According to a report from Sky News, the Stuxnet worm has already been traded on the black market. The report does not specify whether this refers to the source code or binary samples. British security specialists now fear that terrorists could use the worm to attack critical infrastructure. The report quotes an IT security consultant to the UK government as saying, "You could shut down power stations, you could shut down the transport network across the United Kingdom."

There is hard evidence that Stuxnet is in the hands of highly motivated, well-trained, and well-financed criminals. Sky News' source declined to provide more precise information.

Audun Lødemel, VP of Marketing and Business Development at German IT service provider Norman, believes that "It was just a matter of time before the Stuxnet code was made available for anyone, with even the most basic knowledge of coding, to alter and potentially wreak havoc on the UK infrastructure. This is serious stuff, and Oil & Gas, Railways, Electricity, and Water services should now be on Red Alert."

Whether this alarmist assessment of the threat is justified is highly doubtful. Although it is theoretically possible that terrorists could modify Stuxnet for their own ends, Stuxnet has a highly specific digital payload. It cannot disable just any power station, traffic light controller, water pumping station, or other system—and certainly can't be controlled by a bunch of script kiddies sitting in front of their PCs. The attackers would have to identify specific vulnerabilities in specific targets, develop new attack code, and incorporate it into Stuxnet.

Nonetheless, Stuxnet remains the most sophisticated vehicle available for creating malicious code aimed at industrial systems running on Microsoft Windows. It spreads via USB flash drives and LANs, exploiting multiple vulnerabilities in Windows to insert itself into industrial control systems. Once inside, it conceals itself and performs its designed task: manipulating code in programmable logic controllers to disrupt motor and turbine control systems. Researchers have now uncovered most of its methods, meaning that in the future, it will take further work to sneak it past anti-virus software and intrusion detection systems.

