Among the many studies of the famous malware, this one, just published by Ralph Langner of the Langner Group, is perhaps the one that struck me most (a summary here): for the depth of its analysis and for some conclusions that, if correct, would call into question a couple of certainties that have settled in over the last two years.
For example, according to the author, the worm did not really escape control by propagating and infecting via the Internet. Langner writes:
Legend has it that in the summer of 2010, Stuxnet “escaped” from Natanz due to a software bug that came with a version update, and that the roughly 100,000 Stuxnet-infected computer systems worldwide became infected because the malware now self-propagated via the Internet much like a conventional worm. According to the story, Patient Zero was a mobile computer that a control system engineer at Natanz plugged into an infected controller; the laptop got infected and set the malware free when later connected to the Internet.
While that is a good story, it cannot be true. An infected controller contains only Stuxnet’s payload and no dropper component whatsoever, making the alleged jump from controller to computer technically impossible.
All propagation routines in Stuxnet’s dropper (introduced with the rotor speed attack) are carefully crafted, with the problem to be solved apparently being that physical contact to a trusted carrier had been lost. But propagation can only occur between computers that are attached to the same logical network or that exchange files via USB sticks. The propagation routines never make an attempt to spread to random targets for example by generating random IP addresses. Everything happens within the confined boundaries of a trusted network.
However, these days such a trusted environment isn’t necessarily local anymore. Contractors working at Natanz work for other clients as well, and they will have carried their Stuxnet-infected laptop computers to those clients and connected them to their (maybe even air-gapped) “local” networks. Patient One, let’s say a cement plant, will have other contractors besides the one that employs Patient Zero, who also connect their mobile computers to the now-infected “local” network. Those will carry the malware farther. At some link in the chain, infected contractors and/or asset owners will use remote access via VPN, allowing the virus to travel over continents. All of a sudden, Stuxnet made its way around the globe, but not because of the Internet, but because trusted network connections are tunneled through the Internet these days, extending to shared folder access, however ill-advised that may be from a security perspective.
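The propagation argument in the quoted paragraphs, as an added example that is not part of the original post or of Langner's analysis: a small Python model in which infection can only cross a shared trusted network (a LAN, a USB-stick exchange, or a VPN-tunneled remote-access link), controllers carry only the payload and therefore cannot infect anything, and a host that sits on the open Internet but shares no trusted network with an infected machine is never reached. All host names, network names and the scenario itself are constructed for illustration.

```python
"""Trusted-network propagation model (constructed example, not Stuxnet code).

Hosts are either computers (carry the dropper and can propagate) or
controllers (carry only the payload and are dead ends). A "network" is any
trusted channel over which a computer exchanges files or shares folders:
a plant LAN, a USB stick passed between engineers, or a VPN tunnel that
stitches two distant LANs together. Infection spreads only across such a
shared channel; the model has no notion of scanning random addresses.
"""
from collections import deque

COMPUTER = "computer"
CONTROLLER = "controller"

# Constructed host inventory (hypothetical names).
HOSTS = {
    "natanz_eng_laptop": COMPUTER,
    "natanz_eng_ws": COMPUTER,
    "natanz_plc": CONTROLLER,
    "cement_hmi": COMPUTER,
    "cement_contractor_laptop": COMPUTER,
    "refinery_vpn_server": COMPUTER,
    "refinery_eng_ws": COMPUTER,
    "refinery_plc": CONTROLLER,
    "random_internet_host": COMPUTER,  # reachable via the Internet, trusted by nobody
}

# Constructed trusted channels: each maps a channel name to its members.
NETWORKS = {
    "natanz_lan": {"natanz_eng_laptop", "natanz_plc"},
    "usb_stick_natanz": {"natanz_eng_laptop", "natanz_eng_ws"},
    "cement_lan": {"natanz_eng_laptop", "cement_hmi", "cement_contractor_laptop"},
    "vpn_cement_to_refinery": {"cement_contractor_laptop", "refinery_vpn_server"},
    "refinery_lan": {"refinery_vpn_server", "refinery_eng_ws", "refinery_plc"},
}


def propagate(hosts, networks, patient_zero):
    """Breadth-first spread from patient_zero.

    Returns (infected_hosts, hops) where hops[h] is the number of trusted-channel
    crossings between patient_zero and h. A controller is infected by its
    network but never spreads further, because it holds no dropper.
    """
    member_of = {h: set() for h in hosts}
    for net, members in networks.items():
        for h in members:
            member_of[h].add(net)

    hops = {patient_zero: 0}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        if hosts[src] == CONTROLLER:
            continue  # payload only: cannot act as a source of infection
        for net in member_of[src]:
            for dst in networks[net]:
                if dst not in hops:
                    hops[dst] = hops[src] + 1
                    queue.append(dst)
    return set(hops), hops


def laptop_as_patient_zero():
    """Scenario 1: an infected engineering laptop is carried from site to site."""
    return propagate(HOSTS, NETWORKS, "natanz_eng_laptop")


def controller_as_patient_zero():
    """Scenario 2: the legend's version, with an infected controller as the source."""
    return propagate(HOSTS, NETWORKS, "natanz_plc")


if __name__ == "__main__":
    infected, hops = laptop_as_patient_zero()
    for h in sorted(infected, key=hops.get):
        print(f"{hops[h]} hop(s): {h} ({HOSTS[h]})")
    print("never reached:", sorted(set(HOSTS) - infected))
    print("from controller:", controller_as_patient_zero()[0])
```

In scenario 1 the malware reaches the refinery's controller three trusted-channel crossings away, through a cement plant and a VPN, while the host that is only reachable over the Internet stays clean; in scenario 2 the infection never leaves the controller, which is the point Langner makes about the missing dropper.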