informa
News

Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran

Pirated software the norm in the region
An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. Software smuggling and pirating are commonplace there, including for Windows.

"Piracy is rampant there -- 99 percent of software in that part of the world is pirated. I know because I spent a lot of time in that part of the world," says Ashar Aziz, CEO of FireEye.

Software piracy and smuggling are a big problem in countries, such as Iran, that are banned from many high technology imports under economic sanctions. Stopping those illegal activities in Iran and other trade-sanctioned countries is difficult and often unrealistic, leaving many U.S. vendors to come to accept that their software is pirated there.

The masterminds behind Stuxnet, Duqu, and Flame -- who Obama administration officials say were government technologists and intelligence officials from the U.S. and Israel, according to reports in The New York Times and The Washington Post -- apparently were confident in Iran's use of Windows such that they targeted it. They used zero-day vulnerabilities and other methods for gathering intelligence on Iran's nuclear development program with Duqu and Flame, and then actually sabotaged the operation at the Natanz facility with a Windows worm that ultimately spread to a specific Siemens programmable logic controller that ran the centrifuges. The attack ultimately caused the centrifuges to spin out of control and fail.

Microsoft knows better than any software firm about the perils of pirated software and the difficulty in shutting it down. The software giant, which like other U.S. firms is banned from shipping software to Iran, Cuba, North Korea, Sudan, and Syria, pushes updates to all supported versions of Windows -- even pirated ones -- as a healthy security ecosystem practice. So even pirated Windows machines in Iran theoretically would receive up-to-date versions of Windows if users there apply the patches.

While Microsoft declined to comment on pirated software in Iran, Yunsun Wee, director of Microsoft Trustworthy Computing, did confirm that Microsoft supports of all of its software, pirated or not. "Any supported Microsoft operating system has access to security updates, regardless of genuine status, either by manually downloading them from Microsoft's site or by using Automatic or Windows Updates," Wee says.

Security experts say the Flame, Duqu, and Stuxnet attacks should not be perceived as against Microsoft, even if its products were part of the equation. "It's not that they went against Microsoft ... In no way would I say Stuxnet was built to go against Microsoft. It went after vulnerabilities," says Al Kinney, director of defense cybersecurity capability for HP Enterprise Services.

According to a report in The Washington Post today, officials confirmed that Flame was an effort to slow Iran's nuclear program down as well as to buy some time for sanctions and diplomatic efforts.

[ Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years. ]

Some security experts wonder why the U.S. and Israel bothered creating zero-day exploits and professional software development in the Flame, Duqu, and Stuxnet attacks just to target likely pirated software. "It struck me: Do you really need these complex pieces of malware to be that sophisticated if [the target] is using illegal versions of the software?" says Brian Honan of BH Consulting and a member of the Irish CERT.

The operators behind the attacks appear to have covered most of their bases with the quality of the code as well as the assumption that the Iranians were updating their Windows machines, experts say. Even so, antivirus software exports are banned from the U.S. to Iran as well, so AV tools there, if any, were likely weak links. Gunter Ollmann, vice president of research at Damballa, says that was likely a factor. "I'm sure one of the criteria [in an attack] was whether or not there were security products on the targeted device and if it's capable of detecting [Flame's] bag of tricks," Ollmann says.

But what the attackers did not do so well was keep the code under wraps, which has since led to its unraveling by security researchers around the globe.

"The biggest failure was letting [Stuxnet] escape," FireEye's Aziz says. The attackers didn't ensure it didn't spread beyond its target, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: