
Lame Stuxnet worm 'full of errors', says security consultant

Far from being cyber-spy geniuses with ninja-like black-hat coding skills, the developers of Stuxnet made a number of mistakes that exposed their malware to earlier detection and meant the worm spread more widely than intended. Stuxnet, the infamous worm that infected SCADA-based computer control systems, is sometimes described …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

or maybe.....

merely workable is good enough.

If you are not trying to build up a reputation, or trying to obscure who you are, maybe making it look like a well-informed but amateur haxor was deliberate. Who knows.

6
0
Black Helicopters

Yeah.

The more 'elite' it is the more it starts to look like a powerful government, would go the theory.

Honestly I've not bought into Iran even being the target. There's no evidence to suggest it is other than Israel hates Iran [and vice-versa], Area 51-type alien conspiracies of the type you usually get in white-to-black hat circles anyways - combined with it hit Iran. Totally ignoring the fact the thing liked moving around on USB sticks.. Which in a country where the internet isn't exactly pervasive is how you move data around, just like we used to with floppy disks.

Once you get past target you have to look at motives.. If you assume that Iran is the target and the US/Israel is the belligerent state in question, going after this kind of stuff is pointless - when you bear in mind the specific target equipment isn't in their problem reactors. It all seems so pointless when you realise that it'd take Israel about 3 seconds to come up with casus belli and just bomb the plants and actually put them offline permanently.

It’s in the interest of the US to let them get on with it and let the likes of Arak go online for the reason to bomb them.

0
2
Go

BFD

It did what it was intended to do. Way too many people think killing a deer is an error too, but it looks just like success sitting on my plate next to the mashed potatoes and green beans.

5
1
Grenade

'Full of errors'

Do you warn your hunting partners about your 'full of errors' approach to shooting deer before you start out?

0
0
Anonymous Coward

re: Do you warn your hunting partners

I think maybe he just hit it with his pick-up.

0
0
Black Helicopters

It could be deliberate

I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.

1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or demoralizing witch hunt. Either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations, this has indeed been the case.

2) It is misdirection because there is also Stuxnet2 which has not been found and which continues to wreak havoc, but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2.

I've got no idea whether either of these reasons is valid but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct but I do think the argument isn't as clear cut as the original article suggests.

21
1

Occam's Razor?

Look it up.

0
0
Silver badge
Thumb Down

Sir

It looks like the Iranians would serve their own interests better by not relying on US or Israeli firewall technology then.

I'm saying this completely ignorant of the attack vector for this worm so feel free to correct this sorry state of affairs :)

1
0

"the most credible of which suggests...

...it was developed by US and Israeli intelligence agencies"

No, I think the most credible is that the Chinese developed it to slow the Iranian nuke work whilst toeing the line with sanctions objections, to maintain their 3rd largest oil supply.

http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/

The article lends further credibility to that theory.

2
5
FAIL

Nope

I have to say - I read the article, and the guy's white paper on the subject, and I have to say that I just don't get it. His arguments seem to be more full of holes than he claims the US/Israeli story is.

For example, he states: "...in March 2010, China’s Customs ministry started an audit at Vacon’s Suzhou facility and took two employees into custody thereby providing further access to Vacon’s manufacturing specifications under cover of an active investigation."

Yet according to his own articles, the main damage caused by Stuxnet was "In late 2009 or early 2010"

And one of his biggest arguments against the NYT article was that the timeline was inaccurate!

3
0
Anonymous Coward

The Forbes article is a pile of tripe

see title

3
0
Silver badge

"amateur approach", etc.

But, did it work?!

As far as I'm informed it did indeed work very well. So why be more 'elegant' than needed? Sounds more like a waste of resources. And, as others pointed out already, this may as well have been intended.

2
0
Black Helicopters

Double bluff (tin foil required)

OR... Its a US hi-tech industry double bluff.

Lots of kit is imported from China etc, and there are already complaints of the security risk this exposes the West to.

So.. To demonstrate the point, some western hi-tech industry developed it, unleashed it on Iran. And in a few months can say..

"Hey look, because Iran imported this kit from the west we were able to break it. That means the Chinese could do the same to the kit we import from them. Therefore, we should build and use all our own hi-tech kit in the west. Oh, and it'll cost lots too."

1
0
Black Helicopters

Government op, then?

So, first we're told it could only have been developed by someone with a budget well into the millions, and that someone had an axe to grind with Iran. Now we're told that they made a botch job of some aspects of it.

Sounds more and more like a government op with each new revelation!

24
0
Silver badge
Big Brother

Remember...

....these are the direct descendants of the people who floated the idea of offing Castro with a remote-control shark.

...and they passed through at least ten years of aggravated cronyfication and empire-building.

It's enough to make Goering blanch with envy. But will it generate good code?

6
0
Black Helicopters

Yup

Like the article said, the actual exploits took a lot of expertise, it was just the packaging that was sloppy, maybe intentionally so. I wouldn't rule out the possibility of it being the USA/Israel and deliberately made to look amateurish in an attempt to lay the blame elsewhere when it was discovered.

2
0

What is it about these 'Security Experts'?

They're always going orgasmic about "security agencies" and "intelligence organisations" - as if the best way to express your geeky, nerdy, anti-authoritarian streak, is to find the biggest bully in the school yard, and then cuddle up to him, in hopes he'll be your friend. And they always seem appalled, when they later discover their protector, wanking off behind the bike sheds with a copy of the Sun.

If you believe their own hype you'd imagine that - if the Israeli secret service decided to go mob-handed into another country to assassinate someone - they wouldn't take turns in front of the hotel security cameras, dressed as the 118 guys, wouldn't you? Experience shows otherwise, however!

Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principal distinguishing features are that they are not above killing people to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on.

9
0
Silver badge

OHMSIS ....... The Basement Files

"Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principal distinguishing features are that they are not above killing people to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on." .... Daniel 1 Posted Wednesday 19th January 2011 16:18 GMT

Thanks for the heads up on Western security agent requirements and peccadillos, Daniel 1. :-0

2
2
Grenade

Don't you think...

if you want to kill one of your agents when the public have already worked out he is an agent, you leave a gimp suit on his bed and an orange ball in his mouth? Judging by your assumptions that what you see is what you get, there's no smoke without fire, etc., that would be an effective tactic.

0
0
Dead Vulture

Problem solved.

I wrote Stuxnet.

0
0
Pirate

You couldn't possibly have written it

because I did

0
0
Joke

I wrote it,

and so did my wife!

2
0
Coat

Problem Solved...

You're all bragging... my 10-year-old son wrote it on a dare... took him maybe two hours of concentrated effort.

Just leaving... got to go make sure he hasn't written another one to crash the electrical network in Iran..

0
0
Go

titular blatherings

erm, I'm SPARTACUS?

0
0
Boffin

The China Connection

As Jeffrey Carr has pointed out on Forbes, most of the actual evidence points to China as the source for Stuxnet.

http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/

and

http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels

1
5
FAIL

Wat?

"most of the actual evidence"

There is no evidence whatsoever in these articles. Just some Chinamendunnit ranting.

Did Carr get a phat cheque from Uncle Sam, or is he volunteering, patriot-liar style? That is the question.

His timeline is completely off, the "not targeted" argument is quite obviously counter-truth, etc...

6
0
Silver badge

For the sake of comparison

So, can I have a few examples of weaponized malware previously developed by the USA, to compare?

"We would have done a better job" sounds like a very lame defense. The fact that teenage VXers could do better would actually indicate that they did not do it, indeedly-doo.

The same argument holds for China. The Chinese reportedly pwnd most USA 3-letter agencies' systems for years without being detected, after all. Or was it a fear-mongering lie? You can't have it both ways.

3
0
Silver badge
Joke

"re-programming control systems to spin up high-speed centrifuges and slow them down"

So it was intended to speed it up and then slow it down?

I propose renaming it the Bucks Fizz Worm

10
0
Coat

Aha!

"Lame Stuxnet worm 'full of errors', says security consultant"

Turns out it was the Americans after all =]

And they appear to have got Microsoft to code it for them.

7
3
Coat

" Lastly, the code-obfuscation techniques were lame."

Lame... technical term that. If you don't work in the industry it would take me a day or two to explain it to you.

1
1

The fact that bits of it are crap...

...does smack of Government procurement though, does it not? There's the old saw, 'always remember your weapon was manufactured by the lowest bidder'.

7
0
Thumb Down

State would do a better job - NOT!

"He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."

Why does everyone assume that just because something was done by a state that it would always be better than done by someone else? In fact most state-run operations are worse than private operations.

4
1
Black Helicopters

Private Operations or Private Individuals?

I'll grant you that most state-run operations are hopeless, and that private operations run a much better ship (generally). But private operations tend not to be in the business of creating viruses or malware (at least I'm not aware of any that sell such items commercially).

So that does kind of leave it as individuals (or a loosely connected group) or a state sponsored operation.

As an aside, let's add some more conspiracy theory:

The malware exploited 4 zero-day exploits. What are the possibilities that the US Government had Microsoft create vulnerabilities in Windows deliberately so that attacks like this could take place in the future? Let's face it, an awful lot have been discovered over time - more perhaps than should be in a commercial operating system (and I'm not bashing Windows per se, I quite like it).

0
0
Silver badge
Grenade

Cry me a river....

"He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."

Hmmm ........ Now there is HUBRIS in all of its sad and mad and bad and cad glory.

"The true identity of Dark Avenger has never been established, though there are no shortage of conspiracy theories floating around the net." .... Whatever do you think the net is primarily for if not floating theories and conspiring with nets? Bots?

2
0
Bronze badge

It worked and fooled the consultants.

The arrogance of consultants, who are people who have lost front line skills, is amazing. The inventors of the worm are probably LMAO because this consultant still doesn't know what the worm really contains. The idiot is probably just looking at the honey pot. Anyone with a security brain knows that!

2
0
Gold badge

Spread too widely? Not well hidden?

(Sheesh! Pick one and stick to it, will ya?)

OK, so maybe it spread widely. That maximises the chance that it is brought into the target facility by an innocent worker at that facility, rather than requiring a Mossad agent. Guess which is easier, particularly if the developer isn't working for the Israeli or American governments?

OK, so maybe it wasn't well obfuscated. That's easy to say with hindsight. Didn't stop it spreading widely before everyone knew it was there and what target it was aimed at.

Maybe the developer knows more about their craft than these black hat experts.

2
0
Boffin

Nobody is expert in all areas

It doesn't surprise me that, when inspected by many experts in different areas, parts of it look amateurish. The whole point of keeping something like this secret under development requires it to be developed by very few people. But if the code had been inspected by more experts during development the secrecy of its development would have been more likely to have been breached, which would have defeated the purpose of its development.

High quality code has to be inspected with interest by many eyeballs with many different perspectives, see Raymond's law: http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar .

Another issue to do with obfuscation is that less can be more, in the sense that lightweight code which consumes fewer resources on systems intended as a relay rather than those intended to be attacked, is more likely to go undetected.

1
0
IT Angle

Has anyone considered...

Perhaps the "errors" or "flaws" in the code were to throw off the suspicion that it was built by a security agency? Why else overlook such obvious errors unless you're trying to make it look like it was built by amateurs?

1
0
Paris Hilton

If I looked hard enough...

... I can probably find 5 continuity errors/gaffes in "The Godfather".

Does that make me "unimpressed" and "superior" to Coppola ?

Paris, coz she believes in doing.

4
0
Anonymous Coward

Can we know for sure?

That the Iran infection is Stuxnet?

0
0
Bronze badge

remind me

What _did_ we do for uninformed speculation before the web came along?

2
0
Silver badge

Government involvement confirmed

When it was originally discovered the headline was something like "its advanced complexity suggests it was written by government agencies".

To anyone who has ever dealt with IT in government agencies this was pretty unbelievable.

So the new headline - "totally amateurish suggests it was written by government agencies" - is rather more believable.

1
0

Maybe it isn't as good as it could have been because...

...it had to be ready by a certain day?

Such as the day before the Israelis started bombing.

1
0
Pint

It was part of the plan

I read about this consultant trashing Stuxnet last year. Personally I think he's just upset he couldn't create a better virus first. This is a Mossad/CIA joint effort. NSA might have some feelers in it too but they got China to worry about. The actual delivery of the malware was Mossad via thumbdrive from some engineer. This, along with the assassinations that took place, messed up the whole plan Ahmadinejad had. CIA is providing the human intel for the Mossad agents in the field. That way our boys' hands don't get dirty and Mossad can get back at Iran for supplying arms to Hizbollah.

Sounds like a good script for a Tom Clancy movie starring Ryan Reynolds.

0
0
Unhappy

Please god don't let Ben Affleck play Ryan again.....

just dig up Han Solo again

0
0
Grenade

Should have made the place go boom instead of speeding up spindles.

Perfect obfuscation IMHO

0
0
Black Helicopters

Crappy code? You got your man...

From my experience of the reality of being in the military, and the civilian population's perceptions of the abilities associated with the military, I would predict that the shabbier code is indeed from the black helicopter (but not black-hatted) guys. Military systems tend to dislike creative and imaginative types, and pay far less. Hollywood may not like it, but the military isn't populated by the supermen you think it is.

0
0
FAIL

Article reads like an instruction book!!

This article reads to me like an instruction book on how to create a better worm for kiddies, surprised there isn't example code in there as well!!

0
0
Grenade

World's First cyber-security weapon?

Hmmm. Don't know about that. Just before the first Gulf War (1991) a printer (or something) was delivered to the Iraqi military that contained some funky software (last minute firmware job, I think) that absolutely clobbered the Iraqi military logistics system (equipment/supplies being delivered to all the wrong places at all the wrong times). If not THE first cyber-war weapon it's got to be pretty close. Forgive me if my memory is fuzzy on this matter. Maybe it was the world's first cyber-practical joke (it being clever AND funny).

Grenade, cos it's all about war and stuff. Why can't we all just get along and re-direct our energies and technology to space travel? You know, something constructive that moves the human race forwards instead of backwards all the time?

0
0
Pint

my imaginary rootkitted botnet with all the trimmings that I have never written

is better than your real one that almost took down a nuclear reactor .....

maybe they are trying to get the real creators to honour their manhood by challenging them to go up a water tower with a bucket......

0
0
