New in October 2010

Just when I had resigned myself to the notion that the computer security industry doesn’t care to invest in reverse engineering, along comes the Stuxnet worm and numerous investigations in which investment by each of any number of security companies is apparently to be measured in man-months. Of course, reports that have taken man-months would want to be detailed, and though I’m not shaken in my belief that competition in reverse engineering, as practised by the computer security industry, is less about the quality of the work than the unsupported use of terms such as “in-depth” and “comprehensive”, I must admit that a quick look at Stuxnet confirmed that most of it surely had been mined at least well enough that I would not find much to add except by committing to a full study. I can’t now catch up on others’ man-months, but within the constraints of what I will do for free, I did find one perspective that seemed novel enough to justify spending a little time to write up most of what I know about one Stuxnet component: one of the kernel-mode drivers looks to have been written independently of everything else in Stuxnet, as a general loader of almost arbitrary user-mode malware.

Before moving on, it occurred to me that although everyone surely has realised that to talk of Stuxnet exploiting a vulnerability in .LNK files is to shoot the messenger, someone ought to note it explicitly. Indeed, the coding oversight that’s depended on isn’t any sort of parsing error in .LNK files, as Microsoft and some supposed experts would have you believe, but is instead that the Control Panel is not nearly defensive enough about what it executes. Shortcut files just present the best vector for exploiting the vulnerability. You may think this is nit-picking, but if defect and vector are not differentiated, the defect may not be properly fixed and other vectors may go unexamined.

I’m biased, unsurprisingly, but I think a substantial opportunity was missed by not having me on hand to have got started on Stuxnet in June or July. Look around my other write-ups on malware. If you agree with me that I bring a new level of detail to such studies and you have a budget, then make me an offer for my services. After all, if you’re going to commit man-months to reverse-engineering some malware, don’t you want it done by the best you can get? It may even turn out that you don’t need as many man-months to do the same as your competitors, and you stand to find things out that they don’t.