Siemens discovers 417 attack code

We have always said that Stuxnet can only be understood based on hard lab work. So it does not surprise  us at all that when we sent our fellow researchers from Siemens back to their lab on November 11 in response to their meager “official Siemens communication” on Stuxnet, success was waiting right around the corner. Only eleven days later, they finally did discover the 417 attack code.

Quote from their official Stuxnet portal: When the CPU 417 and a DB 8061 that was already in the project are used, the malware is able to change the block during downloading. If the DB8061 is not already in the project, no action is required.

It is noteworthy that they point out DB 8061, which is the most peculiar data block of the 417 attack, since it is loaded dynamically by the rogue driver DLL, whereas the other data blocks are either statically loaded by the DLL (DB 8062, 8063), or dynamically created by rogue code on the controller (DB 8064..8070). As their first genuine research result that hadn’t previously been published by us or by Symantec, Siemens lets us know that DB 8061 is part of the targeted project. Now with Siemens’ Stuxnet experts back in business, we assume that they will soon tell us about any products they know about for the 417(FH) that would use DB 8061.