03.04.11

Stuxnet, HBGary, a-v positives

Posted in Cyberterrorism at 10:57 am by George Smith

Weapons inspector Charles A Duelfer has this to say about Iran’s nuclear program:

The IAEA inspectors report that Iran continues to expand its activities and, in particular, its uranium enrichment seems to be continuing with plans for expansion. Tehran has not complied with requirements to explain suspected military nuclear work and seems unfazed by Security Council sanctions. Moreover, the IAEA reports that the output of the declared facilities continues—despite the effects of the Stuxnet cyber attack. The evidence is that despite increased sanctions, the effects of cyber attacks (and reportedly the sabotaging of imported equipment) and the assassinations in Iran of top scientists, the program marches on… to the point where it is beginning to look inevitable rather than unacceptable, as previous White House statements have declared.

The mythology of Stuxnet is indefatigable. Too many businesses are directly interested in the lasting perception that cyberwar can accomplish anything.

A prime example is now HBGary. The Anonymous pillage of HBGary files spilled the company's Stuxnet material worldwide.

At Cryptome, it’s archived here.

The zip-file at Cryptome contains some technical analysis and a directory of binaries, all of which should flag positive for malware.

DD randomly tested it a day ago and Avast quarantined all of them, some flagged as generic Windows malware, others as pieces of Stuxnet and infected files which look like its dropper, rootkit and hooks into the kernel and Windows firewall.

It’s easy enough to test your anti-virus on it. A cursory scan of the file as it downloads won’t flag it — unless the on-access part of your protective suite burrows right into compressed archives.

But if you command the program to look in the archive, it will (or it should) find all of it.

The HBGary Stuxnet archive reveals an old, regular and necessary business practice: the sharing of virus library samples between security companies.

More recently, interest beyond simple technical analysis and the fashioning of digital cures has entered the picture: the tinkering with and reverse-engineering of the samples with the aim of making new versions for potential or actual use by the military or government.

Many years ago creating, rewriting and modifying malware was exclusively the domain of amateur virus-writers. But it eventually moved into organized crime when it became possible to monetize the action of computer viruses. And now it is also in the work product of computer security companies, like HBGary, in the business of cadging cyberwar and intelligence work from various official clients and, presumably, also some from the private sector.
