Many hands cooperated to build Stuxnet worm

Tillett told the IdentEvent 2010 conference held this week that he found traces of more than 30 programmers in the Stuxnet worm source code, according to a report on The Atlantic magazine website.

Also, the peer-to-peer network built into the Stuxnet worm was encrypted to FIPS 140-2 standards, according to Tillett.

As previously reported by Infosecurity, the Stuxnet worm is a specialized malware targeting supervisory control and data acquisition (SCADA) systems, which monitor and control industrial processes, such as those in nuclear power plants or in facilities for water treatment.

The Stuxnet worm exploits several vulnerabilities in the underlying Windows operating system to infect systems and propagate. Infection occurs via USB drives or open network shares. A rootkit component hides the malware's files on infected systems. An infected system can usually be controlled remotely by the attacker, which ultimately means the attacker can gain full control of the facility.

According to a Symantec white paper, there were 100,000 hosts infected by the Stuxnet worm, and over 40,000 unique external IP addresses in over 155 countries, as of Sept. 29, 2010. Most of the Stuxnet infections were in Iran, with Indonesia a distant second, and India third.

The concentration of infections in Iran indicates that this was the initial target for infections.

“While Stuxnet is a targeted threat, the use of a variety of propagation techniques…has meant that Stuxnet has spread beyond the initial target. These additional infections are likely to be ‘collateral damage’ – unintentional side-effects of the promiscuous initial propagation methodology utilized by Stuxnet. While infection rates will likely drop as users patch their computers against the vulnerabilities used for propagation, worms of this nature typically continue to be able to propagate via unsecured and unpatched computers”, the Symantec researchers concluded.