
Was Conficker Stuxnet's Trojan?

Posted by Soulskill
from the malware-voltron dept.
Rambo Tribble writes "Reuters has published a provocative article describing the findings of cyberwarfare expert John Bumgarner, a former Army intelligence officer. His contention is that Conficker identified targets, then opened the door for Stuxnet. 'His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud. The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny. If confirmed, Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.'"
  • cyberwarfare expert

    Yeah, I'm pretty sure he is an expert on cyberhacking too. This likely is a big FUD generated by this government-employed guy to make America seem more powerful. Conficker did much more damage to the US to be worth doing something like that.

    • by arogier (1250960)
      Conficker did seem like the coming apocalypse until its due date came and went. Then...

      Nvir was probably more disruptive.
      • by Raumkraut (518382)

        Conficker did seem like the coming apocalypse until its due date came and went. Then...

        ...the nascent mind realised the fear and opposition it would face if its existence was known. Instead it stays quiet, gradually infiltrating so broadly and deeply into our infrastructure, that we could not remove it without destroying everything we have built.

        The singularity [emhsoft.com] is now.

  • Anyone worried about Stuxnet or a successor popping up has probably completely ditched Windows PCs.

    • by Hentes (2461350)

      Or doesn't have a well, fireplace and backup generator. Sadly, most industrial systems are vulnerable to similar attacks.

      • Why are industrial systems wired to the internet and using old versions of Windows and requiring IE 6 to log in anyway?

        If Stuxnet got into Iran my guess would be a spy loaded it with a flash drive. Who would be retarded enough to put a nuclear reactor ... I won't go there as I know what the answer is and I do not like it.

        Windows is needed by people to run Office and use their PCs, as Linux is questionable still. But industrial equipment does not require OLE, Office, ActiveX, and other MS desktop standards to

  • by Mr Z (6791) on Friday December 02, 2011 @07:46PM (#38245588) Homepage Journal

    It also seems possible that whoever wrote Stuxnet had pulled apart one or more pre-existing worms out there and decided to commandeer one, or at least collect intelligence from it. I mean, if someone has already done a bunch of dirty work for you, and you can piggy back on it "safely", then you have an effective vector for fast initial deployment.

    • For one, because if you're engaging in a "cyber attack" you wouldn't want someone else to have that much insight into what you're doing. Do you want the Eastern European thugs knowing how your stuff works? Worse, do you want to be dependent on their vector?

      It makes more sense here to do it right than to piggyback. I'd also like to think that the agency that might have created these things can out-do a rag-tag bunch of European criminals.

      • by Mr Z (6791)

        Who says they'd find out? All they'd know is that you used their software to open up a port. And, given that Conficker landed with a thud to begin with, perhaps the spooks had taken over its C&C infrastructure and were pretty certain they had control over it. If you can get someone else to do your dirty work without them realizing they're doing it, it's harder to trace back to you.

        • Who says they'd find out? All they'd know is that you used their software to open up a port.

          They had pretty good control over that bad boy, and if activity happened that wasn't theirs I'd think they'd know.

          If you can get someone else to do your dirty work without them realizing they're doing it, it's harder to trace back to you.

          I get the deniability angle, but you can always deflect even if you did the dirty work.

    • by rekoil (168689) on Friday December 02, 2011 @10:45PM (#38246948)

      Entirely plausible. Conficker's phone-home mechanism was an algorithm that hashed the current date/time to generate a nonsense domain name, which it would then try to look up and grab a payload from. All the Bad Guys had to do was register one a few hours in advance, put up the payload, and wait. The groups who were fighting the thing managed to decompile the algorithm and play it forward, generating a list of hundreds of thousands of domain names that they then took to the various registries to get blocked. Paul Vixie was a big part of this, and here's [networkworld.com] a pretty good article on the group.

      It would not surprise me at all if CIA/Mossad/etc managed to get one of those domains un-blocked and used to deliver the Stuxnet payload.
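The "play it forward" defence rekoil describes, as an added example that is not part of the original post and does not use Conficker's real algorithm: a constructed date-seeded domain generator stands in for the worm's, the generator is run ahead over a window to build the blocklist, and constructed DNS log lines are checked against it.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")

def toy_dga(day, index):
    """Constructed stand-in for a date-seeded domain generator (not Conficker's).
    Hashes the date plus a counter and maps the digest to a lowercase label."""
    seed = f"{day.isoformat()}:{index}".encode()
    digest = hashlib.sha256(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
    return f"{label}.{TLDS[digest[8] % len(TLDS)]}"

def play_forward(start, days, per_day):
    """Pre-compute every domain the generator will emit over the window.
    This is the list defenders can hand to registries for blocking or sinkholing."""
    return {toy_dga(start + timedelta(d), i)
            for d in range(days) for i in range(per_day)}

def parse_query(line):
    """Parse a constructed DNS log line of the form '<ts> <client> query <qname>'."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "query":
        return None
    return parts[1], parts[3].rstrip(".").lower()

def find_hits(log_lines, blocklist):
    """Return (client, qname) pairs whose lookups match the pre-computed list."""
    hits = []
    for line in log_lines:
        parsed = parse_query(line)
        if parsed and parsed[1] in blocklist:
            hits.append(parsed)
    return hits

START = date(2011, 12, 2)
BLOCKLIST = play_forward(START, days=3, per_day=50)

# Constructed log sample: two lookups produced by the toy generator, one benign.
SAMPLE_LOG = [
    f"2011-12-02T08:00:01 10.0.0.5 query {toy_dga(START, 7)}.",
    "2011-12-02T08:00:02 10.0.0.6 query www.example.com.",
    f"2011-12-03T09:15:44 10.0.0.7 query {toy_dga(START + timedelta(1), 42)}",
]

if __name__ == "__main__":
    for client, qname in find_hits(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} looked up a pre-computed DGA domain: {qname}")
```

A client that resolves several of these names in a row is the signal a sinkhole or resolver log would surface; the benign lookup never matches.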

    • by jrumney (197329)
      Another plausible explanation is that the governments of Israel and US tracked down the original East European authors of Conficker before they deployed the financial fraud aspect of it, and made them an offer they couldn't refuse to come and work for them.
  • sooo.... (Score:5, Interesting)

    by smash (1351) on Friday December 02, 2011 @08:37PM (#38246110) Homepage Journal
    If this was released by the US government, could infections in the government of other countries be considered an act of war? After all it is theft of resources and corruption of data.
    • by RockDoctor (15477)
      Probably. Which would make the nuclear strike against New York's harbour district as morally justified a response as, say, Hiroshima.

      Got to test those nukes somewhere, after all. It's not as if New York has any important inhabitants or cultural artefacts.

  • by shuttah (2475982) on Friday December 02, 2011 @08:41PM (#38246146) Journal

    I'm doubting this story.

    Admittedly, the following two clues as to who the author(s) of Conficker are, are circumstantial, but I would like to offer them to you guys for consideration since this behavior from Conficker has been observed and documented -

    1.

    "Once Conficker [A] infects a system, it includes a keyboard layout check, via the GetKeyboardLayout API, to determine whether the victim is currently using the Ukrainian keyboard layout. If so, [A] will exit without infecting the system. This suicide exit scheme has been observed in other malware-related software, such as Baka Software's Antivirus XP Trojan installer."

    The suggestion is that Conficker's author(s) were trying to avoid violating the local laws of their native country. Presumably Ukraine (whose laws concerning computer crime seem to have several loopholes).

    Source [sri.com]

    2.

    In a honeynet, there was a connection observed of the [B] variant of Conficker using variant [A]'s protocol to take over a machine already infected with Variant [A]... so it was Conficker trying to replace variant [A] with Variant [B]. For several reasons (located in the source link below), it is suggested the packet captured was an instance of Conficker testing its own robust nature to not be taken over by another author or virus.

    The significance of this is the "hybrid" packet described above came from an address owned by, again, Baka Software in the Ukraine.

    Source [usenix.org]

  • by PolygamousRanchKid (1290638) on Friday December 02, 2011 @09:25PM (#38246506)

    They sent it down to us via the SETI radio astronomy antennas. From there it spread using the SETI@home grid. The aliens became alarmed when Werner von Braun started playing with rockets, and started on a long term program to thwart what they saw as an effort from us to plaster them with rockets. The Voyager and Galileo probes were actually built to scout out potential targets of alien weapons of mass cosmic destruction. When briefed about our program, the alien Supreme Leader cursed at the German scientist, and his plans, and his meddling kids, and called him a "fucker." The label with the aliens stuck, so they named their worm "Con-Ficker", "ficker" being German for "fucker" and "con" meaning "against." "Con-ficker", "Against-fucker" . . . Aliens pissed off at German Earthlings rocketry tom-foolery . . . write a virus to control us . . . send it down to the SETI folks, who are foolish enough to be looking for aliens anyway . . . or maybe clever enough to spot alien targets.

    It all falls into place if you really think about it.

    Probably.

    At least my wacky speculation is as plausible as that from anyone else. And mine is definitely wackier. Lasts longer. Tastes better.

  • I am afraid that the connection between Conficker and Stuxnet is only speculation. The present cybercriminal world is too complicated, and you can see a connection between nearly everything if you want...
