back to article Lame Stuxnet worm 'full of errors', says security consultant

Far from being cyber-spy geniuses with ninja-like black-hat coding skills, the developers of Stuxnet made a number of mistakes that exposed their malware to earlier detection and meant the worm spread more widely than intended. Stuxnet, the infamous worm that infected SCADA-based computer control systems, is sometimes …

COMMENTS

This topic is closed for new posts.

Page:

  1. Anonymous Coward
    Anonymous Coward

    or maybe.....

    merely workable is good enough.

    If you are not trying to build up a reputation, or trying to obscure who you are, maybe making it look like a well informed but amateur haxor was deliberate. Who knows.

  2. Doug Glass
    Go

    BFD

    It did what it was intended to do. Way too many people think killing a deer is an error too, but it looks just like success sitting on my plate next to the mashed potatoes and green beans,

    1. streaky Silver badge
      Black Helicopters

      Yeah.

      The more 'elite' it is the more it starts to look like a powerful government, would go the theory.

      Honestly I've not bought into Iran even being the target. There's no evidence to suggest it is other than Isreal hates Iran [and vice-versa], Area 51-type alien conspiracies of the type you usually get in white-to-black hat circles anyways - combined with it hit Iran. Totally ignoring the fact the think liked moving around on USB sticks.. Which in a country where the internet isn't exactly pervasive is how you move data around, just like we used to with floppy disks.

      Once you get past target you have to look at motives.. If you assume that Iran is the target and the US/Isreal is the belligerent state in question, going after this kind of stuff is pointless - when you bear in mind the specific target equipment isn’t in their problem reactors. It all seems so pointless when you realise that it’d take Isreal about 3 seconds to come up with casus belli and just bomb the plants and actually put them offline permanently.

      It’s in the interest of the US to let them get on with it and let the likes of Arak go online for the reason to bomb them.

    2. Anonymous Coward
      Grenade

      'Full of errors'

      Do you warn your hunting partners about your 'full of errors' approach to shooting deer before you start out?

      1. Anonymous Coward
        Anonymous Coward

        re: Do you warn your hunting partners

        I think maybe he just hit it with his pick-up.

  3. FrancisT
    Black Helicopters

    It could be deliberate

    I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.

    1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or demoralizing witch hunt. Either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations this has indeed been the case

    2) It is misdirection because there is also Stuxnet2 which has not been found and which continues to wreak havoc but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2

    I've got no idea whether either of these reasons are valid but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct but I do think the argument isn't as clear cut as the original article suggests.

    1. Ubuntu Is a Better Slide Rule

      Occam, Razor ?

      Look it up.

  4. crowley

    "the most credible of which suggests...

    ...it was developed by US and Israeli intelligence agencies"

    No, I think the most credible is that the Chinese developed it to slow the Iranian nuke work whilst toeing the line with sanctions objections, to maintain their 3rd largest oil supply.

    http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/

    The article lends further credibility to that theory.

  5. Sir Runcible Spoon Silver badge
    Thumb Down

    Sir

    It looks like the Iranians would serve their own interests better by not relying on US or Israeli firewall technology then.

    I'm saying this completely ignorant of the attack vector for this worm so feel free to correct this sorry state of affairs :)

    1. GettinSadda
      FAIL

      Nope

      I have to say - I read the article, and the guy's white paper on the subject, and I have to say that I just don't get it. His arguments seem to be more full of holes that he claims the US/Israeli story is.

      For example, he states: "...in March 2010, China’s Customs ministry started an audit at Vacon’s Suzhou facility and took two employees into custody thereby providing further access to Vacon’s manufacturing specifications under cover of an active investigation."

      Yet according to his own articles, the main damage caused by Stuxnet was "In late 2009 or early 2010"

      And one of his biggest arguments against the NYT article was that the timeline was inaccurate!

    2. Anonymous Coward
      Anonymous Coward

      The Forbes article is a pile of tripe

      see title

  6. Evil Auditor Silver badge

    "amateur approach", etc.

    But, did it work?!

    As far as I'm informed it did indeed work very well. So why being more 'elegant' than needed? Sounds more like a waste of resources. And, as others pointed out already, this may as well have been intended.

  7. Ian 62
    Black Helicopters

    Double bluff (tin foil required)

    OR... Its a US hi-tech industry double bluff.

    Lots of kit is imported from China etc, and there are already complains of the security risk this exposes the West to.

    So.. To demonstrate the point, some western hi-tech industry developed it, unleashed it on Iran. And in a few months can say..

    "Hey look, because Iran imported this kit from the west we were able to break it. That means the Chinese could do the same to the kit we import from them. Therefore, we should build and use all our own hi-tech kit in the west. Oh, and it'll cost lots too."

  8. Swoop
    Black Helicopters

    Government op, then?

    So, first we're told it could only have been developed by someone with a budget well into the millions, and that someone had an axe to grind with Iran. Now we're told that they made a botch job of some aspects of it.

    Sounds more and more like a government op with each new revelation!

    1. Destroy All Monsters Silver badge
      Big Brother

      Remember...

      ....these are the direct descendants of the people who floated the idea of offing Castro with a remote-control shark.

      ...and they passed through at least ten years of aggravated cronyfication and empire-building.

      It's enough to make Goering blanch with envy. But will it generate good code?

  9. Anonymous Coward
    Black Helicopters

    Yup

    Like the article said the actual exploits actually took a lot of expertise, it was just the packaging that was sloppy, maybe intentionally so. I wouldn't rule out the possibility of it being the USA/Israel and deliberately made to look amateurish in an attempt to lay the blame elsewhere when it was discovered.

  10. Daniel 1

    What is it about these 'Security Experts'?

    They're always going orgasmic about "security agencies" and "intelligence organisations" - as if the best way to express your geeky, nerdy, anti-authoritarian streak, is to find the biggest bully in the school yard, and then cuddle up to him, in hopes he'll be your friend. And they always seem appalled, when they later discover their protector, wanking off behind the bike sheds with a copy of the Sun.

    If you believe their own hype you'd imagine that - if the Israeli secret service decided to go mob-handed into another country to assassinate someone - they wouldn't take turns in front of the hotel security cameras, dressed as the 118 guys, wouldn't you? Experience shows otherwise, however!

    Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principle distinguishing features, are that they are not above killing people, to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on.

    1. amanfromMars 1 Silver badge

      OHMSIS ....... The Basement Files

      "Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principle distinguishing features, are that they are not above killing people, to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on." .... Daniel 1 Posted Wednesday 19th January 2011 16:18 GMT

      Thanks for the heads up on Western security agent requirements and peccadillos, Daniel 1. :-0

    2. Anonymous Coward
      Grenade

      Don't you think...

      if you want to kill one of your agents when the public have already worked out he is an agent, you leave a gimp suit on his bed and an orange ball in his mouth? Judging by your assumptions that what you see is what you get, there's no smoke without fire, etc., that would be an effective tactic.

  11. Anonymous Coward
    Dead Vulture

    Problem solved.

    I wrote Stuxnet.

    1. kissingthecarpet
      Pirate

      You couldn't possibly have written it

      because I did

      1. Angus 2
        Joke

        I wrote it,

        and so did my wife!

    2. LateNightLarry
      Coat

      Problem Solved...

      You're all bragging... my 10 year old son wrote it on a dare...took him maybe two hours of concentrated effort.

      Just leaving... got to go make sure he hasn't written another one to crash the electrical network in Iran..

      1. lpopman
        Go

        titular blatherings

        erm, I'm SPARTACUS?

  12. Anonymous Coward
    Boffin

    The China Connection

    As Jeffrey Carr has pointed out on Forbes, most of the actual evidence points to China as the source for Stuxnet.

    http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/

    and

    http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels

    1. Anonymous Coward
      FAIL

      Wat?

      "most of the actual evidence"

      There is no evidence whatsoever in these article. Just some Chinamendunnit ranting.

      Did Carr get a phat cheque from Uncle Sam?, or is he volunteering, patriot-liar style? That is the question.

      His timeline is completely off, the "not targetted" argument is quite obviously counter-truth, etc...

  13. ElReg!comments!Pierre Silver badge

    For the sake of comparison

    So, can I have a few examples of weaponized malware previously developed by the USA, to compare?

    "We would have done a better job" sounds like a very lame defense. The fact that teenage VXers could do better would actually indicate that they did not do it, indeedly-doo.

    The same argument holds for China. The Chinese reportedly pwnd most USA 3-letters agencies' system for years without being detected, after all. Or was it a fear-mongering lie? You can't have it both ways.

  14. Simon Harris Silver badge
    Joke

    "re-programming control systems to spin up high-speed centrifuges and slow them down"

    So it was intended to speed it up and then slow it down?

    I propose renaming it the Bucks Fizz Worm

  15. Tigra 07 Silver badge
    Coat

    Aha!

    "Lame Stuxnet worm 'full of errors', says security consultant"

    Turns out it was the Americans after all =]

    And they appear to have got Microsoft to code it for them.

    1. PaulW
      Coat

      " Lastly, the code-obfuscation techniques were lame."

      Lame... technical term that. If you dont work in the industry it would take me a day or two to explain it to you.

  16. Gilbert Wham

    The fact that bits of it are crap...

    ...does smack of Government procurement though, does it not? 'There's the old saw, 'always remember your weapon was manufactured by the lowest bidder'.

  17. Anonymous Coward
    Thumb Down

    State would do a better job - NOT!

    "He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."

    Why does everyone assume that just because something was done by a state that it would always be better than done by someone else. In fact most state run operations are worse than private operations.

    1. Anonymous Coward
      Black Helicopters

      Private Operations or Private Individuals?

      I'll grant you that most state run operations are hopeless, and that private operations run a much better ship (generally). But private operations tend not to be in the busines of creating viruses or malware (at least I'm not aware of any that sell such items commercially).

      So that does kind of leave it as individuals (or a loosely connected group) or a state sponsored operation.

      As an aside, let's add some more conspiracy theory:

      The malware exploited 4 zero day exploits. What are the possibilties that the US Government had Microsoft create vulnerabilities in Windows deliberatley so that attacks like this could take place in the future? Let's face it, an awful lot have been discovered over time - more perhaps than should be in a commercial operating system (and I'm not bashing Windows per se, I quite like it)

  18. amanfromMars 1 Silver badge
    Grenade

    Cry me a river....

    "He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."

    Hmmm ........ Now there is HUBRIS in all of its sad and mad and bad and cad glory.

    "The true identity of Dark Avenger has never been established, though there are no shortage of conspiracy theories floating around the net." .... Whatever do you think the net is primarily for if not floating theories and conspiring with nets? Bots?

  19. JP19

    It worked and fooled the consultants.

    The arrogance of consultants who are people who have lost front line skills is amazing. The inventors of the worm are probably LMAO because this consultant still doesn't know what the worm really contains. The idiot is probably just looking at the honey pot. Anyone with security brain knows that!

  20. Ken Hagan Gold badge

    Spread too widely? Not well hidden?

    (Sheesh! Pick one and stick to it, will ya?)

    OK, so maybe it spread widely. That maximises the chance that it is brought into the target facility by an innocent worker at that facility, rather than requiring a Mossad agent. Guess which is easier, particularly if the developer isn't working for the Israeli or American governments?

    OK, so maybe it wasn't well obfuscated. That's easy to say with hindsight. Didn't stop it spreading widely before everyone knew it was there and what target it was aimed at.

    Maybe the developer knows more about their craft than these black hat experts.

  21. copsewood
    Boffin

    Nobody is expert in all areas

    It doesn't surprise me that when inspected by many experts in different areas that parts of it look amateurish. The whole point of keeping something like this secret under development requires it to be developed by very few people. But if the code had been inspected by more experts during development the secrecy of its development would have been more likely to have been breached, which would have defeated the purpose of its development.

    High quality code has to be inspected with interest by many eyeballs with many different perspectives, see Raymond's law: http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar .

    Another issue to do with obfuscation is that less can be more, in the sense that lightweight code which consumes fewer resources on systems intended as a relay rather than those intended to be attacked, is more likely to go undetected.

  22. Steven Holmquist
    IT Angle

    Has anyone concidered...

    Perhaps the "errors" or "flaws" in the code was to throw off the suspicion that it was built by a security agency? Why else overlook such obvious errors unless you're trying to make it look like it was built by amateurs.

  23. alwarming
    Paris Hilton

    If I looked hard enough...

    ... I can probably find 5 continuity errors/gaffs in "The Godfather".

    Does that make me "unimpressed" and "superior" to Coppola ?

    Paris, coz she believes in doing.

  24. Anonymous Coward
    Anonymous Coward

    Can we know for sure?

    That the Iran infection is Stuxnet?

  25. disgruntled yank Silver badge

    remind me

    What _did_ we do for uniformed speculation before the web came along?

  26. Yet Another Anonymous coward Silver badge

    Government involvement confirmed

    When it was originally discovered the headline was something like "it's advanced complexity suggests it was written by government agencies"

    To anyone who has ever dealt with IT in government agencies this was pretty unbelievable.

    So the new headline - "totally amateurish suggest it was written by government agencies" is rather more believable.

  27. Mike Richards Silver badge

    Maybe it isn't as good as it could have been because...

    ...it had to be ready by a certain day?

    Such as the day before the Israelis started bombing.

  28. DragonKin37
    Pint

    Its was part of the plan

    I read about this consultant trashing Stuxnet last year. Personaly i think he's just upset he couldnt create a better virus first. This is a Mossad/CIA joint effort. NSA might have some feelers in it too but they got China to worry about. The actual delviery of the malware was Mossad via thumbdrive from some engineer. This along with the asssinations that took place. Messed up the whole plan Ahmadenijand had. CIA is providing the human intel for the Mossad agents in the field. That way our boys hands dont get dirty and Mossad can get back at Iran for supplying arms to Hizbollah.

    Sounds like a good script for a Tom Clancy movie starring Ryan Renyolds

    1. flatline2000
      Unhappy

      Please god don't let Ban affleck play Ryan again.....

      just dig up Hans Solo again

  29. Gordon Pryra
    Grenade

    Should have made the place go boom instead of speeding up spindles.

    Perfect obfuscation IMHO

  30. Anonymous Coward
    Black Helicopters

    Crappy code? You got your man...

    From my experience of the reality of being in the military, and the civilian populations perceptions of the abilities associated with the military, I would predict that the shabbier code is indeed from the black helicopter (but not black hatted) guys. Military systems tend to dislike creative and imaginative types, and pay far less. Hollywood may not like it, but the military isn't populated by the supermen you think it is.

  31. Simon B
    FAIL

    Article reads like an instruction book!!

    This article reads to me like an instruction book on how to create a better worm for kiddys, surprised there isn't an example code in there as well!!

  32. Barnsey123
    Grenade

    World's First cyber-security weapon?

    Hmmm. don't know about that. Just before the first Gulf War (1991) a printer (or something) was delivered to the Iraqi military that contained some funky software (last minute firmware job, I think) that absolutely clobbered the Iraqi military logistics system (equipment/supplies being delivered to all the wrong places at all the wrong times). If not THE first cyber-war weapon it's got to be pretty close. Forgive me if my memory is fuzzy on this matter. Maybe it was the worlds first cyber-practical joke (it being clever AND funny).

    Grenade, cos it's all about war and stuff. Why can't we all just get along and re-direct our energies and technology to space travel? you know, something constructive that moves the human race forwards instead of backwards all the time?

  33. flatline2000
    Pint

    my imaginary rootkitted botnet with all the trimmings that I have never written

    is better than your real one that almost took down a nuclear reactor .....

    maybe they are trying to get the real creators to honour their manhood by challenging them to go up a water tower with a bucket......

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019