Hacker News new | past | comments | ask | show | jobs | submit login
Stuxnet: Zero Victims (securelist.com)
99 points by Hackman21 on Nov 11, 2014 | hide | past | favorite | 9 comments



The title should read something like "Initial victims". The article isn't claiming there weren't any victims; it's just the opposite, that there were multiple (5) primary sites affected by the attack, which they attempt to pinpoint and analyze.

I guess the chose the title by analogy with the term "patient zero", since "patients zero" wouldn't have quite made sense.


Perhaps "victim zero" then?


The article itself also calls them "patients zero" or "original victims": "Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims)."


Yes, that confused me too.


In reading this, I'm astonished at how primitive Stuxnet was. If I were writing a worm that saved information on infected systems, I would have:

   created a public/private key pair
   included the public key in the worm
   encrypted interesting stuff with the public key
That way nobody would be able to decrypt any of the information saved by the worm if they didn't know the private key.

Does that make sense or am I missing something obvious? Why did Stuxnet keep a cleartext embedded trail of systems it traversed? I can't grok that at all.


It is possible they chose not to encrypt things with public/private keys (asymmetric crypto) because generally that is slow and computationally intensive, as compared to using symmetric crypto. If the goal was to be as stealthy as possible then creating asymmetrically encrypted blobs on the victims machines may have been too obvious. They couldn't have used symmetric crypto because the key would need to have been kept on the machine performing the crypto, thereby rendering it useless.

My guess is they figured stealth would provide the protection they needed and the possibility that errors/corruption during encryption, storage, and transmission was an unacceptable risk at the time. Another possibility is that large blobs of encrypted data on the victim machines would be obvious and possibly flagged, thereby compromising the stealth of the operation. Or the devs simply didn't have time.


Seems lazy, especially since its ancestor Flame contained some "world class" crypto expertise.

[1] http://gcn.com/articles/2012/06/11/flame-world-class-crypto-...


Please change the submission to a secure URL: https://securelist.com/analysis/publications/67483/stuxnet-z...


> The name could mean that the initial infection affected some server named after our anti-malware solution installed on it.

Unlikely to be a server given that OS version number on the "KASPERSKY ISIE" line is 5.1, which corresponds to that of Windows XP [+].

> KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.

..also judging by the "5.2" on each line, which corresponds to the OS version of Windows Server 2003 (including R2). "5.2" also could indicate Windows XP 64-bit Edition, but that seems much less likely to be the case.

[+] http://msdn.microsoft.com/en-us/library/windows/desktop/ms72...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: