Conficker, Duqu, Stuxnet, Aliens, Confuxnet!

I have just read a Reuters news story in which respected “cyber warfare expert” John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack, using Stuxnet, on nuclear facilities in Iran.
Bumgarner claims that initial reconnaissance work was carried out using Duqu in 2007 to identify targets relevant to a later attack by Stuxnet. In November 2008 Conficker was released globally to infect as many machines as possible. When a Conficker infection phoned home, if the victim machine was found to be in an apposite location (Iran) it was flagged as a later target for Stuxnet. He further states that Conficker did no damage to machines outside Iran and that on the infamous April 1st “activation date” (of the third variant, from March 2009) it was used to pull down Stuxnet to those machines located in interesting locations in Iran.
Here is the evidence, all of it unsubstantiated as far as I can ascertain, that Bumgarner presents to support his claim:
1 – Both Stuxnet and Conficker show evidence of “unprecedented sophistication”, leading him to believe that they are related.
2 – Both Stuxnet and Conficker use the same vulnerability to infect machines (MS08-067).
3 – Unspecified “key dates” in the timestamps of unspecified “different versions” of Conficker and Stuxnet overlap and also “helped him to identify April 1 2009 as the launch date for the attack”.
4 – April 1st 2009 was the 30th anniversary of the declaration of an Islamic Republic in Iran. Other unspecified dates also corresponded with days when “Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York”.
As regards the end-game, the eventual infection of machines physically located in the right place inside nuclear facilities, Bumgarner concedes that at this point the malware wasn’t yet “in the target”. So to make that final crucial leap, Stuxnet was designed to infect USB drives, in the hope that someone would later take the same USB drive from a Conficker/Stuxnet infected machine and plug it into a machine located on an air-gapped network in a nuclear facility. At that point, Bumgarner states, “it was checkmate”.
Phew, what a ride! You’ll forgive me I hope if I say that this account stretches my credulity to breaking point. Let me list a few reasons why.
1 – If targets outside of Iran were surplus to requirements, why did the first iteration of Conficker only exclude computers based in Ukraine? Why was that restriction later removed? Why not only infect machines in Iran in the first place? It is also not true to say that machines infected with Conficker were all unharmed: Conficker was used to deliver Fake AV and had a functional relationship with the Waledac botnet’s C&C infrastructure.
2 – The levels of sophistication in Conficker and Stuxnet are in different leagues. The original version of Conficker used a single, already patched Windows vulnerability to spread; the second variant added the capability to spread via removable drives and by brute forcing passwords against a list of common password variants, neither method being sophisticated. There was a level of sophistication in the scale of pseudo-random domains that were generated by the malware as potential C&C locations, but nothing that wasn’t quickly reverse engineered and understood. In the third variant of Conficker the propagation methods were actually removed, only to reappear again in the fourth significant variant. Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.
3 – I would theorise that the creators of Stuxnet chose to also use the MS08-067 vulnerability because its effectiveness is demonstrated by the fact that Conficker is still one of the most prevalent infections in enterprise networks, three years after its initial appearance. Why would you make two pieces of malware that propagate using the same vulnerability and yet rely on one to download the other?
4 – The “activation date” of April 1 was coded into the third variant of Conficker. You don’t need unspecified time-stamps on unspecified files to tell you that.
5 – April 1st is also April Fool’s Day in many countries around the world; it’s also the anniversary of the founding of Apple Inc., the founding of the Serious Organised Crime Agency (SOCA) in the UK, the birth of the Republic of Ireland and the land blockade of West Berlin by the East German military. Get my point? As regards President Mahmoud Ahmadinejad saying that his country would continue to pursue its nuclear program, well surely, pick a day, pick any day…
Then of course there’s the difficult conclusion, relying on persons unknown to plug a USB device into a Confuxnet infected machine, then unknowingly taking that same USB drive and plugging it into a PLC in a nuclear facility. Given the “unprecedented sophistication” of everything that has gone before, isn’t this one just a tiny bit of a shot in the dark? A little bit “hit and hope”?
Sorry Mr. Bumgarner, it could be true, of course it could, and it could be that you have been misreported, but on the evidence you present so far, I just don’t buy it.
If I were a government with this kind of resource at my disposal, wouldn’t it make sense for one of my operatives in the target facility to simply take the USB containing Stuxnet right there for me?
I know, there weren’t any aliens.

4 thoughts on “Conficker, Duqu, Stuxnet, Aliens, Confuxnet!”

  1. ip intel

    Rik is right. Stuxnet and Conficker are not related. Bumgarner is a journalist – a good story teller, but his stories do not hold when read by computer scientists or security professionals.

  2. Guy Fifther

    I think Bumgarner is right. Militant zionists never cared a damn about collateral damage, be it computers worldwide or Palestinian civilian housing in Gaza and Lebanon.

    Also, please note, there are alternative names for Conficker. F-Secure used Downadup, but Kaspersky Lab uses “Kido”, which rhymes with “Zhido”, the Slavic language word used for the Israelite nation.

    Maybe Kaspersky Lab knew from the first minute that Tel-Aviv was behind the Conficker malware, but were not allowed to publish it by the powers that be, so they only put a riddle reference in the malware’s name?

    It is well-known that Stuxnet was created by the Unit-8200 electronic warfare battalion of the zionist military, the self-styled IDF.

  3. Mikkie

    Thanks for the nice article Rik, I think the “evidence” speaks for the man himself. You know P.T. Barnum once said “There’s a sucker born every minute…” And I guess he has just been further proven to be right ;-)

