Chester Wisniewski, a researcher at the security firm Sophos, says Stuxnet's authors might have exploited this naiveté when designing the worm. JMicron and RealTek, the two companies that own the digital certificates that were stolen for Stuxnet, are located in the same office park in Taiwan. Wisniewski offers the following theory: "What if the attackers dropped a couple USB drives in the parking lot between JMicron and RealTek, and then employees picked them up and stuck them into their computers?" Voila, instant infection.
For Stuxnet, sticking it in is all it takes. Sean Sullivan, a researcher at the security firm F-Secure, points out that most USB-borne malware operates on a Windows feature known as AutoRun. AutoRun was developed in the 1990s to make it easier for people to install software on their computers; when you insert a disk, Windows looks for instructions telling it what to do. Usually these instructions are benign—the disk tells the PC to install a legitimate application—but AutoRun could also be used by hackers to install malware instantly. Over the years, Microsoft, security firms, and IT managers have become much more sophisticated about fighting AutoRun viruses. New versions of Windows prompt users about the software on a disk before running it, and corporate IT staffers often disable Windows' AutoRun features. But Stuxnet evades those measures; it can infect PCs even when AutoRun is turned off. "All you have to do is open up the folder and view the contents, and you're infected," Sullivan says. "It's such a minimal action that's required—something anyone would do just to see what's on the disk. That's why it spread."
There is, of course, a failsafe way to prevent Stuxnet from infecting high-security machines—why not just prohibit users from sticking USB devices into computers that have been purposefully separated from the Internet? "That would have worked," says Sophos' Wisniewski, "but the reality is the world is still pretty crappy at security." Companies either don't have such policies or don't enforce them—maybe, perhaps, because selfish employees (like yours truly) consider USB sticks extremely convenient. If you want to hand over a huge PowerPoint presentation to your colleagues down the hall, what's easier than sticking it on a USB disk?
If a company wants to ratchet up security, it's not as simple as banning all thumb drives. To be extra careful, you'd have to ban iPods, cameras, and every other USB-based doohickey—all of those devices are capable of carrying Stuxnet-like viruses, too. I asked Sean Sullivan, of F-Secure, if he could imagine any failsafe IT policy that would have worked to thwart Stuxnet. "Well, in our malware test machines, sometimes we put glue in the USB ports," he joked. Wisniewski, of Sophos, says, the only hope is education: Don't trade USB sticks, don't stick an unknown one into your machine, and don't pick one up off the street and plug it in your machine just to see what's inside.
"But I don't know if we're ever going to win that battle," Wisniewski says. "It's human nature. If I were a normal person and I didn't work in this bubble of security? If I found a USB drive, the first thing I would want to do is want to plug it in, too."