Experts: Stuxnet is simplistic, kludgy, and about to crush you
Kaspersky warns copycats using source code could replicate Stuxnet effect
In the wake of attacks on U.S. security firms, a different U.S. security firm is warning that the U.S. (probably not other security firms) is at risk from cheap knockoffs of the now-available Stuxnet source code.
Other researchers call Stuxnet clunky, inelegant, difficult to install, easy to detect and probably not that easy to target. Immediately before the successful two-year attack on Iran's nuclear facility was discovered, that probably would have been a great comfort to Iran.
Still, Western of industrial-control SCADA software of the kind Stuxnet attacked contain dozens of flaws that could be exploited by either Stuxnet or one of the variants of it Kaspersky Labs predicts may begin propagating soon. Many of the SCADA flaws, by the way, were discovered through continuing research on Stuxnet.
Stuxnet-like attacks could cross the "air gap" that was the ultimate security system-isolation technique for computers before the days of wireless computing, and change the whole approach government and military authorities use to evaluate risk, according to security experts writing for Government Computer News.
Others discount some of the effect of Stuxnet as exaggeration and wonder if Iran is using the poor-little-me approach to fool the West into thinking it is weaker online than it actually is. (On a similar topic in a previous blog I referred to Hanlon's Razor, which applies in this case through its implication that you should never go too far out of your way to think your enemy is only faking stupidity. )
There's a growing consensus among malware experts that there were some major weaknesses in Stuxnet itself, though.
Compared to the code of other sophisticated worms, Stuxnet was pretty basic in many of its capabilities, though it's unlikely one person could have written it all alone, according to information presented in talk at the Black Hat security conference in DC in January by Tom Parker director of security consulting services Alexendria, Va. Based Securcon.
"There are a lot of skills needed to write Stuxnet," Parker said. "Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That's a broad set of skills. Does anyone here think they could do all of that?"
"This was probably not a western state. There were too many mistakes made. There's a lot that went wrong," he said. 'There's too much technical inconsistency. But, the bugs were unlikely to fail. They were all logic flaws with high reliability." -- Threatpost
The programmers that created Stuxnet or tailored it to attack Iran's nuclear facilities should have been embarassed by their "amateurish approach to hiding the payload," according to Nate Lawson, founder and chief security researcher for Root Labs which specializes in cryptography, software protection and kernel security development and analysis.
Lawson compared the concealment routines to "what Bulgarian teenagers were doing in the early '90s."
"There are your standard routines for hiding from AV tools, XOR masking, and installing a rootkit. But Stuxnet does no better at this than any other malware discovered last year. It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day," Lawson wrote in his blog.
Second, the Stuxnet developers seem to be unaware of more advanced techniques for hiding their target. They use simple “if/then” range checks to identify Step 7 systems and their peripheral controllers. If this was some high-level government operation, I would hope they would know to use things like hash-and-decrypt or homomorphic encryption to hide the controller configuration the code is targeting and its exact behavior once it did infect those systems. – Nate Lawson, Root Labs, blog, Jan. 17.
So it's all completely true, as far as anyone can really confirm.
Stuxnet may be the most sophisticated worm ever created, and could only have come from the supersecret, black-budget labs of America and Israel's most elite security agencies, or it was cobbled together by some group of some multinational but inconsequential team of regional intelligence operators or it was routine virus that got out of control and was used by Iran as an excuse for belligerent accusations of Western policies, to generate unity through the feeling of persecution at home, and inspire obsessive loners living in basements to attack the IT infrastructure of the U.S. rather than the government that actually oppresses them.
And, whatever the provenance, it will undoubtedly set off an unstoppable series of cyberwar attacks that will end in the destruction of everything we hold dear – and things other than our own computers as well.
Or, it was a pretty effective digital attack by people who don't like the idea of Iran having nuclear weapons, was created in a middling-quality IT military or intelligence lab, was used pretty effectively for quite a long time before it was discovered, and generated a typically ham-handed response from the Iranian government.
The most interesting thing about it continues to be that it opened the door to attacks on civil-engineering projects rather than just computers.
The second most interesting it that it apparently inspired the creation or radicalization of loner, basement-living hackers in Iran who currently use their computer skills to go through proxies and play World of Warcraft, read banned Western news sources or look at pornography, but are starting to focus their misspent energy and frustration getting back at the U.S. instead of Iran. Interesting unintended consequence.
What's the Farsi word for "Anonymous?"
(Actually, it's this: بی نام but that doesn't help me much. )