Stuxnet. The malware destined to become a movie, sadly all based on unfounded speculation and a desire to cover up poor analysis and reporting.
The sample of Stuxnet analyzed by Symantec had an unreported bug. Stuxnet created the file winsta.exe and continually appended to it, so that winsta.exe grew by tens of gigabytes in a very short period of time. In short, it quickly consumed available drive space and created a rather critical, and highly visible, symptom for victims: the type of thing that typically leads to much discussion online, particularly when the victim has no way of knowing which event it is attributable to.
Once aware of this bug, which antivirus vendors had overlooked in such an important piece of malware as Stuxnet, the natural course was to look for the very earliest mention of it. Using translation services to interpret foreign languages and clicking through each and every result to ensure absolute integrity in the dating of this event took days, not hours. But the research did pay off, and the earliest date was found: June 19, 2010.
It's worth noting as well that the earliest detection of this file was via Microsoft Security Essentials, which began detecting the inflated winsta.exe on July 8, 2010 as TrojanDropper:Win32.Stuxnet.A.
Information in hand, the evidence was then sent to antivirus vendors who had either failed to mention the file at all in their reports or had mentioned the file but overlooked the bug. On February 11, 2011 - some six months after reporting the bug - Symantec finally updated their Stuxnet report to include:
"Stuxnet is able to copy itself to remote computers as %System%\winsta.exe through the Printer Spooler, and then execute itself. Winsta.exe may contain multiple copies of Stuxnet and grow abnormally large."
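The symptom described above, a dropped executable that keeps growing because further copies are appended to it, is cheap to check for on a host, and the check matters because a file that has ballooned to tens of gigabytes should not be read whole into memory. The following Python is an added example written for this post; it is not code from the original article or from any vendor report. It assumes, as the Symantec wording suggests, that each appended copy is a whole PE image, so it counts DOS headers whose e_lfanew pointer lands on a valid PE signature, scanning only the first 16 MiB of the file and taking the total size from the filesystem. The size limit and the sample bytes are constructed for illustration.

```python
"""Flag a dropped EXE that looks like several PE images appended end to end."""
import os
import struct

PE_SIG = b"PE\0\0"
SIZE_LIMIT = 64 * 1024 * 1024   # assumption: a legitimately dropped EXE is nowhere near this
SCAN_BYTES = 16 * 1024 * 1024   # only the file prefix is scanned; the appended copies begin there


def count_pe_images(data: bytes) -> int:
    """Count DOS/PE headers in data.

    A PE image starts with 'MZ' and stores the offset of its 'PE\\0\\0'
    signature at 0x3C (e_lfanew). Validating that pointer avoids counting
    stray 'MZ' byte pairs that occur inside code or data sections.
    """
    count = 0
    pos = 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(data):
            return count
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        if 0x40 <= e_lfanew <= 0x1000 and data[pe_off:pe_off + 4] == PE_SIG:
            count += 1
            pos = pe_off + 4          # skip past this header, keep looking for the next copy
        else:
            pos += 1                  # false 'MZ' hit, move on one byte


def assess(prefix: bytes, total_size: int, size_limit: int = SIZE_LIMIT) -> dict:
    """Combine the header count with the on-disk size into a verdict."""
    images = count_pe_images(prefix)
    return {
        "size": total_size,
        "pe_images": images,
        "suspicious": images > 1 or total_size > size_limit,
    }


def assess_file(path: str, size_limit: int = SIZE_LIMIT) -> dict:
    """Check a real file without loading a multi-gigabyte blob into memory."""
    total = os.path.getsize(path)
    with open(path, "rb") as fh:
        prefix = fh.read(SCAN_BYTES)
    return assess(prefix, total, size_limit)


def build_sample_image(body: bytes = b"\xcc" * 64) -> bytes:
    """Constructed stand-in for one dropped executable: a minimal DOS header whose
    e_lfanew points at a PE signature, then filler. These are not real malware bytes."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + body


if __name__ == "__main__":
    healthy = build_sample_image()
    bloated = build_sample_image() * 3        # three copies appended end to end
    print(assess(healthy, len(healthy)))      # one image, not suspicious
    print(assess(bloated, len(bloated)))      # three images, suspicious
```

Run against a real path with `assess_file(r"C:\Windows\System32\winsta.exe")`; a single-image result of ordinary size is the expected benign case, while more than one validated header in the prefix, or a size far beyond what a spooler-dropped executable should be, is the symptom the post describes and is worth preserving for forensics rather than deleting on sight.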
So why is this important? The winsta.exe bug can be used to date the variant that Symantec analyzed - the same variant that some media super jocks would have us believe was deliberately designed to target Iran. Yet this variant is definitely not the original Stuxnet. Indeed, it's quite possibly simply a red herring planted after the original Stuxnet worm was discovered/disrupted earlier in the month.
It's worth noting that the February 11, 2011 Symantec update also included the overdue admission that multiple (at least 5) companies were initially targeted and that the first victims were in June and July 2009. This is particularly interesting, given that Symantec originally claimed an Iranian connection based on Web traffic gathered in July 2010 - a full year after Stuxnet began. Perhaps in an attempt to stubbornly justify that bad data analysis, the updated report also states, "All targeted organizations have a presence in Iran."
That's a particularly interesting and revealing choice of words. What major oil/energy company doesn't have a presence in Iran? Having a presence in Iran and Iran being the specific target are two entirely different things. Trying to craftily word around the facts just brings further discredit to Symantec.
So why such a continued push towards the Iran conspiracy? Here are three good reasons:
- If you were an antivirus vendor that used completely erroneous, year-later data to "prove" some spurious connection, you might be inclined to try to save face no matter what.
- If you're a super jock journalist who did little fact-checking before reporting the Iran myth as fact, you too could have a vested interest in keeping that same story on track. Parading out anonymous former government spooks speaking off the record holds sway with some of the general public and could be an effective tactic to propel the fiction forward.
- If you're the one who posited the bogus theory to begin with, of course you'll go along for the celebrity sideshow. After all, who cares about facts when the fiction generates so much more fanfare? And Ted Talks. Of course, Obama won the Nobel Peace Prize before ever taking office or doing anything of import, so Ted Talks denigrating itself for a non-credible celeb isn't such a huge surprise.
Myriam Dunn Cavelty of the Parliamentary Brief still says it best:
"The one big problem with the Stuxnet story is that it is almost entirely based on speculation. Beyond the fact that Stuxnet is an unusual piece of code, it garnered so much international attention because of its possible link to the Bushehr nuclear power plant in Iran. The German industrial control security expert, who was the first to draw this conclusion, labeled his theory as 'highly speculative'. As soon as his theory moved from the specialist computer press into the mainstream press, the original caveats were forgotten, a common pattern for cyber threat stories."
The only thing to add is that Stuxnet is - without dispute - the most important malware in history. It would be nice if for once the industry (including vendors and journalists) would put their self-interests on hold, would stop trying to save face, and would instead delve into the truth of Stuxnet so at least we have the real facts.
