Security

Submission: Stuxnet Sux or Stuxnet Success Story? (securityweek.com)

wiredmikey writes: Sophistication apart, how dangerous is Stuxnet? Well, SCADA sites are not altogether typical of other corporate sites. There are concerns that many cannot easily take the same countermeasures as a “normal” business, since a PLC controlling a critical function cannot always be taken down easily, even to apply such commonsense precautions as disabling unnecessary ports, applying patches, updating unsupported Operating Systems, and so on.

Win32/Stuxnet might be described as a worm of a slightly different color, though it’s attracted interest from the media that’s comparable in intensity to Conficker, or Code Red, or Blaster. I’m not saying that it isn’t technically interesting, of course: it has too many novel features to be accused of that. I certainly don’t remember seeing so many 0-day exploits in a single malicious package.

Apart from the (now patched) LNK vulnerability (MS10-046) that originally attracted our attention, the more recently patched print spooler attack (MS10-061) proved almost as scary, since it allows a remote user using a Guest account (which should be unprivileged) privileged write access into the %SYSTEM% directory of the target machine. Stuxnet takes this as an opportunity to write (malicious) binary files into %SYSTEM%, so we’re glad to see that one go. Then there are the two privilege escalation issues I can’t discuss yet because of responsible disclosure issues; a new twist on an older patch (MS08-067); an almost incidental sideswipe at Siemens’ naive and persistent use of a hardcoded password; and a sly use of stolen certificates that should worry anyone who still believes that white-listing and code-signing have rendered all reactive security software obsolete. And I haven’t even mentioned some SQL code that isn’t likely to give up all its secrets until we establish exactly which system (or kind of system, even) is being targeted...(continued)

Government

Obama Wants Broader Internet Wiretap Authority

An anonymous reader writes "The White House plans to deliver a bill to Congress next year that will require Internet-based communication services that use encryption to be capable of decrypting messages to comply with federal wiretap orders. The bill will go beyond CALEA to apply to services such as Blackberry email. Even though RIM has stated that it does not currently have an ability to decrypt messages via a master key or back door, the bill may require them to. Regarding this development, James Dempsey of the Center for Democracy and Technology commented on the proposal, saying, 'They basically want to turn back the clock and make Internet services function the way that the telephone system used to function.'"
