
Was Conficker Stuxnet's Trojan?

Rambo Tribble writes "Reuters has published a provocative article describing the findings of cyberwarfare expert John Bumgarner, a former Army intelligence officer. His contention is that Conficker identified targets, then opened the door for Stuxnet. 'His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud. The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny. If confirmed, Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.'"
  • by Mr Z ( 6791 ) on Friday December 02, 2011 @07:46PM (#38245588) Homepage Journal

    It also seems possible that whoever wrote Stuxnet had pulled apart one or more pre-existing worms out there and decided to commandeer one, or at least collect intelligence from it. I mean, if someone has already done a bunch of dirty work for you, and you can piggyback on it "safely", then you have an effective vector for fast initial deployment.

  • sooo.... (Score:5, Interesting)

    by smash ( 1351 ) on Friday December 02, 2011 @08:37PM (#38246110) Homepage Journal
    If this was released by the US government, could infections in the government of other countries be considered an act of war? After all it is theft of resources and corruption of data.
  • by shuttah ( 2475982 ) on Friday December 02, 2011 @08:41PM (#38246146) Journal

    I'm doubting this story.

    Admittedly, the following two clues as to who the author(s) of Conficker are, are circumstantial, but I would like to offer them to you guys for consideration, since this behavior from Conficker has been observed and documented:

    1.

    "Once Conficker [A] infects a system, it includes a keyboard layout check, via the GetKeyboardLayout API, to determine whether the victim is currently using the Ukrainian keyboard layout. If so, [A] will exit without infecting the system. This suicide exit scheme has been observed in other malware-related software, such as Baka Software's Antivirus XP Trojan installer."

    The suggestion is that Conficker's author(s) were trying to avoid violating the local laws of their native country, presumably Ukraine (whose laws concerning computer crime seem to have several loopholes).

    Source [sri.com]

    2.

    In a honeynet, there was a connection observed of the [B] variant of Conficker using variant [A]'s protocol to take over a machine already infected with variant [A]... so it was Conficker trying to replace variant [A] with variant [B]. For several reasons (located in the source link below), it is suggested the packet captured was an instance of Conficker testing its own robust nature to not be taken over by another author or virus.

    The significance of this is the "hybrid" packet described above came from an address owned by, again, Baka Software in the Ukraine.

    Source [usenix.org]

  • by rekoil ( 168689 ) on Friday December 02, 2011 @10:45PM (#38246948)

    Entirely plausible. Conficker's phone-home mechanism was an algorithm that hashed the current date/time to generate a nonsense domain name, which it would then try to look up and grab a payload from. All the Bad Guys had to do was register one a few hours in advance, put up the payload, and wait. The groups who were fighting the thing managed to decompile the algorithm and play it forward, generating a list of hundreds of thousands of domain names that they then took to the various registries to get blocked. Paul Vixie was a big part of this, and here's [networkworld.com] a pretty good article on the group.

    It would not surprise me at all if CIA/Mossad/etc managed to get one of those domains un-blocked and used to deliver the Stuxnet payload.
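As an added illustration of the "play it forward" defence rekoil describes (example code, not from the post and not Conficker's actual algorithm: the seed, hash construction, TLD list and per-day domain count are all invented here), a toy date-seeded DGA next to the defender-side blocklist derived from it and a check of resolver queries against that list:

```python
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org"]     # constructed TLD set
DOMAINS_PER_DAY = 5              # constructed; real DGAs generate far more
SEED = b"example-dga-seed"       # constructed seed, not taken from any real worm


def dga_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive `count` rendezvous domains for a calendar day given as 'YYYY-MM-DD'.

    The same date always yields the same list, which is exactly what lets a
    defender who has recovered the algorithm pre-compute tomorrow's domains.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).digest()
        length = 8 + digest[0] % 5                      # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def play_forward(start_iso: str, days: int) -> set[str]:
    """Defender view: enumerate every domain the DGA will use over `days` days,
    i.e. the list a registry or resolver operator would pre-register or sinkhole."""
    start = date.fromisoformat(start_iso)
    block: set[str] = set()
    for offset in range(days):
        block.update(dga_domains((start + timedelta(days=offset)).isoformat()))
    return block


def flag_queries(queries: list[str], blocklist: set[str]) -> list[str]:
    """Return DNS query names (case-folded, trailing dot stripped) that hit the blocklist."""
    return [q for q in queries if q.rstrip(".").lower() in blocklist]


if __name__ == "__main__":
    blocklist = play_forward("2011-12-02", 7)
    # Constructed sample resolver log: one benign name, one DGA name for day 3
    sample = ["www.example.com", dga_domains("2011-12-04")[0].upper() + "."]
    print(len(blocklist), "domains to pre-register; hits:", flag_queries(sample, blocklist))
```

Because the generator is deterministic in the date, the blocklist only needs to be pushed to registries ahead of each day's window; a query that hits it is a candidate infected host rather than proof on its own.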

  • Re:Macbook (Score:4, Interesting)

    by tqk ( 413719 ) <s.keeling@mail.com> on Saturday December 03, 2011 @02:02AM (#38247808)

    Like the saying goes: If builders built buildings the way that programmers wrote programs ...

    Shitty saying. There's another (paraphrased): Crap programmers can write crap programs in any language.

    Still another: An idea is not responsible for those who hold it. Just because Bill Gates had no idea what he was doing, doesn't mean all programmers have no idea what they're doing. Sweeping generalizations are *always* wrong.

    Some (many?) crap programmers have created many deplorable situations. Happily, I'm one of the guys who gets called in to clean up their messes. When I leave, the problem's solved, never to return. They're left with one less unmaintainable mess.

    May dmr's ghost haunt you to your grave, and beyond. >:-(
