Posts Tagged ‘malware’
Tuesday, October 5th, 2010
There’s been a ton of speculation on Stuxnet so far, much of it seeming to indicate that this was created by a state actor. Most people have pointed at the incredible levels of effort that went into creating it. However, people are forgetting that many recent malware attacks, including Zeus and Conficker, have had the title of “most complex ever” bestowed upon them as well. It seems natural that malware and computer attacks will only continue to get more complex. Complexity alone does not indicate a state actor.
What people aren’t saying (but I have a feeling many people sense it intuitively without stating it) is that the lack of monetization, combined with the effort, is what indicates a state actor being behind the Stuxnet worm. Zeus and Conficker were easily monetized, which explains the effort involved: people (perhaps many people) worked hard to create something to make them money. If they needed an exploit, one could be purchased with the hope that they’d recoup the costs later. The fact that Stuxnet seems to do something (but we don’t know what) and doesn’t seem to be easy to monetize certainly seems to indicate a non-criminal motive. Since we haven’t seen many other players in this space with significant resources other than criminals and governments, government becomes the natural suspect.
As for the target of Stuxnet, Iran has the most infections, but that could very easily be coincidence. So far there’s no evidence at all that Iran, or anyone else, was a specific target, and we’ve had a simple case of the media continuing to report on each other’s reporting. There are so many reasons that Iran could have more infections I can’t even count them all. Perhaps Iran doesn’t have great antivirus adoption rates. Perhaps the first few infections simply happened to be there. Perhaps this was made by Iranians. Viruses are inherently untargeted, so trying to guess at a target based on the geographical location of infections is speculative at best. However, since no one has any better theories, the media echo chamber will continue to promote this until people assume it’s true, whether or not it really is.
Tags: cyberwar, iran, malware, stuxnet Posted in news
Thursday, July 29th, 2010
In the Verizon DBIR report they have an interesting graph on page 26. It shows the percentage of malware infections that have been customized (that is to say, the malware itself is customized). In 2005-2007 the percentage held steady between 21%-28%. In 2008 it jumped to 59%, and in 2010 it is still high at 54%. Perhaps not surprisingly, even though only half of the malware is customized, that half is responsible for 97% of the stolen records. Presumably non-customized malware and all other methods are responsible for the remaining 3%. Why the huge discrepancy? It’s easy: antivirus. Non-customized malware gets detected; customized doesn’t. This just goes back to something many people have started to feel in the last few years: antivirus is inherently flawed, and we’re starting to see its flaws. Blacklisting is inherently a losing battle, because there will always be new bad things, and there will always be something you didn’t think of. Whitelisting may seem like a pain at first, but in the long run it’s almost always easier and more effective.
Tags: dbir, malware, antivirus, whitelisting Posted in compliance, investigations, regulations, and legal, news
Tuesday, December 15th, 2009
I was thinking some more about the RAM scrapers mentioned in the last post. I wasn’t really paying attention the first time I read the report, but I later noticed that Verizon mentions that the RAM scraper was found on a P.O.S. (point of sale, the system a cashier will use to check out a customer in a store) system. A P.O.S. system would seem to be a system which could be very well defined in terms of what should be running on it, and would seem to be an ideal candidate for whitelisting software. Getting rid of the AV on P.O.S. systems and replacing it with whitelisting software which only allows specific applications to run would seem to be an ideal way to greatly increase the security of these systems, and make them future-proof against whatever the next generation of malware is.
Tags: av, malware, ram scraper, whitelisting Posted in compliance, investigations, regulations, and legal
Thursday, December 10th, 2009
In Verizon Business’ most recent data breach investigation report they mentioned a new class of malware which I’d never heard of before but found interesting: RAM scrapers. The basic idea is that they grab data straight from RAM. Verizon goes on to conclude that, with the recent increase in the use of encryption and limitations on what data can be permanently stored (mostly thanks to PCI), scammers have had to start looking to other areas to gain access to unencrypted data. I guess this shouldn’t really surprise anyone too much; we already know that for every measure there is another countermeasure. This is also another good example of Shamir’s third law of cryptography: “Cryptography is typically bypassed, not penetrated”.
Tags: malware, pci, ram scraper, Verizon data breach report Posted in compliance, investigations, regulations, and legal
Tuesday, August 12th, 2008
The Race to Zero is a competition which recently wrapped up at Defcon. In it, teams of contestants are given ten known pieces of malware (viruses and exploits) and are tasked with obfuscating the malware in such a way that antivirus programs cannot detect it. The competition was ultimately won by Mandiant, which completed the task in a little over six hours (about 36 minutes per challenge). This contest simply serves to illustrate the point that signature-based antivirus scanning is a failing proposition. As I’ve said before, there are a virtually infinite number of possible malware signatures out there, and trying to write an infinite number of signatures is an exercise in futility. It makes a lot more sense to enumerate good than to enumerate bad. We figured this out years ago when we started making firewalls use a default deny; we should be doing the same for antivirus.
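An added illustration of the enumerate-good argument made here and in the whitelisting and P.O.S. posts above (this is example code, not from the original posts): a toy comparison of a signature blacklist against a hash-based application allowlist. All samples are constructed byte strings, not real malware; the "repacked" variant just alters the bytes the signature was written for, to show why a blacklist needs a new signature for every variant while a default-deny allowlist does not, and a constructed "update" of the legitimate application shows the maintenance cost whitelisting carries, since it stays blocked until its hash is approved.

```python
import hashlib

# Constructed stand-ins for executable files on a point-of-sale system.
# None of these are real programs; they exist only to drive the two policies.
POS_APP = b"MZ\x90\x00 register.exe: legitimate checkout software v1"
POS_APP_UPDATE = b"MZ\x90\x00 register.exe: legitimate checkout software v2"
KNOWN_BAD = b"MZ\x90\x00 CONSTRUCTED_BAD_PATTERN_v1 scrapes card data from RAM"
# A "customized" variant: same behaviour, but the bytes the signature keys on changed.
REPACKED_BAD = KNOWN_BAD.replace(b"CONSTRUCTED_BAD_PATTERN_v1", b"C0NSTRUCTED_B4D_PATTERN_v1")

# Blacklist (signature AV): a signature is a byte pattern taken from a known-bad sample.
SIGNATURES = {"Constructed.Scraper.A": b"CONSTRUCTED_BAD_PATTERN_v1"}


def blacklist_allows(file_bytes: bytes) -> bool:
    """Signature model: everything runs unless a known-bad pattern is present."""
    return not any(sig in file_bytes for sig in SIGNATURES.values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist (default deny): only the hashes of approved applications may run.
# On a real P.O.S. this set would be built from the installed, vetted software.
ALLOWLIST = {sha256_hex(POS_APP)}


def whitelist_allows(file_bytes: bytes) -> bool:
    """Default-deny model: run only if the file's hash is on the approved list."""
    return sha256_hex(file_bytes) in ALLOWLIST


def evaluate(samples: dict) -> dict:
    """Return {name: (blacklist_verdict, whitelist_verdict)}; True means 'allowed to run'."""
    return {name: (blacklist_allows(b), whitelist_allows(b)) for name, b in samples.items()}


if __name__ == "__main__":
    results = evaluate({
        "pos_app": POS_APP,
        "pos_app_update": POS_APP_UPDATE,   # whitelist blocks this until re-approved
        "known_bad": KNOWN_BAD,             # both policies block this
        "repacked_bad": REPACKED_BAD,       # blacklist misses it; whitelist still blocks
    })
    for name, (bl, wl) in results.items():
        print(f"{name:15s} blacklist allows={bl!s:5s} whitelist allows={wl}")
```

The repacked sample is what the Race to Zero contestants and the DBIR's "customized malware" numbers are about: the blacklist verdict flips to "allowed" with one byte change, while the allowlist verdict never depends on what the attacker wrote.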
Tags: antivirus, defcon, malware, race to zero, virus Posted in software
Tuesday, June 24th, 2008
According to the statistics from Microsoft’s Malicious Software Removal Tool, trojan horses designed to steal online game credentials are now more prevalent than more traditional trojans which simply turn a PC into part of a DDoS zombie network. Frankly, this doesn’t surprise me too much. After all, the main driver behind botnets these days is purely monetary. Since multiplayer games are now also an economic engine, it makes sense for virus writers to start going after them.
Tags: bots, games, malware, money Posted in telecommunications/network security