
Stuxnet: Zero Victims - Hackman21
http://securelist.com/analysis/publications/67483/stuxnet-zero-victims/
======
pimlottc
The title should read something like "Initial victims". The article isn't
claiming there weren't any victims; it's just the opposite, that there were
multiple (5) primary sites affected by the attack, which they attempt to
pinpoint and analyze.

I guess they chose the title by analogy with the term "patient zero", since
"patients zero" wouldn't have quite made sense.

~~~
e40
Perhaps "victim zero" then?

------
PhantomGremlin
In reading this, I'm astonished at how primitive Stuxnet was. If I were
writing a worm that saved information on infected systems, I would have:

    created a public/private key pair
    included the public key in the worm
    encrypted interesting stuff with the public key

That way nobody would be able to decrypt any of the information saved by the
worm if they didn't know the private key.

Does that make sense or am I missing something obvious? Why did Stuxnet keep a
cleartext embedded trail of systems it traversed? I can't grok that at all.

~~~
amckenna
It is possible they chose not to encrypt things with public/private keys
(asymmetric crypto) because generally that is slow and computationally
intensive, as compared to using symmetric crypto. If the goal was to be as
stealthy as possible then creating asymmetrically encrypted blobs on the
victims machines may have been too obvious. They couldn't have used symmetric
crypto because the key would need to have been kept on the machine performing
the crypto, thereby rendering it useless.

My guess is they figured stealth would provide the protection they needed and
the possibility that errors/corruption during encryption, storage, and
transmission was an unacceptable risk at the time. Another possibility is that
large blobs of encrypted data on the victim machines would be obvious and
possibly flagged, thereby compromising the stealth of the operation. Or the
devs simply didn't have time.
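Worked example (added here; not from the Securelist article and not code from either commenter) of the three-step recipe PhantomGremlin lists above, done the way it is normally done in practice so that amckenna's two concerns are covered as well: a hybrid construction where a fresh random AES-256-GCM content key encrypts each trail entry and only that 32-byte key goes through the slow public-key operation (RSA-OAEP under the key pair's public half, which is all the implant would carry), and the symmetric key is used once and wiped rather than stored on the host. The record layout, field names, OAEP label and the sample host entry are this example's own assumptions; the real Stuxnet trail format is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose; it is a constant, not a secret.
var oaepLabel = []byte("infection-trail-v1")

// HopRecord is one entry of the kind of host trail the article describes Stuxnet
// keeping in the clear (host, domain, OS version, time). The layout is this
// example's own assumption, not the worm's real on-disk format.
type HopRecord struct {
	Host      string `json:"host"`
	Domain    string `json:"domain"`
	OSVersion string `json:"os"`
	Seen      int64  `json:"seen"`
}

// Sealed is what would be stored on the infected host: the record under
// AES-256-GCM plus the per-record content key wrapped with RSA-OAEP under the
// operator's public key. Nothing in it lets the holder decrypt.
type Sealed struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// aesGCM builds the AEAD for a 32-byte content key.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord runs on the victim with only the public key embedded in the
// implant. A fresh content key is generated per record, used once and zeroed,
// so no symmetric key persists on the machine; the only public-key operation
// is one OAEP encryption of the 32-byte key, so bulk data never goes through RSA.
func SealRecord(pub *rsa.PublicKey, rec HopRecord) (Sealed, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return Sealed{}, err
	}
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return Sealed{}, err
	}
	defer func() { // best-effort wipe once the blob is built
		for i := range contentKey {
			contentKey[i] = 0
		}
	}()
	aead, err := aesGCM(contentKey)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, oaepLabel)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenRecord is the operator side: unwrap the content key with the private key
// that never left the operator, then authenticate and decrypt. A wrong key or a
// tampered blob fails here instead of yielding garbage.
func OpenRecord(priv *rsa.PrivateKey, s Sealed) (HopRecord, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return HopRecord{}, fmt.Errorf("unwrap content key: %w", err)
	}
	aead, err := aesGCM(contentKey)
	if err != nil {
		return HopRecord{}, err
	}
	plaintext, err := aead.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return HopRecord{}, fmt.Errorf("authenticate/decrypt record: %w", err)
	}
	var rec HopRecord
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // operator side; only &priv.PublicKey ships
	// Constructed sample entry; the host name and "5.2" echo names discussed in this thread.
	rec := HopRecord{Host: "ANTIVIRUSPC", Domain: "example.local", OSVersion: "5.2", Seen: 1257894000}
	sealed, _ := SealRecord(&priv.PublicKey, rec)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // an analyst holding the disk image
	_, err := OpenRecord(stranger, sealed)
	fmt.Println("wrong private key rejected:", err != nil)
	got, err := OpenRecord(priv, sealed)
	fmt.Printf("operator recovers %+v (err=%v)\n", got, err)
}
```

The sealed blob is still recognisable as high-entropy data on disk, which is the stealth trade-off amckenna raises; what the construction does guarantee is that neither the disk image nor the embedded public key gives an analyst the plaintext, and that any edit to the blob is caught by the GCM tag when the operator opens it.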

------
adamfeldman
Please change the submission to a secure URL:
https://securelist.com/analysis/publications/67483/stuxnet-zero-victims/

------
tkmcc
> The name could mean that the initial infection affected some server named
> after our anti-malware solution installed on it.

Unlikely to be a server given that OS version number on the "KASPERSKY ISIE"
line is 5.1, which corresponds to that of Windows XP [+].

> KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at
> least two servers involved in this case too.

...also judging by the "5.2" on each line, which corresponds to the OS version
of Windows Server 2003 (including R2). "5.2" also could indicate Windows XP
64-bit Edition, but that seems much less likely to be the case.

[+] http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832%28v=vs.85%29.aspx

