Symantec: Stuxnet 2.0 unlikely

While another wave of uranium attacks may be unlikely, industry now more cautious and will be watching out for improvised Stuxnet-like malware, security expert says.

TOKYO--The Stuxnet worm may have stolen the IT security limelight last year, but a second wave of attacks is unlikely to take place, according to Symantec.

During a press briefing here Wednesday to launch the company's Insight Reputation System, Kevin Hogan, Symantec's senior director for security response, said the Stuxnet target is very specific, so the worm's availability on the Internet does not mean malicious hackers will use it to launch new attacks.

Hogan said: "Unless you have information on the installation you want to target, you can't do it. The Windows code, which the Stuxnet worm was written from, has already been developed into another threat--like the rootkit for example--but it does not mean another facility is at stake."

When quizzed on whether the threat has evolved, he said the Stuxnet attacks have "opened the lid" on industrial control systems and become an added area of security that researchers like him will have to look at.

"We realized that the Scada (supervisory control and data acquisition) system, which was the [original] target in Stuxnet attacks, has a series of problems too--not unlike the Windows systems we use for daily work," he clarified.

He added that the worm was not as esoteric as it seemed and that most of the operations--of launching Stuxnet attacks--had moved to Windows. "It's an eye-opener for me and my team to discover that the Stuxnet worm actually isn't as different as we thought it was," he said.

The malware exploits a vulnerability in the way Microsoft's Windows Shell handles shortcut files and, if exploited, can allow an attacker to gain complete control of a system. The worm was initially written to steal data from critical infrastructure companies by specifically targeting Scada systems running Siemens' WinCC software.

While he does not believe an instance of Stuxnet 2.0 will surface, Hogan cautioned that the industry should still be wary of new malware that may leverage the design of the original worm.

"In the next year or two, we will probably see proof of concepts [of Stuxnet-like threats]. The Scada industry is also aware of this development and will approach things differently," he said.

Stuxnet attacks theoretically have the ability to cause significant chaos as highlighted in previous media reports, but Hogan believes a "center-view" approach should be adopted to address the issue.

"Stuxnet is an easy scare-mongering subject, but bear in mind that it was designed for a single purpose, a single installation," he said.

"Yes, the Windows PC system can be affected, but no harm will occur if it is not linked to the Step 7 system," he explained. Step 7 refers to a programming system for industrial controllers, designed for professional use, through which automated functions are carried out.

For non-industrial IT users, Hogan said the risk of banking or personal information being stolen is high and is an area the industry should pay attention to.

Focus on smartphone security
Threats targeting smartphones are also on the rise, Hogan said, adding that in the near- to mid-term, denial-of-service (DoS) attacks, spyware and banking Trojans will continue to plague unsuspecting consumers.

Another threat smartphone users may face is the risk of downloading badly written apps. According to Hogan, a major U.S. network's service had to be temporarily degraded due to a badly written instant messenger app running on Google's Android platform.

While "permissions" are typically requested before users download apps from Android Market, the average user does not appear to care too much about giving "access" to apps, he explained.

He noted that as Google does little when vetting Android apps, users may be infected by rogue or poorly designed apps only after installation.

He cautioned mobile users to be wary when downloading apps as they may purport to be useful tools, but are in fact Trojans which are capable of stealing passwords and personal information when installed.

Hogan also highlighted that Nokia's Symbian OS currently carries the largest number of malware threats, more than 50. "Most of these were written to attack the Nokia S60 [phone], which had a considerable number of users in Europe and Indonesia," he said. "But these viruses will die off as the handsets are phased out."

This is unlike malware targeting Android and Apple's iOS, he noted, which persists on those platforms and may continue to infect users even when they move to new models running the same platforms.

Tyler Thia of ZDNet Asia reported from Symantec's regional media briefing in Tokyo, Japan.