Lame Stuxnet worm 'full of errors', says security consultant Far from being cyber-spy geniuses with ninja-like black-hat coding skills, the developers of Stuxnet made a number of mistakes that exposed their malware to earlier detection and meant the worm spread more widely than intended. Stuxnet, the infamous worm that infected SCADA-based computer control systems, is sometimes …
The more 'elite' it is the more it starts to look like a powerful government, would go the theory.
Honestly I've not bought into Iran even being the target. There's no evidence to suggest it is other than Isreal hates Iran [and vice-versa], Area 51-type alien conspiracies of the type you usually get in white-to-black hat circles anyways - combined with it hit Iran. Totally ignoring the fact the think liked moving around on USB sticks.. Which in a country where the internet isn't exactly pervasive is how you move data around, just like we used to with floppy disks.
Once you get past target you have to look at motives.. If you assume that Iran is the target and the US/Isreal is the belligerent state in question, going after this kind of stuff is pointless - when you bear in mind the specific target equipment isn’t in their problem reactors. It all seems so pointless when you realise that it’d take Isreal about 3 seconds to come up with casus belli and just bomb the plants and actually put them offline permanently.
It’s in the interest of the US to let them get on with it and let the likes of Arak go online for the reason to bomb them.
I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.
1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or demoralizing witch hunt. Either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations this has indeed been the case
2) It is misdirection because there is also Stuxnet2 which has not been found and which continues to wreak havoc but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2
I've got no idea whether either of these reasons are valid but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct but I do think the argument isn't as clear cut as the original article suggests.
...it was developed by US and Israeli intelligence agencies"
No, I think the most credible is that the Chinese developed it to slow the Iranian nuke work whilst toeing the line with sanctions objections, to maintain their 3rd largest oil supply.
http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/
The article lends further credibility to that theory.
I have to say - I read the article, and the guy's white paper on the subject, and I have to say that I just don't get it. His arguments seem to be more full of holes that he claims the US/Israeli story is.
For example, he states: "...in March 2010, China’s Customs ministry started an audit at Vacon’s Suzhou facility and took two employees into custody thereby providing further access to Vacon’s manufacturing specifications under cover of an active investigation."
Yet according to his own articles, the main damage caused by Stuxnet was "In late 2009 or early 2010"
And one of his biggest arguments against the NYT article was that the timeline was inaccurate!
OR... Its a US hi-tech industry double bluff.
Lots of kit is imported from China etc, and there are already complains of the security risk this exposes the West to.
So.. To demonstrate the point, some western hi-tech industry developed it, unleashed it on Iran. And in a few months can say..
"Hey look, because Iran imported this kit from the west we were able to break it. That means the Chinese could do the same to the kit we import from them. Therefore, we should build and use all our own hi-tech kit in the west. Oh, and it'll cost lots too."
So, first we're told it could only have been developed by someone with a budget well into the millions, and that someone had an axe to grind with Iran. Now we're told that they made a botch job of some aspects of it.
Sounds more and more like a government op with each new revelation!
....these are the direct descendants of the people who floated the idea of offing Castro with a remote-control shark.
...and they passed through at least ten years of aggravated cronyfication and empire-building.
It's enough to make Goering blanch with envy. But will it generate good code?
Like the article said the actual exploits actually took a lot of expertise, it was just the packaging that was sloppy, maybe intentionally so. I wouldn't rule out the possibility of it being the USA/Israel and deliberately made to look amateurish in an attempt to lay the blame elsewhere when it was discovered.
They're always going orgasmic about "security agencies" and "intelligence organisations" - as if the best way to express your geeky, nerdy, anti-authoritarian streak, is to find the biggest bully in the school yard, and then cuddle up to him, in hopes he'll be your friend. And they always seem appalled, when they later discover their protector, wanking off behind the bike sheds with a copy of the Sun.
If you believe their own hype you'd imagine that - if the Israeli secret service decided to go mob-handed into another country to assassinate someone - they wouldn't take turns in front of the hotel security cameras, dressed as the 118 guys, wouldn't you? Experience shows otherwise, however!
Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principle distinguishing features, are that they are not above killing people, to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on.
"Western security agencies employ people who secretly visit male bondage clubs, or belonged to the same spanking collective, while at University. Their principle distinguishing features, are that they are not above killing people, to get their own way, and they want the ability to peep-show on the rest of us, while continuing all the creepy, pervy stuff that they get off on." .... Daniel 1 Posted Wednesday 19th January 2011 16:18 GMT
Thanks for the heads up on Western security agent requirements and peccadillos, Daniel 1. :-0
if you want to kill one of your agents when the public have already worked out he is an agent, you leave a gimp suit on his bed and an orange ball in his mouth? Judging by your assumptions that what you see is what you get, there's no smoke without fire, etc., that would be an effective tactic.
As Jeffrey Carr has pointed out on Forbes, most of the actual evidence points to China as the source for Stuxnet.
http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/
and
http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/?boxes=Homepagechannels
"most of the actual evidence"
There is no evidence whatsoever in these article. Just some Chinamendunnit ranting.
Did Carr get a phat cheque from Uncle Sam?, or is he volunteering, patriot-liar style? That is the question.
His timeline is completely off, the "not targetted" argument is quite obviously counter-truth, etc...
So, can I have a few examples of weaponized malware previously developed by the USA, to compare?
"We would have done a better job" sounds like a very lame defense. The fact that teenage VXers could do better would actually indicate that they did not do it, indeedly-doo.
The same argument holds for China. The Chinese reportedly pwnd most USA 3-letters agencies' system for years without being detected, after all. Or was it a fear-mongering lie? You can't have it both ways.
"He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."
Why does everyone assume that just because something was done by a state that it would always be better than done by someone else. In fact most state run operations are worse than private operations.
I'll grant you that most state run operations are hopeless, and that private operations run a much better ship (generally). But private operations tend not to be in the busines of creating viruses or malware (at least I'm not aware of any that sell such items commercially).
So that does kind of leave it as individuals (or a loosely connected group) or a state sponsored operation.
As an aside, let's add some more conspiracy theory:
The malware exploited 4 zero day exploits. What are the possibilties that the US Government had Microsoft create vulnerabilities in Windows deliberatley so that attacks like this could take place in the future? Let's face it, an awful lot have been discovered over time - more perhaps than should be in a commercial operating system (and I'm not bashing Windows per se, I quite like it)
"He suggested that a Western state was unlikely to be responsible for developing Stuxnet because its intelligence agencies would have done a better job at packaging the malware payload."
Hmmm ........ Now there is HUBRIS in all of its sad and mad and bad and cad glory.
"The true identity of Dark Avenger has never been established, though there are no shortage of conspiracy theories floating around the net." .... Whatever do you think the net is primarily for if not floating theories and conspiring with nets? Bots?
The arrogance of consultants who are people who have lost front line skills is amazing. The inventors of the worm are probably LMAO because this consultant still doesn't know what the worm really contains. The idiot is probably just looking at the honey pot. Anyone with security brain knows that!
(Sheesh! Pick one and stick to it, will ya?)
OK, so maybe it spread widely. That maximises the chance that it is brought into the target facility by an innocent worker at that facility, rather than requiring a Mossad agent. Guess which is easier, particularly if the developer isn't working for the Israeli or American governments?
OK, so maybe it wasn't well obfuscated. That's easy to say with hindsight. Didn't stop it spreading widely before everyone knew it was there and what target it was aimed at.
Maybe the developer knows more about their craft than these black hat experts.
It doesn't surprise me that when inspected by many experts in different areas that parts of it look amateurish. The whole point of keeping something like this secret under development requires it to be developed by very few people. But if the code had been inspected by more experts during development the secrecy of its development would have been more likely to have been breached, which would have defeated the purpose of its development.
High quality code has to be inspected with interest by many eyeballs with many different perspectives, see Raymond's law: http://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar .
Another issue to do with obfuscation is that less can be more, in the sense that lightweight code which consumes fewer resources on systems intended as a relay rather than those intended to be attacked, is more likely to go undetected.
When it was originally discovered the headline was something like "it's advanced complexity suggests it was written by government agencies"
To anyone who has ever dealt with IT in government agencies this was pretty unbelievable.
So the new headline - "totally amateurish suggest it was written by government agencies" is rather more believable.
I read about this consultant trashing Stuxnet last year. Personaly i think he's just upset he couldnt create a better virus first. This is a Mossad/CIA joint effort. NSA might have some feelers in it too but they got China to worry about. The actual delviery of the malware was Mossad via thumbdrive from some engineer. This along with the asssinations that took place. Messed up the whole plan Ahmadenijand had. CIA is providing the human intel for the Mossad agents in the field. That way our boys hands dont get dirty and Mossad can get back at Iran for supplying arms to Hizbollah.
Sounds like a good script for a Tom Clancy movie starring Ryan Renyolds
From my experience of the reality of being in the military, and the civilian populations perceptions of the abilities associated with the military, I would predict that the shabbier code is indeed from the black helicopter (but not black hatted) guys. Military systems tend to dislike creative and imaginative types, and pay far less. Hollywood may not like it, but the military isn't populated by the supermen you think it is.
Hmmm. don't know about that. Just before the first Gulf War (1991) a printer (or something) was delivered to the Iraqi military that contained some funky software (last minute firmware job, I think) that absolutely clobbered the Iraqi military logistics system (equipment/supplies being delivered to all the wrong places at all the wrong times). If not THE first cyber-war weapon it's got to be pretty close. Forgive me if my memory is fuzzy on this matter. Maybe it was the worlds first cyber-practical joke (it being clever AND funny).
Grenade, cos it's all about war and stuff. Why can't we all just get along and re-direct our energies and technology to space travel? you know, something constructive that moves the human race forwards instead of backwards all the time?
I understand that now we have legitimized screwing up other people's computers in the "cyber warfare" context but when there is any possibility that the malware creator is some private sector "Cracker" then they need to be described in proper concept, not romanticized. Sic: "the Daring burglar". If the same twit physically snuck into your own personal bedroom at night and just pulled all your wife's underwear out of the drawer to "let you know he'd been there." you wouldn't describe his behavior as "daring" would you?
Crackers, need to be cast in the same light. "The no-life half-wit cracker who in his spare time obviously sexually molests small children and pets broke into ..... XYZ corp.", etc. Journalists (even technical Journalists) can help cast such slime as these in proper light instead of making them into -shudder- folk "heroes".
jccampb
of all these "conspiracy" theories.
"Only a so-called government could write this." riiiiiiiight....
Having WORKED in the industry, ANYONE can buy a controller for next to nothing and learn how to program the controller. Nothing mysterious about that. Does not require a lot of intelligence or money. Siemens had a lot of security issues with their equipment LONG before this was uncovered. Programming a controller is no different than programming any other piece of hardware. Anyone from Siemens, GE, Rockwell, distributor, customer, etc could have easily written the code.
Nothing to see here.....move along - just more examples of irresponsible journalism where facts seem to get lost...
A blunt instrument may be a 'crude' and unsubtle murder weapon - but if you get beaten to death with it, you're still just as dead as if you were taken out by a genetically-engineered killer virus or an orbiting deathray. Lame or not, this tool certainly did what it was meant to, meaning it was good *enough*. No doubt the next one will be better in this respect, of course.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
