infosec-news January 2011 archive

[ISN] Lame Stuxnet worm 'full of errors', says security consultant

From: InfoSec News <alerts_at_nospam>
Date: Thu Jan 20 2011 - 11:11:26 GMT
To: isn@infosecnews.org

http://www.theregister.co.uk/2011/01/19/stuxnet_male_decry_security_researchers/

By John Leyden
The Register
19th January 2011

Far from being cyber-spy geniuses with ninja-like black-hat coding
skills, the developers of Stuxnet made a number of mistakes that exposed
their malware to earlier detection and meant the worm spread more widely
than intended.

Stuxnet, the infamous worm that infected SCADA-based computer control
systems, is sometimes described as the world's first cyber-security
weapon. It managed to infect facilities tied to Iran's controversial
nuclear programme before re-programming control systems to spin up
high-speed centrifuges and slow them down, inducing more failures than
normal as a result. The malware used rootkit-style functionality to hide
its presence on infected systems. In addition, Stuxnet made use of four
zero-day Windows exploits as well as stolen digital certificates.

All this failed to impress security consultant Tom Parker, who told the
Black Hat DC conference on Tuesday that the developers of Stuxnet had
made several mistakes. For one thing, the command-and-control mechanisms
used by the worm were inelegant, not least because they sent commands in
the clear. The worm spread widely across the net, something Parker
argued was ill-suited for the presumed purpose of the worm as a
mechanism for targeted computer sabotage. Lastly, the code-obfuscation
techniques were lame.

Parker doesn't dispute that the worm is as sophisticated as most
previous analysis would suggest, or that it took considerable skills and
testing to develop. "Whoever did this needed to know WinCC programming,
Step 7, they needed platform process knowledge, the ability to reverse
engineer a number of file formats, kernel rootkit development and
exploit development," Parker said, Threatpost reports. "That's a broad
set of skills."

[...]
