Stuxnet Malware Attack Speculation Leans Toward Israel

Evidence has emerged that some say points toward Israel as a possible originator of Stuxnet, but security pros caution against coming to any conclusions.

Security researchers have uncovered what some have called potential connections between the Stuxnet worm and Israel.

Two pieces of evidence have emerged. The first is the directory name "Myrtus," found in a build path string left inside Stuxnet's driver code, which some consider an allusion to the Book of Esther, an Old Testament story in which the Jews thwart a Persian plot to destroy them (Esther's Hebrew name, Hadassah, is derived from the word for myrtle). There are, however, competing explanations: myrtus could simply refer to the myrtle plant, which is common in the Mediterranean region.

"Myrtus is the family name, the botanical family name, for the guava plant. ... Myrtus was the directory name, and then the file name was guava," explained Eric Chien, technical director of Symantec Security Response.

Any connection, however, between the code and Israel is all speculation, he said.

"When you see that kind of stuff in code, we immediately have to think to ourselves ... that attackers have the natural desire to basically throw you off their scent," he said. "So if they really want to be clandestine [and] they really don't want you to know if it's them, then potentially they would just put in other things leading you to think that it's someone else's. So I don't think that the existence of these strings can bring sort of any additional credibility."

But this is not the only piece of evidence pointing toward politically motivated attackers. The other lies in Stuxnet's main installer, which among other things checks the current date and the Windows version of the compromised computer; decrypts, creates and installs the rootkit files and registry keys; and injects itself into the services.exe process in order to infect removable drives.

According to a paper [PDF] on Stuxnet by Symantec: "Export 16 [main installer] first checks that the configuration data is valid, after that it checks the value 'NTVDM TRACE' in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation.

"If this value is equal to 19790509 the threat will exit," the paper continues. "This is thought to be an infection marker or a 'do not infect' marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. ... According to Wikipedia, Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government."
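The registry check described in the Symantec paper can be turned around: because the installer exits when it finds the marker, an administrator can audit a Windows host for it and, if desired, set it as a "vaccine." The script below is an added example for this article, not code from Symantec or from the Stuxnet authors; the key path, value name and the decimal value 19790509 come from the passage above, the cmdlets are standard PowerShell, and the `-Vaccinate` switch and function name are this example's own choices.

```powershell
# Added example: audit (and optionally set) the "do not infect" marker that
# Symantec's analysis reports Stuxnet's main installer checks before infecting.
# Run in an elevated PowerShell session; reading works unprivileged, writing
# under HKLM does not.
param(
    [switch]$Vaccinate   # assumption for this example: opt-in; default only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation'
$ValueName = 'NTVDM TRACE'
$Marker    = 19790509    # decimal DWORD from the Symantec paper; reads as 1979-05-09

function Get-StuxnetMarkerState {
    # Returns Present (value exists), Value (its current data) and Matches
    # (data equals the marker the installer looks for).
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Matches = $false }
    }
    $current = Get-ItemPropertyValue -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        return [pscustomobject]@{ Present = $false; Value = $null; Matches = $false }
    }
    return [pscustomobject]@{
        Present = $true
        Value   = $current
        Matches = ([int64]$current -eq $Marker)
    }
}

function Set-StuxnetMarker {
    # Creates the key if needed and writes the marker as a REG_DWORD.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Marker `
        -PropertyType DWord -Force | Out-Null
}

$state = Get-StuxnetMarkerState
Write-Host ("{0}\{1}: present={2} value={3} matches={4}" -f `
    $KeyPath, $ValueName, $state.Present, $state.Value, $state.Matches)

if ($Vaccinate) {
    if ($state.Matches) {
        Write-Host 'Marker already set; nothing to do.'
    } elseif ($state.Present) {
        # Do not silently clobber an unrelated NTVDM tracing setting.
        Write-Warning ("'{0}' exists with value {1}; refusing to overwrite. Review it first." -f $ValueName, $state.Value)
    } else {
        Set-StuxnetMarker
        Write-Host 'Marker written.'
    }
}
```

To audit a fleet, run the same file remotely, for example `Invoke-Command -ComputerName host1,host2 -FilePath .\Check-StuxnetMarker.ps1`. The caveat a practitioner should keep in mind: this only short-circuits the specific installer check Symantec documented. A rebuilt variant could test a different value, and setting the marker does nothing about the vulnerabilities and stolen certificates Stuxnet used to get onto the host in the first place, so treat it as a stopgap alongside patching and removable-media controls, not a substitute for them.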

No one has claimed credit for Stuxnet. According to the New York Times, Shai Blitzblau, head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, said he is "convinced that Israel had nothing to do with Stuxnet."

"We did a complete simulation of it, and we sliced the code to its deepest level," he was quoted as saying. "We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment."

Variants of Stuxnet have been traced as far back as June 2009. Many of the infections are known to have taken place in Iran, including at the country's first nuclear power plant. The code has also affected machines in other countries, notably India and Indonesia.

The goal of the malware is to take over industrial control systems by modifying the code running on programmable logic controllers (PLCs), the devices that directly control industrial processes, such as the machinery at a power plant.

"Both asset owners and operators are significantly overestimating the inherent security of their systems as well as their ability to discern an attack under way," said James Arlen, a principal at Push the Stack Consulting. "The particular reason for this misapprehension is, in my opinion, due to a failure to communicate real meaning rather than checkbox meaning. For example, 'We have a firewall' would make an executive without a technogeek background feel safe, yet the reality of the corporate perimeter is that laptops go in and out every day and the organization doesn't mind when a contractor plugs his/her laptop or USB stick into the process control or SCADA [supervisory control and data acquisition] LAN."

Still, the complexity of Stuxnet may make imitation difficult for any other attackers, said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab.

"We've seen more primitive variants of Stuxnet back in 2009," he said. "Its authors apparently didn't achieve their targets with that code. They went to huge lengths to find these zero-day vulnerabilities and steal certificates. So it looks like actually penetrating all the defenses to get to the industrial control system network is very, very hard."