Stuxnet, GitHub and a Worm with Cloak and Dagger Written All Over It
Some variety of Stuxnet is on GitHub. Crowdleaks posted the code, but it’s uncertain whether it is the actual source or code posted by an organization possibly working on behalf of a government.
Stuxnet, as you may recall, is a worm that targets industrial control systems. It has already been given credit for disrupting Iran’s nuclear program. We wrote recently about how you can protect your organization from a Stuxnet attack.
Crowdleaks posted the Stuxnet file, which was discovered in a cache of internal emails that a group known as Anonymous posted from HBGary Federal, a software security company. According to reports, HBGary planned to reveal the names of several people tied to Anonymous, a group known for its Web-based attacks. In response, Anonymous hacked into HBGary and posted 27,000 emails from the company.
What the emails reveal is perhaps the most compelling aspect of this story. Reading through them, there are references showing how HBGary discussed Stuxnet in the context of the US government:
from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity
mailed-by: gmail.com

contacts over at TSA say that everybody has a copy…combine that with US CERTs vulnerability status and their own systems not meeting the spec…. i’m seeing TSA becoming a malware testbed…

Aaron Barr responds:

On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> Dave,
>
> We haven’t but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
>
> In doing a little research:
> http://diocyde.wordpress.com/2010/03/12/ringy-ringy-beacon-callbacks-why-dont-you-just-tell-them-their-pwned/
>
> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges either source of destination, everything else is or will become somewhat irrelevant or diminished in value.
>
> Aaron Barr
> CEO
> HBGary Federal, LLC
> 719.510.8478
For now, the code on GitHub appears to be unremarkable.
Crowdleaks.org had a software engineer (whose name has been withheld) look at the Stuxnet binaries inside a debugger and offer some insight on the worm. She reported that most of the worm’s sources used code similar to what is already publicly available. She noted that the only remarkable things about it were the four Windows 0-days and the stolen certificates.
“A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it’s ‘unremarkable’. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints.”
When asked what type of organization likely wrote it, she stated:
“Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work.”
Stuxnet has reached into the increasingly cloak-and-dagger world of cyber espionage. Its potential to disrupt is considerable. This story is only beginning to unfold.