Interpretation: Stuxnet manipulates a fast running process. Based on process conditions, the original code that controls this fast running process will no longer be executed. (Some people will now want to have their process engineers explain what the DEADF could mean.) After the original code is no longer executed, we can expect that something will blow up soon. Something big.Ralph also theorizes that the target may have been Iran's Bushehr nuclear plant due to the fact that 58% of the infections were located in Iran. He states:
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half year before scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells. Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Than, on the other hand, probably not. Check who comissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company too doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (http://www.atomstroyexport.com/index-e.htm) that tries to download stuff from a malware site that had been shut down more than two years ago (www.bubamubaches.info). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange. I could give some other hints that have a smell for me but I think other researchers may be able to do a much better job on checking the validity of all this completely non-technical stuff. The one last bit of information that makes some sense for me is the clue that the attackers left in the code, as the fellows from Symantec pointed out -- use your own imagination because you will think I'm completely nuts when I tell you my idea.Ralph also feels that the sophistication of this malware lends itself to a team of expert coders and security professionals with specific skills and expertise rather than a malware developer working alone. The scare thought is that this type of malware represents a new facet of Cyberwarfare and should be viewed not only as malware, but as a piece of a bigger operation that targets a specific physical device or location.
There is a lot of very interesting information at all of the sites listed below for those who are looking for more information.