Stuxnet Has Infected My Reading

BY Hari Sreenivasan  October 7, 2010 at 6:00 PM EDT

Ever since I began researching material for a Stuxnet virus segment last week on the Newshour broadcast, I’ve been fascinated with this little worm, and I can’t seem to flip by an article about it without stopping to take a look.

Here are few pieces that might be worth your time:

For a good FAQ, check out Elinor Mills’ excellent “Fact vs. theory” article at CNET (where I used to work).

The weakest link in any computer system is usually the human. Most experts agree that the virus most likely climbed into the computer systems through USB keys. Farhad Manjoo penned this Slate piece on how these little “mosquitoes of the digital world” helped carry the virus past “air gaps” that usually keep industrial controls away from the Internet. He also has a good summary of some previous calamities caused by worms.

Then there’s the idea that this virus is now a blueprint on how to wreak havoc on infrastructure systems here in the United States. It was an idea that Ellen Nakashima picked up and ran with for her story in the Washington Post. It is also the subject of several articles about a recent study by Symantec, in which 53 percent of critical infrastructure companies reported having experienced what appeared to be a politically motivated cyber-attack.

Perhaps my interest has been piqued by the notion that this cyber-munition sheds light on what is an ongoing and aggressive war where sides are trying to build castle walls and moats, and posting electronic guards around valuable information. A Reuters team led by Jim Wolf profiles the Defense Department’s attempts at creating a new high-security private network called “dot.secure” and some of the criticisms against such an approach. Mark Clayton of the Christian Science Monitor highlights critics who say the U.S. government Stuxnet alerts have been too slow and not detailed enough in ways that could actually help corporations prepare their defenses or deal with the virus if the infections have already spread.

Bruce Schneier at Forbes helps clarify the distinction on how criminal agencies are careful to use their weapons to extort something using the possibility of sabotage, whereas the creators of Stuxnet created it for sabotage from the beginning — adding greater credence to the notion that this was designed by a government agency. He spells out how they used four highly prized and yet undiscovered “zero-day” vulnerabilities to help the virus spread, something criminal gangs are not likely to do because each of those is worth quite a bit on its own.

This video is worth a quick look. Liam O Murchu, a researcher for Symnatec, demonstrates how an infected computer can override a programmable logic controller. In this case, it kicks on an air compressor and inflates a balloon. A popped balloon at a computer conference is one thing; the real-world examples could be much worse.

The virus doesn’t appear to be spreading as aggressively as feared thanks to released software patches. According to this map from from the Kaspersky Lab’s monthly malware statistics, India and Indonesia have the systems most-infected by Stuxnet at the moment. It would lend slightly more credibility to an interesting thread started by Jeffrey Carr on the Firewall Blog at Forbes about whether this attack was really part of a larger corporate conspiracy. We’ll have to wait until a conference next month to see his evidence, but I’ll probably share some more reading about Stuxnet then as well.

Follow Hari on Twitter.