
Who's Behind Stuxnet? The Americans? The Israelis?


The security research world is oohing and ahhing lately at what may turn out to be the most sophisticated malware attack ever: Stuxnet.

Stuxnet appears to be more than just another malware attack, and more than just another targeted attack. Many believe that it is a government-sponsored attack against Iran's nuclear facilities.

Stuxnet first came to our attention as the first attack using the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability, first described by the Belarusian security firm VirusBlokAda.

The worm drops a copy of itself on the system and places a shortcut to that copy on any removable drive. Connecting that drive to another system exploits the LNK vulnerability to load the malware automatically on that system.
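As an added illustration of the propagation pattern just described (this is not code from the article or from any Stuxnet analysis), the following Python heuristic parses the Windows Shell Link (.lnk) header and LinkInfo block and flags a shortcut that sits on a removable drive and points at an executable or DLL on that same drive. It assumes the shortcut records its target in the LinkInfo LocalBasePath field; the sample .lnk bytes are constructed inline as a fixture.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2          # ShellLinkHeader.LinkFlags bits
DRIVE_REMOVABLE = 2                           # VolumeID.DriveType for removable media
PAYLOAD_EXTS = (".dll", ".exe", ".cpl", ".scr")


def parse_lnk_target(data: bytes):
    """Return (local target path, target drive type) from a .lnk, or None if absent."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # ShellLinkHeader is always 0x4C bytes
    if flags & HAS_IDLIST:                    # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINKINFO:
        return None
    _size, _hdr, li_flags, vol_off, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
    if not li_flags & 0x1:                    # VolumeIDAndLocalBasePath flag not set
        return None

    def cstr(off):                            # NUL-terminated string relative to LinkInfo start
        end = data.index(b"\x00", pos + off)
        return data[pos + off:end].decode("cp1252", "replace")

    drive_type = struct.unpack_from("<I", data, pos + vol_off + 4)[0]
    return cstr(base_off) + cstr(suffix_off), drive_type


def is_suspicious_shortcut(lnk_path: str, data: bytes) -> bool:
    """Heuristic: shortcut on drive X: whose target is a payload file on removable drive X:."""
    parsed = parse_lnk_target(data)
    if not parsed:
        return False
    target, drive_type = parsed
    same_drive = target[:2].upper() == lnk_path[:2].upper()
    return same_drive and drive_type == DRIVE_REMOVABLE and target.lower().endswith(PAYLOAD_EXTS)


def build_lnk(target: str, drive_type: int = DRIVE_REMOVABLE) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo with VolumeID); a test fixture, not a real sample."""
    base = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 17, drive_type, 0, 16) + b"\x00"   # 17 bytes, empty label
    hdr = 28                                                          # LinkInfoHeaderSize
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, hdr, 0x1, hdr, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"                           # empty CommonPathSuffix
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", HAS_LINKINFO) + bytes(52)
    return header + link_info
```

Running `is_suspicious_shortcut(r"E:\docs.lnk", build_lnk(r"E:\payload.dll"))` returns True, while a shortcut to a program on the fixed C: drive or to a document on the same stick returns False.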

This was impressive enough when it came to light, but in fact Stuxnet uses three other zero-day vulnerabilities to spread under various circumstances. And to make its programs look legitimate, the malicious code was signed with at least two compromised code-signing certificates belonging to legitimate companies, perhaps letting it slip past other defenses.

Together, all this sets a new record of Bob Beamon caliber and definitely merited further scrutiny.

Another aspect of Stuxnet that stood out from early on was that the actual purpose behind all the sophisticated penetration is to locate and take control of industrial control systems, also known as SCADA (Supervisory Control And Data Acquisition) systems. If it finds such systems, it attempts to steal code and design projects. But wait, there's more.

Stuxnet also looks for the programming interface to PLCs (Programmable Logic Controllers) and injects its own code into the PLC. It also monitors access to the PLCs so that when someone attempts to view the code on them, the injected code is hidden from view. This makes Stuxnet a new kind of rootkit.

All this and more gives you a certain amount of admiration for Stuxnet's authors. They're very good at their work and brought their A game to this one. This is why German security firm Langner calls it the "hack of the century" (see that link for more on the PLC attack). Roel Schouwenberg of Kaspersky says "I'd call it groundbreaking."

Finally, it was also noticed by many that Stuxnet has an unusual geographical distribution:

[Figure: Symantec, percent of hits from W32.Stuxnet by country]

How would a high-quality attack such as this become so prevalent in Iran? Liam O Murchu, manager of operations with Symantec's security response team, told Computerworld that "[t]his threat was specifically targeting Iran." Schouwenberg added: "All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group."

Experts disagree over when the attacks began, as it seems that they may have been ongoing for some time before they were discovered. Consider this report of a "serious nuclear accident" in Iran on Wikileaks from July, 2009.

But even the Iranians are admitting that their nuclear agency has a computer worm problem. All manner of industrial facilities could be the target, but the most mentioned are the Bushehr nuclear reactor and the uranium centrifuge farm at Natanz.

Who has a high level of computer security sophistication and an interest in attacking Iranian industrial control systems? Some speculate it's the US, but most of the speculation centers on the Israelis. It's all just speculation, but it's intriguing, so it's tempting.

Look for more research about Stuxnet to emerge this week at the Virus Bulletin Conference in Vancouver.

About Our Expert

Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

He is co-author of Linksys Networks: The Official Guide, author of ADMIN911: Windows 2000 Terminal Services and Webmaster of ADMIN911 and CPA911.

Larry can be reached at larryseltzer@ziffdavis.com.
