[ISN] A Different Spin On Sleuthing Stuxnet

From: InfoSec News <alerts_at_private>
Date: Mon, 8 Nov 2010 00:15:21 -0600 (CST)

By Kelly Jackson Higgins
Nov 05, 2010 

Conspiracy theories have run rampant ever since the Stuxnet worm was 
discovered this year, with speculation ranging from an inside job at 
Siemens to a nation state-sponsored targeted attack against Iran's 
nuclear operations. But what still doesn't add up with any of these 
scenarios is how Stuxnet spread outside the facility's SCADA systems to 
Windows machines around the world.

Stuxnet has been under the microscope for months as researchers around 
the world have picked apart and analyzed the malware's makeup and 
possible intent. No one knows for sure who is behind it or its specific 
goal, but fingers have been pointed at Israel, the U.S., France, 
Germany, and England as a nation-state targeting Iran's nuclear 

But the trouble with all of the speculation is that much of it comes out 
of anti-malware analysis that looks at what the code did and how it 
affected victim machines versus who was actually responsible for writing 
it, says Tom Parker, director of security consulting services at 
Securicon. "That makes sense, of course, because a lot of business 
demands answering those questions. But it's not a good idea to use those 
same tools for attribution," says Parker, who will offer up a different 
method for malware attribution in a talk at Black Hat Abu Dhabi next 

Parker has done some analysis of his own on Stuxnet, using a homegrown 
tool he created to trace the malware writers. His tool doesn't work like 
antivirus: "It monitors a system and looks for behavior patterns within 
code. If it sees a certain sequence of behaviors that are associated 
with certain malicious activity," it compares it with similar behavior, 
he says. "Certain AV engines work a tiny bit like that," he adds. 


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
Received on Sun Nov 07 2010 - 22:15:21 PST

This archive was generated by hypermail 2.2.0 : Sun Nov 07 2010 - 22:25:47 PST