Stuxnet source code up for sale on underground forums
November 26, 2010
If the report is to be believed, the source code for the sophisticated Stuxnet worm is now apparently up for sale, at an unspecified price, on underground forums. Some security observers had been expecting this, given the attention the news media has given Stuxnet lately.
The report claims the worm could now be adapted to shut down large power grids, refineries, complex industrial systems, manufacturing plants and even nuclear power plants, and quotes security experts as saying in the last week that we are a generation behind and have already lost the war in cyberspace.
These flamboyant warnings of doom are nothing more than alarmist crap, according to Paul Ducklin of Internet security firm Sophos, who criticises the report for stating assumptions as fact as well as for sensationalism.
Ducklin is far more worried about the very real problem of cybercrooks raiding bank accounts and subverting payment systems, a concern shared across the security community.
"The problem with inaccurate, inflammatory and irresponsible stories about Stuxnet - good though they may be for page impressions and video views - is that they make cybercriminality sound like a second-rate problem when it is positioned against a news backdrop alleging cyberwar," Ducklin writes.
Stuxnet is a highly sophisticated worm that infects Windows machines running Siemens software and selectively targets industrial control systems and the software used to monitor them remotely. The most widely publicised infection reports concerned the Bushehr nuclear power plant in Iran, but it is far from clear whether the worm actually sabotaged the uranium enrichment systems at Natanz or the controversial and much-delayed Bushehr plant itself.
It is even less clear who developed the malware. Some say it was made in India, while others think China, Venezuela or Brazil.
One thing is certain: whoever created the worm used four Windows zero-day vulnerabilities, all since disclosed, and must have tested extensively against real industrial control systems. Adapting the worm to a different target would take a comparable level of expertise, which some say makes that scenario highly unlikely.
The notion that cyberterrorists are poised to unleash variants of this malware in the wild belongs in the same category as the claim that Iraq could deploy biological weapons within 45 minutes, made in the discredited dossier published by the U.K. government in 2002, ahead of the disastrous invasion of the country the following year.
But make no mistake: Stuxnet is a very complex threat, and the Iranian nuclear angle adds a great deal of mystery, so it is easy for the general media to get carried away.
Siemens' software also controls critical oil and gas refineries and manufacturing plants. The German engineering firm warns that an infection at customers running the affected software could disrupt whole power grids in the U.S., Canada, South America, Europe and Asia.
Siemens began distributing SysClean, a malware and virus scanner made by Trend Micro, updated to remove Stuxnet. The worm spreads by exploiting a flaw present in every supported version of Microsoft Windows and then abuses default passwords in Siemens's SCADA (supervisory control and data acquisition) software.
"As each plant is individually configured in a very unique method, we cannot rule out the possibility that removing the malware may affect your plant in any way," the Siemens advisory said.
The company also advised customers to keep the scanner updated at all times because "there are already some new derivative versions of the original virus around, and we are trying our best to mitigate these and other security issues."
Recently, Siemens has come under blistering criticism for not fixing the vulnerability two years ago, when, according to Wired.com, the default-password problem first came to light.
So far, Stuxnet has infected the engineering environment of at least one unidentified Siemens customer, where it has since been eliminated, Siemens said.
The company added that there are no known infections of production plants to date, but warns that some could still be discovered in the near future.
The worm spreads when an infected USB stick is plugged into a system running Siemens's SCADA software. The attack uses a recently documented vulnerability in the way Windows handles shortcut (.lnk) files (CVE-2010-2568) to take control of the workstation; once there, the worm takes advantage of default passwords in WinCC, the problematic SCADA software supplied by Siemens.
Late yesterday, Siemens said it has updated WinCC to fix the vulnerability. For its part, Microsoft has issued a stop-gap workaround but has not yet said if or when it will patch the Windows flaw.
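The propagation chain described above, a shortcut on removable media that makes Windows load a module from the same stick, suggests a simple triage check an incident responder can run over a mounted USB volume. The following Python script is an added example, not code from the article, Siemens, Microsoft or any vendor scanner: it looks for files carrying the documented Windows shortcut header and flags any that embed a drive-letter path to a .dll, .cpl or .tmp file, then checks whether that file is actually present on the same volume. The extension list is an assumption, and the sample "volume" and the file names in it are constructed for the example; the heuristic is a triage aid, not a replacement for the removal tools the article mentions.

```python
"""Heuristic triage of Windows shortcut (.lnk) files found on a removable volume.

Added example (not from the article): flags shortcuts that name a loadable
module (.dll/.cpl/.tmp) stored on the same stick, the shape of the
shortcut-based spreading the article describes. The suspect extension list
and the sample files below are assumptions made for the example.
"""
import os
import re
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed list: file types a shortcut on a data stick has no business naming
SUSPECT_EXTS = ("dll", "cpl", "tmp")

_PATH_RE = re.compile(
    r"[A-Za-z]:\\[^\x00<>\"|?*]{1,200}?\.(?:" + "|".join(SUSPECT_EXTS) + r")\b",
    re.IGNORECASE,
)


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a well-formed Shell Link header."""
    return (
        len(data) >= LNK_HEADER_SIZE
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )


def embedded_suspect_paths(data: bytes) -> list:
    """Drive-letter paths to suspect file types embedded as ANSI or UTF-16LE."""
    found = set()
    found.update(m.group(0) for m in _PATH_RE.finditer(data.decode("latin-1")))
    # Shortcut string data is UTF-16LE; scan both byte alignments so a string
    # sitting at an odd offset is not missed.
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.update(m.group(0) for m in _PATH_RE.finditer(text))
    return sorted(found)


def triage_volume(mount_point: str) -> list:
    """Walk a mounted volume; return (lnk_file, referenced_path, present) tuples.

    'present' is True when the referenced file exists on this same volume,
    the high-confidence case: shortcut and payload travelling together.
    """
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if not is_lnk(data):
                continue
            for ref in embedded_suspect_paths(data):
                # Drop the drive letter so the check holds whatever letter the
                # stick had when the shortcut was written.
                relative = ref[3:].replace("\\", os.sep)
                present = os.path.isfile(os.path.join(mount_point, relative))
                findings.append((full, ref, present))
    return findings


def _lnk_bytes(target: str, pad: int) -> bytes:
    """Constructed minimal shortcut: valid header, then a UTF-16LE path string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + b"\x00" * pad + target.encode("utf-16-le") + b"\x00\x00"


def build_sample_volume() -> str:
    """Constructed sample 'USB stick' (temp dir): one suspect and one benign shortcut."""
    vol = tempfile.mkdtemp(prefix="usbvol_")
    with open(os.path.join(vol, "Shortcut.lnk"), "wb") as fh:
        fh.write(_lnk_bytes("E:\\~payload.tmp", pad=7))  # odd offset on purpose
    with open(os.path.join(vol, "~payload.tmp"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # stand-in for a DLL, not a real binary
    with open(os.path.join(vol, "Report.lnk"), "wb") as fh:
        fh.write(_lnk_bytes("E:\\Report.docx", pad=0))
    return vol


if __name__ == "__main__":
    for lnk, ref, present in triage_volume(build_sample_volume()):
        verdict = "payload present on volume" if present else "payload absent"
        print(f"SUSPECT {lnk} -> {ref} ({verdict})")
```

Run it against a real mount point by calling triage_volume("/mnt/usb") or the equivalent drive path; a shortcut that names a module which is also sitting on the stick is the finding worth pulling the device for, while a match with the file absent is only a lead.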
Chris Wysopal, CTO of application security tools firm Veracode, says: "Siemens has put their own customers at risk with this egregious vulnerability in their software. Worse are all the many customers from around the world who purchased the software not knowing of any of its many security risks."
"Software customers that are operating SCADA systems on critical infrastructure such as power grids, oil and gas refineries or their factories with the WinCC software had a duty to their customers to not purchase this troublesome software without proper security testing. It is obvious now that no security tests were ever performed on SCADA before putting it in place in the field; not by Siemens itself and not by the customer. This is totally unacceptable," added Wysopal.