
Conficker worm linked to Stuxnet, respected US expert claims

Both aimed at Iran's nuclear programme


The Stuxnet malware was not only built to attack Iran's nuclear programme; its assault was also aided by the Conficker worm of 2008, a respected US security researcher has claimed.

According to a Reuters report, John Bumgarner of the independent US Cyber Consequences Unit (US-CCU) has researched a number of connections between the two pieces of malware, concluding that they were part of the same anti-Iran programme.

Bumgarner believes from analysing Conficker that its activation date - April Fool's Day 2009 - was chosen because it was the 30th anniversary of Iran being declared an Islamic Republic. In addition, he discovered that the compilation dates for other modules matched two days on which Iranian President Mahmoud Ahmadinejad made speeches significant for the country's nuclear programme.

Conficker’s job, then, was to attack Iranian Government computers in advance, probing for weaknesses and compromising machines for the more disruptive payload unleashed by Stuxnet 18 months later.

"Conficker was a door kicker. It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet," he told Reuters.

With its pointed use of significant dates, Conficker also served as a veiled message to Iran's leadership from Israel and the US, although Bumgarner does not name the senders himself.

Without further evidence, Bumgarner's theory is highly speculative and will remain an informed opinion rather than an established finding until that evidence is provided. Bumgarner is, however, a respected security expert and former intelligence officer, so his views will add to the growing body of theories on the origins of Stuxnet and Conficker.

Conficker was first detected in November 2008, infecting large numbers of PCs; a year after its discovery this had reached at least 7 million, according to the Shadowserver Foundation, although that figure included subsequent variants adopted by criminals. It has always been seen as part of a conventional criminal campaign.

It did have one unusual element which might or might not chime with Bumgarner's theory, depending on how it is interpreted: the malware was set to activate in botnet form on a specific day, 1 April 2009, some months after first being released.

As organisations raced to remove it in advance of this date, the scale of the malware's success became apparent, with infections found in the French and UK militaries and in at least one British police force. It is believed to have infected machines in Iran just as easily, although how many is impossible to confirm.

Because Conficker spread by exploiting a Windows software flaw (the Server service vulnerability patched by Microsoft in October 2008 as MS08-067), Microsoft offered a $250,000 bounty for information leading to the arrest of its creators. This went unclaimed.

The delayed activation of Conficker looks like an odd tactic for an important piece of malware meant to pave the way for a later attack, Stuxnet. By the time the activation date arrived, competent security teams had removed it, neutralising its threat.

Bumgarner’s theory seems to be that it had already done its work by then and the 1 April date was deployed as a sort of cyberwar feint.

Connected or not, Stuxnet appeared in June 2010 and is now known to have been hugely successful at invading the industrial control systems used in Iran's uranium enrichment programme.

In recent weeks, a third piece of sophisticated malware, Duqu, has been connected to Stuxnet by some security companies, again on the basis of fairly circumstantial evidence. Iran has admitted being affected by Duqu, although the same is true of many organisations around the world.

Techworld UK - Technology - Business