The title should read something like "Initial victims". The article isn't claiming there weren't any victims; it's just the opposite, that there were multiple (5) primary sites affected by the attack, which they attempt to pinpoint and analyze.<p>I guess the chose the title by analogy with the term "patient zero", since "patients zero" wouldn't have quite made sense.
In reading this, I'm astonished at how primitive Stuxnet was. If I were writing a worm that saved information on infected systems, I would have:<p><pre><code> created a public/private key pair
included the public key in the worm
encrypted interesting stuff with the public key
</code></pre>
That way nobody would be able to decrypt any of the information saved by the worm if they didn't know the private key.<p>Does that make sense or am I missing something obvious? Why did Stuxnet keep a cleartext embedded trail of systems it traversed? I can't grok that at all.
Please change the submission to a secure URL: <a href="https://securelist.com/analysis/publications/67483/stuxnet-zero-victims/" rel="nofollow">https://securelist.com/analysis/publications/67483/stuxnet-z...</a>
> The name could mean that the initial infection affected some server named after our anti-malware solution installed on it.<p>Unlikely to be a server given that OS version number on the "KASPERSKY ISIE" line is 5.1, which corresponds to that of Windows XP [+].<p>> KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.<p>..also judging by the "5.2" on each line, which corresponds to the OS version of Windows Server 2003 (including R2). "5.2" also could indicate Windows XP 64-bit Edition, but that seems much less likely to be the case.<p>[+] <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832%28v=vs.85%29.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/library/windows/desktop/ms72...</a>