The Conficker worm, a virus believed to have infected up to 15 million computers in 2009, was a “smoke screen” for the 2010 Stuxnet attack on Iranian computer systems, according to John Bumgarner, the CTO of the US Cyber Consequences Unit.
“Conficker was a door kicker,” Bumgarner told Reuters. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”
According to Bumgarner, Conficker was used to identify target machines in Iran for the Stuxnet virus, and then to pull the Stuxnet virus down onto those machines. The final hurdle was to get the virus onto the computers which controlled the centrifuges, which were not connected to the internet, and needed a human “mule” to plug an infected USB stick into the computers.
Bumgarner told Reuters that he identified the link to Stuxnet only after spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code. An “unprecedented level of sophistication” and an overlap in the development and deployment of the two pieces of malware led him to conclude that the two were related.
The IT security community has questioned Bumgarner’s analysis. Rik Ferguson, director of security research at Trend Micro, tweeted: “It looks so weak. Spread Conficker globally, years later pull down Stuxnet only onto Iranian machines, wait for someone to put in a USB who might then happen to take the same USB to a nuclear facility.”
“It [Conficker] had no PLC (programmable logic controller) related payload whatsoever and was actually used to deliver FakeAV (anti-virus),” Ferguson wrote. “I just can’t credit the theory at all.”