Stuxnet and the Future of Malware

Of the incidents listed above, three of them have one thing in common: they were logic bombs. The fourth incident, Texas Auto Center, didn’t even need logic bomb capabilities because the system itself was already pretty much designed to be a logic bomb. The conditions: a disgruntled employee with system access and ill intent. The result: the system does what it was designed to do — set off car alarms — but not how or when it was supposed to.

All the Texas Auto Center ex-employee needed for that attack were credentials. His were suspended, but as a former admin, he just used someone else’s that he happened to remember. Texas Auto Center was sloppy about its access controls and authentication and paid for it.
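The access-control failure described above suggests one practical check a defender can run against authentication logs. The following is an added example, not code from the article or from any company it quotes: it flags successful logins on disabled accounts, and logins to any other account from a source address that had just tried a disabled account. The log format, user names, IP addresses and disable dates are constructed for illustration.

```python
"""Offboarding audit: flag authentication events that look like a departed
employee reusing access. Added example, not the article's code; the log
format, user names, addresses and dates are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log line format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed: 'jdoe' is a former admin whose account was disabled on
# 2010-02-01; 'mlee' is an active employee whose password jdoe still knows.
DISABLED = {"jdoe": "2010-02-01T00:00:00"}

SAMPLE_LOG = """\
2010-01-28T09:02:11 OK user=jdoe src=10.0.0.5
2010-02-03T22:41:07 FAIL user=jdoe src=203.0.113.9
2010-02-03T22:41:55 OK user=mlee src=203.0.113.9
2010-02-04T08:15:30 OK user=mlee src=10.0.0.7
"""


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse(log_text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(events, disabled, window=timedelta(hours=1)):
    """Return findings for (a) any successful login on a disabled account and
    (b) any successful login to another account from a source that attempted
    a disabled account within `window` beforehand."""
    findings = []
    # src ip -> (time, disabled user) of the most recent attempt on a disabled account
    suspect_sources = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, src, ok = e["user"], e["src"], e["result"] == "OK"
        if user in disabled and ts >= datetime.fromisoformat(disabled[user]):
            if ok:
                findings.append(Finding(e["ts"], user, src,
                                        "successful login on a disabled account"))
            suspect_sources[src] = (ts, user)
            continue
        if ok and src in suspect_sources:
            seen_ts, former = suspect_sources[src]
            if ts - seen_ts <= window:
                findings.append(Finding(
                    e["ts"], user, src,
                    f"login shortly after an attempt on disabled account "
                    f"{former} from the same source"))
    return findings


def run_sample():
    """Audit the constructed sample log; yields one finding for 'mlee'."""
    return audit(parse(SAMPLE_LOG), DISABLED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} user={f.user} src={f.src}: {f.reason}")
```

The second rule is the one that matters for this incident: a disabled account never logs in successfully, so the signal is the failed attempt on it followed, from the same source, by a success on someone else's account. In a real deployment the disabled-account list comes from the HR or identity system and the window is tuned to the environment.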

For a primer in just how potentially dangerous these sorts of attacks are, check out a November 2009 episode of 60 Minutes, which showed the world how easily a logic bomb could damage or destroy physical machinery. A test attack (called Aurora) hacked into a SCADA system and caused a power generator to self-destruct.

Logic bombs, insiders, scammers and thieves

The insider attacks above share an important trait with cyber-warfare: the main intent is to disrupt and damage. More troubling are the ones that actually want to steal classified information (or protected IP), or simply learn enough about the target to cause all sorts of problems.

The Google penetration falls into that camp, as do earlier Chinese breaches of U.S. intelligence and defense systems. The ZeuS and Bugat Trojans both target financial data, gathering specific information in order to steal.

Now, take those sophisticated malware tools (which anyone can buy online for a few thousand dollars, by the way), mix them with disgruntled workers and an outside entity seeking to steal or do harm, and you have a perfect attack storm.

Is there any proof that this sort of thing is happening? No. But it’s probably just a matter of time before it does.

There are two even more flammable ingredients: mobility and social networks. “Malware used to be binary in nature, taking advantage of a particular vulnerability in a specific system,” said Michael Sutton, VP of Security Research for Zscaler. Now, the software landscape is far more fragmented, with smartphones, tablets and other non-PC platforms complicating the picture, which is inspiring hackers to create more general-purpose malware.

“The future of malware, I’d argue, is Web-based worms. Then, it doesn’t matter what device you are on,” Sutton said. “Malware also used to spread by hopping from device to device. The devices had to have the same vulnerabilities, or it didn’t work. Now, malware is starting to target social networks, where it spreads from profile to profile to profile, growing exponentially, in minutes.”

Twitter, Facebook and LinkedIn all have numerous security vulnerabilities. For social networking sites, the space is still a land grab and the point is to grow as big as you can as fast as you can. Security is considered a minor nuisance that the sites figure they can clean up later.

The more things change

“As fascinating as it is to study new threats like Stuxnet, the majority of the threats to business are what they’ve always been,” said Chris Larsen, head of Blue Coat Systems’ research lab. “Social engineering attacks, especially for fake security products, are still some of the most common and most successful threats.”

Larsen also discussed a particularly devious social engineering attack where the bad guys launched their targeted attack by focusing on a company’s executives. However, instead of targeting the executives themselves, they went after spouses, the logic apparently being that at least one executive would have a poorly secured PC shared with a non-tech savvy spouse. That PC would then be the beachhead into the company.

Blue Coat just released its 2011 Web Security Report, which investigated the changing threat landscape in detail. “One of the trends that is the most disturbing,” Larsen said, “is that hackers are becoming more and more patient. They’ll set up fake store fronts; they’ll create ‘malvertising’ campaigns; they’ll build up a powerful botnet over time; and they’ll often seek investments from other criminals to buy them the time to concoct slower, more elaborate attacks.”

Hackers tend to be hackers, conventional wisdom goes, because they’re greedy and lazy. Emphasis on lazy. Patient, determined, high-achieving hackers who have even greedier backers? Now that’s really scary.

Based in Santa Monica, California, Jeff Vance is the founder of www.sandstormmedia.net, a copywriting and content marketing firm. He regularly contributes stories about emerging technologies to this publication and many others. If you have ideas for future stories, contact him at [email protected] or visit.