The Conficker worm was one of the more intriguing and potentially destructive pieces of malware of the past decade. Earlier reports have suggested that Stuxnet was created by the US and Israeli governments, and now Reuters has a source telling them that Conficker was also used in the effort to sabotage Iran’s nuclear program.
John Bumgarner, a retired Army intelligence officer and head of the non-profit US Cyber Consequences Unit, says the worm was part of a carefully executed plan to deliver Stuxnet to key pieces of equipment in Iranian nuclear facilities. Despite earlier researchers’ conclusions that Conficker was not used in the attack, Bumgarner kept digging and, as Reuters writes, believes he found the connection.
It took Bumgarner months to conclude that Conficker was created by the authors of Stuxnet.
First, he noticed that both pieces of malware were written with unprecedented sophistication, which led him to suspect they were related. He also found that infection rates for both were far higher in Iran than in the United States, and that both spread by exploiting the same Windows vulnerability.
He dug further, comparing date and time stamps on different versions of Conficker and Stuxnet, and found a correlation: key dates in their development and deployment overlapped. That helped him identify April Fool’s Day, April 1, 2009, as the launch date for the attack. (One caveat worth keeping in mind: the compile timestamp in a Windows executable is written by the build tools and can be set to any value the author likes, so timestamp correlations are circumstantial evidence at best.)
Bumgarner believes the attackers picked that date to send a message to Iran’s leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.
He also identified two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, i.e., translated from source code into executable software.
But getting the malware onto the actual computers inside Iran’s facilities proved trickier. Because those machines aren’t connected to the internet, Bumgarner believes the US government first got the code into the country through a fake website, then planted an operative inside Iran’s facilities who loaded it onto the relevant computers from a USB drive. He thinks that was enough to wreck the centrifuges, whose Siemens control systems Stuxnet was designed to target.
Is this even real life? It sounds too wild to be true. But when you consider that Conficker never ended up delivering any obvious payload to the millions of computers it infected, the theory seems feasible. Either way, the entire story is a great read. [Reuters via The Verge]