Closing The Chapter On Stuxnet

Months of speculation, malware analysis, and conspiracy theories have swirled around the game-changing Stuxnet worm since it was first revealed last summer. But one veteran security expert hopes to dispel some of the myths and misconceptions about Stuxnet next week at Black Hat DC -- and then finally close the book on the attack.

Tom Parker, director of security consulting services at Securicon, began picking apart some of the Stuxnet misconceptions in a session at Black Hat Abu Dhabi. In the months since Abu Dhabi, Parker has conducted further analysis that shoots down some of the conclusions drawn during the past few months.

Parker maintains that much of the speculation and analysis about Stuxnet and its origins have come mostly out of anti-malware analysis that looks at what the code did and how it affected the victimized machines -- and not who actually wrote it. Theories of nation-state sponsorship, organized crime, as well as the involvement of the West, or even China, have been circulating.

He doesn't buy the China theory, he says, which was based, in part, on the discovery that Vacon, the maker of one of the two frequency converter drives used in the Siemens programmable logic controller targeted by the Stuxnet worm, doesn't make its drives in its home country Finland, but rather in Suzhou, China. Vacon's Suzhou offices were raided around the time line experts think Stuxnet was first created, according to Jeffrey Carr, founder and CEO of Taia Global.

A second connection Carr made is that the digital certificate pilfered by the Stuxnet attackers was RealTek Semiconductor's. RealTek is headquartered in Taiwan, but has a subsidiary called Realsil Microelectronics in Suzhou, China. He also points to China's access to Windows source code, courtesy of Microsoft.

But Securicon's Parker says the China theory just doesn't add up because the evidence isn't "compelling" enough.

Another myth Parker will dispel next week is that Stuxnet was sophisticated. "It isn't really that hard to do," he says. The use of stolen digital signatures to sign the device drivers wasn't such a big coup, he says. "These are semiconductor companies, not security companies," he says. "It's not so tough to target and steal their certificates."

He believes that Stuxnet was indeed targeting Iran's nuclear program, but that it was designed to delay, not destroy, its operations. "I think it's a highly feasible theory that was written in order to delay or set back the Iranian enrichment program so diplomatic or other efforts could succeed," he says.

Meanwhile, to solve the attribution piece of the puzzle, you need to filter out clues that reveal things about the man behind the malware, or whether the malware author is sophisticated, according to Parker. He says other elements to look for are clues such as the compiler version the author used, or whether he left behind a home directory, or username. "Existing tools, such as IDA and PEID, can be used for compiler identification, and identification of debug strings -- such as those which may contain a username," he says. "You just need to know to look for them."

An IDAPro plug-in he wrote and released during Black Hat Abu Dhabi analyzes so-called "nested conditional" statements, a sure sign of a newbie programmer. "A more advanced programmer is going to be more concerned with the efficiency of this code," he says.

"The code I've written is designed to derive sophistication by the quality of the programming. This is a small piece of the overall analysis, though, and really just serves to prove a point: that there is more we can be doing to provide insights into the author," he says.

The ultimate goal is to improve tools to drill down into these details. "The theory is trying to take cybersecurity to the same level that forensics is in the ballistics space," he says.

As for Stuxnet, Parker says he believes the advanced elements -- the PLC manipulation -- were possibly the handiwork of a Western nation-state. The deployment of the attack, given its amateur mistakes, indicate the creators didn't lock and load the attack themselves.

Either way, Parker says it's time to dial down the Stuxnet obsession. "Hopefully, we can close the chapter in the Stuxnet book altogether," he says. "We have had a lot of people do great research on it," but it's time to move on, according to Parker.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.