By Kelly Jackson Higgins
Nov 05, 2010
Conspiracy theories have run rampant ever since the Stuxnet worm was
discovered this year, with speculation ranging from an inside job at
Siemens to a nation state-sponsored targeted attack against Iran's
nuclear operations. But what still doesn't add up with any of these
scenarios is how Stuxnet spread outside the facility's SCADA systems to
Windows machines around the world.
Stuxnet has been under the microscope for months as researchers around
the world have picked apart and analyzed the malware's makeup and
possible intent. No one knows for sure who is behind it or its specific
goal, but fingers have been pointed at Israel, the U.S., France,
Germany, and England as a nation-state targeting Iran's nuclear
But the trouble with all of the speculation is that much of it comes out
of anti-malware analysis that looks at what the code did and how it
affected victim machines versus who was actually responsible for writing
it, says Tom Parker, director of security consulting services at
Securicon. "That makes sense, of course, because a lot of business
demands answering those questions. But it's not a good idea to use those
same tools for attribution," says Parker, who will offer up a different
method for malware attribution in a talk at Black Hat Abu Dhabi next
Parker has done some analysis of his own on Stuxnet, using a homegrown
tool he created to trace the malware writers. His tool doesn't work like
antivirus: "It monitors a system and looks for behavior patterns within
code. If it sees a certain sequence of behaviors that are associated
with certain malicious activity," it compares it with similar behavior,
he says. "Certain AV engines work a tiny bit like that," he adds.
Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.