Prof casts doubt on Stuxnet's accidental 'great escape' theory

Analysis An expert has challenged a top theory on how the infamous Stuxnet worm, best known for knackering Iranian lab equipment, somehow escaped into the wild.

New York Times journalist David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a US-Israeli team. The sophisticated malware was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge and was infected by the malfunctioning equipment. The worm then "escaped into the wild" when the laptop was connected to the internet, granting the software nastie safe passage to the wider world, according to the newspaper journalist's contacts.

Now Prof Larry Constantine, a software engineer with years of experience in industrial control systems, claims some parts of Sanger’s account are just not possible. According to the prof, Sanger may have been misled by his political sources.

In an IEEE Spectrum Techwise Conversations podcast, Prof Constantine explained that the Stuxnet worm is like a military missile: one half of it is the rocket engine, designed to spread the malware from PC to PC by exploiting security vulnerabilities in Microsoft's Windows operating system; the other half is the explosive payload, a block of malicious code injected into Siemens-built industrial controllers.

Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC, thus it is impossible for the Iranian technician's laptop to have picked up the worm from the uranium enrichment machinery. It is not known exactly how the engineer's portable PC was infected.

The academic also said the malware was designed to restrict itself to local-area networks, specifically the plant's internal LAN, and could not have spread to the wider internet under its own steam.

The prof claimed in the podcast:

First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other.

Secondly, it couldn't have escaped over the internet, as Sanger's account maintains, because it never had that capability built into it: it can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a closed chain.

Another thing that Sanger got wrong... was the notion that the worm escaped when an engineer connected his computer to the programmable logic controllers (PLCs) that were controlling the centrifuges and his computer became infected, which then later spread over the internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn't have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible.

In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis' fault that suddenly allowed it to get onto the internet because it no longer recognised its environment. Anybody who works in the field knows that this doesn't quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn't discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda.

Prof Constantine, an academic in the mathematics and engineering department at the University of Madeira in Portugal, argued that these technical details matter "because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger". The academic does not dispute that Stuxnet was a joint US-Israeli operation to create malware specifically to sabotage Siemens equipment at processing plants in Natanz, Iran.

Costin Raiu, a senior security researcher at Kaspersky Lab, said the professor was right to question the infected laptop theory, and added "Stuxnet did not 'escape' into the wild by accident". It's possible that, rather than admit the worm was deployed wider than a specific Iranian installation, the US administration let it be known that its super-weapon had accidentally broken free of its constraints.

El Reg asked several independent experts for a reality check on the technical aspects of Prof Constantine's criticism of Sanger's account. Folks at security tools biz Sourcefire and antivirus firm Eset agreed that it was unlikely the laptop could have been compromised by plugging it into a Stuxnet-infected PLC. However the experts were split on whether or not Stuxnet was capable of spreading across the internet.

Eset earlier published a report [PDF] - jointly written by David Harley, Eugene Rodionov, Juraj Malcho and Aleksandr Matrosov - on the Stuxnet outbreak. The team was sympathetic to the prof's fresh take on several counts, but dismissed his suggestion that Stuxnet was unable to escape into the wild:

The way the IEEE story describes it, there's a confusion somewhere between the infection mechanism and the payload that clearly casts doubt on Sanger's account, if it really has to do with a backward infection from a PLC. The account of the backward infection doesn't sound convincing technically. A vulnerability in software interfacing between PLC and another system might account for it in principle, but doesn't seem likely given the nature of the payload programming.

Constantine is more or less correct in that Stuxnet spread by USB device, removable media or network shares rather than normal internet channels. But network share infection is kind of ambivalent and [network file system protocol] SMB/CIFS is certainly capable of being used beyond the local-area network. Stuxnet's primary infection vector was USB, but it also infected through the MS08-67 RPC vulnerability initially exploited by Conficker, the MS10-061 print spooler vulnerability, and network shares. However it might be able to propagate through the internet under some circumstances via network shares along with VPN and using the RPC vulnerability.

Although MS08-067, MS10-061 are mainly used to propagate inside the local-area network, Eugene thinks that it is possible for these vulnerabilities to allow the malware to cross the borders of adjacent networks. But did it? As Juraj points out, there's no reason (apart from Sanger telling us so) to assume that if Stuxnet "escaped" it did so by leaking from a developer's PC via the internet.

The bods at Eset also rubbished Prof Constantine's contention that Stuxnet did not spread widely:

It's nonsense to say that Stuxnet didn't get into the wild. Constantine cites Symantec as demonstrating that Stuxnet was never widespread, but Symantec itself stated: "As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts... We have observed over 40,000 unique external IP addresses, from over 155 countries."

However Dominic Storey, Sourcefire's technical director for EMEA, told El Reg that the local-area network protocols exploited by Stuxnet to spread across a nuclear plant's internal systems would be blocked at the firewall in any corporate - or even any sensible home user. Even a badly managed enterprise set-up would block incoming file and print sharing connections. If it didn't, Stuxnet would be the least of the organisation's problems.

Storey trained as a plasma physicist at the UK's Atomic Energy Authority, specialising in nuclear fusion research, prior to embarking in a career in network security. Recently he's carried out a lot of work looking into vulnerabilities in industrial control (SCADA) systems.

"Stuxnet was not like a worm. It was written for a specific platform and its vector for spreading was from laptop to laptop or USB drive - it didn't rip through the cosmos," Storey said.

The physicist argued there was "merit" in Prof Constantine's argument, which if nothing else adds a dash of further intrigue to the heated debate about the origins and purpose of Stuxnet, generally considered as the world's first cyber-weapon. ®