SAN FRANCISCO–The Stuxnet attack has been making headlines for several weeks now, thanks to the fact that it includes a pair of zero-day vulnerabilities and also has drivers signed with a stolen digital certificate. However, the real story of this novel malware attack may not be its tactics but its creator, which security experts say could be a nation-state.
Virtually all of the malware that’s prevalent on the Internet today is designed with one goal in mind, and that’s to make money for its creators. Banker Trojans, bot clients, rootkits, keyloggers: they are all meant to make money, either directly or indirectly. Some malware, such as banker Trojans and keyloggers, cuts right to the chase and simply steals online banking credentials and other financial information. Others, such as bot clients, are pieces of a larger puzzle in which the attackers make money either by renting slices of the botnet to other attackers or by threatening to launch DDoS attacks against a specific site unless the owner pays a fee.
Attackers and malware writers have become very adept at finding new ways to make money over the years, and the risk of prosecution is very low in most cases. That’s one of the reasons that the Stuxnet malware stands out: there’s no clear immediate financial gain for its creators. The Stuxnet attack is designed to be as stealthy as possible and targets mainly SCADA systems, some of the highest value machines in the world.
The attack exploits a zero-day vulnerability in the way that all currently supported versions of Windows handle LNK files and is spread initially through USB sticks. Once an infected USB drive is attached to a PC, the attack on the machine is essentially automatic and there is little indication to the user that anything bad has happened. But that’s just one piece of the puzzle. Stuxnet also exploits a vulnerability in Siemens’ WinCC SCADA control software, which runs on industrial control systems in utilities, power plants, manufacturing facilities and other key environments. Once on the machines, the malware attempts to contact a remote server and join a botnet.
Stuxnet’s sophistication and its lack of any real money-making component are leading experts to believe the attack is likely the work of a national government or intelligence agency.
“This is the most sophisticated attack that we have seen to date, by far,” Roel Schouwenberg, a malware researcher at Kaspersky Lab, said at the company’s Virus Analyst Summit here Tuesday. “The involvement of a nation-state is the most likely scenario. This is a highly advanced attack.”
The topic of national governments and intelligence agencies being involved in offensive attacks online has been a touchy one for years, and while many security experts and analysts say that it’s simply a fact of life in the modern world, there has been little in the way of evidence of actual attacks.
Microsoft issued an emergency patch for the LNK flaw on Monday, after reports surfaced of other existing malware families, such as Sality, beginning to exploit the flaw, as well. In addition to the USB exploitation method, the LNK flaw also can be exploited via a drive-by download.
Schouwenberg, who has been researching Stuxnet for several weeks, said that although the first public reports of the malware’s existence only appeared in recent weeks, he now believes the malware itself is much older.
“We went back and looked at our samples and found Stuxnet samples from 2009,” he said. “No one knows what it was doing before it became public a few weeks ago.”