Stuxnet Analysis Backs Iran-Israel Connection

Posted by Soulskill
from the my-god-has-a-bigger-firewall-than-your-god dept.
Trailrunner7 writes "Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet was plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention." Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).

  • Wait a minute. (Score:5, Insightful)

    by Moryath (553296) on Friday October 01, 2010 @06:40PM (#33766014)

    So the entire idea of the "Israel created this to attack Iran" idea is based on finding the date May 9, 1979 hidden in the code - and that because it's the first day the current theocratic asshats running Iran beheaded the first Jew of their despotic regime? Really?

    This is like playing Nostradamus. Pluck something vague, go hunting, and see what you can say later to claim you "predicted it." For instance, in Eastern bloc countries, May 9 1945 is "Victory Day." I'm sure some prominent politician somewhere in there also died on May 9, 1979. A google search for that date came back with 196,000 results just on the precise phrase "May 9, 1979".


  • Proof??? (Score:5, Insightful)

    by ArieKremen (733795) on Friday October 01, 2010 @06:41PM (#33766028)
    They were smart enough to write and deploy a complex virus, but stupid enough to include a reference to an obscure execution date of a prominent Iranian Jew; the first Google hit conveniently pointing to the relevant Wikipedia entry. That screams red herring, not proof.
  • Re:Wait a minute. (Score:2, Insightful)

    by Anonymous Coward on Friday October 01, 2010 @06:43PM (#33766048)

    So the entire idea of the "Israel created this to attack Iran" idea is based on finding the date May 9, 1979 hidden in the code

    No, the idea is based on Israel having the motivation, the capability, and the demonstrated willingness to do things like this. (Not saying that it's true that the thing came from Israel *or* targeted Iran, mind you.)

  • by hex0D (1890162) on Friday October 01, 2010 @06:47PM (#33766090)
    Watching the news reports on Iran's nuclear program about a month ago, I started to wonder if Israel would rely on diplomacy alone to resolve the issue. They sure didn't in 1981 when Iraq was building a nuclear reactor in Osirak, they flew in F-16s and bombed it. So it's not without precedent for the Israelis to attack Arab nuclear facilities.

    I for one respect their taking direct action in the interest of their national security. And if they can do so in a way that does not cost human life, all the better.

  • Re:Wait a minute. (Score:5, Insightful)

    by Moryath (553296) on Friday October 01, 2010 @06:48PM (#33766100)

    Dozens of regimes have the motivation, capability and demonstrated willingness to do things like this.

    Hell, thousands of hackers across the world have the motivation, capability, and demonstrated willingness to do things like this. And that's not even before we get to the professional virus-writers that are tied in with outfits like yakuza and russian mafia gangs these days operating various blackmail/extortion gambits.

    It sounds more like the "idea" is based on someone who has some grudge against Israel and found a convenient outlet for it, just like all the other "waah the jews did it" conspiracy theories that always sprout up - including the dork who posted a "jews also did wtc" in the first post (thankfully probably trollmarked down to -1 by now) to this article.

  • Re:Wait a minute. (Score:3, Insightful)

    by EdZ (755139) on Friday October 01, 2010 @06:50PM (#33766124)

    So the entire idea of the "Israel created this to attack Iran" idea is based on finding the date May 9, 1979 hidden in the code

    That, and the worm being targeted at Iranian PLCs. It's an incredibly sophisticated and specific attack with little avenue for direct profit, so it's unlikely to be either an extortion attempt by a criminal organisation or something produced by a blackhat hobbyist. That makes a government being behind it likely. Israel definitely has motive and means to be behind the worm.

    some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention.

    It took quite a while before researchers realised the payload was intended to mess with one specific brand of PLCs (they're hardly part of a standard honeypot); maybe the intent was to hide it in plain sight as 'just another botnet'.

  • Re:Wait a minute. (Score:3, Insightful)

    by ACS Solver (1068112) on Friday October 01, 2010 @06:53PM (#33766148)
    Yeah, that doesn't seem like good evidence at all. Mind you, I do consider it very likely that Israel is behind this. Israel has both the motivation and the capability to launch such an electronic attack at Iran. But as far as actual evidence goes, I'd like to see something more concrete. Assuming that the code really refers to the date and that it's not just a mistaken interpretation of a pointer to 0x00090579, there's still a lot of stuff that happened on that particular day.
  • Yeah, Right... (Score:4, Insightful)

    by Nom du Keyboard (633989) on Friday October 01, 2010 @07:00PM (#33766198)
    Yeah, right. Israel creates this super-secret superworm, attacks Iran with it, after putting their fingerprints all over it just so that they will get caught by the first person to look at it in a text editor. All this knowing that it is going to infect the whole world and everybody is going to be coming after the authors with torches, pitchforks, and blood in their eye.

    Of course, that explains it all.
  • Re:Wait a minute. (Score:5, Insightful)

    by polle404 (727386) on Friday October 01, 2010 @07:04PM (#33766230)
    Funny, yesterday it was an obscure bible reference that supposedly proved Israeli mischief.

    Sounds like someone has found someone to blame, and is desperately searching for "evidence" to back it up.
  • by ZuchinniOne (1617763) on Friday October 01, 2010 @07:07PM (#33766264)

    Technical analysis aside, all these Israel claims are based on huge assumptions and zero concrete evidence. Even if Israel did create this virus why would they put references in the code that led back to them?

  • Re:Wait a minute. (Score:3, Insightful)

    by Moryath (553296) on Friday October 01, 2010 @07:10PM (#33766322)

    Hey but wait! Today is October 1st that they "discovered" the May 9th reference. That's the day Alexander the Great defeated Darius III of Persia! That PROVES it was an attack against Iran, because Iran is Persia!

    October 1 is also the day Germany annexed the Sudetenland... and the day the USS Grouper torpedoed the Lisbon Maru mistakenly... and the day the Israeli Air Force bombed the PLO headquarters in Tunis (too bad they didn't get Arafat back then!).

    And this is the problem of trying to follow "date code" clues. Assuming you didn't mistake a hexadecimal pointer for a datecode, you still generally have a 1/365 chance (ostensibly 1/366 for leap years, but for some reason February 29th just seems to be a relatively boring day) of hitting some coincidental match anyways.
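
An added example, not part of the thread and not code from Symantec's analysis: a small Python scanner that does the check the two comments above are arguing about. It walks the 32-bit words of a buffer and flags any that decode as a date under either reading mentioned in the thread (a decimal YYYYMMDD constant such as 19790509, or a pointer-looking value such as 0x00090579 misread as DD/MM/YY), then measures how often pseudo-random words pass the same test, which is the base rate an analyst should compare against before calling a constant a deliberate marker. The sample buffers are constructed here and the function names are my own.

```python
"""Added example: test whether 32-bit constants in a byte buffer plausibly
encode dates, and measure how often random data passes the same test.
Not code from the page or from Symantec; all buffers below are constructed."""
import random
import struct
from datetime import date


def as_decimal_date(n):
    """Read n as a decimal YYYYMMDD (19790509 -> 1979-05-09); None if not a date."""
    y, rest = divmod(n, 10000)
    m, d = divmod(rest, 100)
    if not 1900 <= y <= 2100:
        return None
    try:
        return date(y, m, d)
    except ValueError:
        return None


def as_hex_ddmmyy(n):
    """Read the low six hex digits of n as DDMMYY, the way a pointer such as
    0x00090579 could be misread as 09/05/79; None if that reading is not a date."""
    if n > 0xFFFFFF:            # require the top byte to be zero (0x00......)
        return None
    digits = "%06x" % n
    if not digits.isdigit():    # any a-f nibble rules out a decimal reading
        return None
    dd, mm, yy = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    year = 1900 + yy if yy >= 50 else 2000 + yy   # two-digit year pivot, an assumption
    try:
        return date(year, mm, dd)
    except ValueError:
        return None


READINGS = (("decimal", as_decimal_date), ("hex_ddmmyy", as_hex_ddmmyy))


def scan_for_dates(buf, step=4):
    """Return (offset, value, reading, date) for every little-endian 32-bit
    word in buf that decodes as a date under either reading.
    step=4 looks at aligned words only; step=1 looks at every byte offset."""
    hits = []
    for off in range(0, len(buf) - 3, step):
        (n,) = struct.unpack_from("<I", buf, off)
        for name, fn in READINGS:
            d = fn(n)
            if d is not None:
                hits.append((off, n, name, d))
    return hits


def false_positive_rate(n_words, seed=1979, step=4):
    """Fraction of pseudo-random 32-bit words flagged as dates. This is the
    base rate to compare against before treating a constant as a signature."""
    rnd = random.Random(seed)
    words = [rnd.getrandbits(32) for _ in range(n_words)]
    buf = struct.pack("<%dI" % n_words, *words)
    return len(scan_for_dates(buf, step)) / n_words


# Constructed sample: 32 zero bytes with two planted words.
SAMPLE = bytearray(32)
struct.pack_into("<I", SAMPLE, 8, 19790509)     # decimal YYYYMMDD constant
struct.pack_into("<I", SAMPLE, 20, 0x00090579)  # pointer-looking value

if __name__ == "__main__":
    for hit in scan_for_dates(bytes(SAMPLE)):
        print("offset %3d value 0x%08x reads as %-10s -> %s" % hit)
    print("random base rate per aligned word:", false_positive_rate(200_000))
```

Both planted words are reported as 1979-05-09 under different readings, which is the thread's point in miniature: the same date can be "found" in a value that was never meant as a date. The random base rate per word is small, but a binary has millions of words and an analyst is free to pick which reading to apply, so a single date-shaped constant proves little on its own.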

  • by Zocalo (252965) on Friday October 01, 2010 @07:13PM (#33766344) Homepage
    And it adds up. Besides the "date", admittedly a bit of a stretch as you note, there are also references to "Myrtus" within a path left in the code. Myrtus, a type of myrtle, is possibly a biblical reference to the Book of Esther (Esther was originally called Hadassah - similar to the Hebrew word for myrtle) in which Jewish forces, after unraveling a Persian attack plan, stage a preemptive and successful assault against their adversaries. There is also the level of knowledge required for the targeting of Stuxnet, including highly specific details about its intended target that would have required internal knowledge of the kind that is likely to require espionage to acquire. Finally, there is also a cut-off date of June 24, 2012 when Stuxnet will go dormant. While not unheard of in the world of more conventional botnets, this is decidedly unusual and further points to a nation state's involvement.

    Taking all that together, I think it's fairly reasonable to limit the list of suspects to those countries with a reason to be wary of Iran's nuclear program - of which there are, admittedly, quite a few. However, Israel does have a track record for being decidedly unsubtle when it is being proactive about such things, viz. the 2007 air raid on one of Syria's nuclear facilities, or the murder of Mahmoud al-Mabhouh.
  • by SplashMyBandit (1543257) on Friday October 01, 2010 @07:13PM (#33766348)
    Exactly. It shows how badly the people analyzing the worm would like it to tie it back to a super-secret Mossad operation. Talk about "confirmation bias"!
  • Re:Wait a minute. (Score:3, Insightful)

    by copponex (13876) on Friday October 01, 2010 @07:28PM (#33766450) Homepage
    What's more ridiculous is people who think the State of Israel can do no wrong, or that Israeli interests are the same thing as American interests.

    The virus was targeted towards Iranian PLCs. The date is supporting evidence of that, but may be a coincidence anyway.

    What's not a coincidence is that Israel has been threatening to attack Iran, but still refuses to sign the Non Proliferation Treaty as Iran has and subject themselves to inspections. Israel doesn't want to play by anyone's rules but their own, and creating this virus falls well within the threats they have made over the past five years.

  • Re:Wait a minute. (Score:1, Insightful)

    by Moryath (553296) on Friday October 01, 2010 @07:44PM (#33766618)

    You're still operating under the faulty assumption it's against Iran.

    Who else does Iran sell these PLCs to?

  • Re:Wait a minute. (Score:3, Insightful)

    by alexo (9335) on Friday October 01, 2010 @08:19PM (#33766842) Journal

    Also, the creators of the virus called it Myrtus, which is another name for Esther. Esther was the Jewish wife of a Persian king. One of the king's lieutenants hatched a plan to destroy the Jewish people and Esther convinced the king to give permission to fight back. The story is vaguely appropriate.

    Damn, people, you're beginning to sound like the whackos that find "biblical references" that "predict" everything that happened since (in hindsight, of course).

    If you believe that Israel is behind the attack, fine -- at this point it is as plausible an assumption as any -- but stop getting all over yourselves in ridiculous attempts to "prove" it.

    Consider this:

    1. State actors do not put "easter eggs" into munitions. If a state wants it to be known that they are behind such an action, it will either claim responsibility or will leak the information while officially refusing to comment. If a foreign intelligence programmer decides to get "creative", they will be dealt with harshly.

    2. Israelis speak Hebrew. The name Esther is written and pronounced as ESTER (transliteration, the 'E' is short, like in 'merry'). *Nobody* uses the word "Myrtus". Also see #1 above.

  • Re:Wait a minute. (Score:5, Insightful)

    by siddesu (698447) on Friday October 01, 2010 @08:33PM (#33766942)

    Hehe, mod parent up.

    The "EU" as a "state actor" is rich. If there is anything that is farther from a "state actor" in the world today (excluding maybe the UN), it is the EU. They can't make a decision on how to tie their collective shoes together, much less conspire to attack a foreign country.

    Look at the EU's "common position" on the Iran sanction proposals for the spine, resolution, unity and swift action the "state actor" has...

  • Re:Wait a minute. (Score:1, Insightful)

    by gateur (840898) on Friday October 01, 2010 @08:33PM (#33766944)
    Oh please, of course Israel did it. Israel is the most despicable terrorist state in the world. The pinpricks the Palestinians commit against Israel are trivial compared to the murderous rampages of the IDF. They have no intention of stopping until they've slaughtered every Arab baby in the world. The moral powers of the world must soon choose to stop the heinous aggression or wait until Israel decides it wants Europe too.
  • by mangu (126918) on Friday October 01, 2010 @08:45PM (#33767050)

    The whole idea could be that it doesn't prove anything, but still tells everyone who's responsible.

    If someone wants to sign their code with a date, the most logical pick would be their birthdate.

    If you want to make a veiled threat, you wouldn't pick something that gets hundreds of thousands of results in Google. You would try to make your threat clear but deniable.

  • by Maltheus (248271) on Friday October 01, 2010 @09:10PM (#33767186)

    I don't understand how a person can respect hypocrisy. Why is it ok for Israel to have nukes, but not Iran? Why is it ok for them to attack their neighbors and when anyone else does it, it's a crime?

  • Re:Yeah, Right... (Score:3, Insightful)

    by LoRdTAW (99712) on Friday October 01, 2010 @09:57PM (#33767454)

    There is no saying that the virus wasn't stuffed with fake clues pointing to Israel. Who knows where it came from, but this is either a red herring (most likely) or someone trying to start a war. It's a very interesting subject; you could turn it into a book or movie plot.

  • Re:Wait a minute. (Score:3, Insightful)

    by demonlapin (527802) on Friday October 01, 2010 @10:22PM (#33767596) Homepage Journal
    So the Jews are motivated, capable, willing, and utter fucking idiots who reveal everything in easter eggs in the program. It's like dealing with Bush's duller critics all over again - either the Jews are scheming, vicious bastards, or they're just total fucking morons. But you have to choose one of those and stand by it.
  • Re:Wait a minute. (Score:3, Insightful)

    by Cylix (55374) * on Friday October 01, 2010 @10:30PM (#33767640) Homepage Journal

    Even more reason why the clues are most likely planted.

    Very soon we will find an ASCII star of david planted in one of the binaries.

  • Re:Proof??? (Score:2, Insightful)

    by osu-neko (2604) on Saturday October 02, 2010 @01:58AM (#33768508)

    Don't you think that if a state-sponsored agency wrote and deployed the virus, the QA/QC would remove ego-driven references?

    I like to imagine governments would do all kinds of things that would make sense. Alas, I don't live in the imaginary world where they actually succeed at it all the time.

    A basement hacker has an ego, a state-sponsored team of programmers have a task.

    I'm gonna venture a guess that you've never worked for the government. XD Ego-driven behavior tends to be more common there than in corporations, at least in my experience.

  • Re:Wait a minute. (Score:3, Insightful)

    by lewko (195646) on Saturday October 02, 2010 @02:13AM (#33768560) Homepage

    That an anonymous coward will write-off another person's opinion, simply because they may be Jewish, is rather strange. Until you realize that the anonymous coward is an anti-Semite.

    Up next: Anonymous coward insists some of his best friends are Jewish. Film at eleven.

  • Re:Wait a minute. (Score:3, Insightful)

    by alexo (9335) on Saturday October 02, 2010 @02:29AM (#33768620) Journal

    Have you ever heard of an Israeli project, military or otherwise, named after a Greek word when a Hebrew one is available?
    And I am not talking about translations by non-Hebrew media.

  • Re:Wait a minute. (Score:3, Insightful)

    by dbIII (701233) on Saturday October 02, 2010 @04:32AM (#33768986)
    Most of the threats were along the lines of "I hate those guys too so vote for me". Notice how since the last election was blatantly rigged there haven't been any threats? They are not needed.
    While the support for Hizbolla is real, consider that the rockets used are 40 years old or more and probably were about to be thrown out. If Iran really wanted to hurt Israel to the point where they would be handing it to Syria on a platter they would send more money and newer rockets.
    Iran doesn't directly attack Israel because even if they managed to somehow win a conflict they wouldn't get to keep anything. The aggression against Israel is mainly for domestic consumption but also lets them pretend they care about Palestinians so they can pretend to have something more in common with the Arab states.
    When they get nuclear weapons the most likely situation would be "nice island you've got there Bahrain, shame if something happened to it but I'm selling nuclear insurance" instead of some crazed mutual annihilation with Israel.
  • by SmallFurryCreature (593017) on Saturday October 02, 2010 @06:11AM (#33769266) Journal

    Your arguments sound an awful lot like people who argue 9/11 was a government plot. Why do they argue this? Because they are afraid and can't deal with a world where a random group of individuals can do such a complex thing.

    This is especially amazing as a story running at the same time is about the leaked Intel key. And of course the ongoing story of the PS3 being cracked.

    Random individuals are a lot more resourceful than some people are willing to give them credit for. But blaming a shadow government for it is far easier to cope with because that means at least someone is in charge. In control.

    Those "stolen" certificates also mean nothing. They get "leaked" all the time. Case in point, the Intel key, which was a LOT more valuable than the keys in this worm.

    As for hackers knowing about Siemens... that is so easy and trivial to explain I hardly find it worth the effort. But it is PUBLIC knowledge who supplies Iran with its tools. Export bans and all make sure everything has to be declared.

    No, I look deeper and look at the fact this worm was so quickly discovered and so easily decoded, with all these handy clues pointing to Iran's enemies. Mmm, a virus outbreak in Iran that nobody else notices, spreads uncontrollably, yet then is near instantly dissected and points towards Iran's standard scapegoats.

    Gosh, how convenient.

    Zero day exploits are a dime a dozen, smart people the same. This is just a worm that worked its magic in a mono-culture. The moment I start thinking "government conspiracy" is when someone reveals anything about the data transferred.

    WHY would Israel do this? They have far better methods available. And they don't need to disable a Windows PC of nuclear reactor office workers. They have reliable aircraft to do that, which send a far stronger message. They have plenty of experience with it.

  • by httptech (5553) on Saturday October 02, 2010 @08:33AM (#33769572) Homepage

    Nope, I'm pretty sure it's a reference to guavas, considering the complete path was:


  • Re:Wait a minute. (Score:3, Insightful)

    by demonlapin (527802) on Saturday October 02, 2010 @09:01AM (#33769662) Homepage Journal

    virtually all of the Israelis I have known have been racist and xenophobic

    When all of your immediate neighbors want to kill you, it does tend to push you a bit toward xenophobia.

