Feeds

Prof casts doubt on Stuxnet's accidental 'great escape' theory

How DID the super-weapon flee Iran's nuke plant?

3 Big data security analytics techniques

Analysis An expert has challenged a top theory on how the infamous Stuxnet worm, best known for knackering Iranian lab equipment, somehow escaped into the wild.

New York Times journalist David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a US-Israeli team. The sophisticated malware was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge and was infected by the malfunctioning equipment. The worm then "escaped into the wild" when the laptop was connected to the internet, granting the software nastie safe passage to the wider world, according to the newspaper journalist's contacts.

Now Prof Larry Constantine, a software engineer with years of experience in industrial control systems, claims some parts of Sanger’s account are just not possible. According to the prof, Sanger may have been misled by his political sources.

In an IEEE Spectrum Techwise Conversations podcast, Prof Constantine explained that the Stuxnet worm is like a military missile: one half of it is the rocket engine, designed to spread the malware from PC to PC by exploiting security vulnerabilities in Microsoft's Windows operating system; the other half is the explosive payload, a block of malicious code injected into Siemens-built industrial controllers.

Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC, thus it is impossible for the Iranian technician's laptop to have picked up the worm from the uranium enrichment machinery. It is not known exactly how the engineer's portable PC was infected.

The academic also said the malware was designed to restrict itself to local-area networks, specifically the plant's internal LAN, and could not have spread to the wider internet under its own steam.

The prof claimed in the podcast:

First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other.

Secondly, it couldn't have escaped over the internet, as Sanger's account maintains, because it never had that capability built into it: it can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a closed chain.

Another thing that Sanger got wrong... was the notion that the worm escaped when an engineer connected his computer to the programmable logic controllers (PLCs) that were controlling the centrifuges and his computer became infected, which then later spread over the internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn't have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible.

In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis' fault that suddenly allowed it to get onto the internet because it no longer recognised its environment. Anybody who works in the field knows that this doesn't quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn't discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda.

Prof Constantine, an academic in the mathematics and engineering department at the University of Madeira in Portugal, argued that these technical details matter "because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger". The academic does not dispute that Stuxnet was a joint US-Israeli operation to create malware specifically to sabotage Siemens equipment at processing plants in Natanz, Iran.

Costin Raiu, a senior security researcher at Kaspersky Lab, said the professor was right to question the infected laptop theory, and added "Stuxnet did not 'escape' into the wild by accident". It's possible that, rather than admit the worm was deployed wider than a specific Iranian installation, the US administration let it be known that its super-weapon had accidentally broken free of its constraints.

El Reg asked several independent experts for a reality check on the technical aspects of Prof Constantine's criticism of Sanger's account. Folks at security tools biz Sourcefire and antivirus firm Eset agreed that it was unlikely the laptop could have been compromised by plugging it into a Stuxnet-infected PLC. However the experts were split on whether or not Stuxnet was capable of spreading across the internet.

Eset earlier published a report [PDF] - jointly written by David Harley, Eugene Rodionov, Juraj Malcho and Aleksandr Matrosov - on the Stuxnet outbreak. The team was sympathetic to the prof's fresh take on several counts, but dismissed his suggestion that Stuxnet was unable to escape into the wild:

The way the IEEE story describes it, there's a confusion somewhere between the infection mechanism and the payload that clearly casts doubt on Sanger's account, if it really has to do with a backward infection from a PLC. The account of the backward infection doesn't sound convincing technically. A vulnerability in software interfacing between PLC and another system might account for it in principle, but doesn't seem likely given the nature of the payload programming.

Constantine is more or less correct in that Stuxnet spread by USB device, removable media or network shares rather than normal internet channels. But network share infection is kind of ambivalent and [network file system protocol] SMB/CIFS is certainly capable of being used beyond the local-area network. Stuxnet's primary infection vector was USB, but it also infected through the MS08-67 RPC vulnerability initially exploited by Conficker, the MS10-061 print spooler vulnerability, and network shares. However it might be able to propagate through the internet under some circumstances via network shares along with VPN and using the RPC vulnerability.

Although MS08-067, MS10-061 are mainly used to propagate inside the local-area network, Eugene thinks that it is possible for these vulnerabilities to allow the malware to cross the borders of adjacent networks. But did it? As Juraj points out, there's no reason (apart from Sanger telling us so) to assume that if Stuxnet "escaped" it did so by leaking from a developer's PC via the internet.

The bods at Eset also rubbished Prof Constantine's contention that Stuxnet did not spread widely:

It's nonsense to say that Stuxnet didn't get into the wild. Constantine cites Symantec as demonstrating that Stuxnet was never widespread, but Symantec itself stated: "As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts... We have observed over 40,000 unique external IP addresses, from over 155 countries."

However Dominic Storey, Sourcefire's technical director for EMEA, told El Reg that the local-area network protocols exploited by Stuxnet to spread across a nuclear plant's internal systems would be blocked at the firewall in any corporate - or even any sensible home user. Even a badly managed enterprise set-up would block incoming file and print sharing connections. If it didn't, Stuxnet would be the least of the organisation's problems.

Storey trained as a plasma physicist at the UK's Atomic Energy Authority, specialising in nuclear fusion research, prior to embarking in a career in network security. Recently he's carried out a lot of work looking into vulnerabilities in industrial control (SCADA) systems.

"Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive - it didn't rip through the cosmos," Storey said.

The physicist argued there was "merit" in Prof Constantine's argument, which if nothing else adds a dash of further intrigue to the heated debate about the origins and purpose of Stuxnet, generally considered as the world's first cyber-weapon. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.