Proactive IT security

A new generation of malware

Introduction

Computer software evolves, and a popular convention is to speak of a new generation whenever fundamental changes arrive. If one looks at malware in the same manner, one may also classify different types into various generations.

One such classification might be based on the motivations of those who initiate the malware. Using this approach, a classification might look like this:

  • Generation I: Malware where the motivation was to show how clever the authors were.
    Malware was in its infancy and its authors were few. The antivirus vendors arrived on the scene at this stage.

  • Generation II: Malware where the motivation was to spread the malicious software as much as possible and as quickly as possible (and to some extent also to ruin systems).
    The hugely widespread worms from early this century belong to this category.

  • Generation III: Malware where the motivation was economic.
    Most malware developed in recent years belongs to this category. Exploiting software vulnerabilities, combined with social engineering techniques, is the main propagation vector.

  • Generation IV: Very sophisticated malware aimed at a particular target or targets.
    The malware that belongs to this category is not primarily used to gain money, but rather as a weapon against something.
    This will be the focus of this security article.

Seen in a time-frame, these four generations overlap to some degree. Malware belonging to the first generation is still being developed; the recent Twitter worm may be viewed as an example. It further seems safe to assume that third generation malware will be around for quite a long time, although those behind the malware may start using technology from the fourth malware generation.

Stuxnet - the most sophisticated malware

Stuxnet is a piece of malware that belongs to generation four above. In this article we will not provide a technical analysis of Stuxnet, but look at it from a broader point of view.

Highlights

Stuxnet was first discovered by the Belarusian security company VirusBlokAda in June this year. However, it is assumed that the malware was created and released in the wild months before.

Soon after Stuxnet was discovered, security organizations started their malware analysis as usual. Norman published a description of Stuxnet in the beginning of July.

However, as weeks and months passed, the analysis of Stuxnet continued and revealed ever more new characteristics and sophistication. Some of the features and techniques used by Stuxnet are:

  • Stuxnet's initial spreading mechanism is via USB sticks using the .LNK vulnerability, for which Microsoft released an out-of-band security update on 2 August.
  • Stuxnet uses four different software vulnerabilities. One of the vulnerabilities it uses was closed by a security update from Microsoft in its monthly set of updates in September (although information about this vulnerability had been known for more than one year).
  • Stuxnet uses rootkit technologies to avoid detection.
  • Stuxnet targets a particular type of industrial control system (ICS) - Supervisory Control And Data Acquisition (SCADA) systems from Siemens - and attempts to infect the Programmable Logic Controller (PLC). Since Siemens' systems seem to be the main target, Siemens has published an advisory for users with potentially vulnerable Siemens software.

Stuxnet is not a mass spreader. Interestingly, it seems that more than half of the infected systems were based in Iran, which led to some intriguing speculation (see below).

Speculation

Stuxnet is probably the most advanced piece of malware ever created, or at least released in the wild. This has led to conjectures that those behind this malware are not "the usual cybercriminals".

This hypothesis seems quite likely. It would require substantial amounts of money and advanced research resources to find (or buy) the vulnerabilities used. Stuxnet is also a complex and sophisticated piece of software, which would require programming skills not freely available. Finally, Stuxnet uses techniques that indicate intimate knowledge of the industrial control systems that are targeted.

One theory that has emerged publicly lately, and received much attention, is that Stuxnet is targeted against a particular nuclear plant in Iran. This first emerged in a web article by Ralph Langner, which is being updated continuously. Supposedly the attack has already taken place and was successful.

Who is behind it?

The answer to this question is also speculative. We can disregard the traditional usual suspects whenever malware is involved: the cybercriminals with economic motives. There seems to be no monetary gain from Stuxnet.

Another potential initiator/creator is an intelligence agency or a nation. This seems more likely, as these would have the resources that creating Stuxnet requires. Some nations may also see it as part of their vital interests to sabotage a nuclear facility in Iran. Seen from this perspective, Stuxnet may be viewed as a cyberweapon - perhaps the first we have ever seen used.

It will be interesting to see if, and when, we ever get an answer to who the originators of the Stuxnet malware were.

Consequences

We started this article by claiming that Stuxnet belonged to the fourth generation of malware. Depending on its ultimate target, it may or may not have been a success.

Regardless of Stuxnet's success, it is a fact that the techniques used by this malware have been and will be analyzed and published. Stuxnet's ways of approaching systems that so far were perceived as "safe", and the potential for targeting completely different systems using ideas derived from Stuxnet, will be studied and implemented in new malware belonging to "the Stuxnet generation of malware".

With Stuxnet a completely new use of malware has been introduced.

We live in interesting times!