Many aspects of Stuxnet are so completely different from malware as we know it that it’s only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation — operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
– Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
– Assemble development & test lab, including process model
– Do intel on target specifics, including identification of key people for initial infiltration
– Steal digital certificates
Stage 2, infiltration:
– Initial infiltration using USB sticks, perhaps using a contractor’s compromised web presence
– Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
– Contact command & control servers for updates, and for evidence of compromise
– Update local peers by using embedded peer-to-peer networking
– Shut down command & control servers
Stage 3, execution:
– Check controller configuration
– Identify individual target controllers
– Load rogue ladder logic
– Hide rogue ladder logic from control system engineers
– Check PROCESS condition
– Activate attack sequence
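The step "hide rogue ladder logic from control system engineers" is the one a defender can check for directly: the program actually resident on the controller must match the program the engineering project says is there. The following is an added example, not code from the original post or from any vendor tool. It assumes two constructed inputs, the block listing as the engineering station presents it to the engineer and an independent read-back of the blocks from the controller, and reports blocks that were modified, added or removed. The block names and bytes are made-up placeholders, not real PLC program code.

```python
import hashlib
from typing import Dict, List

# Constructed sample data (not real PLC blocks). Each entry maps a block name
# to the compiled bytes of that block.
#
# What the engineering station shows the control system engineer:
ENGINEERING_STATION_VIEW: Dict[str, bytes] = {
    "OB1": b"\x70\x70\x01\x00 call FC1; call FC2",
    "FC1": b"\x70\x70\x02\x00 read sensors",
    "FC2": b"\x70\x70\x03\x00 write actuators",
}

# What an independent read-back from the controller returns. The cyclic block
# OB1 has been altered and an extra block "FC900" (a constructed placeholder
# name) has been loaded that the project knows nothing about.
CONTROLLER_READBACK: Dict[str, bytes] = {
    "OB1": b"\x70\x70\x01\x00 call FC1; call FC2; call FC900",
    "FC1": b"\x70\x70\x02\x00 read sensors",
    "FC2": b"\x70\x70\x03\x00 write actuators",
    "FC900": b"\x70\x70\x04\x00 rogue sequence",
}


def fingerprint(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every block's compiled bytes, keyed by block name."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def compare_program(baseline: Dict[str, bytes],
                    readback: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the engineer's view (baseline) with what the controller runs.

    Returns sorted lists of block names that differ, that exist only on the
    controller, and that exist only in the project.
    """
    base_fp = fingerprint(baseline)
    read_fp = fingerprint(readback)
    modified = sorted(n for n in base_fp if n in read_fp and base_fp[n] != read_fp[n])
    added = sorted(n for n in read_fp if n not in base_fp)
    missing = sorted(n for n in base_fp if n not in read_fp)
    return {"modified": modified, "added": added, "missing": missing}


def is_clean(result: Dict[str, List[str]]) -> bool:
    """True when controller and project agree block for block."""
    return not (result["modified"] or result["added"] or result["missing"])


def report(result: Dict[str, List[str]]) -> str:
    """Human-readable summary for an operator or a SOC ticket."""
    if is_clean(result):
        return "OK: controller program matches engineering project"
    lines = ["ALERT: controller program deviates from engineering project"]
    for kind in ("modified", "added", "missing"):
        for name in result[kind]:
            lines.append(f"  {kind:8s} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_program(ENGINEERING_STATION_VIEW, CONTROLLER_READBACK)))
```

The design point is where the read-back comes from. If it is fetched through the same engineering workstation and communication library that the attacker already subverted, both sides of the comparison are under attacker control and the check reports nothing. The baseline has to be captured at commissioning and stored offline, and the read-back has to travel a path the engineering station does not mediate, for instance a separate monitoring host with its own connection to the controller.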
What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it’s all solid, reliable engineering — attack engineering.