The Stuxnet worm is a "wake-up call" because of its complexity and its aim at critical infrastructure systems, a Symantec director told a U.S. congressional committee today.
The malware is a milestone in many ways, Dean Turner, director of Symantec Security Response's Global Intelligence Network, said in testimony before the U.S. Senate Committee on Homeland Security and Governmental Affairs.
It is the first known threat to: spy on and reprogram industrial control systems and grant hackers control of critical infrastructures; use four zero-day vulnerabilities; compromise two digital certificates; inject code into industrial control systems and hide the code from operators; and include a programmable logic controller (PLC) rootkit to reprogram PLCs and hide the changes, he said.
"Stuxnet is an incredibly large and complex threat," Turner said. "In fact, it is one of the most complex threats that we have analyzed to date at Symantec."
"Stuxnet demonstrates the vulnerability of critical national infrastructure industrial control systems to attack through widely used computer programs and technology. Stuxnet is a wake-up call to critical infrastructure systems around the world," he said. "Stuxnet has highlighted that direct attacks to control critical infrastructure are possible and not necessarily spy-novel fictions. The real-world implications of Stuxnet are beyond any threat we have seen in the past."
It's still unknown who is responsible for Stuxnet and exactly what the target was, although there has been speculation, bolstered by recent research from Symantec, that Iran's Natanz uranium enrichment facility could have been a target.
The worm spreads via holes in Windows, but doesn't unleash its payload unless the infected machine runs specific Siemens software used in industrial control systems, such as those found in power plants, dams and chemical facilities.
Whoever is behind it knows industrial control systems, so it's not likely that a typical cybercriminal gang developed it, Turner said.
Stuxnet has infected hundreds of thousands of computers, mostly home or office PCs. It's also infected an unnamed utility company in the San Diego area, according to antivirus firm Eset. And Siemens has confirmed infections at about 14 industrial control systems, but it's unknown exactly how the industrial control systems were affected.
Updated 3:35 p.m. PST with information on infections.