Prof casts doubt on Stuxnet's accidental 'great escape' theory

How DID the super-weapon flee Iran's nuke plant?

Providing a secure and efficient Helpdesk

Analysis An expert has challenged a top theory on how the infamous Stuxnet worm, best known for knackering Iranian lab equipment, somehow escaped into the wild.

New York Times journalist David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a US-Israeli team. The sophisticated malware was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge and was infected by the malfunctioning equipment. The worm then "escaped into the wild" when the laptop was connected to the internet, granting the software nastie safe passage to the wider world, according to the newspaper journalist's contacts.

Now Prof Larry Constantine, a software engineer with years of experience in industrial control systems, claims some parts of Sanger’s account are just not possible. According to the prof, Sanger may have been misled by his political sources.

In an IEEE Spectrum Techwise Conversations podcast, Prof Constantine explained that the Stuxnet worm is like a military missile: one half of it is the rocket engine, designed to spread the malware from PC to PC by exploiting security vulnerabilities in Microsoft's Windows operating system; the other half is the explosive payload, a block of malicious code injected into Siemens-built industrial controllers.

Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC, thus it is impossible for the Iranian technician's laptop to have picked up the worm from the uranium enrichment machinery. It is not known exactly how the engineer's portable PC was infected.

The academic also said the malware was designed to restrict itself to local-area networks, specifically the plant's internal LAN, and could not have spread to the wider internet under its own steam.

The prof claimed in the podcast:

First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other.

Secondly, it couldn't have escaped over the internet, as Sanger's account maintains, because it never had that capability built into it: it can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a closed chain.

Another thing that Sanger got wrong... was the notion that the worm escaped when an engineer connected his computer to the programmable logic controllers (PLCs) that were controlling the centrifuges and his computer became infected, which then later spread over the internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn't have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible.

In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis' fault that suddenly allowed it to get onto the internet because it no longer recognised its environment. Anybody who works in the field knows that this doesn't quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn't discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda.

Prof Constantine, an academic in the mathematics and engineering department at the University of Madeira in Portugal, argued that these technical details matter "because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger". The academic does not dispute that Stuxnet was a joint US-Israeli operation to create malware specifically to sabotage Siemens equipment at processing plants in Natanz, Iran.

Costin Raiu, a senior security researcher at Kaspersky Lab, said the professor was right to question the infected laptop theory, and added "Stuxnet did not 'escape' into the wild by accident". It's possible that, rather than admit the worm was deployed wider than a specific Iranian installation, the US administration let it be known that its super-weapon had accidentally broken free of its constraints.

El Reg asked several independent experts for a reality check on the technical aspects of Prof Constantine's criticism of Sanger's account. Folks at security tools biz Sourcefire and antivirus firm Eset agreed that it was unlikely the laptop could have been compromised by plugging it into a Stuxnet-infected PLC. However the experts were split on whether or not Stuxnet was capable of spreading across the internet.

Eset earlier published a report [PDF] - jointly written by David Harley, Eugene Rodionov, Juraj Malcho and Aleksandr Matrosov - on the Stuxnet outbreak. The team was sympathetic to the prof's fresh take on several counts, but dismissed his suggestion that Stuxnet was unable to escape into the wild:

The way the IEEE story describes it, there's a confusion somewhere between the infection mechanism and the payload that clearly casts doubt on Sanger's account, if it really has to do with a backward infection from a PLC. The account of the backward infection doesn't sound convincing technically. A vulnerability in software interfacing between PLC and another system might account for it in principle, but doesn't seem likely given the nature of the payload programming.

Constantine is more or less correct in that Stuxnet spread by USB device, removable media or network shares rather than normal internet channels. But network share infection is kind of ambivalent and [network file system protocol] SMB/CIFS is certainly capable of being used beyond the local-area network. Stuxnet's primary infection vector was USB, but it also infected through the MS08-67 RPC vulnerability initially exploited by Conficker, the MS10-061 print spooler vulnerability, and network shares. However it might be able to propagate through the internet under some circumstances via network shares along with VPN and using the RPC vulnerability.

Although MS08-067, MS10-061 are mainly used to propagate inside the local-area network, Eugene thinks that it is possible for these vulnerabilities to allow the malware to cross the borders of adjacent networks. But did it? As Juraj points out, there's no reason (apart from Sanger telling us so) to assume that if Stuxnet "escaped" it did so by leaking from a developer's PC via the internet.

The bods at Eset also rubbished Prof Constantine's contention that Stuxnet did not spread widely:

It's nonsense to say that Stuxnet didn't get into the wild. Constantine cites Symantec as demonstrating that Stuxnet was never widespread, but Symantec itself stated: "As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts... We have observed over 40,000 unique external IP addresses, from over 155 countries."

However Dominic Storey, Sourcefire's technical director for EMEA, told El Reg that the local-area network protocols exploited by Stuxnet to spread across a nuclear plant's internal systems would be blocked at the firewall in any corporate - or even any sensible home user. Even a badly managed enterprise set-up would block incoming file and print sharing connections. If it didn't, Stuxnet would be the least of the organisation's problems.

Storey trained as a plasma physicist at the UK's Atomic Energy Authority, specialising in nuclear fusion research, prior to embarking in a career in network security. Recently he's carried out a lot of work looking into vulnerabilities in industrial control (SCADA) systems.

"Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive - it didn't rip through the cosmos," Storey said.

The physicist argued there was "merit" in Prof Constantine's argument, which if nothing else adds a dash of further intrigue to the heated debate about the origins and purpose of Stuxnet, generally considered as the world's first cyber-weapon. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.