Security Response

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.

Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refer to any malware as just a virus. (In an unrelated...

For years now, we in the cyber security industry have been saying an explosion of mobile malware is just around the corner. Beginning in earnest this year, we have indeed observed a marked increase in threats targeting mobile devices – particularly the Android platform. However, it’s probably not accurate to say the expected explosion has in fact occurred. The reality is that cybercriminals are still very much in the exploratory phase of figuring out how to monetize the exploitation of mobile devices. This is the topic of Symantec’s latest research. You can read the whitepaper in its entirety here.

Above all else, our analysis highlights how most current efforts to monetize mobile malware have only a low revenue-per-infection ratio. This has severely limited the return on investment achievable by attackers. It also offers detailed insight into the top current mobile malware monetization schemes observed by Symantec,...

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran.  This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:

...

Since we still haven’t had much success in determining the likely target of Stuxnet, we have decided to release at a high level the behavior of the PLC code. However, we suspect this level of detail while interesting probably still is not enough to identify the potential target.  You can find the additional information starting on page 38 of the latest revision of our paper.

Our previous call for verifiable experts in STL coding that have worked in multiple critical infrastructure industries and coded large STL programs for large industrial control systems in those multiple industries was unsuccessful.  If anyone still wishes to help, they can contact me by clicking on my name at the top to send me a private message.  

Originally this revision would have also described in more detail the remaining Task Scheduler privilege escalation vulnerability, but the vulnerability...