Proliferating Stuxnet
Ralph Langner, the industrial control systems expert who first identified Stuxnet’s target, dissects the worm into its active ingredients:
Most people think of Stuxnet’s exploits as some complex, but structured hacker stuff on the operating system level, plus some mushy, arcane 70s-style controller code that cracked centrifuge rotors. In reality, the automation side of Stuxnet is as modular, structured and complex as the coding that can be found at the operating system level. So let’s try to break down Stuxnet’s exploits in categories:
1. Operating system exploits (generic)
1.1 Two stolen digital certificates
1.2 Four zero-day vulnerabilities plus at least one known vulnerability
1.3 Peer-to-peer update logic
2. Windows application exploits (generic)
2.1 Default database password for SCADA application, plus SQL injection, plus forced SQL execution
2.2 Hijacking the legitimate driver DLL (s7otbxdx.dll)
2.3 Executing arbitrary code in project folders of the engineering software
3. Controller exploits (generic)
3.1 Code injection to any operation block, taking priority over legitimate code
3.2 Hooking system functions
3.3 I/O filter & faker
4. Physical process exploits (mostly target specific)
From all the exploits listed, only exploit category four is tied to a specific target configuration.
In short, Langner believes that a lot of this stuff is more reusable than people appreciate, and worries about the proliferation risk. In the worst case, he thinks that we may soon see the free availability of pre-packaged, fully configurable cyberweapons to “immoral idiots and geniuses alike,” much like the arming of the “script kiddies” in the prior decade.
I personally suspect that he may place too much weight on weapon engineering (and underestimate the intelligence and targeting activity that presumably preceded it), but read his whole argument.