Super Stuxnet's SCADA slaves: security is atrocious
153 computers, six SCADA systems, most C&C points to Iran
Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.
Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.
Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.
"The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet," Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].
"It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system."
Kleissner says the remaining infections are divided between India (23 percent), Indonesia (eight percent), and Saudi Arabia (seven percent).
The botnet wrangler had nabbed two command and control servers used in Stuxnet allowing him to gain insight into the active infections.
The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.
"... any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection," Kleissner says.
Stuxnet is one of the world's nastiest attacks, and is widely considered to be the handiwork of a hugely successful United States efforts under Operation Olympic Games to derail Iran's Natanz uranium enrichment program.
It is highly specialised targeting the machinery in use at Natanz and contains an expensive four zero days security flaws. ®