If you think malware is a serious problem today, just wait for the Stuxnet worm to get busy.
Developed and launched by parties unknown, the Stuxnet worm has been described as “a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance — a target still unknown.”
Various other reports indicate that the worm has targeted industrial control systems sold by Siemen and appears to have been directed at the Iranian IT infrastructure where, as of July, about 60 per cent of all Stuxnet-infected machines were to be found (the world total of infected machines was estimated at that time to be about 45,000, spread across various countries, including Indonesia and India).
It turns out Iran uses Siemens control systems in its electricity generating plants, communication systems, and first nuclear power plant, which is scheduled to start producing power in October. Or maybe that should now be “was scheduled”.
What’s particularly impressive, according to a Computerworld article, is that malware experts from Symantec and Kaspersky Lab discovered that the Stuxnet worm “exploited not just one zero-day Windows bug but four — an unprecedented number for a single piece of malware.”
Security guru Bruce Schneier has a good summary of the worm that is now thought to be the work of an unidentified national government or some other large, well-heeled organization simply because of the incredible (and therefore, expensive) complexity of the code.
Now, just imagine this mutating, incredibly hard to find and remove, highly infectious worm spreading stealthily over the next few months and years. The worm replicates far and wide and becomes a time bomb. This will be an opportunity just waiting for the first organization to work out how to hijack the worm’s code to use as their own attack platform. Any group or groups that do this could strike a devastating blow on anyone they consider to be their enemy — this could be a country (India vs. Pakistan), an industry (eco-extremists vs. Big Oil), or even just another business (pick any pair of commercial global companies).
Or imagine what might happen if some devious organization should reverse engineer the code and set loose a re-targeted worm then try to imagine what would happen should your organization’s IT systems become the focus of an attack. If this worm is half as effective as reports claim, your IT world would come crashing down and stay down for a long time … at least long enough for you to install OS X or Linux.
But what if the attack isn’t of the all-out variety? What if the worm masters just degrade your systems rather than wipe everything out? They could, for example, cause the normal rate of PC crashes in your organization to increase by, say, a measly 1 per cent.
If such a thing happened right after Microsoft’s regular updates, how would you ever notice the increase? You’d probably mark it down to the updates before you’d ever suspect malware that was virtually undetectable.
But the financial consequences would be significant. You’d have a decrease in productivity of much more than 1 per cent because you might, for example, lose orders or lose data that has to be recreated. The chances of being able to see the consequences of a serious stealth malware attack are very, very low given how most organizations manage and track their PC infrastructure.
On the other hand, a major malware outbreak that targeted not one or two organizations but, for example, the entire banking sector could be far more damaging than most people might think; just consider how many devices and services Windows powers. For instance, ATMs would tank, administrative PCs would bork, and most consumers would find themselves typing on the keyboards of expensive boat anchors when they tried to get to their accounts (and the malware might have well passed their account credentials to the worm masters who then drained the consumer’s accounts).
Yep, this could be the future and sooner than you might think. Then again, the future could already have started.
Gibbs worries in Ventura, Calif. Your concerns to backspin@gibbs.com.