Son of Stuxnet Found in the Wild on Systems in Europe - boh
http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/

======
parshap
This is big news. It confirms suspicions that the Stuxnet attack on Iran was
not going to be a one-time thing. We now know that at least one group has
already been running these types of attacks and surveillance all over the
world for the past two years (with much more likely planned). In the coming
years, this kind of thing is going to be the norm for nations and other
organizations with the resources.

------
drallison
Joe Weiss spoke about exploits of this sort in the Stanford EE Computer
Systems Colloquium on Oct 12, 2011. View the video of the talk and download
the slides at <http://ee380.stanford.edu>.

------
gasull
Why does the article assume it is made by the same people who wrote Stuxnet?
Stuxnet source code from an IDA Pro dump is available on GitHub and in
torrents.

~~~
rnicholson
Symantec's write-up has more details and comparison of Stuxnet and Duqu -
[http://www.symantec.com/content/en/us/enterprise/media/secur...](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf)

~~~
gasull
I've skimmed it. My point is that, if the source code of Stuxnet is available
on the Internet, anyone could have created Duqu.

~~~
lawnchair_larry
Try compiling it. You won't get far.

Current binary to C decompilers are not sufficient to reproduce and modify
moderately complex software. They just make analysis easier, because it's more
like reading pseudocode.

------
geoffschmidt
What I don't understand is, how does it send the information it gathers back
to its operators? I thought that these industrial facilities weren't usually
connected to the internet, and that a worm had to get lucky with a thumb drive
to get inside.

How do you run that backwards to get data out? Surely not thumb drives again?

~~~
jness
This malware does not target air-gapped industrial control systems. This is
just a remote administration trojan with a keylogging component. The kernel
mode driver architecture and hooking method is the same (probably same code)
as used in Stuxnet but the malware's purpose is information gathering only,
not industrial sabotage.

------
westiseast
This is probably the longest article I've ever read on the internet -
fantastic introduction for me, a person who knows very little about trojans
except that the Greeks made a big one years ago.

