SecTechno caught my attention with their title of “2010 Top 5 Most Dangerous Malwares”, and then I read this line at the start:
1-STUXNET…it is for the first time in the history that a malware bypass the cyberspace to get directly to the physical environment
Whoa! Stop right there. Not true.
Malware existed on removable media first. It started with boot-sector viruses on floppy disks. Malware spreading in the 1980s depended on exactly that: getting “directly to the physical environment”. The only real exception was the Morris Worm on UNIX in 1988. There was a slow transition to malware on the network through the 1990s (Ivar on MacOS System 7 was my personal favorite), but it was the mid-1990s before malware started to take full advantage of network infection vectors instead of removable media, as explained in a paper by Peter Bergen.
In retrospect we can confidently state that malware writers adapted more quickly to the changed circumstances than Microsoft did. The combination of network connectivity, powerful macro languages and applications which were network aware on one level but had not really incorporated any important security concepts and, of course, the sheer number of targets available proved quite impossible to resist.
So don’t believe the hype. Stuxnet is not dangerous because of how it works. That is the same old story. It is dangerous because it was highly targeted. In addition, the malware was directed to achieve a consequence of social or even political significance, instead of just financial gain.
In other words, when you look at a breached castle wall you should ask whether it was from a special and unknown type of attack (very unlikely) or because the attacking army did their research and targeted the weakest spot (very likely). Likewise, you can ask whether the defending forces had done their research and responded with sufficient resources in time, or whether they were caught off-guard or unready.
Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer’s cannons and is the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.
What does a system ready to defend against malware look like? History tells us that this is a pretty good list to monitor, and would have detected Stuxnet:
- Alternate Data Streams (ADS)
- Audit Policy status
- System file checksums
- Local User activity, dumps
- Open file handles
- Modified, Access, Created times of files on system drive
- Hidden files on the system drives
- Temporary files and cookies
- Associated DLLs of running processes
- System, application, and security logs
- Interface configuration
- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) activity — ports opened by processes
- Local registry hive changes
- Rootkit detection
- Services running
- System information about hardware, OS, and installed software
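To make the “system file checksums” and “Modified, Access, Created times” items concrete, here is an added example (my own illustration, not code from the original post or from SecTechno) that baselines a directory tree, re-scans it, and reports what changed. The sample files, the “patched” driver and the “dropped” file are constructed inside a temporary directory for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (sha256, size, mtime_ns)} for every regular file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[path.relative_to(root).as_posix()] = (digest, st.st_size, st.st_mtime_ns)
    return baseline


def diff_snapshots(before, after):
    """Classify changes between two snapshots.
    'modified' means the content hash changed; 'touched' means the hash is the
    same but the modification time moved, which is still worth a look on files
    that should never be written to (drivers, system binaries)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified, touched = [], []
    for name in sorted(set(before) & set(after)):
        b, a = before[name], after[name]
        if b[0] != a[0]:
            modified.append(name)
        elif b[2] != a[2]:
            touched.append(name)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def demo():
    """Build a constructed 'system drive', baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        drivers = Path(root) / "drivers"
        drivers.mkdir()
        (drivers / "good.sys").write_bytes(b"original driver")       # constructed
        (Path(root) / "config.ini").write_text("a=1\n")               # constructed
        before = snapshot(root)
        (drivers / "good.sys").write_bytes(b"patched driver")        # content changed
        (drivers / "dropped.sys").write_bytes(b"new file")           # new file appeared
        st = (Path(root) / "config.ini").stat()                      # timestamp only
        os.utime(Path(root) / "config.ini", ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real system root instead of the temporary directory, and persist the baseline offline, to turn this into the kind of check the list describes.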