A hacker group claimed possession of Stuxnet source code, and certain media thought it was worth an article. Actually, it’s not. Stuxnet binaries are available on the Internet for everybody. Everybody can download a copy of Stuxnet and start reverse engineering the code. For some parts of the dropper, that’s actually quite easy, as Microsoft’s Bruce Dang recently explained in Berlin. The question is why anybody would take the effort to reverse engineer Windows exploits that have already been fixed by the vendor. With the exploits for the engineering software and the SCADA application it’s different, but few people have recognized this, and hackers, CERT people and journalists are not among them.
A whole different story is the controller code. Cracking the encryption and decompiling the code is comparatively easy and has been done at least by us and by Symantec, as has been proven. It can and will certainly be done by others as well. Everybody who takes the effort ends up with roughly 15,000 lines of STL code that looks to the average hacker like antiquated pre-8086 assembly language (several examples have been given in this blog).
The problem with Stuxnet’s STL code is not the exact sequence of instructions. The problem is the underlying concepts that have been used in the exploits. Hackers will have a hard time understanding these. Control system engineers won’t. So while hackers probably won’t play around with controller attacks for another several months, we cannot assume the same for some more serious potential attackers in organized crime, terrorism, and state-sponsored cyber warfare organizations.