According to a report from Sky News, the Stuxnet worm has already been traded on the black market. The report does not clarify whether this refers to the source code or to binary samples. British security specialists now fear that terrorists could use the worm to attack critical infrastructure. The report quotes an IT security consultant to the UK government as claiming, "You could shut down power stations, you could shut down the transport network across the United Kingdom".
According to the report, there is hard evidence that Stuxnet is in the hands of highly motivated, well-trained, well-financed criminals. Sky News' source declined to give more precise information.
Audun Lødemel, VP of Marketing and Business Development at German IT service provider Norman, believes that, "It was just a matter of time before the Stuxnet code was made available for anyone, with even the most basic knowledge of coding, to alter and potentially wreak havoc on the UK infrastructure. This is serious stuff and Oil & Gas, Railways, Electricity and Water services should now be on Red Alert".
Whether this kind of alarmist assessment of the threat is justified is highly doubtful. Although it is theoretically possible that terrorists could modify Stuxnet for their own ends, Stuxnet has a highly specific digital payload and cannot disable just any power station, traffic light controller, water pumping station or other system – and certainly can't be controlled by a bunch of script kiddies sitting in front of their PCs. The attackers would have to look at specific vulnerabilities in specific targets, develop new attack code and incorporate it into Stuxnet.
Nonetheless, Stuxnet remains the most sophisticated vehicle available for putting together malicious code aimed at industrial systems running on Microsoft Windows. It spreads via USB flash drives and LANs and exploits multiple vulnerabilities in Windows to insert itself into industrial control systems, where it conceals itself and sets about performing the task for which it was designed – manipulating code in programmable logic controllers to disrupt, for example, motor and turbine control systems. Researchers have now got to the bottom of most of its tricks, meaning that in future it will take further work to allow it to sneak past anti-virus software and intrusion detection systems.