Stuxnet: Zero Victims (opens in new tab)

(securelist.com)

99 pointsHackman2111y ago9 comments

9 comments

The title should read something like "Initial victims". The article isn't claiming there weren't any victims; it's just the opposite, that there were multiple (5) primary sites affected by the attack, which they attempt to pinpoint and analyze.

I guess the chose the title by analogy with the term "patient zero", since "patients zero" wouldn't have quite made sense.

e4011y ago

Perhaps "victim zero" then?

iaskwhy11y ago

The article itself also calls them "patients zero" or "original victims": "Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims)."

Estragon11y ago

Yes, that confused me too.

PhantomGremlin11y ago

In reading this, I'm astonished at how primitive Stuxnet was. If I were writing a worm that saved information on infected systems, I would have:

   created a public/private key pair
   included the public key in the worm
   encrypted interesting stuff with the public key

That way nobody would be able to decrypt any of the information saved by the worm if they didn't know the private key.

Does that make sense or am I missing something obvious? Why did Stuxnet keep a cleartext embedded trail of systems it traversed? I can't grok that at all.

amckenna11y ago

It is possible they chose not to encrypt things with public/private keys (asymmetric crypto) because generally that is slow and computationally intensive, as compared to using symmetric crypto. If the goal was to be as stealthy as possible then creating asymmetrically encrypted blobs on the victims machines may have been too obvious. They couldn't have used symmetric crypto because the key would need to have been kept on the machine performing the crypto, thereby rendering it useless.

My guess is they figured stealth would provide the protection they needed and the possibility that errors/corruption during encryption, storage, and transmission was an unacceptable risk at the time. Another possibility is that large blobs of encrypted data on the victim machines would be obvious and possibly flagged, thereby compromising the stealth of the operation. Or the devs simply didn't have time.

mooneater11y ago

Seems lazy, especially since its ancestor Flame contained some "world class" crypto expertise.

[1] http://gcn.com/articles/2012/06/11/flame-world-class-crypto-...

adamfeldman11y ago

Please change the submission to a secure URL: https://securelist.com/analysis/publications/67483/stuxnet-z...

tkmcc11y ago

> The name could mean that the initial infection affected some server named after our anti-malware solution installed on it.

Unlikely to be a server given that OS version number on the "KASPERSKY ISIE" line is 5.1, which corresponds to that of Windows XP [+].

> KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.

..also judging by the "5.2" on each line, which corresponds to the OS version of Windows Server 2003 (including R2). "5.2" also could indicate Windows XP 64-bit Edition, but that seems much less likely to be the case.

[+] http://msdn.microsoft.com/en-us/library/windows/desktop/ms72...

j / k navigate · click thread line to collapse