The BBC has an article on the so-called "Stuxnet worm". It is, we are told, a very sophisticated program, designed to propagate itself from Windows machine to Windows machine via USB stick. The program hijacks Siemens PLC (programmable logic controller) devices by changing the instructions that PLC programming tools hand to the PLCs.
The article quotes a conjecture that the worm is aimed at the Iranian Bushehr nuclear power plant or the uranium enrichment plant at Natanz.
I wonder.
The worm is obviously a very sophisticated program. It is aimed at Windows, and uses not one but four different zero-day exploits -- all of which were supposedly completely unknown (by whom?) until Stuxnet showed up. This shows a very detailed knowledge of Windows. It also suggests that someone knew or guessed which versions of Windows were running at the target.
It then attacks PLC programming tools, which means the authors know that software very well. And it also means the authors know a lot about how the PLC machines are deployed at the targeted site.
An obvious conjecture is that the authors are working for a national government because no one else would have the resources and expertise to put all this together.
Really? If someone knew that much about the target, why not a non-computer attack, which would be much more likely to succeed?
Really? Where better to go for expertise on Windows vulnerabilities than the Windows security industry: Symantec, F-Secure, et al.?
In the 1920s, the US prohibited alcoholic drinks, the famous Prohibition. It was widely circumvented. By the 1930s, it was obvious that Prohibition was on its way out. And that would mean that its enforcers would be unemployed and might actually have to find honest work. So the scare tactics started up. Propaganda like the film "Reefer Madness". Is Stuxnet a modern-day "Reefer Madness", intended to scare people into buying more security for their Windows boxes?
As an extra, added, side benefit, the Iranians, say, will scramble around trying to secure their sensitive sites from this threat.
However real the problem posed by Stuxnet is, there is a simple solution to it: Don't use Windows. And there is an even simpler solution: clean any USB or other mass storage before you put it to use. Zero out the partition table, and create new partition(s).
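What the cleaning steps above actually overwrite, shown as an added example that is not part of the original post. It uses a constructed in-memory MBR disk image; the function names, the 2 MiB image size and the marker string are assumptions made for illustration.

```python
import struct

SECTOR = 512
MARKER = b"CONSTRUCTED-LEFTOVER-FILE"   # constructed stand-in for a file already on the stick
ENTRY = "<B3sB3sII"                     # MBR entry: status, CHS, type, CHS, start LBA, sector count

def mbr_entry(start_lba, sectors, ptype=0x0C):
    return struct.pack(ENTRY, 0, b"\0" * 3, ptype, b"\0" * 3, start_lba, sectors)

def write_table(img, entries):
    """Write up to four entries into the 64-byte table at offset 446, plus the boot signature."""
    img[446:510] = b"".join(entries).ljust(64, b"\0")
    img[510:512] = b"\x55\xaa"

def read_table(img):
    """Return (start_lba, sectors) for every non-empty entry, or [] if there is no valid table."""
    if bytes(img[510:512]) != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        raw = bytes(img[446 + 16 * i:462 + 16 * i])
        _, _, ptype, _, start, count = struct.unpack(ENTRY, raw)
        if ptype:
            parts.append((start, count))
    return parts

def make_stick(total_sectors=4096):
    """Constructed image: one partition at LBA 2048 with leftover data inside it."""
    img = bytearray(total_sectors * SECTOR)
    write_table(img, [mbr_entry(2048, 2048)])
    off = 2048 * SECTOR + 4096
    img[off:off + len(MARKER)] = MARKER
    return img

def zero_partition_table(img):
    img[0:SECTOR] = bytes(SECTOR)       # only sector 0 changes

def overwrite_partition(img, start, count):
    img[start * SECTOR:(start + count) * SECTOR] = bytes(count * SECTOR)

def demo():
    img = make_stick()
    zero_partition_table(img)
    after_zero = (read_table(img), MARKER in img)
    write_table(img, [mbr_entry(2048, 2048)])   # new partition at the same default alignment
    after_new = (read_table(img), MARKER in img)
    for start, count in read_table(img):
        overwrite_partition(img, start, count)
    return after_zero, after_new, MARKER in img

if __name__ == "__main__":
    print(demo())
```

Zeroing and rewriting the table only touches the first sector, so the old contents stay in place until the new partition's sectors are themselves overwritten.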