News

Code Missile: Stuxnet Worm Takes Aim

Stuxnet may be the first known precision malware weapon designed to destroy a single real-world industrial facility, but the collateral damage affects the entire Microsoft channel.

• By Scott Bekker
• November 01, 2010

It took months, but security researchers are progressing in untangling the fiendishly complex encryption and massive code base of the Stuxnet malware -- and what they say they've found is one of the most interesting developments in the computer security landscape in years.

The Christian Science Monitor online newspaper (csmonitor.com) in September reported, "Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world -- to destroy something."

The Monitor article was primarily based on interviews with German cyber-security researcher Ralph Langner, who began reverse engineering Stuxnet with his Hamburg-based team after the worm emerged this summer.

"With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," Langer wrote on his Web site.

Although thousands of systems have been infected by the worm, which combined four zero-day Windows flaws, the picture emerging now is that all but one of those systems may be collateral damage.

According to Langner's analysis, Stuxnet was one piece in a military/intelligence operation conducted by a technically sophisticated nation state to target and destroy one specific real-world facility by compromising industrial process control software via a contractor's infected USB memory stick. Langner and other security experts speculate that the target may have been a facility in the Iranian nuclear weapons program. Suspicion has centered on the United States and Israel.

Proper Security Measures
Microsoft has responded aggressively to Stuxnet, and understandably so, because the case threatens to reinvigorate a host of thorny, but largely dormant, issues about Windows security, proprietary source code, state security and even possible Microsoft collusion with U.S. government intelligence agencies. As the Microsoft front line for sales and end-user services, Microsoft partners will be the ones taking fire.

At a base level, all Microsoft partners involved with supporting customers on Windows need to understand the basics of the Microsoft Stuxnet bulletins and patches, and it's a good time to re-evaluate security policies and protections around USB sticks.

Manufacturing integrators and ISVs, meanwhile, have a new set of concerns. Stuxnet provides a step-by-step guide for taking over a programmable logic controller (PLC) on an industrial control system. Anybody involved in installing or programming control systems will need to be ready to address and explain the threat. Langner predicted that exploit code based on vulnerabilities used by Stuxnet will make their way into known frameworks like Metasploit within a few months.

Langner also listed a number of basic security procedures that manufacturing integrators can re-emphasize with customers that would help prevent a Stuxnet-style attack from reaching critical control systems. They included defining and enforcing a high security level for engineering stations, especially mobile ones; prohibiting staff from using the stations for private purposes; securing the systems with whitelisting solutions; defining and enforcing a high security level for contractors; removing shared folders; removing critical systems from the network; reviewing policies for remote access; implementing a zoning concept for the network; and using PLC version control systems.

Political Concerns
The biggest Stuxnet problems for Microsoft, however, are what can be called the political issues. And these will be problems for Microsoft's global systems integrators, global ISVs and Microsoft partners in the international subsidiaries, although U.S.-based partners with highly security-conscious customers can expect to be dragged into these conversations, as well.

Microsoft faces four intertwined political issues. Two of them arise from being a multinational corporation headquartered within the world's most powerful nation state. Several years ago, Microsoft faced pushback from China about whether it was appropriate for Chinese government, military and business computers to run on an OS created in another country. Related to that issue is the persistent rumor that Microsoft has either voluntarily or under duress created a backdoor for the U.S. National Security Agency (NSA) to gain access to Windows-based computers. The combination of NSA suspicion and Windows flaws should give new life to international conspiracy theories about collusion.

The other political issues involve the technology fights within the IT community. The Stuxnet incident will revive arguments that Windows is less secure than other OSes. Meanwhile, the issue is new grist for open source advocates, who will use the case to argue that Microsoft's proprietary approach to its code is a problem.