Wednesday, February 16, 2011

Stuxnet: not so great, or a deadly threat?


I've noticed some computer security 'experts' are trying to claim that the Stuxnet worm isn't nearly as 'good' as news reports have suggested. Root Labs figures its authors weren't very skilled and/or knowledgeable and/or thorough in concealing it.

Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early 90′s.

First, there appears to be no special obfuscation. ... Stuxnet does no better at this than any other malware discovered last year.

. . .

Second, the Stuxnet developers seem to be unaware of more advanced techniques for hiding their target.

. . .

Stuxnet doesn’t use any of these advanced features. Either the authors did not care if their payload was discovered by the general public, they weren’t aware of these techniques, or they had other limitations, such as time.

. . .

Whoever developed the code was probably in a hurry and decided using more advanced hiding techniques wasn’t worth the development/testing cost.


There's more at the link.

Kaspersky Labs contends that the authors of Stuxnet 'made several basic errors'.

For example, the command-and-control mechanism is poorly done and sends its traffic in the clear and the worm ended up propagating on the Internet, which was likely not the intent.

"This was probably not a western state. There were too many mistakes made. There's a lot that went wrong," [Parker] said. 'There's too much technical inconsistency. But, the bugs were unlikely to fail. They were all logic flaws with high reliability."

Parker said that Stuxnet may have been developed originally on contract and then once it was handed off to the end user, that group adapted it by adding the C&C infrastructure and perhaps one of the exploits, as well.


Again, more at the link.

Contrast these nit-picking technical analyses with the actual results achieved by Stuxnet, and things look rather different. The New York Times recently reported:

In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.

The gruff Mr. Dagan, whose organization has been accused by Iran of being behind the deaths of several Iranian scientists, told the Israeli Knesset in recent days that Iran had run into technological difficulties that could delay a bomb until 2015. That represented a sharp reversal from Israel’s long-held argument that Iran was on the cusp of success.

The biggest single factor in putting time on the nuclear clock appears to be Stuxnet, the most sophisticated cyberweapon ever deployed.

In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex - and ingenious - than anything they had imagined when it began circulating around the world, unexplained, in mid-2009.


See the source article for more details. Bold print is my emphasis. The New York Times also has a worthwhile collection of articles about Stuxnet.

Also, contrast the technical experts' views with the Pentagon's perspective on the worm.

Sure, al-Qaeda hasn’t launched any cyberattacks so far. Nor have its operatives manifested any ability to design anything as sophisticated as the Stuxnet worm. "But it is possible for a terrorist group to develop cyberattack tools on their own or to buy them on the black market," Lynn, the Pentagon’s point man on cybersecurity, warned on Tuesday. "As you know better than I, a couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage."

. . .

Lynn left little doubt he had a worm like Stuxnet in mind, even though he didn’t mention it by name. He warned about the "accidental release of toxic malware" in which "something as trivial as a thumb drive stuck in the wrong computer" could have "a calamitous effect on the global economy". What’s that sound like to you?

Perhaps Lynn has good reason to worry about the worm, even if he didn’t mention it by name. Before Stuxnet, cyberattacks against government facilities tasted like small beer - defacing someone’s website, or distributed denial of service overloads to bring the site down. But that was before a piece of malware managed to disrupt the industrial control systems spinning the centrifuges of Iranian nuclear facilities.

While no one quite knows who designed Stuxnet, there’s circumstantial evidence that it was a joint U.S.-Israeli jam. If so, then Lynn’s warning about a terrorist group acquiring a cyberweapon of comparable potency would be painfully ironic.


Once again, there's more at the link. Bold print is my emphasis.

It seems to me that if Stuxnet was so successful as to set the Iranian nuclear program back several years (until 2015 or so, if Israeli intelligence is to be believed), then it was very successful indeed. The technical experts trying to insist it wasn't all that good, and could have been improved, are missing the point. The old saw still applies: "The perfect is the enemy of the good". Stuxnet didn't need to be any better than it was. It did the job it was seemingly designed to do. What more could its designers hope for?

I have to agree, however, that Stuxnet may have initiated a new era of 'cyberwarfare'. I've no doubt Iran and other states hostile to the West (North Korea and China for certain) are now actively seeking to develop similar 'weapons' with which to attack us. I'm sure known areas of vulnerability such as the US electricity distribution system will be targeted.

It's going to be an interesting time . . . in the idiomatic sense of the term!

Peter

5 comments:

  1. This is the first true "shot" in the cyber war... no question. Well, actually the responsible party IS the question... :-)

    ReplyDelete
  2. It did its job, correct? Not as elegently as an expert might like, but Stuxnet is still driving the Iranian cyber folks up the proverbial tree, which is a lot better carry over than, oh, Stoned or Frodo had back in their day. As you said, sir, the perfect can be the enemy of the good.
    LittleRed1

    ReplyDelete
  3. This presumes of course that the designers of Stuxnet didn't make it look amateurish on purpose.

    Someone with great skill and knowledge can easily claim ignorance or act like a fool. Vice versa? Not so much.


    I know that if I had to design a virus/worm, my number one and two priorities would be to make sure it worked and make sure it didn't lead back to me.

    ReplyDelete
  4. I wouldn't be surprised if it turned out to originate with one of Iran's Arab neighbors.

    Antibubba

    ReplyDelete
  5. Padre,

    The U.S.'s electricity grid is old and mostly run by massive data centers at which I have worked before. Although very secure, a worm causing a voltage spike on the lines could burn out millions of dollars worth of equipment and cause a blackout. Although the system is old, it is actually a strength in this case, as malware could only be uploaded at plants, control centers, etc.

    The real problem that is scaring the living heck out of IT guys is when the "Smart Grid" takes full effect. Although this will have some MANY useful aspects such as on-demand electricity prices and the ability for the power company's to pinpoint a fault on a line, the drawbacks will be severe as well. The system will become very vulnerable in certain parts. Simply too many access points will be created. Plus I shudder to think what will happen if some malicious code was slipped into the algorithm for the "Smart Grid". I have heard from respectable sources that the coding itself is thousands of lines long. Searching for bad code would be like finding a needle in a haystack the size of a mansion.

    ReplyDelete

ALL COMMENTS ARE MODERATED. THEY WILL APPEAR AFTER OWNER APPROVAL, WHICH MAY BE DELAYED.