Over the last few weeks I have heard plenty of talk about a new threat called Stuxnet.
What it actually is and what sort of damage it is causing takes some research, although an initial patch from Microsoft in August gave it its first headlines. Symantec has written several blogs on the subject of Stuxnet. Liam O Murchu said that analysis of Stuxnet has been ongoing for some time now, and that the company has been continuously analysing the threat since it was discovered earlier this year.
He said that the initial investigation into the threat pointed to a command and control infrastructure as the method used to control it. However, the command and control servers used were taken offline shortly after this control mechanism was discovered.
Talking to SC Magazine, Patrick Fitzgerald from Symantec's threat response centre said that Stuxnet was initially discovered in late July, and that it initially exploited a zero-day vulnerability, the Windows shortcut flaw.
Although an initial out-of-band patch was released in August, and a further patch in September covered a second previously unknown vulnerability in the Windows print spooler, which the worm used to spread to other machines on the network, he said that the threat is still present.
He said: “We took over the domain connectivity and got an understanding of the live infection data, and it turned out that it used P2P connections to infect another machine. It is really sophisticated and we are learning new things every day about it.”
Asked if it is similar to the Conficker worm, which eventually used P2P connectivity to move from machine to machine, Fitzgerald commented that while the zero-day exploit was used as an entry point into the network, the P2P capability has now given it another mechanism to infect.
I asked if he would call this threat a botnet. He said: “I suppose, but it is targeting software such as Siemens Supervisory Control and Data Acquisition (Scada) which controls industrial control systems and turns out a code risk that gives control of the software within the industry and the complete manufacturing process.
“It still exists and is still active. It has affected the consumer, but unless they are running Scada it will not do much to them. This is the most sophisticated malware I have seen in years.”
Dominic Storey, technical director of Sourcefire EMEA commented that Stuxnet could be the first worm of many for Scada. He said that what seemed to be a surprise for most people was that although Siemens responded with a fix, they advised their customers not to change the system passwords.
He said: “This advice makes sense when you consider what these systems do – control industrial processes in power stations, chemical plants, hospitals and so on. Their concern was that due to the complex distributed nature of these critical systems, a hastily implemented password change could cause system authentication failures and knock-on effects that could adversely affect process operation with potentially catastrophic consequences.”
A problem plaguing organisations that run process control networks, he claimed, is that network connectivity has increased but network security has not matched it.
“As the proprietary devices that control, sense and manage these processes have been replaced by common off-the-shelf components running Microsoft Windows and Linux, and although these devices have their own internal levels of security, their communications protocols such as Modbus and DNP3 offer little protection against attack,” he said.
Storey said that in particular, security researchers are concerned about: the lack of concern about security and authentication in the design, deployment and operation of existing Scada networks; the belief that Scada systems have the benefit of security through obscurity through the use of specialised protocols and proprietary interfaces; the belief that Scada networks are secure because they are physically secured; and the belief that Scada networks are secure because they are disconnected from the internet.
He said: “Many of these beliefs are unfounded and with the advent of Stuxnet, managers are coming to the realisation that this is the case. Stuxnet raises the bar on sophistication and has been widely considered by the security community to be the first of many types of weaponised malware structured for industrial espionage.”
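As an added illustration of the point above about Modbus offering little protection (this is example code written for this page, not Sourcefire's, Siemens' or Symantec's), the Python below builds and parses Modbus/TCP frames and runs a simple check over captured traffic. A Modbus/TCP frame carries a transaction ID, unit ID, function code and data, and nothing that identifies or authenticates the sender, so any host that can reach TCP port 502 can write to a PLC register. The only thing a monitor can key on is therefore the source address. The IP addresses, the allow list of hosts permitted to write, and the sample packets are all constructed for the example; the function codes and header layout are from the Modbus/TCP specification.

```python
"""Modbus/TCP frame construction, parsing and a write-from-unexpected-host check.

Example code added to illustrate the lack of authentication in Modbus/TCP.
Hosts, allow list and packets below are constructed for the example.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Function codes that change PLC state. Note there is no "authenticate" function
# code in the protocol: a write is just a frame with one of these codes in it.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    # MBAP header: transaction id (2), protocol id (2, always 0 for Modbus),
    # length (2, counts unit id + function code + data), unit id (1).
    # There is no field for a sender identity, password or signature.
    length = 1 + 1 + len(data)
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + bytes([function_code]) + data


def parse_frame(raw: bytes) -> ModbusFrame:
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(raw) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusFrame(tid, uid, raw[7], raw[8:])


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    # Function code 0x06: register address (2 bytes) and value (2 bytes).
    return build_frame(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    # Function code 0x03: start address (2 bytes) and register count (2 bytes).
    return build_frame(transaction_id, unit_id, 0x03, struct.pack(">HH", address, count))


def check_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload).
    allowed_writers: {plc_ip: set of hosts permitted to write to it}.
    Returns a list of alert strings. Because the frame itself carries no
    identity, the source IP is the only thing available to judge a write by."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            frame = parse_frame(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if frame.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers.get(dst, set()):
            name = WRITE_FUNCTION_CODES[frame.function_code]
            alerts.append(
                f"{src}->{dst} unit {frame.unit_id}: {name} "
                f"(0x{frame.function_code:02x}) from host not allowed to write"
            )
    return alerts


# Constructed sample network: an HMI that legitimately writes to a PLC, and a
# rogue host on the same segment that can write just as easily.
HMI = "10.0.1.10"
PLC = "10.0.1.50"
ROGUE = "10.0.1.77"
ALLOWED_WRITERS = {PLC: {HMI}}

SAMPLE_PACKETS = [
    (HMI, PLC, 502, read_holding_registers(1, 1, 0x0000, 10)),
    (HMI, PLC, 502, write_single_register(2, 1, 0x0010, 1500)),      # expected write
    (ROGUE, PLC, 502, write_single_register(7, 1, 0x0010, 65535)),   # same frame shape, different host
    (ROGUE, PLC, 502, read_holding_registers(8, 1, 0x0000, 10)),
]


def demo():
    """Run the check over the constructed capture; returns the alert list."""
    return check_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The rogue host's write frame is byte-for-byte the same shape as the HMI's; nothing in the protocol distinguishes them, which is why the check has to fall back on source addresses. That only works if the network is segmented well enough that source addresses mean something, which is the gap Storey describes.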
So what is the best tactic for companies to detect whether they are infected, and to remove the malware if so? Fitzgerald said that once Stuxnet is able to spread there is little or no user activity requested, but anti-virus can detect it as it ‘can pick up remnants of activity and can alert to the threat’.
“It shows that those behind it have an understanding of the Scada system, a reasonable knowledge of rootkits to hide that, and knowledge of the targets that they are interested in,” he said.
He also claimed that there is no evidence of the motive, and that he had seen that Iran had the highest level of infection; his impression was that it was aiming for its industrial targets. He also commented that digital certificates show a tenuous link to China, but there is no evidence to back that up.
From my conversation with Patrick Fitzgerald, it is clear to see that this threat is one to be taken seriously for businesses. While he mentioned that there is no real threat for consumers at the moment, it is quite feasible that this could be developed into one by what is obviously a clever controller.
What is obvious is that there is a lot more that can be achieved by this malware and a lot more that we need to learn about it in the meantime.