Stuxnet developers made ‘too many mistakes’

News 19 Jan, 2011

A researcher suggests the notorious Stuxnet worm was not actually technically astounding.

The creators of Stuxnet made “too many mistakes” and much went wrong in its use, a researcher has claimed.

Speaking at the Black Hat DC conference yesterday, security consultant Tom Parker said it was unlikely a Western state was responsible for developing Stuxnet due to the issues it encountered.

Parker claimed there was “too much technical inconsistency” and suggested Stuxnet’s code was not of particularly high quality, Kaspersky Lab’s Threatpost reported.

Furthermore, he said the command-and-control mechanism was badly put together. It was also unlikely the creators wanted Stuxnet to spread over the internet as it did, Parker added.

However, he said Stuxnet was still very effective on a number of levels and it was highly unlikely only one person developed the worm on their own.

"There are a lot of skills needed to write Stuxnet," Parker said.

"Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That's a broad set of skills."

He hypothesised two separate groups could have launched Stuxnet – possibly a set of skilled programmers to produce the code and exploits, and a less technically proficient group to adapt the worm for its final use.

Mikko Hypponen, chief research officer at F-Secure, suggested Stuxnet authors may not have added encryption and anti-debugging features "because they wanted to make the program look as 'normal' as possible."

"Most AV labs use automation to find 'suspicious' samples," Hypponen told IT PRO.

"Stuxnet didn't look suspicious. It looked like an automation toolkit that would install signed device drivers."

When Stuxnet emerged last year, it caused a big stir in the security sphere, with many hailing it as a watershed moment.

A recent report in the New York Times suggested Stuxnet was tested in Israel before the worm was involved in sabotage of Iranian nuclear centrifuges.

The report, which cited unidentified intelligence and military experts, indicated Stuxnet was tested at the heavily-guarded Dimona complex in the Negev desert.