Weaponized software

Iran is fighting off a significant cyber attack, reports The New York Times. The worm, dubbed Stuxnet, represents a hellish breakthrough in the evolution of computer viruses.

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

The Christian Science Monitor first reported on Stuxnet in June.  The primary source of the CSM story was computer security expert Ralph Langner, who has been chronicling his research of the virus on his Web site. Langner called Stuxnet the “hack of the century,” and said “Stuxnet is going to be the best studied piece of malware in history.”

Wired magazine, unsurprisingly, has the definitive story.

“It’s the most complex piece of malware we’ve seen in the last five years or more,” says Nicolas Falliere, a code analyst at security firm Symantec. “It’s the first known time that malware is not targeting credit card [data], is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped.”

… Eric Byres, chief technology officer for Byres Security, says the malware isn’t content to just inject a few commands into the PLC [Programmable Logic Controller] but does “massive reworking” of it.

“They’re massively trying to do something different than the processor was designed to do,” says Byres, who has extensive experience maintaining and troubleshooting Siemens control systems. “Every function block takes a fair amount of work to write, and they’re trying to do something quite radically different. And they’re not doing it in a light way. Whoever wrote this was really trying to mess with that PLC. We’re talking man-months, if not years, of coding to make it work the way it did.”