How Stuxnet is Scaring the Tech World Half to Death
A complex computer virus and its imminent threat.
2:30 PM, Sep 30, 2010 • By JONATHAN V. LAST
To date, no one knows exactly what Stuxnet was doing in the Siemens PLC. “It’s looking for specific things in specific places in these PLC devices,” Digital Bond CEO Dale Peterson told PC World. “And that would really mean that it’s designed to look for a specific plant.” Tofino Security Chief Technology Officer Eric Byres was even more ominous, saying, “The only thing I can say is that it is something designed to go bang.” Even the worm’s code suggests calamity. Ralph Langner is the most prominent Stuxnet sleuth and he notes that one of the last bits of code in the worm is the line “DEADF007.” (Presumably a dark joke about “deadf*ckers” and the James Bond call-sign “007.") “After the original code is no longer executed, we can expect that something will blow up soon,” Langner says somewhat dramatically. “Something big.”
The most important question is what that “something big” might be.
But there is another intriguing question: How did Stuxnet spread as far as it did? The worm is, as a physical piece of code, very large. It’s written in multiple languages and weighs in at nearly half a megabyte, which is one of the reasons there are still many pieces of it that we don’t understand. And one of those puzzles is how Stuxnet found its way onto so many computers so far away from one another. Iran is the epicenter, but Stuxnet is found in heavy concentrations in Pakistan, Indonesia, and India, too, and even as far away as Russia, Uzbekistan, and Azerbaijan. By the standards of modern worms, the 45,000 computers infected by Stuxnet is piddling. But if Stuxnet really can only propagate via local networks and USB drives, how did it reach even that far?
Stuxnet is already the most studied piece of malware ever, absorbing the attention of engineers and programmers across the globe, from private companies to academics, to government specialists. And yet despite this intense scrutiny, the worm still holds many secrets.
*An earlier version of this article stated that the compilation date for the ~wtr4141.tmp file was February 3, 2009.
Recent Blog Posts