Stuxnet, Vancouver, and Virus Bulletin

Filed Under: Malware, Video

The great and the good of the anti-virus industry are packing their suitcases and charging their iPads in readiness for a trip to Vancouver, the setting next week for the twentieth Virus Bulletin conference.

It's the best opportunity that the malware fighters have each year to exchange discoveries, stories, and the occasional beer with their peers from other computer security companies. And it's an excellent opportunity too for businesses to put a face to the people who are building their anti-virus software and delivering protection against tens of thousands of samples of new malware every day.

Over three days delegates at the Westin Bayshore hotel will hear about botnets, identity theft, mobile malware, targeted attacks, SEO poisoning and attacks on social networks, as well as much much more.

Sophos will be there in force, with experts from our labs presenting papers. Paul Baccas (aka "pob") will be taking a close look at how we can heuristically detect malicious PDFs, and Mike Wood will be covering the use and abuse of digital signatures by malware.

What's been getting most of the media attention, however, is the Stuxnet worm.


There have been numerous stories in the last few days about Stuxnet, with some claiming that it was deliberately coded to target an Iranian nuclear plant. But headlines suggesting it was designed to blow up power stations are perhaps a little sensationalist.

Yes, Stuxnet is a highly sophisticated piece of malware, which used a number of techniques which hadn't been seen before (for instance, exploiting zero-day vulnerabilities in Microsoft's code).

Some of you will, no doubt, remember the YouTube video we made demonstrating how, even with AutoRun and AutoPlay disabled, you can open a USB device and execute Stuxnet's malicious code without user interaction.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

And it's true that Stuxnet was also a highly targeted attack - clearly focusing on messing with SCADA systems (often used by power plants and other infrastructure).

Although there's been lots of speculation in the papers, the truth is that we don't know if Stuxnet was created by, say, Israel. It's very hard to prove 100% who created a piece of malware, and even more so to prove that it was done with the blessing of a government, army or secret service.

Israel has certainly been accused of hacking into other countries' computers before with military intentions (remember the story of how Mossad allegedly hacked a Syrian laptop and bombed a nuclear facility as a result?)

It's also tricky to positively confirm that Iran was the target of Stuxnet either. It was, after all, seen in a number of other countries.

Another issue that has been largely ignored by the media is the response of Siemens, who developed the SCADA software that Stuxnet targets. Stuxnet knows the default password used by the Siemens SCADA software, but - astonishingly - Siemens advised power plants and manufacturing facilities not to change their default password. That's despite it being public knowledge on the web for some years.

In summary - I think we need to be careful about pointing fingers without proof. I also reckon it's more appropriate (if the claims are true) to call this a state-sponsored cyberattack rather than cyber-terrorism.

Of course, we shouldn't be naive. Countries will use every dirty trick in the book to spy upon each other, disrupt activities, and grasp an advantage. We shouldn't be surprised if military and intelligence agencies are engaged in this kind of behaviour, and we mustn't fool ourselves into thinking that our own nations aren't above using the internet to further their own ends too.

I think we will see more and more attacks which will be blamed on state-sponsored cyber-attacks in the future. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student.

Certainly next week we're expecting a fascinating conference in Vancouver - and my guess is that the talks related to Stuxnet will be amongst the best attended. I hope it doesn't cast too much of a shadow over the other excellent research and talks which will be presented there.

But whatever your reason for looking forward to VB2010, I hope you have a great time. If you see me or any of the other guys from Sophos, please say hello. If you're not lucky enough to get there, I'm sure plenty of people will be blogging and tweeting about the latest developments from Vancouver.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.