The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
[ Also on InfoWorld: This summer a second variant of the Stuxnet worm struck. | InfoWorld's Woody Leonhard explains the workings of the rootkit exploit. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. By comparison, other notable attacks, like the one dubbed "Aurora" that hacked Google's network, and those of dozens of other major companies, was child's play.
O Murchu and Schouwenberg should know: They work for the two security companies that discovered Stuxnet exploited not just one zero-day Windows bug, but four, an unprecedented number for a single piece of malware.
Stuxnet, which was first reported in mid-June by VirusBlokAda, a little-known security firm based in Belarus, gained notoriety a month later when Microsoft confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms.
Those control systems are often dubbed SCADA, for "supervisory control and data acquisition," and run everything from power plants and factory machinery to oil pipelines and military installations.
At the time, researchers believed Stuxnet -- whose roots were later traced as far back as June 2009 -- exploited a single unpatched, or "zero-day" vulnerability in Windows and spread through infected USB flash drives.
Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly 60 percent of all infected PCs were located in that country.
Microsoft patched the Stuxnet-exploited bug in Windows' shortcuts with an emergency update Aug. 2.
Unbeknownst to Microsoft, it had plugged just one of four zero-day vulnerabilities that Stuxnet used to gain access to a company's network, then seek out and infect the specific machines that managed SCADA systems controlled by software from German electronics giant Siemens.
With a sample of Stuxnet in hand, researchers at both Kaspersky and Symantec went to work, digging deep in its code in an attempt to learn how it ticked.
What the two companies independently found was attack code that targeted three more unpatched Windows bugs.
"Within a week, a week-and-a-half [of news of Stuxnet], we discovered the print spooler bug," said Schouwenberg. "Then we found one of the EoP (elevation of privilege) bugs." Microsoft researchers discovered a second EoP flaw, Schouwenberg said.
Working independently, Symantec researchers found the print spooler bug and two EoP vulnerabilities in August.