Friday, August 20, 2010

Stuxnet Cleaning

A blog post over on Technet describes the results from the first week's application of the latest Microsoft Malicious Software Removal Tool (MSRT) release. One of the new targets of the MSRT was the Stuxnet Trojan. This blog post provides figures on the number of machines from which Stuxnet was removed.

US Infections

The United States had the largest number of machines from which the Stuxnet Trojan was removed: almost 32,000 machines. Of course, this represents a very small percentage of the machines in the US; it was less than 0.1% of the machines that reported processing the MSRT. (NOTE: I wasn't aware that when I authorized the MSRT on my machines it reported the results of its application back to Microsoft. But then again, like most people, I don't actually read the user agreement that we check off before signing up for the update service.)

That 32,000-machine figure seemed awfully high to me, since Stuxnet is targeted at Siemens WinCC systems. The blog post didn't mention anything about these systems, so I asked an expert, Dale Peterson. Dale told me that the number didn't seem high to him, because the Trojan infects a computer and then looks for SCADA systems. This means that normal replication would take the Trojan to many more non-SCADA systems, simply because there are more of them available.

One thing is almost certain: the 32,000 machines from which this Trojan was removed are not all of the infected machines in this country. Many people don't sign up for automatic updates, and many machines are not directly connected to the internet. So there is going to be a reservoir of infected machines that keeps the Trojan an active threat.

One last thing to consider: with about 1 in 10,000 tested machines being infected, we can assume that there is a relatively high probability that any given Siemens WinCC system in the US has been exposed to this Trojan, even if it hasn't been specifically targeted.

The more machines that have potential linkages to the control system, the higher the probability that the SCADA system is infected. This includes networked machines and machines that can be linked via USB file transfer devices. Most of these SCADA machines are not set up to run automatic updates, so they are unlikely to have been cleaned by the MSRT. So we don't have a good handle on how many SCADA systems have been cleaned and had Stuxnet removed, which in turn means it is hard to quantify the actual chance that any given SCADA machine has been infected.

Foreign Infections

There has been much discussion in the press about the number of machines in Iran that have been infected. According to the Technet blog, the MSRT removed Stuxnet from almost 5,000 machines in Iran. While this is a significantly smaller number than was found in the US, it is a much higher percentage (1.83%) of the machines checked in that country. The only other country with anywhere near that infection rate was Indonesia, at 1.66%. This statistical anomaly has given rise to speculation that Stuxnet was specifically developed to target machines in those countries, which in turn leads to the suggestion that it might have been an intelligence agency that developed it. The problem with that speculation is determining which intelligence agency would want to target these two particular countries.
