Stuxnet cyberweapon looks to be one on a production line, researchers say
Evidence is rising that Stuxnet, a cyberweapon that attacked Iran's nuclear facilities in 2009, is part of a supersophisticated manufacturing process for malicious software, two antivirus companies tell the Monitor.
Somewhere in the world, the creators of the Stuxnet worm are involved in a cyberweapon manufacturing operation that can pump out supersophisticated malicious software tweaked for specific missions, new targets, and detection evasion.
Stuxnet, the first military-grade cyberweapon known to the world, has been called a digital missile and a cyber-Hiroshima bomb. But it was not a one-shot blast, new research shows. Rather, Stuxnet is part of a bigger cyberweapons system – a software platform, or framework – that can modify already-operational malicious software, researchers at two leading antivirus companies told the Monitor.
The platform appears to be able to fire and reload – again and again – to recalibrate for different targets and to bolt on different payloads, but with minimal added cost and effort, say researchers at Kaspersky Labs and at Symantec.
Kaspersky, based in Moscow, and Symantec, in Sunnyvale, Calif., are antivirus companies, competitors in fact. Each has had teams laboring independently for more than a year to decipher Stuxnet. Both are amazed to have discovered digital fingerprints of a much larger family of weaponized software.
What each has uncovered are at least seven cyberweapon "launcher" files created from a common software platform. A launcher file is needed to stealthily insert the malicious payload (Stuxnet, for instance) onto a computer, and it also carries the payload files and the encryption keys needed to unpack them and make them function.
All seven launcher files contain chunks of identical source code, yet differ in small but important ways, according to a Kaspersky Labs study released last week. Just two of those files are known to be used by the Stuxnet program. Two others are related to an espionage software program called Duqu, discovered last fall.
That leaves three launcher files with no known affiliations. While those three could be affiliated with as-yet-undetected variants of Stuxnet or Duqu, they are more likely to be affiliated with undiscovered cyberweapons operating "in the wild" somewhere in cyberspace, researchers say.
Kaspersky's findings are buttressed by researchers at Symantec, which led the deciphering effort on Stuxnet in 2010. The companies' findings imply that Stuxnet's creators are not resting on past deeds, such as the attack on Iran's nuclear fuel manufacturing facilities. Instead, they are apparently churning out new cyberweapons for new missions from that same common software platform, researchers from both firms told the Monitor.