Closing The Chapter On Stuxnet

Published: 22/11/2024   Category: security




Researcher at Black Hat DC to dispel myths, misconceptions about who was behind the targeted attack, and their motives



Months of speculation, malware analysis, and conspiracy theories have swirled around the game-changing Stuxnet worm since it was first revealed last summer. But one veteran security expert hopes to dispel some of the myths and misconceptions about Stuxnet next week at Black Hat DC -- and then finally close the book on the attack.
Tom Parker, director of security consulting services at Securicon, began picking apart some of the Stuxnet misconceptions in a session at Black Hat Abu Dhabi. In the months since Abu Dhabi, Parker has conducted further analysis that shoots down some of the conclusions drawn during the past few months.
Parker maintains that much of the speculation and analysis about Stuxnet and its origins has come mostly out of anti-malware analysis that looks at what the code did and how it affected the victimized machines -- and not at who actually wrote it. Theories of nation-state sponsorship, organized crime, and the involvement of the West, or even China, have been circulating.
He doesn't buy the China theory, he says, which was based, in part, on the discovery that Vacon, the maker of one of the two frequency converter drives used in the Siemens programmable logic controller targeted by the Stuxnet worm, doesn't make its drives in its home country, Finland, but rather in Suzhou, China. Vacon's Suzhou offices were raided around the time experts think Stuxnet was first created, according to Jeffrey Carr, founder and CEO of Taia Global.
A second connection Carr made is that the digital certificate pilfered by the Stuxnet attackers was RealTek Semiconductor's. RealTek is headquartered in Taiwan, but has a subsidiary called Realsil Microelectronics in Suzhou, China. He also points to China's access to Windows source code, courtesy of Microsoft.
But Securicon's Parker says the China theory just doesn't add up because the evidence isn't compelling enough.
Another myth Parker will dispel next week is that Stuxnet was sophisticated. "It isn't really that hard to do," he says. The use of stolen digital signatures to sign the device drivers wasn't such a big coup, he says. "These are semiconductor companies, not security companies," he says. "It's not so tough to target and steal their certificates."
He believes that Stuxnet was indeed targeting Iran's nuclear program, but that it was designed to delay, not destroy, its operations. "I think it's a highly feasible theory that it was written in order to delay or set back the Iranian enrichment program so diplomatic or other efforts could succeed," he says.
Meanwhile, to solve the attribution piece of the puzzle, you need to filter out clues that reveal things about the man behind the malware, or whether the malware author is sophisticated, according to Parker. He says other elements to look for are clues such as the compiler version the author used, or whether he left behind a home directory or username. "Existing tools, such as IDA and PEiD, can be used for compiler identification, and identification of debug strings -- such as those which may contain a username," he says. "You just need to know to look for them."
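The debug-string clue Parker describes can be checked without a disassembler: a Windows PE built with symbols usually carries a CodeView "RSDS" record whose embedded PDB path often includes the developer's home directory. The script below is an added illustration, not Parker's plug-in or any tool named in the article; the sample image bytes are constructed here, and the home-directory regex is a heuristic assumption.

```python
import re
import struct

# CodeView 7.0 debug record layout: "RSDS" | GUID (16 bytes) | age (uint32 LE)
# | NUL-terminated PDB path as written by the linker on the build machine.
RSDS_MAGIC = b"RSDS"

# Heuristic (assumption): a user profile directory in the PDB path reveals a username.
USER_DIR_RE = re.compile(r"(?i)[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\")


def find_pdb_paths(blob: bytes) -> list:
    """Return every RSDS record (guid, age, pdb path) found in a raw file image."""
    records = []
    start = 0
    while True:
        idx = blob.find(RSDS_MAGIC, start)
        if idx < 0:
            return records
        rec = idx + len(RSDS_MAGIC)
        if rec + 20 <= len(blob):                       # need GUID + age before the path
            guid = blob[rec:rec + 16].hex()
            age = struct.unpack_from("<I", blob, rec + 16)[0]
            end = blob.find(b"\x00", rec + 20)
            end = len(blob) if end < 0 else end
            path = blob[rec + 20:end].decode("latin-1")
            records.append({"guid": guid, "age": age, "path": path})
        start = rec


def username_from_path(path: str):
    """Extract the profile-directory name from a PDB path, or None if absent."""
    m = USER_DIR_RE.search(path)
    return m.group(1) if m else None


# Constructed sample: padding that mimics a file image, one RSDS record, more padding.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + RSDS_MAGIC + bytes(range(16)) + struct.pack("<I", 3)
    + b"C:\\Users\\jdoe\\src\\drv\\objchk\\i386\\drv.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE_IMAGE):
        print(rec["path"], "-> username:", username_from_path(rec["path"]))
```

Run against a real sample, the same scan can be pointed at the whole file; a hit is only a lead for the analyst, since a path can be planted as easily as left behind.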
An IDA Pro plug-in he wrote and released during Black Hat Abu Dhabi analyzes so-called nested conditional statements, a sure sign of a newbie programmer. "A more advanced programmer is going to be more concerned with the efficiency of this code," he says.
"The code I've written is designed to derive sophistication by the quality of the programming. This is a small piece of the overall analysis, though, and really just serves to prove a point: that there is more we can be doing to provide insights into the author," he says.
The ultimate goal is to improve tools to drill down into these details. "The theory is trying to take cybersecurity to the same level that forensics is in the ballistics space," he says.
As for Stuxnet, Parker says he believes the advanced elements -- the PLC manipulation -- were possibly the handiwork of a Western nation-state. The deployment of the attack, given its amateur mistakes, indicates the creators didn't lock and load the attack themselves.
Either way, Parker says it's time to dial down the Stuxnet obsession. "Hopefully, we can close the chapter in the Stuxnet book altogether," he says. We have had a lot of people do great research on it, but it's time to move on, according to Parker.