Both Aurora and Stuxnet leverage unpatched "zero-day" flaws in Microsoft products. But Stuxnet is more technically remarkable than the Google attack, Schouwenberg said. "Aurora had a zero-day, but it was a zero-day against IE6," he said. "Here you have a vulnerability which is effective against every version of Windows since Windows 2000."
On Monday, Microsoft rushed out an early patch for the Windows vulnerability that Stuxnet uses to spread from system to system. Microsoft released the update just as the Stuxnet attack code started to be used in more virulent attacks.
Although Stuxnet could have been used by a counterfeiter to steal industrial secrets -- factory data on how to make golf clubs, for example -- Schouwenberg suspects a nation state was behind the attacks.
To date, Siemens says four of its customers have been infected with the worm. But all those attacks have affected engineering systems, rather than anything on the factory floor.
Although the first version of the worm was written in June 2009, it's unclear if that version was used in a real-world attack. Schouwenberg believes the first attack could have been as early as July 2009. The first confirmed attack that Symantec knows about dates from January 2010, said Vincent Weafer, Symantec's vice president of security technology and response.
Most infected systems are in Iran, he added, although India, Indonesia, and Pakistan are also being hit. This in itself is highly unusual, Weafer said. "It is the first time in 20 years I can remember Iran showing up so heavily."