A well-known security consultant has gone public with his startling hypothesis that Conficker, a notorious but still-mysterious computer worm that confounded IT managers for months in 2008 and 2009, was actually a dry run for Stuxnet, the worm that infected and apparently disabled an Iranian nuclear facility in 2010.
“Conficker was a door kicker,” John Bumgarner, a former U.S. Army and U.S. Marines officer who’s also worked at IBM and Lucent, told Reuters in a story that was posted online Friday morning (Dec. 2). “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”
If Bumgarner’s hypothesis is true, it would finally explain the mystery behind Conficker, which had infected perhaps 15 million PCs by early 2009. The worm built a huge botnet army of linked computers, yet never switched it on. Its authorship has never been determined, though evidence hints at Ukrainian cybercriminals.
Stuxnet is thought to have been created by U.S. and Israeli intelligence services to cripple the Iranian nuclear-fuel-processing facility at Natanz, which suffered unexplained accidents and shutdowns in the summer of 2010.
Other security researchers aren’t convinced by Bumgarner’s scenario.
“This account stretches my credulity to [the] breaking point,” said Britain-based Trend Micro researcher Rik Ferguson in a blog posting later Friday.
“Conficker/Stuxnet is quite the stretch,” tweeted Kaspersky Lab researcher and ZDNet writer Ryan Naraine on Friday.
Too many coincidences?
Bumgarner, who is now the chief technology officer for the U.S. Cyber Consequences Unit, a nonprofit think-tank that advises government agencies on cybersecurity, thinks there are too many similarities between Conficker and Stuxnet to be coincidental.
Both were highly sophisticated, both spread via USB sticks and both rapidly mutated, he said. Bumgarner also said there are overlapping dates marked in the developed code for both, as well as in Duqu, a recently discovered Trojan that many security experts think was created by the writers of Stuxnet.
Ferguson didn’t buy it.
“The levels of sophistication in Conficker and Stuxnet are in different leagues,” he countered. “Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.”
Ferguson pointed out that all of Conficker’s exploits were of already-known vulnerabilities that many people simply hadn’t bothered to patch. In contrast, Stuxnet used four rare and valuable “zero-day” Windows exploits that had never before been known of, and Duqu used one.
Bumgarner also leaves out the fact that Conficker initially spread through a vulnerability in the networking component of Windows. Only later did it move on to exploiting the “instant-run” feature that automatically ran programs on USB sticks as soon as they were plugged into PCs.
Conficker was eventually defeated by a group of security and software companies that Microsoft put together in early 2009. It is now detected and destroyed by most major anti-virus software packages. Microsoft is still offering a $250,000 reward for information leading to its creators.
Nevertheless, Bumgarner told Reuters that Conficker, like Stuxnet, is a cyberweapon, not a criminal creation, and that its silent botnet may someday wake up.
“Conficker represents the largest cyberarmy in the world,” he said. “These soldiers are just waiting for their next mission.”