Stuxnet Tricks Copied by Computer Criminals

Techniques used by government-backed malware are surfacing in the code used by ordinary cyber criminals.
September 19, 2012

Malicious code apparently used by governments to spy on, harass, and sabotage one another has grabbed headlines in recent years, yet the highly targeted nature of such attacks has meant ordinary Web users have so far had little to fear. That may now be changing as some experts say the techniques used in sophisticated, state-backed malware are trickling down to less-skilled programmers who target regular Web users and their online accounts or credit card details.

Rogue code: A portion of code from the Flamer virus.

“Cybercriminals read the news as well,” says Roel Schouwenberg, a security researcher with Russian computer security company Kaspersky. Schouwenberg adds that sophisticated, state-sponsored “cyberweapons and targeted attacks now give us some insight into what will be coming into the mainstream.”

State-sponsored malware became widely known in 2010 with the discovery of Stuxnet, a program targeted at Iranian industrial control systems and believed to have been sponsored by Israel and the United States (see “New Malware Brings Cyberware One Step Closer”). Since then, several other very sophisticated malware packages have been discovered that are also believed to have been made by governments or government contractors. These packages include Duqu, exposed late in 2011, and Flame, found in May 2012.

One reason such malware is so effective is that it tends to exploit previously unknown software vulnerabilities, known as zero-days, in widely used programs such as Microsoft Windows to gain control of a computer. Schouwenberg says those exploits can be quickly “copy-pasted” by other programmers, as happened after the discovery of Stuxnet, but they are also usually patched relatively quickly by software companies. More concerning is the way that higher-level design features are being picked up, he says.

“They are copying the design philosophy,” says Schouwenberg, adding that one now-popular technique found in conventional “criminal malware” was inspired by the discovery of Stuxnet. For example, Stuxnet installed fake device drivers using digital security certificates stolen from two Taiwanese computer component companies, allowing them to sneak past any security software. Other malware now uses fake certificates in a similar way to hide malicious software from antivirus programs.

“Stuxnet was the first really serious malware with a stolen certificate, and it’s become more and more common ever since,” says Schouwenberg. “Nowadays you can see use of fake certificates in very common malware.”

Aviv Raff, chief technology officer and cofounder of Israeli computer security firm Seculert, agrees. “Design features of Stuxnet, Duqu, and Flame are appearing in opportunistic criminal malware,” he says.

Schouwenberg says he is currently on the lookout for tricks used in the recently discovered Flame, described by some researchers as the “most complex ever found” (see “The Antivirus Era is Over”), to surface in more common malware.

Flame had a modular design, enabling its operators to send upgraded parts as necessary, for example to perform particular actions or attacks. “I think we will definitely see more of that approach,” says Schouwenberg, who believes it might be an attractive way for malware authors to sell their work to others. “It provides an up-sell opportunity for these guys if they can sell something, and then offer upgrade kits to improve it later.”

Schouwenberg says that a modular design also makes it harder for security companies to track a particular piece of malware. “When they only upload the modules to specific targets, it’s much harder to get all the components and see and know all of it.”

Sean Sullivan, a researcher at Finnish security company F-Secure, agrees that this is a good way to understand the way common cyber criminals build technology. “Criminals operate in a highly commoditized ‘malware as a service’ ecosystem. They buy components and assemble them into their operation. Like a business, they optimize for profit,” he says.

However, Sullivan also notes that many cyber criminals have invested in their own code, and can’t dedicate resources on the scale of a government contractor or agency.

“The operational security required by those behind Stuxnet, Flame, etc. means that they simply cannot outsource anything, they must do everything from start to finish,” says Sullivan, “which is a heavy investment and certainly isn’t anything close to being profitable.”

But Schouwenberg says the influx of expensively developed new ideas into criminal malware will likely increase in coming years. Government agencies and contractors around the world now openly advertise for programmers with the skills needed to create sophisticated malware, he says, suggesting there are more Stuxnets, Duqus, and Flames to come. “That’s a major shift from just a few years ago,” he says.
