Hello,
It is interesting in reading the article and comments here on Slashdot that no one has talked about the effect cooperation between Iran and North Korea would have on either accelerating the pace of malicious software deployed against these nation-states, or even worse, the use of other means to combat their nuclear ambitions.
The Stuxnet worm was designed to target a single specific network. Yes, it spread in other ways, but the payload it deployed was engineered so that it would only work on the Natanz nuclear facility's network. That is an insane level of precision and it clearly shows the huge investment made by the attacker(s) to ensure that this "cyberweapon" could only be triggered by the correct environmental conditions. It costs money to develop the targeting, payload and telemetry systems to support that, and the attacker(s) are only going to make that type of investment in what has to have been a highly-speculative "cyberweapon" if they believe they are going to get some value out of it.
The value in malicious software like this (as well as in commercial spyware offerings, like FinFisher) is in their ability to perform without being detected by anti-malware software. As soon as that happens, the malicious software no longer has any value. The attacker may attempt to update their malicious software for a few generations, but once they are on the radar of anti-malware companies, samples of the new variants will make their way to the researchers at the anti-malware companies, possibly with metadata or telemetry that allows the point of origin to be identified. Which is not so good for plausible deniability. It is also possible that the countermeasures introduced to foil detection by anti-malware programs will introduce unforeseen errors into the malicious program, simply because it was not as fully tested as the original attack.
If one is to believe that the Stuxnet worm was jointly created by the United States and Israel to (1) degrade Iran's nuclear ambitions; and (2) as a means of delaying an attack by Israel on Iran, then one has to wonder about what sort of options are to be considered if malicious software is no longer an option.
From the defender's point of view, Iran's response to the Flame malware was probably the most effective thing they could do to combat it: The Iranian CERT blasted out copies of it to anti-malware companies around the world, ensuring that detection would be added in a matter of hours. Anti-malware companies add detection of malicious software sent to them; that's what they do, after all.
The idea that an anti-malware company would not add detection for a threat because it may have been created by or used by a government—or they were told not to by their government—does not hold water. While anti-malware software may be thought of as an American or Western European creation, there are plenty of anti-malware companies in South America, the Middle East, Asia, Eastern Europe and other parts of the globe, and any anti-malware company that did not add detection for such a threat would be subject to speculation and scrutiny about why. It would be a tacit admission by the country the anti-malware company operated in that their government was responsible for the malware.
Maintaining plausible deniability means not blocking or otherwise interfering with the detection of malware by anti-malware companies, and when they respond to a threat in hours that may have taken weeks, months or even years to develop, well, you start looking for other ways to get more bang for your buck. My fear is the emphasis will be on the bang.
Regards,
Aryeh Goretsky