Did Conficker worm help sabotage Iran’s nuke programme?

(Reuters) – A cyber warfare expert claims he has linked the Stuxnet computer virus that attacked Iran’s nuclear program in 2010 to Conficker, a mysterious “worm” that surfaced in late 2008 and infected millions of PCs.

Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet, according to research from John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer.

“Conficker was a door kicker,” said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”

While it is widely believed that the United States and Israel were behind Stuxnet, Bumgarner wouldn’t comment on whether he believes the Americans and Israelis also unleashed Conficker, one of the most virulent pieces of so-called malware ever detected. He wouldn’t name the attackers he believes were behind the two programs, saying the matter was too sensitive to discuss.

The White House and the FBI declined to comment.

Prime Minister Benjamin Netanyahu’s office, which oversees Israel’s intelligence agencies, also declined comment.

If Bumgarner’s findings, which couldn’t immediately be independently confirmed, are correct, they would show that the United States and Israel may have a far more sophisticated cyber-warfare program than previously thought. The research could also be a warning to countries other than Iran that they might be vulnerable to attacks.

His account leaves several mysteries unresolved. These include the severity of the damage the program inflicted on Iran’s uranium enrichment facility, whether other facilities in Iran were targeted, and the possibility that other, as yet unidentified, pieces of malware were used in the same program.

The analysis may be met with skepticism in some quarters because dozens of researchers teamed up in 2009 and spent months studying Conficker, yet nobody concluded that the worm was used to attack Iran. Still, the bulk of that work was concluded long before Stuxnet was even discovered.

Bumgarner – who wrote a highly praised analysis of Russia’s 2008 cyber assault on the Republic of Georgia – says he identified Conficker’s link to Stuxnet only after spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code.

He is well regarded by some in the security community. “He is a smart man,” said Tom Kellermann, an advisor to the Obama Administration on cyber security policy and the chief technology officer of a company called AirPatrol.

His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud.

The worm’s latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny.

If confirmed, Bumgarner’s work could deepen understanding of how Stuxnet’s commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.

He provided Reuters with his timeline of the attack, which indicates it began earlier than previously thought. He said that it was planned using data stolen with early versions of Duqu, a data-stealing tool that experts recently discovered and are still trying to understand. The operation ended earlier than planned after the attackers were caught because they were moving too quickly and sloppiness led to errors.

WHO DID IT?

The view that Stuxnet was built by the United States and Israel was laid out in a January 2011 New York Times report that said it came from a joint programme begun around 2004 to undermine Iran’s efforts to build a bomb. That article said the programme was originally authorized by U.S. President George W. Bush, and then accelerated by his successor, Barack Obama.

The first reports that the United States and Israel were behind Stuxnet were greeted skeptically. There are still a handful of prominent cyber security experts, including Jeffrey Carr, the author of the book “Inside Cyber Warfare: Mapping the Cyber Underworld,” who dispute the U.S.-Israel idea. He says that circumstantial evidence paints a convincing case that China was behind Stuxnet.

According to Bumgarner’s account, Stuxnet’s operators started doing reconnaissance in 2007, using Duqu, which spied on makers of components used in Iran’s nuclear and critical infrastructure facilities.

In November 2008, Conficker was let loose and it quickly spread, attacking millions of PCs around the world. Its initial task was to infect a machine and “phone home” with its location. If it was at a strategic facility in Iran, the attackers tagged that PC as a target. The release left millions of untagged machines infected with Conficker around the world, but no damage was done to them.

In March 2009, Bumgarner says, the attackers released a new, more powerful version of Conficker that started the next phase of the attack on April 1 by downloading Stuxnet onto the targeted PCs. After it completed that task, Conficker’s mission on those machines was complete.

CRACKING THE CASE

It took Bumgarner months to conclude that Conficker was created by the authors of Stuxnet.

First, he noticed that the two pieces of malware were both written with unprecedented sophistication, which caused him to suspect they were related. He also found that infection rates for both were far higher in Iran than the United States and that both spread by exploiting the same vulnerability in Windows.

He did more digging, comparing date and time stamps on different versions of Conficker and Stuxnet, and found a correlation: key dates related to their development and deployment overlapped. That helped him identify April Fool’s Day, April 1, 2009, as the launch date for the attack.

Bumgarner believes the attackers picked that date to send a message to Iran’s leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.

He also identified two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, or translated from programming text into a piece of software that could run on a computer.

One coincided with a day when Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York.
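The compile-date comparison described in the passages above is a routine malware-analysis step: every Windows executable carries a COFF `TimeDateStamp` written by the linker, and analysts read it from each sample and look for days on which modules from different families were built. The following is an added example, not code from the Reuters report or from Bumgarner’s research. It builds minimal PE-shaped blobs with constructed timestamps (no real Conficker or Stuxnet samples are involved; the family labels `familyA`/`familyB` and the file names are placeholders), reads the stamp back, and reports calendar days shared by more than one family. The stamp is set by whoever built the binary, so a zeroed or forged value is possible; the reader treats a zero stamp as absent rather than as 1970.

```python
"""Added example: read PE compile timestamps and find days on which
samples from different families were built. All sample data is constructed."""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-runnable PE-shaped blob carrying the given
    TimeDateStamp. Constructed test data, standing in for a real sample."""
    e_lfanew = 0x40
    dos_stub = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)  # e_lfanew -> NT headers
    coff = struct.pack(COFF_HEADER, 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos_stub) + b"PE\0\0" + coff


def pe_compile_time(blob: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None when the
    field is zero. The value is writable by the builder, so it is a clue, not proof."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, _nsec, ts, *_rest = struct.unpack_from(COFF_HEADER, blob, e_lfanew + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None


def shared_compile_dates(samples):
    """samples: {name: (family, blob)}. Return {ISO date: sorted family names}
    for every calendar day on which more than one family has a compiled module."""
    by_day = defaultdict(set)
    for family, blob in samples.values():
        when = pe_compile_time(blob)
        if when is not None:  # skip zeroed/stripped stamps
            by_day[when.date().isoformat()].add(family)
    return {day: sorted(fams) for day, fams in by_day.items() if len(fams) > 1}


def _ts(year, month, day, hour=0):
    """Epoch seconds for a UTC wall-clock time (helper for constructing samples)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


# Constructed corpus: names, family labels and build times are illustrative only.
SAMPLES = {
    "worm_v1.dll":   ("familyA", build_fake_pe(_ts(2008, 11, 20, 9))),
    "worm_v2.dll":   ("familyA", build_fake_pe(_ts(2009, 3, 4, 14))),
    "payload_a.sys": ("familyB", build_fake_pe(_ts(2009, 3, 4, 16))),
    "payload_b.sys": ("familyB", build_fake_pe(_ts(2009, 4, 1, 2))),
    "stripped.dll":  ("familyB", build_fake_pe(0)),  # zeroed stamp: ignored
}

if __name__ == "__main__":
    for name, (family, blob) in SAMPLES.items():
        print(f"{name:15} {family:8} {pe_compile_time(blob)}")
    print("days shared by more than one family:", shared_compile_dates(SAMPLES))
```

Only the calendar day is compared here; a real investigation would also weigh time-zone conventions, linker versions and the possibility that an operator set the stamp deliberately, which is why a date overlap on its own is supporting evidence rather than attribution.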

FUTBOL FANS

The operators communicated with Stuxnet-infected computers over the Internet through servers using fake soccer websites that they built as a front for their operation: www.mypremierfutbol.com and www.todaysfutbol.com.

If Iranian authorities noticed that traffic, they would be deceived into assuming it was from soccer fans, rather than suspect that something was awry, Bumgarner said.

Once Conficker had pulled Stuxnet into computers in Iran there was still one big hurdle, he said. Those infected computers weren’t yet in the target – the underground uranium enrichment facility at Natanz. Getting the virus in there was one of the trickiest parts of the operation.
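The deception described above works only as long as nobody checks outbound hosts against a watchlist. As an added example that is not part of the Reuters report, the following matches proxy log entries against the two domains the article names. The log format and every line of sample traffic are constructed; only the two domain names come from the page. The check compares the URL’s host name, not the raw line, so a path that merely contains the string (line 4) and a look-alike host that merely starts with it (line 5) are not flagged, while a `www.` subdomain (line 1) is.

```python
"""Added example: flag proxy log entries whose destination host is, or is a
subdomain of, a watchlisted C2 domain. Log lines are constructed."""
import re
from urllib.parse import urlsplit

# The two front domains named in the article; the only non-constructed data here.
WATCHLIST = {"mypremierfutbol.com", "todaysfutbol.com"}

# Constructed squid-style access log: epoch client status bytes method url
SAMPLE_LOG = """\
1238580000.101 10.20.1.15 TCP_MISS/200 1422 GET http://www.mypremierfutbol.com/index.php?data=abc
1238580001.220 10.20.1.15 TCP_MISS/200 912 GET http://news.example.org/sports/futbol
1238580002.530 10.20.1.77 TCP_MISS/200 803 GET http://todaysfutbol.com/index.php?data=xyz
1238580003.004 10.20.2.9 TCP_MISS/200 640 GET http://cdn.example.net/todaysfutbol.com/logo.png
1238580004.418 10.20.1.15 TCP_MISS/200 1601 GET http://mypremierfutbol.com.lookalike.test/x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_matches(host: str, watchlist=WATCHLIST) -> bool:
    """True if host equals a watchlisted domain or sits beneath it (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def flag_c2_hits(log_text: str, watchlist=WATCHLIST):
    """Return [(client, host)] for every parsable line whose URL host matches."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, watchlist):
            hits.append((m["client"], host))
    return hits


if __name__ == "__main__":
    for client, host in flag_c2_hits(SAMPLE_LOG):
        print(f"{client} contacted watchlisted host {host}")
```

Matching on the parsed host rather than with a substring search is the point: a naive `"todaysfutbol.com" in line` would raise a false positive on line 4 and would also miss nothing on line 5 only by accident.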