Expert: Stuxnet Did Not Escape into the Wild

Larry Constantine, a professor at the University of Madeira, in Portugal claims that the infamous Stuxnet malware couldn’t have escaped into the wild by jumping on to the laptop of an engineer who connected his device to infected PLCs (Programmable Logic Controllers) that were controlling the centrifuges.

A few months ago, the New York Times reported that Stuxnet was developed by the United States and Israel and that it reached the Internet after the aforementioned technician connected his infected laptop to the Web.

However, according to Constantine, Stuxnet couldn’t have escaped as described in this scenario because it wasn’t designed to propagate over the Internet. It could spread only on local area networks and removable drives.

He highlights the fact that the worm wasn’t as widespread as other pieces of malware that we see today, infecting millions of machines.

In his interview with IEEE Spectrum, the professor underscored another flaw in the theory. He said that it would have been impossible for Stuxnet to copy itself from the PLCs that were controlling the centrifuges to the engineer’s laptop in the first place.

“This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn’t have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible,” he explained.

Some agree with Constantine’s theory, but others aren’t so sure that it couldn’t have spread to the Internet.

Speaking to The Register, researchers from ESET noted that in reality, Stuxnet could have propagated through the Internet “under some circumstances via network shares along with VPN and using the RPC vulnerability.”

Furthermore, the experts highlight that even Symantec, the source cited by Constantine when speaking of the number of infected devices, admitted that in September 2010 there were around 100,000 infected hosts. According to the researchers, the number is high enough to rank Stuxnet as a piece of malware that got into the wild.