Stuxnet questions and answers from F-Secure

October 1st, 2010

If you are interested in the Stuxnet worm, take a look at this blog post from F-Secure Labs, Stuxnet Questions and Answers. It’s relatively free of hyperventilation and speculation. F-Secure is a Finnish company specializing in anti-virus and computer security software. Here’s an intriguing example from the post that does speculate a bit.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the significance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Hat tip HN.

Update: Another good resource is Symantec’s W32.Stuxnet Dossier.

“While the bulk of analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months well beyond the cited authors. Without their assistance, this paper would not be possible.”