Stuxnet and the Future of Malware

By Jeff Vance


Who was responsible for Stuxnet? This was a question I asked a number of security pros at the 2011 RSA security conference last month in San Francisco. The leading contenders were the obvious ones: the U.S. and Israel. However, a very good case was made (off the record, unfortunately) for a surprising dark horse: China.

“Sure, China relies on Iran for oil, and it is an ally of Iran at the U.N., but China doesn’t want a nuclear Iran any more than we do,” my source said. Compelling cases for this point of view can be found in this Forbes article from December, “Stuxnet’s Finnish-Chinese Connection,” and in this report to Congress from the U.S.-China Economic and Security Review Commission.

China has proven itself proficient at cyber-espionage and is most likely responsible for penetrating the U.S. electrical grid, as well as U.S. defense and intelligence networks, usually via thumb-drive-launched malware.

Is the private sector next?

There’s a case to be made that a Fortune 500 company has already been a cyber-espionage victim -- or, more accurately, that a Fortune 500 company suffered collateral damage when it was caught up in state repression. That company was Google. The culprit was almost certainly China. One could argue that this is an isolated case, but it seems the Chinese government’s main target was its own dissidents, and it was merely a fortunate side benefit for China that it had also been at odds with Google for some time.

Thus, China wasn’t too terribly concerned about covering its tracks, avoiding detection or minimizing collateral damage. Warning shots are now a key component of cyber-espionage, it would seem.

Today, the biggest threat to the enterprise is still the insider attack. Those attacks aren’t bankrolled by nations, but how long will it be until a hostile or even shady and opportunistic foreign government notices this opportunity? How long until a bad-actor nation-state or a creative organized-crime network decides to start turning unhappy, underpaid or simply greedy insiders into intelligence assets in the same manner that nations have turned locals into spies for centuries?

In fact, some insider attacks are practically proofs-of-concept for state-sponsored or organized-crime-sponsored ones. The only missing ingredient is the link between the insider and a larger malicious entity willing to pay.

Logic bombs in everyday life

Stuxnet is, in part, a sophisticated logic bomb, or a specific type of malware that kicks into high-gear when specified conditions are met. Logic bombs have long been suspected in several high profile cyber-espionage attacks, including, but not limited to, the Google hack, the penetration into the U.S. electrical grid, some of the attacks that hit Georgia and Estonia during their conflicts with Russia, and U.S.-backed attacks against the Taliban and Serbia.

Even for national defense agencies, cyber-espionage is still far more theory than fact. Skeptics have long argued that the threat from cyber-espionage is overblown. “Show me the actual damage,” they say. Or as Rob Rosenberger writes on the security-hype-debunking site vmyths:

“Did a story in the Wall Street Journal say ‘Thousands of Georgians feared dead in Russian military cyber-attack’? NO. Did The Register announce ‘Russian army hackers make Georgian fuel pipelines flow backward’? NO. Did the U.S. Air Force website proclaim ‘Airmen deploy to Tbilisi to stop Russian military hackers’? NO. Remember this the next time the computer media gets infatuated with the notion of a cyber-war.”

Well, Stuxnet has done lots and lots of real-world damage. There’s no body count, nor were Iranian defense systems, say, turning themselves against Tehran Terminator-style, but Rosenberger now has some of the evidence that was previously lacking.

Not to pick on Rosenberger (he knows a thing or two about security), but the signs pointing to something like Stuxnet have been around for a while. With security so often an afterthought, I have a hard time dismissing anyone who wants to get out ahead of the evolving threat landscape for a change. That said, Rosenberger, back in 2008, had a very valid point. A few years later, several high-profile attacks that hit the enterprise look to have plenty in common with Stuxnet.

Here are some highlights:

2010, Texas Auto Center - A vengeful employee, who had just been laid off, launched an attack from the company’s Webtech Plus software. He used the software, meant to aid with repossessions, to disable customer vehicles, flash lights continuously and cause horns to blare all day long. The dealership was besieged with angry calls and towing requests.

2008, Fannie Mae - A logic bomb from a contract engineer, who had recently been terminated, attempted to delete data on more than 4,000 servers.

2008, Wand Corp. - A laid-off tech support employee at this family-owned restaurant technology and management company launched a semi-successful logic bomb attack that crashed 25 computers and cost the company thousands of dollars to clean up.

2006, UBS - A UBS system administrator, angered over his “meager” annual bonus, launched a virus that, had it been successful, would have driven UBS’s stock price into the ground.

Of the incidents listed above, three of them have one thing in common: they were logic bombs. The fourth incident, Texas Auto Center, didn’t even need logic bomb capabilities because the system itself was already pretty much designed to be a logic bomb. The conditions: a disgruntled employee with system access and ill intent. The result: the system does what it was designed to do -- set off car alarms -- but not how or when it was supposed to.

All the Texas Auto Center ex-employee needed for that attack were credentials. His were suspended, but as a former admin, he just used someone else’s that he happened to remember. Texas Auto Center was sloppy about its access controls and authentication and paid for it.
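As an added example (not from the article), a small Python check written from the defender’s seat for the Texas Auto Center pattern above: it runs over a constructed audit log and an offboarding record and flags any activity on the suspended account, logins from the former admin’s usual workstation under a different account, and bursts of the sensitive “disable vehicle” action. The account names, hosts, dates and the action name are assumptions.

```python
"""Constructed example: flag the Texas Auto Center pattern in audit logs
(a suspended admin reusing someone else's credentials from his usual host)."""
from collections import Counter
from datetime import datetime

# Constructed offboarding record: the date the account was suspended and the
# workstation this person normally logged in from.
OFFBOARDED = {"user": "jdoe", "suspended": "2010-02-01T00:00:00",
              "known_hosts": {"10.0.5.23"}}

# Constructed audit log: (timestamp, account, source host, action)
AUDIT_LOG = [
    ("2010-02-02T09:00:00", "jdoe",   "10.0.5.23", "login_failed"),
    ("2010-02-02T09:01:00", "asmith", "10.0.5.23", "login_ok"),
    ("2010-02-02T09:02:00", "asmith", "10.0.5.23", "disable_vehicle"),
    ("2010-02-02T09:02:30", "asmith", "10.0.5.23", "disable_vehicle"),
    ("2010-02-02T09:03:00", "asmith", "10.0.5.23", "disable_vehicle"),
    ("2010-02-02T10:00:00", "bjones", "10.0.7.1",  "login_ok"),
    ("2010-02-02T10:05:00", "bjones", "10.0.7.1",  "disable_vehicle"),
]

SENSITIVE = "disable_vehicle"   # assumed name of the repossession action
BURST_LIMIT = 2                 # more per account per hour is abnormal here

def find_alerts(log, offboarded, burst_limit=BURST_LIMIT):
    """Return (rule, timestamp, account, host) tuples for suspicious entries."""
    cutoff = datetime.fromisoformat(offboarded["suspended"])
    alerts, bursts = [], Counter()
    for ts, account, host, action in log:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            continue
        # 1) Any post-suspension use (even a failed login) of the suspended account.
        if account == offboarded["user"]:
            alerts.append(("suspended_account_used", ts, account, host))
        # 2) A different account logging in from the former admin's known host.
        elif action == "login_ok" and host in offboarded["known_hosts"]:
            alerts.append(("other_account_from_known_host", ts, account, host))
        # 3) Abnormal volume of the sensitive action from any account, per hour.
        if action == SENSITIVE:
            key = (account, when.strftime("%Y-%m-%dT%H"))
            bursts[key] += 1
            if bursts[key] == burst_limit + 1:   # alert once per burst
                alerts.append(("sensitive_action_burst", ts, account, host))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(AUDIT_LOG, OFFBOARDED):
        print(alert)
```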

For a primer in just how potentially dangerous these sorts of attacks are, check out a November 2009 episode of 60 Minutes, which showed the world how easily a logic bomb could damage or destroy physical machinery. A test attack (called Aurora) hacked into a SCADA system and caused a power generator to self-destruct.

Logic bombs, insiders, scammers and thieves

The insider attacks above share an important trait with cyber-warfare: the main intent is to disrupt and damage. More troubling are the ones that actually want to steal classified information (or protected IP), or simply learn enough about the target to cause all sorts of problems.

The Google penetration falls into that camp, as do earlier Chinese breaches of U.S. intelligence and defense systems. The ZeuS and Bugat Trojans, both of which focus on gaining financial data, gather specific data in order to steal.

Now, take those sophisticated malware tools (which anyone can buy online for a few thousand dollars, by the way) mix them with disgruntled workers and an outside entity seeking to steal or do harm, and you have a perfect attack storm.

Is there any proof that this sort of thing is happening? No. But it's probably just a matter of time before it does.

There are two even more flammable ingredients: mobility and social networks. “Malware used to be binary in nature, taking advantage of a particular vulnerability in a specific system,” said Michael Sutton, VP of Security Research for Zscaler. Now, the software landscape is far more fragmented, with smartphones, tablets and other non-PC platforms complicating the picture, which is inspiring hackers to create more general-purpose malware.

“The future of malware, I’d argue, is Web-based worms. Then, it doesn’t matter what device you are on,” Sutton said. “Malware also used to spread by hopping from device to device. The devices had to have the same vulnerabilities, or it didn’t work. Now, malware is starting to target social networks, where it spreads from profile to profile to profile, growing exponentially, in minutes.”

Twitter, Facebook and LinkedIn all have numerous security vulnerabilities. For social networking sites, the space is still a land grab and the point is to grow as big as you can as fast as you can. Security is considered a minor nuisance that the sites figure they can clean up later.

The more things change

“As fascinating as it is to study new threats like Stuxnet, the majority of the threats to business are what they’ve always been,” said Chris Larsen, head of Blue Coat Systems’ research lab. “Social engineering attacks, especially for fake security products, are still some of the most common and most successful threats.”

Larsen also discussed a particularly devious social engineering attack in which the bad guys launched their targeted attack by focusing on a company’s executives. However, instead of targeting the executives themselves, they went after spouses, the logic apparently being that at least one executive would have a poorly secured PC shared with a non-tech-savvy spouse. That PC would then be the beachhead into the company.

Blue Coat just released its 2011 Web Security Report, which investigated the changing threat landscape in detail. “One of the trends that is the most disturbing,” Larsen said, “is that hackers are becoming more and more patient. They’ll set up fake store fronts; they’ll create ‘malvertising’ campaigns; they’ll build up a powerful botnet over time; and they’ll often seek investments from other criminals to buy them the time to concoct slower, more elaborate attacks.”

Hackers tend to be hackers, conventional wisdom goes, because they’re greedy and lazy. Emphasis on lazy. Patient, determined, high-achieving hackers who have even greedier backers? Now that’s really scary.

Based in Santa Monica, California, Jeff Vance is the founder of www.sandstormmedia.net, a copywriting and content marketing firm. He regularly contributes stories about emerging technologies to this publication and many others. If you have ideas for future stories, contact him at jeff@sandstormmedia.net or visit.