ARLINGTON, VA–There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they’ve been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes.
In a talk at the Black Hat DC conference here Tuesday, Tom Parker, a security consultant, presented a compelling case that Stuxnet may be the product of a collaboration between two disparate groups: perhaps a talented group of programmers that produced most of the code and exploits, and a less sophisticated group that may have adapted the tool for its eventual use. Parker analyzed the Stuxnet code, looking at both the quality of the code itself and how well it did what it was designed to do, and found several indications that the code is not very well written, yet was still highly effective on some levels.
Parker wrote a tool that analyzed similarities between the Stuxnet code and the code of some other well-known worms and applications and found that the code was fairly low quality. However, he also said that there was very little chance that one person could have put the entire attack together alone.
“There are a lot of skills needed to write Stuxnet,” he said. “Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That’s a broad set of skills. Does anyone here think they could do all of that?”
That broad spectrum of abilities is what has led many analysts to conclude that Stuxnet could only be the work of a well-funded, highly skilled group such as an intelligence agency or other government body. However, Parker pointed out that the attack contains a number of mistakes one wouldn’t expect to find if it had been launched by such an elite group. For example, the command-and-control mechanism is poorly done and sends its traffic in the clear, and the worm ended up propagating on the Internet, which was likely not the intent.
“This was probably not a western state. There were too many mistakes made. There’s a lot that went wrong,” he said. “There’s too much technical inconsistency. But, the bugs were unlikely to fail. They were all logic flaws with high reliability.”
Parker said that Stuxnet may have been developed originally on contract and then once it was handed off to the end user, that group adapted it by adding the C&C infrastructure and perhaps one of the exploits, as well.
The mistakes weren’t limited to the operational aspects of Stuxnet, either. Nate Lawson, a cryptographer and expert on the security of embedded systems, said in a blog post Monday that the Stuxnet authors were very naive in the methods they used to cloak the payload and target of the malware. Lawson said that the Stuxnet authors ignored a number of well-known techniques that could have been much more effective at hiding the worm’s intentions.
“Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early ’90s,” Lawson said. “First, there appears to be no special obfuscation. Sure, there are your standard routines for hiding from AV tools, XOR masking, and installing a rootkit. But Stuxnet does no better at this than any other malware discovered last year. It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.”
Lawson concludes that whoever wrote Stuxnet likely was constrained by time and didn’t think there was enough of a return to justify the investment of more time in advanced cloaking techniques.