The world will know more about the mysterious Stuxnet virus by week’s end, after top virus researchers reveal the findings of their post-mortem on Stuxnet at the annual Virus Bulletin Conference.
Researchers from Microsoft, Kaspersky Lab and Symantec are scheduled to reveal more than has been previously known about the mysterious virus, which was first identified in July and has been spreading steadily around the world, targeting industrial control systems manufactured by Siemens.
In a joint presentation at the annual gathering, researchers from Microsoft and Kaspersky Lab will discuss the findings of a joint analysis of the Stuxnet virus, detailing how the virus leveraged unpatched and, for the most part, unknown holes in Microsoft’s Windows operating system to infect and spread over computer networks.
Among the most pressing questions that experts would like to answer are the origin of the virus, its exact purpose and how it was able to spread between the protected and isolated infrastructures of some of the world’s top nuclear facilities. That will be the subject of a separate presentation by Liam O’Murchu of Symantec, one of a handful of researchers credited with discovering Stuxnet’s use of a vulnerability in the Windows Print Spooler Service to compromise and spread between networked Windows systems.
In his presentation, O’Murchu has promised to delve into Stuxnet’s more remarkable characteristics: its ability to identify, compromise and control industrial control systems used by power plants and nuclear facilities. O’Murchu will reveal details of his analysis of the worm’s unique Trojan component affecting programmable logic controllers and provide insight into the origins of Stuxnet and its intended purpose.
Recent weeks have brought a string of sensational revelations about Stuxnet that have stoked speculation in security and political circles. Analysts long suspected that the virus, one of the most sophisticated threats ever to be publicly disclosed, was designed with a specific target or targets in mind and had nation-state backing. Subsequent analysis of outbreak data from Symantec in recent weeks turned the spotlight on Iran as a likely target and state-sponsored hackers working for the U.S. or Israeli army as likely sources for Stuxnet, which may have been written to quietly disable nuclear enrichment facilities in Iran, an assertion reinforced by industrial control experts and not disputed by the intelligence community.
However, each week has also brought new revelations that cloud the Stuxnet picture at just the moment it seems to be coming into focus. Researchers at both Kaspersky and Symantec have publicly questioned the consensus that Iran’s nuclear facilities were Stuxnet’s clear target, citing infection data from India and other countries that rivals that of Iran.
O’Murchu also noted that the Print Spooler Service hole that he and researchers from Kaspersky Lab independently discovered and reported to Microsoft’s Security Response Center had been publicly revealed almost a year earlier in the pages of the Polish hacking magazine Hakin9. O’Murchu also revealed on a Symantec blog that the Windows shortcut file (LNK) vulnerability that Stuxnet used to jump from portable media devices to Windows systems was a late addition to the virus. Earlier versions of the worm had, instead, exploited the Windows AutoRun feature to infect Windows systems. That suggests that Stuxnet may have been spreading in the wild for much longer than researchers had previously believed, muddying the picture still more.
The most sought-after information concerns the three as-yet unpatched Windows vulnerabilities used by Stuxnet. Attendees at Virus Bulletin will be looking for any details about those holes or about other Stuxnet capabilities that are as yet unknown.