CHAPTER 2
500 KILOBYTES OF MYSTERY
In the six years Liam O’Murchu had been analyzing viruses and worms, he’d never seen anything like the code he was looking at now. It was using techniques that went way beyond anything he’d ever seen other malware do. This wasn’t at all what he’d expected when he sat down at his computer in Symantec’s Southern California office and pulled up the Stuxnet files that had arrived overnight from his colleagues in Europe.
It was Friday, July 16, the day after the news of Stuxnet had broken in the tech community, and O’Murchu was in the midst of what he thought would be a routine and perfunctory review of the code. The thirty-three-year-old Irishman was manager of operations for the Security Response team in Symantec’s Culver City office, and it was his job to review new malware that came in to determine if it merited closer scrutiny.
Analysts in the company’s office in Dublin, Ireland, had got hold of the Stuxnet files late in their afternoon but only had a couple of hours with the code before it was time to hand it off to O’Murchu’s team in California, who were just waking up. Symantec’s threat-analysis team is spread across multiple continents so that anytime an important threat pops up, someone somewhere is awake to jump on it. Then as the sun sets on oneoffice and rises on another, workers in one time zone hand off their notes, like tag-team wrestlers, to those in the next zone.
Not all malware gets this follow-the-sun coverage. Of the more than 1 million malicious files Symantec and other security firms find each month, most are copycats of known tools that hackers simply tweak to alter their fingerprints and try to outrun antivirus scanners. These standard threats get piped through algorithms that tear through the code looking for signatures or behavior that matches known malware. Code gets kicked out of the queue for researchers to examine manually only if the algorithms find something they can’t reconcile. Malware containing, or suspected of containing, a zero-day exploit always gets examined by hand, which is the only reason Stuxnet landed on O’Murchu’s desk.
O’Murchu is an avid snowboarder with a lyrical accent and closely cropped brown hair sculpted vertically in front like the lip of a small half-pipe. A fairly recent transplant to the United States from Dublin, he’d only been in Symantec’s California office about two years before Stuxnet struck, but he’d worked for the company since 2004. He led a team of highly skilled malware analysts and reverse engineers who were engaged in a constant battle against an onslaught of digital threats, each one often more advanced than the last. None of them, however, prepared him for what he found in Stuxnet.
O’Murchu expected their examination of the code would be merely routine, just to confirm the presence of the zero-day exploit that Ulasen and Kupreev had already found. So he passed the code off to a junior engineer, thinking it would be a good opportunity to train him on zero days, and only examined the code himself to backstop his colleague and make sure he didn’t miss anything. But as soon as he opened the files, it was immediately clear there was something strange going on with the code.
The main Stuxnet file was incredibly large—500 kilobytes, as opposed to the 10 to 15 KB they usually saw. Even Conficker, the monster worm that infected more than 6 million machines the previous two years, was only 35 kilobytes in size. Any malware larger than this usually just contained a space-hogging image file that accounted for its bloat—suchas a fake online banking page that popped up in the browser of infected machines to trick victims into relinquishing their banking credentials. But there was no image file in Stuxnet, and no extraneous fat, either. And, as O’Murchu began to take the files apart, he realized the code was also much more complex than he or anyone else had previously believed.
When