Stuxnet Information and Resources (1)
[Latest update: 20th January 2011. Note that because this resource was becoming longer than anticipated and somewhat unwieldy, second and third "volumes" of more recent links are now available at http://blog.eset.com/?p=5913 and http://blog.eset.com/?p=5945 ]
The Stuxnet analysis "Stuxnet Under the Microscope" by Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, has, unlike most ESET white papers, been subject to a number of revisions as we've come to know more about the malware itself, and as the purposes of its perpetrators have become clearer. However, since all the known vulnerabilities exploited by Stuxnet have now been patched, version 1.3x of the document is likely to be the last substantial revision.
On the other hand, we can't help but notice that information, discussion and speculation have by no means dried up. So rather than revise the document every time we see a relevant link and require you to download and pore through all those pages, we're making a resources list available on this page, and we'll be updating it as necessary and appropriate. This doesn't mean, of course, that we won't update the original report if a more substantial addition or modification becomes necessary.
The list below is essentially the first appendix from the Stuxnet analysis, presenting links to further information and resources in approximately chronological order, and additions will be timestamped and flagged in other blogs and microblogs.
We don't, of course, claim that this list is all-inclusive, and it will be maintained on a "best endeavours" basis as time and other commitments allow. We are not responsible for the content on external sites: nor do we necessarily agree with the opinions and speculations expressed by other individuals and organizations, of course.
Changelog
Two VB presentation links appended on 5th January 2011. And one more from the Washington Times.
Report of a Stuxnet-unrelated vulnerability in SCADA software, a speculative cyberwar link, and some links on Iranian post-Stuxnet "cybermilitia" recruitment appended, 12th January 2011.
Tony Dyhouse writes in SC Magazine about the political implications for the security community of the Stuxnet and Wikileaks incidents. Link appended 14th January 2011.
16th January 2011: appended article "Israel Tests on Worm Called Crucial in Iran Nuclear Delay" by William J. Broad, John Markoff and David E. Sanger.
17th January 2011: appended several links relating to the New York Times article flagged on the 16th January – one from Heise (in English), one from The Register, plus three links from the Spanish press courtesy of Josep Albors (and Josep's own blog on the subject). The Register and SC Computing commented on a study by OECD (Organization for Economic Cooperation and Development) scientists: a link to the substantial OECD report by Peter Sommer and Ian Brown on "Reducing System Cybersecurity Risk" is also appended. And F-Secure have a "wrap-up" video up on Youtube, though I think that might be a bit premature (good blog article, though). Heise also have an article on a SCADA-related exploit, not directly related but interesting.
18th January 2011: more articles following on from New York Times story, by Kim Zetter, Bret Stephens and Jeffrey Carr. And a tinfoil special from extendedsubset.com (thanks for the pointer, Aryeh!): added a couple of the links referenced in that blog.
19th January 2011:
The H Online: Stuxnet not such a masterpiece after all?
John Leyden in The Register: Lame Stuxnet worm 'full of errors', says security consultant: My teenage son could code better
Wayne Madsen: Stuxnet: A Violation of US Computer Security Law – c/p with permission from Wayne Madsen Reports
Byron Acohido in USA Today: Stuxnet could be Conficker's Cousin.
20th January 2011:
ESET OECD report in SC Magazine: http://www.scmagazineus.com/cyberwarfare-dismissed-oecd-speaks-others-retweet/article/194543/
Mike Masnick ponders the movie-like aspects of the Stuxnet saga: http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml
Kevin Coleman comments on Iran's attempts to address the problem with a lawsuit against Israel: http://defensetech.org/2011/01/18/cyber-war-crimes/
The entries added to this blog post since version 1.31 are also listed in the second volume of these resources at http://blog.eset.com/?p=5913.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
- http://www.h-online.com/security/news/item/Trojan-spreads-via-new-Windows-hole-1038992.html
- http://www.heise.de/newsticker/meldung/Trojaner-verbreitet-sich-ueber-neue-Windows-Luecke-1038281.html
- http://www.reconstructer.org/main.html
- http://it.slashdot.org/submission/1283670/Malware-Targets-Shortcut-Flaw-in-Windows-SCADA
- http://it.slashdot.org/story/10/07/15/1955228/Malware-Targets-Shortcut-Flaw-In-Windows-SCADA
- http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
- http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/
- http://www.msnbc.msn.com/id/38315572
- http://www.reuters.com/article/idUSTRE66I5VX20100719
- http://forums.cnet.com/5208-6132_102-0.html?messageID=3341877
- http://www.f-secure.com/weblog/archives/00001993.html
- http://news.softpedia.com/news/PoC-Exploit-Code-Available-for-Windows-LNK-Vulnerability-148140.shtml
- http://www.computerworld.com/s/article/9179339/Windows_shortcut_attack_code_goes_public?taxonomyId=17&pageNumber=1
- http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/
- http://blog.eset.com/2010/08/04/assessing-intent
- http://www.google.com/hostednews/ap/article/ALeqM5h7lX0JoE1AGngQoEfWWmCM6THizQD9HC86L80
- http://www.dailytech.com/Hackers+Target+Power+Plants+and+Physical+Systems/article19257.htm
- http://www.scmagazineus.com/keeping-hilfs-from-crashing-your-party/article/173975/
- http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=74
- http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?taxonomyId=82
- http://www.zdnet.co.uk/news/security-threats/2010/09/16/siemens-stuxnet-infected-14-industrial-plants-40090140/
- http://www.h-online.com/security/news/item/Stuxnet-worm-can-control-industrial-systems-1080751.html
- http://secunia.com/advisories/41525/
- http://secunia.com/advisories/41471/
- http://blogs.technet.com/b/msrc/
- http://www.csoonline.com/article/614064/siemens-stuxnet-worm-hit-industrial-systemss
- http://krebsonsecurity.com/2010/07/microsoft-to-issue-emergency-patch-for-critical-windows-bug/
- http://www.symantec.com/connect/blogs/stuxnet-breakthrough
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
- http://www.langner.com/en/index.htm
- http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx
- http://blog.eset.com/?s=stuxnet
- http://frank.geekheim.de/?p=1189
- http://www.faz.net/s/RubCEB3712D41B64C3094E31BDC1446D18E/Doc~E8A0D43832567452FBDEE07AF579E893C~ATpl~Ecommon~Scontent.html
- http://www.computerworld.com/s/article/9187300/Microsoft_confirms_it_missed_Stuxnet_print_spooler_zero_day_%20
- http://news.sky.com/skynews/Home/World-News/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Article/201011415827544?lpos=World_News_News_Your_Way_Region_5&lid=NewsYourWay_ARTICLE_15827544_Stuxnet_Worm%3A_Virus_Targeted_At_Irans_Nuclear_Plant_Is_In_Hands_Of_Bad_Guys%2C_Sky_News_Sources_Say
- http://news.sky.com/skynews/Home/video/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Video/201011415828645
- http://www.bbc.co.uk/news/technology-11795076
- http://www.thinq.co.uk/2010/11/25/stuxnet-worm-hits-black-market/
- http://nakedsecurity.sophos.com/2010/11/25/stuxnet-scared-of-shadows/
- http://thompson.blog.avg.com/2010/11/comment-on-stuxnet-and-more-windows-0-days.html
- http://en.wikipedia.org/wiki/Stuxnet
- http://www.msnbc.msn.com/id/3036697/#40280338
- http://www.itproportal.com/2010/11/25/microsoft-reveals-code-vulnerable-stuxnet/
- http://www.eweek.com/c/a/Security/Exploit-Code-for-Windows-Zeroday-Targeted-by-Stuxnet-Goes-Public-406413/
- http://www.exploit-db.com/exploits/15589/
- http://blogs.protegerse.com/laboratorio/2010/11/24/publicado-el-codigo-de-otra-de-las-vulnerabilidades-usadas-en-stuxnet/
- http://www.v3.co.uk/v3/news/2273495/stuxnet-black-market-sky-news
- http://www.f-secure.com/weblog/archives/00002040.html
- http://www.facebook.com/notes/eset-ireland/cyberthreats-daily-facebook-infested-with-new-worm-stuxnet-hype/10150130942127788
- http://af.reuters.com/article/energyOilNews/idAFLDE6AS1L120101129
- http://go.theregister.com/i/cfh/http://www.theregister.co.uk/2010/11/29/stuxnet_stuxnet/
- http://www.h-online.com/security/news/item/Report-Stuxnet-code-being-sold-on-black-market-1142866.html
- http://www.microsoft.com/technet/security/bulletin/MS10-dec.mspx
- http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/#more-2513
- http://taiaglobal.com/?attachment_id=81
- http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228800582/china-likely-behind-stuxnet-attack-cyberwar-expert-says.html
- http://www.infracritical.com/papers/stuxnet-timeline.txt
- http://www.vimeo.com/18225315
- http://www.langner.com/en/2010/12/31/year-end-roundup/
Added 5th January 2011
- http://www.virusbtn.com/pdf/conference_slides/2010/Raiu-VB2010.pdf
- http://www.virusbtn.com/pdf/conference_slides/2010/OMurchu-VB2010.pdf
- LEVINE: Malware warfare made us all safer. Stuxnet for Nobel Peace Prize: http://www.washingtontimes.com/news/2011/jan/4/malware-warfare-made-us-all-safer/
Added 13th January 2011
- http://threatpost.com/en_us/blogs/china-sleeps-stuxnet-scada-bug-011011
- http://print.dailymirror.lk/other/mirror-education/142-education/32813.html
- http://www.itworld.com/security/133469/iran-responds-stuxnet-expanding-cyberwar-militia
- http://blogs.forbes.com/jeffreycarr/2011/01/12/irans-paramilitary-militia-is-recruiting-hackers/?boxes=financechannelforbes
Added 14th January 2011
Added 16th January 2011
Added 17th January 2011
- http://h-online.com/-1170421
- http://www.theregister.co.uk/2011/01/17/stuxnet_israel_connection_fleshed_out/
- http://www.elmundo.es/elmundo/2011/01/16/internacional/1295180388.html
- http://www.gigle.net/stuxnet-podria-haber-sido-creado-por-eeuu-e-israel/
- http://www.elpais.com/articulo/internacional/Israel/disena/virus/informatico/boicotear/programa/nuclear/irani/elpepuint/20110116elpepuint_8/Tes
- http://blogs.protegerse.com/laboratorio/2011/01/17/stuxnet-y-las-teorias-conspiratorias-internacionales/
- http://www.theregister.co.uk/2011/01/17/cyberwar_hype_oecd_study/
- http://www.scmagazineuk.com/report-claims-that-the-use-of-cyber-weaponry-will-shortly-become-ubiqutous-as-threats-increase-but-with-no-cyber-war-on-the-horizon/article/194354/?DCMP=EMC-SCUK_Newswire
- http://www.oecd.org/dataoecd/3/42/46894657.pdf
- http://www.youtube.com/watch?v=gFzadFI7sco&feature=youtu.be
- http://www.h-online.com/security/news/item/SCADA-exploit-the-dragon-awakes-1169689.html
- http://www.f-secure.com/weblog/archives/00002083.html
Added 18th January 2011
- http://www.wired.com/threatlevel/2011/01/inl-and-stuxnet/
- http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/
- http://online.wsj.com/article/SB10001424052748703396604576087632882247372.html?mod=WSJ_Opinion_BelowLEFTSecond
- http://extendedsubset.com/?p=43
- http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf
- http://www.inl.gov/technicalpublications/Documents/3874574.pdf
Added 19th January 2011
- http://content.usatoday.com/communities/technologylive/post/2011/01/why-the-stuxnet-worm-could-be-confickers-cousin-/1
- http://h-online.com/-1171795
- http://www.theregister.co.uk/2011/01/19/stuxnet_male_decry_security_researchers/
- http://www.t-room.us/2011/01/stuxnet-a-violation-of-us-computer-security-law-%E2%80%93-cp-with-permission-from-wayne-madsen-reports/
Added 20th January 2011
- http://www.scmagazineus.com/cyberwarfare-dismissed-oecd-speaks-others-retweet/article/194543/
- http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml
- http://defensetech.org/2011/01/18/cyber-war-crimes/
3 Responses to “Stuxnet Information and Resources (1)”

January 17th, 2011 at 1:35 pm
David,
First, let me thank you for your great blog. You are a magnificent source of infosec all-around-stuff for me and you always make me think and analyze.
I’ve got a possible new link for your Stuxnet resource:
It is a possible Finnish-Chinese connection. It is as “shady” as and guess-work as all others who say it was US-Israel who did it. Maybe even more. But it’s interesting to read too.
Cheers!
January 17th, 2011 at 1:36 pm
Probably the link was deleted, maybe this other way will not be removed:
hxxp://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/
January 18th, 2011 at 2:59 am
@Furoner, thanks for the compliment and the link. In fact, I actually flagged it in the original post and in the last update to the full Stuxnet analysis (version 1.31), but I agree: it’s a plausible and well-written analysis, that deserves to be read alongside the Wall Street Journal’s. Which doesn’t mean, of course, that I unreservedly accept the underlying hypothesis of either article.