systems security which, it could be assumed, was intended to slow down dissemination of the news to the worm's targets. You can see that contingent damage was involved in supporting the original attack -- a consequence that will become more commonplace in future where military cyber espionage is involved.

Since the first discovery of Stuxnet there have been at least two more variants identified, each incorporating "improvements" that were designed to do things such as increase the infection rate of the malware.

So, who was responsible for this stupendous feat of coding? The Russian mafia? Chinese hackers? Nope, just a few weeks ago it was revealed that Stuxnet was created by a joint U.S. and Israeli intelligence operation called "Operation Olympic Games" which was started under the Bush administration and expanded under the Obama administration!

Apparently Stuxnet did its job because, it is estimated, some 1,000 centrifuges used by the Iranians to purify nuclear material that are controlled by Siemens systems, were damaged during the period Stuxnet was active.

Whether this was all that was intended is unknown, and a report by the Institute for Science and International Security says: "If Stuxnet’s goal was the destruction of all the centrifuges in the [Fuel Enrichment Plant (FEP) at Natanz], Stuxnet failed.  But if its goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating FEP while making detection of the malware difficult, it may have succeeded, at least for a while."

Interestingly, a worm considered a descendent of Stuxnet, Duqu, now appears to be currently designed to steal information, but its modular architecture suggests that it could be tasked with other goals in future versions.

Even more intriguingly, Duqu appears to have been coded in an odd programming language which researchers have called "the Duqu Framework". This framework has since been identified by Kaspersky Labs as a custom version of C called Object Oriented C complied with the Microsoft Visual Studio compiler.

I'd suggest that Stuxnet and Duqu as military cyber espionage weapons were actually failures, not because they probably only caused limited damage, but because we launched a weapon that can, and will, be turned against us.

Why? Because code is code. It's a set of ideas frozen into binary and when you execute that code -- when you make the ideas actually do something --  the bits don't vanish and the ideas don't get mangled. They're still there. No matter how much you encrypt, hide, and obfuscate your code and your ideas, there's always someone, somewhere who can decrypt, find, and unobfuscate all of it.

Even when the malware is military grade, it would be foolish to assume that the enemy can't profit from our research and development, because when we attack they get a clean copy of the weapon we attack them with. And there are lots of really clever people out there, clever people who don't live in the U.S. and who don't have our best interests at heart. They have access to powerful computers and software just like we do and they are more than capable of decoding what we've sent out and turning our ideas against us.

So, my friends, we're on the verge of a new world of hurt for the enterprise. Cyber espionage, both industrial and military, is coming of age, and in our efforts to compromise the plans and programs of other nations and enterprises, we're also spreading what are, in effect, the prototypes for sophisticated advanced software weapons that will eventually be available for anyone with the need, the opportunity, and the guts to use them. You think computer security is tough today? Just wait ...

Gibbs is insecure in Ventura, Calif. Your threat assessment to gearhead@gibbs.com and follow him on Twitter (@quistuipater) and on Facebook (quistuipater).

Read more about wide area network in Network World's Wide Area Network section.

Show Comments